Re: [logs] Re: how much memory can I have? (followup)

From: Tom Perrine (tperrine@private)
Date: Mon Jan 12 2004 - 10:49:42 PST

    On Fri, Jan 09, 2004 at 07:20:32PM -0700, Jim Prewett wrote:
    > 
    > Ok, so here's a little more concrete question.  What percentage of a
    > machine would you spend on machines for log analysis?  (if your network
    > had 100 workstations worth $1,000 each, how much money would you spend for 
    > log analysis (only including machine and software costs)?)
    > 
    > One answer I've received is between 1 and 5 percent.
    > 
    
    It really depends on what you *use* the logs for.  If you need them
    for regulatory compliance, you have to spend whatever it takes.  If
    you are using a centralized, log-based IDS, you also need to spend the
    $$.  At SDSC we were getting about 3 million records/day from the
    whole site, and were doing it with a Linux box (Dell 1650, 1 CPU
    IIRC), storing multiple copies (one on local disk for failure
    protection and one into the main NFS complex).  Analysis was separate,
    but on a workstation-class machine, e.g. Linux on a 1.6GHz, 512M RAM
    machine.  Total cost, < $3K.
    
    At SCEA.com, where I'm at now, I'll probably be feeding the logs from
    all the online game servers and all of our internal log traffic (from
    8 sites) into 2 Dell 1650s (dual 1.3 GHz CPUs), just because I need
    the redundancy and also so I can have one relay/aggregator outside the
    firewall.  Total cost, about $4K or less.
    
    
    -- 
    Tom Perrine - tperrine@private
    Sony Computer Entertainment America
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    


