by silverfox17 996 days ago
You can't really make an informed decision without knowing how much data they were moving. For it to be that expensive, you'd need to be moving a ludicrous amount of data, and you can always parse data down to the required fields before indexing, which saves on licensing costs.
2 comments

In 20 years of doing SIEM and SIEM-like solutions, I've yet to find an engagement that said 'Oh, yes... our volumes are XX and YY'... mostly it's a /shrug and a less than educated guess.

There's even reluctance to turn things on and _watch_ it for 10 minutes, an activity that would immediately give you a much better idea of volume. Folks just don't like doing it.

Then you get the things where setting up a redundant log source is just unwise. DNS logging was 2 orders of magnitude greater than everything else a SIEM was doing, and email was about the same size.
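The two practical points in this thread, watch a source for a few minutes to estimate volume, and cut events down to the fields you actually need before indexing, can be put into a short script. This is an added example, not code from either commenter: the log lines, the 10-minute window and the chosen field list are constructed assumptions, and the syslog format only mimics BIND-style query logging.

```python
"""Estimate SIEM ingest from a short capture window and measure how much
field reduction saves before indexing.

Added example, not from the thread. The sample lines, the 600-second window
and the required-field list are assumptions; the record format is a
hypothetical BIND-like query log.
"""
import json
import re

# Constructed sample: what a 10-minute tail of a resolver's query log might
# look like, shortened to a handful of lines so this runs offline.
SAMPLE_LINES = [
    "Mar 01 10:00:01 ns1 named[1234]: client 10.0.0.5#53211 (example.com): query: example.com IN A + (10.0.0.2)",
    "Mar 01 10:00:02 ns1 named[1234]: client 10.0.0.7#41002 (mail.example.org): query: mail.example.org IN MX + (10.0.0.2)",
    "Mar 01 10:00:02 ns1 named[1234]: client 10.0.0.5#53212 (cdn.example.net): query: cdn.example.net IN AAAA + (10.0.0.2)",
    "Mar 01 10:00:03 ns1 named[1234]: zone example.com/IN: sending notifies (serial 2024030101)",
]
WINDOW_SECONDS = 600          # assumption: the source was watched for 10 minutes
SECONDS_PER_DAY = 86400

# One possible choice of fields an analyst pivots on for DNS queries. The thread's
# point stands: which fields are "required" is case-specific, so this is an assumption.
QUERY_PATTERN = re.compile(
    r"client (?P<src>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)
REQUIRED_FIELDS = ("src", "qname", "qtype")


def estimate_daily_volume(lines, window_seconds=WINDOW_SECONDS):
    """Extrapolate a short capture to events/day and bytes/day.

    Bytes are counted as UTF-8 plus one newline per line, which is what a
    syslog forwarder actually ships to the indexer.
    """
    sample_bytes = sum(len(line.encode("utf-8")) + 1 for line in lines)
    scale = SECONDS_PER_DAY / window_seconds
    return {
        "events_per_day": len(lines) * scale,
        "bytes_per_day": sample_bytes * scale,
        "gib_per_day": sample_bytes * scale / 2**30,
    }


def parse_required(line):
    """Return only the required fields as a dict, or None when the line is
    not a query record (startup, zone transfer and similar messages)."""
    match = QUERY_PATTERN.search(line)
    if not match:
        return None
    return {name: match.group(name) for name in REQUIRED_FIELDS}


def reduce_event(line):
    """Serialize the required fields compactly. Lines that do not parse are
    kept whole rather than dropped: silently losing events costs more in an
    incident than a few unreduced bytes cost in licensing."""
    fields = parse_required(line)
    if fields is None:
        return line
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def compare_volumes(lines, window_seconds=WINDOW_SECONDS):
    """Daily volume before and after reduction, plus how many lines fell
    through unparsed (a high count means the pattern needs work)."""
    reduced = [reduce_event(line) for line in lines]
    unparsed = sum(1 for line in lines if parse_required(line) is None)
    before = estimate_daily_volume(lines, window_seconds)
    after = estimate_daily_volume(reduced, window_seconds)
    return {
        "raw_bytes_per_day": before["bytes_per_day"],
        "reduced_bytes_per_day": after["bytes_per_day"],
        "savings_ratio": 1 - after["bytes_per_day"] / before["bytes_per_day"],
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    print(json.dumps(estimate_daily_volume(SAMPLE_LINES), indent=2))
    print(json.dumps(compare_volumes(SAMPLE_LINES), indent=2))
```

In practice you would replace SAMPLE_LINES with a real capture (for example the output of tailing the log for the window) and adjust WINDOW_SECONDS to however long you watched. The unparsed_lines counter is the check worth keeping: if it climbs, the "required fields" pattern is discarding event types you have not looked at yet.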

What are the required fields in an incident with a new bug, pray tell?
It obviously depends. It's not a one size fits all answer.