Cisco Support Community

MARS Event calculator

Does anyone have a mechanism/guideline to calculate the number of events to determine the MARS model to select?

(without counting the number of events received by an existing log server)


Re: MARS Event calculator

The best method of calculating EPS is to point the bulk of the devices (especially firewalls) to a temp syslog server and _count_ the EPS averaging for hour/day/week. This is very easy with a UNIX/Linux box and the count command. And unfortunately it's really the only accurate way. Everything else is a wild guess.
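An added example, not part of the reply above: one way to turn a capture from a temporary syslog server into hourly EPS figures. It assumes RFC 3164-style line headers (`Mmm dd hh:mm:ss`), an assumed capture year, and constructed sample lines; it also reports the peak one-second rate, which goes beyond the averaging the reply describes.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of what a temporary syslog server might store.
SAMPLE_LOG = """\
Mar  3 09:59:59 fw1 constructed event a
Mar  3 10:00:00 fw1 constructed event b
Mar  3 10:00:00 fw1 constructed event c
Mar  3 10:00:00 ids1 constructed event d
Mar  3 10:00:01 fw1 constructed event e
-- truncated line without a syslog header
Mar  3 10:30:15 fw2 constructed event f
"""


def parse_ts(line, year=2024):
    """Return the line's timestamp, or None if it has no valid header.

    RFC 3164 headers carry no year, so the capture year is an assumption.
    """
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def eps_by_hour(lines, year=2024):
    """Map each hour to its event count, average EPS and peak one-second EPS."""
    per_second = Counter()
    for line in lines:
        ts = parse_ts(line, year)
        if ts is not None:  # skip lines that are not syslog events
            per_second[ts] += 1

    hours = {}
    for ts, count in per_second.items():
        hour = ts.replace(minute=0, second=0)
        total, peak = hours.get(hour, (0, 0))
        hours[hour] = (total + count, max(peak, count))

    # The average divides by a full 3600 s, so a partially captured first or
    # last hour understates the rate; size from complete hours only.
    return {
        hour: {"events": total, "avg_eps": total / 3600, "peak_eps": peak}
        for hour, (total, peak) in sorted(hours.items())
    }


if __name__ == "__main__":
    for hour, stats in eps_by_hour(SAMPLE_LOG.splitlines()).items():
        print(hour, stats)
```

Running it over a day or a week of capture gives the hourly spread; the busiest complete hours and the peak value are the ones to compare against an appliance's rated EPS.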


Re: MARS Event calculator

I find you can take a few major indicators to at least get a range. The big ones are how many firewalls do you have, and how busy are the links they are securing. Many organizations have one firewall on their Internet connection with some hosts in the DMZ. If they have a T1 for internet, a few remote sites, an IDS system on the Inet connection and a few servers or so, this is a good fit for a mars 20 if it's on the low end, but if this is a busy network it would be a mars 50.

If you've got a larger network with more servers, bigger internet pipes and more remote sites, this could still be mars50 range. Once you hit around 10MB of internet, and more than a dozen outward facing servers you are starting to push a mars 50 to its limits. These are just rough guidelines, but should give you some idea.

