https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80794#M80816 No, because a single, 10GB stream will generate less logs than, say, 1,000 users surfing the web will, even if the aggregate bandwidth they use is less than 10GB.<BR />The number of concurrent connections, the exact rules they match and the level of logging for those rules (None versus Log versus Detailed versus Extended) is what will determine the log volume.<BR /><BR />While there is also non-user traffic, it's almost guaranteed that user traffic will generate the most logs.<BR />You could probably simulate typical user traffic in the lab for one user and have it accepted on the expected rule they'd hit (e.g. with Detailed or Extended Logs) for whatever period of time you're interested in.<BR />Based on the volume of logs that simulation generates, multiply by the expected number of users and...you have an estimate over that period.<BR /><BR /> Fri, 03 Apr 2020 21:10:14 GMT PhoneBoy 2020-04-03T21:10:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80453#M80813 <P>Hi,</P><P>&nbsp;</P><P>We are installing and configuring NGFW for multiple sites and due to the current splunk configuration, we need to send the log from CheckPoint to a syslog server prior to the splunk environment.</P><P>We therefore need to estimate the logging data flowbefore the installation (all solutions to estimate the log size based on CheckPoint interface are then not applicable).</P><P>Is there a simple way to estimate the size of the logging flow? Based on the equipment (for example CP5800), number of users (for example 10) and the traffic going through the firewall (for example 10G/sec)?</P><P>Thanks for the help!</P> Wed, 01 Apr 2020 11:43:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80453#M80813 hutinop 2020-04-01T11:43:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80685#M80814 Logging is a function of three things: Traffic, blades enabled, and your precise policy configuration, all of which determine what is actually logged.<BR />A "size" of appliance doesn't really tell you how much logs will be generated.<BR />Are you using Log Exporter here or what's the precise configuration?<BR /> Fri, 03 Apr 2020 00:02:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80685#M80814 PhoneBoy 2020-04-03T00:02:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80725#M80815 <P>For now we are assuming that all the blades of NGFW will be active (therefore not the sandblast ones).</P><P>We are using the checkpoint Log Exporter to send the log to the splunk environment via a syslog server (we need the syslog server to ensure the load balancing over the 4 splunk indexers).</P><P>As for traffic, is it a more or less linear function? i.e. 10G/s will generate 10x more log than 1G/s?</P><P>Thanks for you help <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a> !</P> Fri, 03 Apr 2020 09:04:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80725#M80815 hutinop 2020-04-03T09:04:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80794#M80816 No, because a single, 10GB stream will generate less logs than, say, 1,000 users surfing the web will, even if the aggregate bandwidth they use is less than 10GB.<BR />The number of concurrent connections, the exact rules they match and the level of logging for those rules (None versus Log versus Detailed versus Extended) is what will determine the log volume.<BR /><BR />While there is also non-user traffic, it's almost guaranteed that user traffic will generate the most logs.<BR />You could probably simulate typical user traffic in the lab for one user and have it accepted on the expected rule they'd hit (e.g. with Detailed or Extended Logs) for whatever period of time you're interested in.<BR />Based on the volume of logs that simulation generates, multiply by the expected number of users and...you have an estimate over that period.<BR /><BR /> Fri, 03 Apr 2020 21:10:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80794#M80816 PhoneBoy 2020-04-03T21:10:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80907#M80817 <P>thank you very much<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a> - this is valuable information.</P><P>Running a test to get the log size for one user presupposes that you already have the CheckPoint infrastructure, at least in a test environment. Assuming we do not, is there any chance that there is a method / estimate for let's say all blades enabled, detailed or extended log policy, 1 user surfing for 1GB traffic?</P><P>I understand it is difficult to estimate but we are just looking at ballpark figures.</P><P>Thanks again for your help!</P> Mon, 06 Apr 2020 07:36:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80907#M80817 hutinop 2020-04-06T07:36:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80985#M80818 Detailed versus Extended Logs can make a huge difference in log volume.<BR />In any case, I personally don't have a way to test at this volume. <BR />I can see if we have anything based on QA testing, but your best bet would be to engage your local office with this requirement. Mon, 06 Apr 2020 14:57:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/80985#M80818 PhoneBoy 2020-04-06T14:57:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/81042#M80819 What R&amp;D told me was that each log record is roughly 850 bytes to 1000 bytes when exported with Log Exporter, with the average being 950.<BR /><BR />Since I don't have a way to test this, what I can give you is the stats from a family of four who making use of our Internet at home.<BR />During the last 24 hours or so, my family of four generated about 30GB of traffic through my gateway, which generated roughly 80,000 logs...with most of the blades enabled and most (not all) things logged.<BR /><BR />Using these estimates--and they are just that--I would be exporting 72.5mb a day in traffic via Log Exporter.<BR />However, this is based on the traffic patterns of my family over the course of one day.<BR />Lots of things will impact the real numbers, as I said. Mon, 06 Apr 2020 20:53:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/81042#M80819 PhoneBoy 2020-04-06T20:53:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/81088#M80820 <P>Many thanks!<BR />We will try to set up a test as you suggested!</P> Tue, 07 Apr 2020 08:05:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Estimate-data-load-for-logging-to-splunk/m-p/81088#M80820 hutinop 2020-04-07T08:05:16Z