This is what my colleague told me. Apologies, I'm not a SIEM person myself, so hopefully it makes sense, but if not, let me know and I will be happy to clarify @Sergej_Gurenko
****************************
Raw logs stored in Elastic: that's true, they usually grow by about 30-100%, sometimes even reaching about 200%, and that is the primary only; the size will be doubled if a replica is enabled and set to 1. Elastic uses LZ4 as the default compression algorithm; it can be changed to DEFLATE to get a higher compression ratio. The reason is that Elastic tokenizes logs into keywords and stores them as an inverted index or forward index, which lets ES search things almost in real time (default 1 sec delay) but consumes more storage. If you only need ES to store raw logs without tokenization and analysis, I think it will definitely be smaller than the raw logs.
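As an added illustration (not from the poster or their colleague), the three knobs mentioned above map onto an Elasticsearch index template like the one below: DEFLATE instead of LZ4 via `index.codec`, the replica count that doubles on-disk size, and a mapping that keeps the raw event in `_source` without tokenizing it. The index pattern `fw-logs-*` and the field names are assumptions for the example.

```json
{
  "index_patterns": ["fw-logs-*"],
  "template": {
    "settings": {
      "index.codec": "best_compression",
      "index.number_of_replicas": 1,
      "index.refresh_interval": "30s"
    },
    "mappings": {
      "dynamic": false,
      "properties": {
        "@timestamp": { "type": "date" },
        "src_ip": { "type": "ip" },
        "action": { "type": "keyword" },
        "message": {
          "type": "keyword",
          "index": false,
          "doc_values": false
        }
      }
    }
  }
}
```

With `dynamic: false` and `index: false` on `message`, the raw line is still returned in search hits but is not searchable itself, so only the few explicitly mapped fields cost inverted-index space; `number_of_replicas` 1 keeps the copy the colleague warns about, and 0 would drop it at the cost of redundancy.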