This is what my colleague told me. Apologies, I'm not a SIEM person myself, so hopefully it makes sense, but if not, let me know and I will be happy to clarify @Sergej_Gurenko
****************************
It's true that raw logs stored in Elastic usually grow by about 30-100%, sometimes even reaching about 200%, and that is the primary only; the size will be doubled if replica is enabled and set to 1. Elastic uses LZ4 as the default compression algorithm; it can be changed to DEFLATE to get a higher compression ratio. The reason is that Elastic tokenizes logs into keywords and stores them as an inverted index or forward index, which lets ES search things in almost real time (default 1 sec delay) but consumes more storage. If you only need ES to store raw logs without tokenization and analysis, I think it will definitely be smaller than the raw logs.
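
An added example (not part of the original post) of a create-index request body for the storage-minded setup the reply describes: `best_compression` selects the DEFLATE codec instead of the LZ4 default, and the raw line is kept in `_source` without being tokenized or indexed. The field names `@timestamp` and `message` are assumptions.

```json
{
  "settings": {
    "index": {
      "codec": "best_compression",
      "number_of_replicas": 1
    }
  },
  "mappings": {
    "_meta": {
      "note": "Added example, not from the original post; field names are assumptions."
    },
    "dynamic": false,
    "properties": {
      "@timestamp": { "type": "date" },
      "message": { "type": "text", "index": false }
    }
  }
}
```

`index.codec` is a static setting, so it is set at index creation or on a closed index and applies to newly written segments. With `"dynamic": false` and `"index": false`, only `@timestamp` is searchable; everything else is retained in `_source` for retrieval but cannot be queried.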