Cost of the logs storage

  • Author
    • #8035

      Hello guys,

      I have a question for you: how much does log storage cost (on average) for 1 year, 3 years and, most importantly, 7 years?

      The reason for my question is that I am trying to convince my client to get rid of some usefull IDS/SIEM rules, and even to stop collecting some events.

      Besides the noise they generate, they cost a lot of money to store for a long time.

      So, if you have some data, or some links please share them with me/us.

      Thank you very much!

      P.S. If you have data about how much space different events/logs take, it would be welcome.

    • #50960

      I would approach this from a different angle. Storage is comparatively inexpensive, so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever."

      What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean up based on the effectiveness of the system and reduced overhead on those reading the logs.


    • #50961

      Hi Jim,

      Thanks for the answer.

      My idea is not to reduce the retention period, but to give an extra argument to get rid of many useless alerts. If they have to keep the logs for 7 years (as an ex), they must comply, but keeping garbage for 7 years…

      Also, it will be a very useful exercise for all the analysts (and not only them), an exercise that will make them think twice before using all the default alerts.

    • #50962

      There’s a big difference between collecting and alerting. My preference is to collect as much data as feasible and then filter the data set down to a manageable level. I would rarely condone collecting less data but almost always recommend trimming alertable events, tuning, and filtering so as to not DOS the analyst. You can always expand your filters if necessary as long as you have the data.

    • #50963

      @tturner wrote:

      There’s a big difference between collecting and alerting

      Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue, keep everything. By all means trim down on noisy alerts that add no value, but let the value of this filter down. Frequently you don't know what you need until after the fact, and finding out you have deleted something useful could be embarrassing.

      Again, look at the junk as useful as a metric. What are the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.

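An added example, not written by any poster in this thread, that shows the collect-everything / tune-only-the-alerting split from the two posts above and the before-versus-after alert count as a tuning metric. The events, rule names, tuning policy and event rate are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample IDS events (not real telemetry). Rule names are made up.
RAW_EVENTS = [
    {"ts": "2021-03-01T10:00:01", "rule": "policy-dns-query", "src": "10.0.0.5", "sev": 1},
    {"ts": "2021-03-01T10:00:02", "rule": "policy-dns-query", "src": "10.0.0.7", "sev": 1},
    {"ts": "2021-03-01T10:00:03", "rule": "policy-dns-query", "src": "10.0.0.9", "sev": 1},
    {"ts": "2021-03-01T10:00:04", "rule": "c2-beacon", "src": "10.0.0.7", "sev": 3},
    {"ts": "2021-03-01T10:00:05", "rule": "port-scan", "src": "10.0.0.12", "sev": 2},
    {"ts": "2021-03-01T10:00:06", "rule": "http-info", "src": "10.0.0.5", "sev": 1},
]

# Hypothetical tuning policy: suppress one known-noisy rule and raise the severity floor.
TUNING = {"suppress_rules": {"policy-dns-query"}, "min_severity": 2}
NO_TUNING = {"suppress_rules": set(), "min_severity": 0}


def collect(events):
    """Collection layer: every event is serialised and kept. Tuning never touches this."""
    return [json.dumps(e, sort_keys=True) for e in events]


def alert(events, tuning=NO_TUNING):
    """Alerting layer: the subset an analyst actually sees after tuning."""
    return [e for e in events
            if e["rule"] not in tuning["suppress_rules"]
            and e["sev"] >= tuning["min_severity"]]


def tuning_metric(events, tuning):
    """Quantify a tuning exercise: alerts before vs after, with the stored set unchanged."""
    before, after = len(alert(events)), len(alert(events, tuning))
    noisiest = Counter(e["rule"] for e in events).most_common(1)[0]
    return {
        "stored": len(collect(events)),
        "alerts_before": before,
        "alerts_after": after,
        "reduction_pct": round(100.0 * (before - after) / before, 1) if before else 0.0,
        "noisiest_rule": noisiest,
    }


def retention_bytes(stored_lines, events_per_day, years):
    """Project raw (uncompressed) volume for a retention period from the mean line size."""
    mean_size = sum(len(line.encode("utf-8")) for line in stored_lines) / len(stored_lines)
    return mean_size * events_per_day * 365 * years


if __name__ == "__main__":
    print(tuning_metric(RAW_EVENTS, TUNING))
    lines = collect(RAW_EVENTS)
    for years in (1, 3, 7):  # assumed rate of one million events per day
        print(f"{years}y: {retention_bytes(lines, 1_000_000, years) / 2**30:.1f} GiB")
```

The projection ignores compression and indexing overhead, so treat it as an upper bound on raw volume rather than a price.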

    • #50964

      Thanks for the answers!

      I’ll think about your opinions.
