I'm in the initial phases of planning a move from Endpoint Protection 11.x running an integrated database to 12.1.3 with an external SQL database. My DB admins are asking for expected resource utilization. Due to issues with 11.x, I intend to do a fresh install, then import policies from 11.x.
I downloaded the Sizing and Scalability Best Practices White Paper, but the information in there seems to tell me that my database is going to be *much* larger than the existing one.
For rollout, it's just going to be antivirus, SONAR, and very basic endpoint firewalling with later plans to test Application and Device control. We have about 4500 clients, about 1000 of which are servers. I want to retain logs for 30 days.
The White Paper says this is typical data usage (in MB, per 10000 log entries):
System Administrative 10
System Client-Server Activity 9
System Enforcer 6
Audit 6
System Server Activity 66
Client Activity 45
Security 45
Traffic 45
Packet 45
Control 45
Enforcer Client 16
Enforcer Server 14
Enforcer Traffic 9
Then their typical usage:
10 events per day per administrator
9 client-server events per machine per day
Audit negligible
System Server activity 650 events per server per day
Client Activity 120 events per machine per day
Security 1 event per machine per day
Viruses 250 per month per thousand clients
This came from a table presuming 17,000 clients. So the patterns are high, but for scalability, I thought they made good design points.
The problem is, it calls for 200GB of data retention. That doesn't even account for software content (i.e. LiveUpdate). The existing database is under 5GB.
So... have I overcalculated? I'd rather be over than under, but 40 times more than with 11 and an integrated DB?
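As an added example (not part of the original post), here is a small Python calculator that applies the white-paper per-category sizes and daily event rates quoted above to the 4500-client, 30-day environment described. It assumes 5 administrators, charges the 650/day System Server Activity rate per managed server (1000 machines), and stores virus events at the Security size; none of those three choices are stated in the post.

```python
# Added example, not from the original post or the white paper itself.
# Sizes are MB per 10,000 log entries; rates are events per day.
from dataclasses import dataclass

MB_PER_10K = {
    "System Administrative": 10,
    "System Client-Server Activity": 9,
    "System Server Activity": 66,
    "Client Activity": 45,
    "Security": 45,
}

@dataclass
class Environment:
    clients: int = 4500        # total managed endpoints, servers included
    servers: int = 1000        # subset of clients that are servers
    admins: int = 5            # assumption: the post gives no admin count
    retention_days: int = 30

def daily_entries(env: Environment) -> dict:
    """Log entries written per day, per category, at the white-paper rates."""
    virus_per_day = 250 * (env.clients / 1000) / 30   # 250/month per 1000 clients
    return {
        "System Administrative": 10 * env.admins,
        "System Client-Server Activity": 9 * env.clients,
        "System Server Activity": 650 * env.servers,  # assumption: per managed server
        "Client Activity": 120 * env.clients,
        "Security": 1 * env.clients + virus_per_day,  # assumption: virus rows sized as Security
    }

def retained_mb(env: Environment) -> dict:
    """MB held in the database over the retention window, per category."""
    return {cat: n * env.retention_days * MB_PER_10K[cat] / 10_000
            for cat, n in daily_entries(env).items()}

def total_gb(env: Environment) -> float:
    """Total retained log data in GB (1024 MB per GB)."""
    return sum(retained_mb(env).values()) / 1024

if __name__ == "__main__":
    env = Environment()
    for cat, mb in sorted(retained_mb(env).items(), key=lambda kv: -kv[1]):
        print(f"{cat:32s} {mb:12,.1f} MB")
    print(f"total: {total_gb(env):.1f} GB")
    # Same estimate if the 650/day rate applies only to the management server itself
    print(f"with servers=1: {total_gb(Environment(servers=1)):.1f} GB")
```

The per-category breakdown shows which terms make up the total, and the second call shows how the estimate changes when the 650/day rate is applied to one management server rather than to every managed server.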