Hi, "Muhammad Asim" <masim@juniper.net> wrote on 2015-06-08 at 07:46:
Thanks. The main objective is to reduce the EPS rate towards the SIEM, which is Juniper Secure Analytics (QRadar).
So my question is: if syslog-ng OSE is receiving 100K logs/sec, would I be able to send those logs on to the QRadar system at a reduced EPS rate, i.e. 2500 EPS?
I am not sure I understand you correctly. How did you plan to achieve that? Drop 97.5% of the logs based on...? Or do the logs correlate with each other, so that in reality 40 log events are about one "real"/big event, which should somehow be transformed into one? Can you show an example of what you would expect? E.g. show 200 incoming log events, and the other 5 which should leave syslog-ng towards QRadar?
Kind regards,
György Pásztor
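The two options Pásztor distinguishes, a hard cap that drops 97.5% of the stream versus collapsing correlated events into one, behave very differently on the same input. The following is an added illustration in plain Python, not syslog-ng configuration and not code from either poster: it runs both strategies over a constructed batch of 200 syslog lines (the 200-in, 5-out ratio from the reply, the same 40:1 as 100K to 2500 EPS) so the difference in what would reach the SIEM is visible. Hostnames, messages and the `throttle`/`aggregate` helpers are all invented for the demo.

```python
"""Bring 200 events/s down to a 5 events/s budget two ways: hard drop vs. aggregation.
Added example (not syslog-ng code); all sample lines below are constructed."""
import re
from collections import OrderedDict

# RFC 3164-style line: "<PRI>Mmm dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse(line):
    """Return a dict of fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["pri"]) & 7   # low 3 bits of PRI: 0=emerg .. 7=debug
    return ev


def throttle(events, eps):
    """Option 1: hard cap. Keep at most `eps` events per wall-clock second and
    drop the rest, blind to content. events: iterable of (timestamp_s, event).
    Returns (kept, dropped_count)."""
    kept, dropped = [], 0
    cur_sec, n_in_sec = None, 0
    for t, ev in events:
        sec = int(t)
        if sec != cur_sec:
            cur_sec, n_in_sec = sec, 0
        if n_in_sec < eps:
            kept.append((t, ev))
            n_in_sec += 1
        else:
            dropped += 1
    return kept, dropped


def aggregate(events, window, key=lambda ev: (ev["host"], ev["prog"], ev["msg"])):
    """Option 2: correlation. Repeats of the same key within `window` seconds
    become one record carrying a `count`; a one-off event still gets through.
    Returns a list of (first_timestamp, event_with_count)."""
    open_groups = OrderedDict()      # key -> [first_t, ev, count]
    out = []

    def flush(now):
        for k in list(open_groups):
            first_t, ev, n = open_groups[k]
            if now is None or now - first_t >= window:
                out.append((first_t, dict(ev, count=n)))
                del open_groups[k]

    for t, ev in events:
        flush(t)                     # emit groups whose window has expired
        k = key(ev)
        if k in open_groups:
            open_groups[k][2] += 1
        else:
            open_groups[k] = [t, ev, 1]
    flush(None)                      # end of stream: emit whatever is still open
    return out


# Constructed sample: 200 lines within one second, five messages repeated 40
# times each (the "40 events about one real event" case) plus one critical
# event buried at position 150. Hosts and messages are invented.
TEMPLATES = [
    (4, "fw1", "kernel", "DROP IN=eth0 DST=10.0.1.5 PROTO=TCP DPT=445"),
    (6, "web1", "nginx", "upstream timed out while connecting to upstream"),
    (6, "web2", "nginx", "upstream timed out while connecting to upstream"),
    (5, "app1", "java", "Connection refused: db1:3306"),
    (6, "app1", "sshd", "Failed password for invalid user admin from 10.0.9.9 port 4242 ssh2"),
]
CRITICAL = (2, "db1", "mysqld", "Out of memory; killing client connections")


def make_sample():
    lines = []
    for i in range(200):
        sev, host, prog, msg = CRITICAL if i == 150 else TEMPLATES[i % 5]
        lines.append((i / 200.0, "<%d>Jun  8 07:46:00 %s %s[%d]: %s"
                      % (sev, host, prog, 1000 + i % 5, msg)))
    return lines


def run_demo(budget_eps=5):
    parsed = [(t, parse(line)) for t, line in make_sample()]
    if any(ev is None for _, ev in parsed):
        raise ValueError("sample line did not parse")
    kept, dropped = throttle(parsed, budget_eps)
    grouped = aggregate(parsed, window=1.0)
    return {
        "input": len(parsed),
        "throttled_kept": len(kept),
        "throttled_dropped": dropped,
        "throttled_has_critical": any(ev["severity"] <= 2 for _, ev in kept),
        "aggregated_records": len(grouped),
        "aggregated_counts": [ev["count"] for _, ev in grouped],
        "aggregated_has_critical": any(ev["severity"] <= 2 for _, ev in grouped),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-24s %s" % (name, value))
```

The cap keeps the first five lines of the second and discards the single critical event at position 150; the aggregator emits six records (five repeated messages with their counts plus the one-off) and loses nothing but the duplicates. Note that `aggregate` keys on the exact message text, so real messages with variable fields (ports, PIDs, source addresses) need the key function to normalise those fields first, otherwise nothing groups. Also keep in mind that rate-limiting at the destination in syslog-ng slows delivery rather than dropping, so whatever the sender cannot push within the budget backs up in the output queue; if the queue fills, messages are lost there instead.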