Environment
Situation
Resolution
To figure out the events per second for a Windows agent open the native Windows Event Viewer on your busiest Windows Agent and follow the example below.
Filter the event viewer - Application for 1 week, see below
2/15/2010 12:00:01 AM ? 2/22/2010 12:00:01 AM
E.g. 30,000 application events for application log for 1 week.
30,000 application log events and divide by 7 (due to 7 days in a week)
Equals = 4285.71 events per day
If you take 4285.71 (events per day) and want to find the events per hour divide by 24 (24 hours in 1 day)
So divide 4285.71 by 24
Equals = 178.57 events per minute.
Take 178.57 events per minute and divide by 60 (because 60 seconds per minute)
Equals 2.97 (events per second)
Now take 2.97 and multiple by 30 (30 is the number Windows agents in this example)
2.97 x 30 = 89.1
Equals 89.1 events per second
The central computer in the case would receive 89.1 events per second just from the application log for 30 Windows agents. Therefore, if you want to figure out the exact load for a environment you will need to apply this practice for any auditing done on an agent.
For example, from the event viewer, this practice needs to be applied to Application, System, and the Security log.
Note: This type of calculation does not take into account if the agent is acting as a proxy for other network devices.