Syslog storage inputs:

  • Ingest input: Choose whether the storage estimate starts from device count or a measured total EPS.
  • Log sources: Use the number of active sources that will send events into the same searchable store.
  • Average EPS per source (EPS): Use a sustained average per source, not a one-minute maximum.
  • Aggregate EPS (EPS): Use the sustained total rate for the store being sized.
  • Average event size (bytes/event): Measure a sample file when possible; 400-900 bytes is common for first-pass network syslog estimates.
  • Searchable retention (days): Use the searchable retention window for this tier, not a cold archive requirement.
  • Compression ratio (:1): Use measured compression when available; 2:1 is a conservative indexed-log planning baseline.
  • Index overhead (%): Add the storage used by terms, metadata, normalized fields, or acceleration side files.
  • Stored copies: Use 1 for a single searchable copy, 2 for primary plus one replica, and higher only when the platform stores more copies.
  • Planning reserve (%): Keep a reserve so the searchable tier does not run full during merge, rollover, or burst periods.
  • Export label: Optional handoff label; it does not change storage math.
  • Peak multiplier (x EPS): Keep 1.0 for measured daily average storage; raise only when the retained window must absorb sustained peaks.
  • Usable disk budget: Set 0 to skip fixed-disk guardrails.
  • Budget target (%): Used only when disk budget is set; 80-90% keeps operator headroom outside the modeled reserve.

Introduction:

Syslog storage planning starts before anyone chooses a disk size. Network devices, Linux hosts, appliances, applications, and security controls can all send events into the same search system, but they do not behave alike. One source might emit a few short notices per minute, while another can produce large structured events whenever a policy, debug setting, or audit rule changes.

The searchable store is the space kept ready for queries, dashboards, alerts, and incident review. It is not the same as a cold archive or a backup copy. A cold archive may satisfy a long retention policy, but analysts usually need a smaller, faster window where indexed events remain ready to search without a restore job.

Three measurements drive the first estimate: sustained events per second, average message size, and the number of days kept searchable. The final capacity is larger than raw retained bytes because log platforms usually compress source text, build search indexes, keep copies or replicas, and need spare space for rollover, compaction, filesystem safety, and growth.

Common syslog storage planning factors

  • Event rate. What changes it: device count, logging level, policy changes, seasonal traffic, and forwarding scope. Common mistake: using a quiet-hour EPS sample for a tier that must retain busy-hour volume.
  • Event size. What changes it: vendor format, structured fields, hostname length, timestamps, application payloads, and multiline messages. Common mistake: assuming every syslog source looks like a short network device message.
  • Searchable retention. What changes it: investigation windows, audit needs, analyst habits, search speed requirements, and archive restore time. Common mistake: treating searchable retention and legal archive retention as the same requirement.
  • Searchable footprint. What changes it: compression, index structures, normalized fields, replicas, filesystem reserve, and platform safety thresholds. Common mistake: sizing only compressed raw logs and forgetting search indexes or copy policy.
Events per second and message bytes becoming daily ingest, retained data, searchable storage, and reserve headroom.

Syslog is a protocol and message format, not a promise about how many bytes a platform will store. RFC 5424 describes fields such as priority, timestamp, hostname, application name, structured data, and message text, but storage depends on what each sender includes and how the receiving search system parses it.

A useful plan names its assumptions instead of hiding them inside one total. EPS, message size, retention days, compression, index overhead, stored copies, and reserve should all be visible so a reviewer can challenge the weakest measurement first.

How to Use This Tool:

Run one estimate for one searchable tier, tenant, environment, index group, or retention class. Mixing unrelated streams can hide the noisy source that actually drives the storage request.

  1. Choose Ingest input. Use Devices and EPS per device for early fleet planning, or Measured aggregate EPS when a collector, parser, or SIEM already reports the total rate for the stream being sized.
  2. Enter Log sources and Average EPS per source, or enter Aggregate EPS. The summary badges should reflect the resulting planning EPS and raw daily ingest.
  3. Set Average event size in bytes and Searchable retention in days. Use a representative sample where possible, especially after enabling verbose audit logs, firewall accepts, or a new vendor format.
  4. Fill in Compression ratio, Index overhead, Stored copies, and Planning reserve. These values convert raw retained data into usable searchable storage.
  5. Open Advanced only when the plan needs an Export label, Peak multiplier, Usable disk budget, or Budget target. Keep the peak multiplier at 1.0 unless the retained window must absorb a sustained busy-hour, migration, or seasonal rate.
  6. If Syslog storage inputs need review appears, fix the listed field before trusting the number. Common triggers are zero EPS, zero event size, retention below one day, compression below 1:1, stored copies below one, negative reserve, or a budget target outside 1% to 100%.
  7. Review Storage Footprint first, then use Sizing Guardrails, Retention Runway Curve, and Storage Component Mix to challenge the assumptions behind the total.

For procurement or a retention commitment, rerun the estimate after a real ingest sample and keep the EPS, message-size, compression, overhead, copy, and reserve assumptions with the storage request.

Interpreting Results:

Required usable storage is the main capacity number. It includes compressed retained data, index overhead, stored searchable copies, and planning reserve. Raw daily ingest is the first clue for noisy sources, while Daily required bytes in the JSON output shows the approximate cost of one more retained day under the same assumptions.

Storage Footprint explains how the total is built. Sizing Guardrails flags assumptions that deserve evidence, such as low index overhead, low reserve, long retention, large messages, unusual compression, or pressure against a disk budget. Retention Runway Curve helps compare history length, and Storage Component Mix separates compressed data, index overhead, stored copies, and reserve.

Syslog storage status meanings

  • needs input. When it appears: at least one required value is invalid. Read it as: do not use the storage total until the validation banner is clear.
  • over disk. When it appears: Required usable storage is greater than the optional usable disk budget. Read it as: the plan does not fit the configured capacity.
  • over target. When it appears: Required storage fits the disk budget but is greater than the selected budget target. Read it as: the volume may fit, but the planned headroom has already been consumed.
  • headroom watch. When it appears: Required storage reaches at least 80% of the selected budget target. Read it as: growth, compression evidence, and noisy sources need review before rollout.
  • capacity planned. When it appears: inputs are valid and no configured disk-budget warning applies. Read it as: the arithmetic is clean, but the assumptions still need evidence.

A clean status does not prove parser quality, timestamp accuracy, shard sizing, search speed, backup coverage, legal sufficiency, or incident-response readiness. Verify EPS and average event size from the same stream, then compare the required storage with platform disk thresholds and the operator's reserve policy.

Technical Details:

RFC 5424 standardizes the shape of a syslog message and leaves storage outside the protocol. The same collector can receive compact device notices, legacy BSD-style lines, structured security events, and application messages with long key-value payloads. That is why byte-per-event sampling matters as much as the EPS number.

Searchable log stores usually keep more than compressed source text. They maintain terms, metadata, parsed fields, summaries, or acceleration files so queries can find events quickly. Availability policies can multiply that searchable primary data through replicas or clustered copies, and busy indexing systems need available space for rollover, compaction, merges, and filesystem safety.

Formula Core:

The storage path is linear until compression and overhead are applied. Byte output uses binary display units, so GiB and TiB are powers of 1024, not decimal GB and TB.

  R_base     = sources × EPS per source   (or the measured aggregate EPS)
  R_plan     = R_base × peak multiplier
  B_day      = R_plan × average event bytes × 86,400
  B_raw      = B_day × retention days
  B_index    = (B_raw / compression ratio) × (index overhead % / 100)
  B_required = (B_raw / compression ratio + B_index) × stored copies × (1 + reserve % / 100)

With 250 sources at 0.8 EPS each, the base rate is 200 EPS. At 700 bytes per event, raw daily ingest is 200 x 700 x 86,400 bytes, displayed as 11.27 GiB. Over 180 days that becomes about 1.98 TiB of raw retained data. A 2:1 compression ratio, 35% index overhead, one stored copy, and 20% reserve produce about 1.60 TiB of required usable storage.

Syslog storage validation and warning rules

  • Required rate and size. Rule: EPS and average event size must be greater than zero. Why it matters: zero input would collapse the estimate to zero storage.
  • Searchable retention. Rule: retention must be at least 1 day; more than 365 days raises a long-retention warning. Why it matters: long queryable windows are often better split from colder archive requirements.
  • Compression ratio. Rule: compression must be at least 1:1; below 1.5:1 or above 8:1 should be proven with a sample. Why it matters: compression varies by source format, field structure, and platform storage format.
  • Index overhead. Rule: overhead is accepted from 0% to 500%; below 20% raises a low-overhead warning. Why it matters: parsed fields, terms, metadata, and acceleration files can exceed a raw-only estimate.
  • Stored copies. Rule: stored copies must be at least 1. Why it matters: primary plus replica storage should match the search tier's availability policy.
  • Planning reserve. Rule: reserve is accepted from 0% to 300%; below 15% raises a headroom warning. Why it matters: indexing tiers can fail operationally before every byte on the volume is consumed.
  • Disk budget. Rule: usable disk budget cannot be negative, and the budget target must be 1% to 100%. Why it matters: the budget target reserves space outside the modeled log footprint.

The model is deterministic and does not account for ingestion CPU, search concurrency, shard sizing, license limits, clock quality, parser failures, deduplication, lifecycle movement, backup copies, or archive restore time. Those concerns should be reviewed in the chosen SIEM, log search, or syslog platform after the usable storage number is reasonable.

Accuracy Notes:

Syslog storage estimates are only as good as the measurements behind them. Treat defaults as a planning start, then replace them with values from the collector, search platform, or a representative indexed sample before buying capacity or promising retention.

  • Measure EPS over a window that includes normal peaks, not only a short quiet period.
  • Measure average event size from the same source mix that will be retained.
  • Check compression and index overhead after the log platform parses real data.
  • Keep archive retention, backups, and disaster recovery copies outside the searchable-storage total unless they are stored in the same queryable tier.

Advanced Tips:

  • Use Measured aggregate EPS for mature streams because it captures bursty source mixes better than multiplying a rough per-device average.
  • Set Peak multiplier only for sustained higher-rate windows. A one-minute spike belongs in alerting and queue sizing, not always in long-retention disk math.
  • Review Retention Runway Curve before increasing Searchable retention; the curve shows how quickly each extra day consumes usable storage under the current assumptions.
  • Use Storage Component Mix to explain why a replica, high index overhead, or large reserve can matter more than raw log volume.
  • When a fixed appliance, VM, or volume is already chosen, set Usable disk budget and Budget target so the status warns before the modeled store consumes operational headroom.

Worked Examples:

First-pass network fleet

A production network has 250 log sources averaging 0.8 EPS each. With 700 bytes per event, 180 days of searchable retention, 2:1 compression, 35% index overhead, one stored copy, and 20% reserve, Storage Footprint shows Planning EPS of 200.00 EPS, Raw daily ingest of 11.27 GiB, and Required usable storage of about 1.60 TiB. That is enough for early scoping, but the average event size still needs a real sample before procurement.

Measured aggregate security stream

A collector reports 1,200 aggregate EPS for a security stream. At 900 bytes per event, 90 days, 2.5:1 compression, 45% index overhead, two stored copies, 25% reserve, and a 50 TiB usable disk budget with an 85% target, Required usable storage is about 11.08 TiB. Sizing Guardrails reports roughly 26.1% target use and about 345.4 modeled budget-retention days, so copy policy and event size matter more than the disk ceiling in this run.

Budget target pressure

A year-long plan at 400 aggregate EPS, 800 bytes per event, 2:1 compression, 35% index overhead, one stored copy, and 20% reserve needs about 7.43 TiB. On an 8 TiB usable disk budget with an 85% target, Disk budget use is about 92.9% and target use is about 109.3%, so the status becomes over target even though the raw disk budget is not exceeded.

Validation recovery

In Devices and EPS per device mode, 50 sources with 0 EPS per source trigger Syslog storage inputs need review and the message Average EPS per source must be greater than zero. Enter a sustained rate from the collector or a conservative planning value before using Required usable storage.
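The Formula Core storage path, the validation checks, and the status rules from the sections above, carried through in code so the four worked examples can be reproduced. This is an added example, not the calculator's own code; the Plan field names are assumptions, and modeled budget-retention days is taken here as target bytes divided by daily required bytes, a definition the page does not spell out but which reproduces its 345.4 figure.

```python
# Added example (not the calculator's code): Formula Core path plus the page's status and validation rules.
from dataclasses import dataclass
GIB, TIB = 1024 ** 3, 1024 ** 4          # binary display units, as the page states

@dataclass
class Plan:                              # field names are assumptions for this example
    eps: float                           # R_base: sources * EPS per source, or aggregate EPS
    event_bytes: float                   # raw syslog bytes per event, before compression
    retention_days: float
    compression: float = 2.0             # the N in N:1
    index_overhead_pct: float = 35.0
    copies: int = 1
    reserve_pct: float = 20.0
    peak_multiplier: float = 1.0
    disk_budget_tib: float = 0.0         # 0 skips the fixed-disk guardrails
    budget_target_pct: float = 85.0

def validate(p: Plan) -> list[str]:
    # Messages that put the calculator into the "needs input" status.
    checks = [
        (p.eps <= 0, "Average EPS per source must be greater than zero"),
        (p.event_bytes <= 0, "Average event size must be greater than zero"),
        (p.retention_days < 1, "Searchable retention must be at least 1 day"),
        (p.compression < 1, "Compression ratio must be at least 1:1"),
        (p.copies < 1, "Stored copies must be at least 1"),
        (p.reserve_pct < 0, "Planning reserve cannot be negative"),
        (p.disk_budget_tib < 0 or not 1 <= p.budget_target_pct <= 100, "Budget target must be 1% to 100%"),
    ]
    return [msg for failed, msg in checks if failed]

def size(p: Plan) -> dict:
    # R_plan -> B_day -> B_raw -> B_index -> B_required, then the status reading.
    if problems := validate(p):
        return {"status": "needs input", "problems": problems}
    r_plan = p.eps * p.peak_multiplier
    b_day = r_plan * p.event_bytes * 86_400
    b_raw = b_day * p.retention_days
    b_comp = b_raw / p.compression                    # compressed retained data
    b_index = b_comp * p.index_overhead_pct / 100     # terms, fields, metadata, acceleration files
    b_req = (b_comp + b_index) * p.copies * (1 + p.reserve_pct / 100)
    out = {"planning_eps": r_plan, "raw_daily_gib": b_day / GIB,
           "required_tib": b_req / TIB, "status": "capacity planned"}
    if p.disk_budget_tib > 0:                         # optional disk guardrails
        budget = p.disk_budget_tib * TIB
        target = budget * p.budget_target_pct / 100
        out["disk_use_pct"] = 100 * b_req / budget
        out["target_use_pct"] = 100 * b_req / target
        out["budget_retention_days"] = target / (b_req / p.retention_days)   # assumed definition
        out["status"] = ("over disk" if b_req > budget else "over target" if b_req > target
                         else "headroom watch" if b_req >= 0.8 * target else "capacity planned")
    return out
```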

FAQ:

Should I use device count or aggregate EPS?

Use Measured aggregate EPS when the collector or SIEM reports the exact stream being sized. Use Devices and EPS per device when planning a new fleet, a new tenant, or a source group that does not yet have a reliable total rate.

What average event size should I enter?

Enter the raw syslog message size before compression, normalization, or indexing. A measured sample is better than a generic value because firewall accepts, authentication logs, structured audit events, and application messages can differ by several times.

Why can storage grow after compression?

Compression reduces raw retained bytes, but searchable systems also store index overhead such as terms, parsed fields, metadata, and acceleration files. Storage Component Mix separates compressed retained data copies, index overhead copies, and planning reserve.

Why does the status say over target when the disk is not full?

over target means Required usable storage is below the usable disk budget but above the selected Budget target. The budget target is a headroom rule, so it can warn before the modeled footprint reaches the full disk size.

What should I do when the inputs need review?

Read the validation message and fix that field first. EPS and average event size must be greater than zero, searchable retention must be at least one day, compression must be at least 1:1, stored copies must be at least one, and the budget target must be between 1% and 100%.

Does the calculator inspect or upload my logs?

No. It works from numeric planning values you enter, such as EPS, bytes per event, retention, compression, overhead, copies, reserve, and optional disk budget. Do not paste raw log contents into fields because the calculator does not need them.

Glossary:

EPS
Events per second, the rate at which syslog messages enter the retained stream.
Raw daily ingest
The uncompressed bytes produced in one day before retention, compression, indexing, copies, or reserve.
Searchable retention
The number of days kept in a tier that analysts can query directly.
Compression ratio
Raw-to-stored reduction. A 2:1 ratio stores compressed raw data at about half of raw size.
Index overhead
Additional searchable structures such as terms, parsed fields, metadata, or acceleration files.
Stored copies
The number of searchable copies retained by the platform, including replicas when they live in the same queryable tier.
Planning reserve
Extra usable space held for growth, filesystem safety, rollover, merge work, and sizing uncertainty.
Budget target
The portion of usable disk allowed for the modeled syslog workload after leaving operator headroom.