I'm going through the process of validating the storage configuration of our deployment and would like to work out the size on disk of the events of each log source type so I can calculate storage requirements based on EPS, etc.
Does anyone have any suggestions about going about that? For example, for any syslog-type event source just use the standard size of a syslog packet, and for Winevents just work out the size of an event based on the evtx format?
Thanks Aaron, that'll solve my problem easily. Cheers.
I also created a rule for packets as well and just swapped out device.type with service.