KB Article | Forcepoint Support

Problem Description

If the Log Server is only used for receiving and storing log data, the processing capacity is approximately 20,000 log entries per second for each GHz of CPU clock per core, scaling linearly up to 10 CPU cores. With more cores, performance still increases, but no longer linearly.
On a system with 40 CPU cores running at 2.8 GHz, a Log Server receiving log entries from 10 Next Generation Firewall (NGFW) Engines at a time was tested to process more than 560,000 log entries per second (20,000 x 2.8 x 10). A peak was reached at approximately 60 NGFW Engines, where the tested performance was more than 1.2 million log entries per second. When the number of NGFW Engines is increased beyond that, Log Server performance starts to decrease slowly.
The Log Server scales well when several NGFW Engines send log data to it. However, if a single NGFW Engine produces a large number of log entries, the Log Server might not be able to process the received log entries quickly enough. The NGFW Engine then starts spooling log data to its local hard drive until the Log Server has processing capacity available again. If this happens regularly, we recommend that the NGFW Engine have its own Log Server, to make sure that enough resources are available. When the Log Server serves only one or two NGFW Engines, the recommended number of CPUs is 4–8. Note that adding more CPUs does increase performance when there are more nodes sending logs to that Log Server.
Note: Keep in mind that in real usage, when the Log Server is performing other tasks at the same time, performance decreases.
Tasks that reduce the log reception and storage performance are:
  • Evaluating Log Pruning filters
  • Receiving third-party log data
  • Correlating log entries (depends on the percentage of log entries that require correlation)
  • Sending log data to a Logs view in Current Events mode
  • Computing real-time statistics on log data being received. This can happen when an Overview is opened, for example.
When high performance needs to be demonstrated, avoid the above tasks. Additionally, the Log Server might be used to browse log data (when not in Current Events mode) or to generate reports. These operations do not necessarily affect log reception and storage performance, but both heavily increase the CPU load.
Information specific to third-party log data
The performance when parsing third-party log data depends on the complexity of the parsing.
As a general guideline, the Log Server can process 30,000 third-party log entries per second when the parsing is complex and 75,000 log entries per second when the parsing is simple. One Log Server supports up to 200 third-party log data senders.
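A sizing check built from the figures in the capacity paragraphs and the third-party paragraph above, as an added example (not code from the article or the Log Server product). The workload figures are constructed, and the estimate counts only the first 10 cores because the article gives no scaling factor beyond that.

```python
# Figures quoted in the article (entries per second unless noted)
ENTRIES_PER_SEC_PER_GHZ_PER_CORE = 20_000
LINEAR_SCALING_CORE_LIMIT = 10
THIRD_PARTY_RATE = {"complex": 30_000, "simple": 75_000}
MAX_THIRD_PARTY_SENDERS = 200


def native_capacity(cores: int, ghz: float) -> int:
    """Conservative reception capacity for NGFW Engine logs.

    Only the first 10 cores are counted: scaling beyond that is sub-linear
    and the article gives no figure for it, so extra cores are left as headroom.
    """
    counted = min(cores, LINEAR_SCALING_CORE_LIMIT)
    return round(ENTRIES_PER_SEC_PER_GHZ_PER_CORE * ghz * counted)


def assess(cores: int, ghz: float, engine_rates: dict,
           third_party_senders: int = 0, third_party_rate: int = 0,
           parsing: str = "complex") -> list:
    """Compare a planned workload with the documented envelope.

    engine_rates maps an NGFW Engine name to its log rate. Returns a list of
    findings; an empty list means the plan stays inside the envelope.
    """
    findings = []
    cap = native_capacity(cores, ghz)
    total = sum(engine_rates.values())
    if total > cap:
        findings.append(f"aggregate NGFW rate {total}/s exceeds estimated capacity {cap}/s")
    # A single engine above capacity spools to its local disk: give it its own Log Server
    for name, rate in engine_rates.items():
        if rate > cap:
            findings.append(f"{name} alone sends {rate}/s > {cap}/s; it will spool locally, "
                            "consider a dedicated Log Server for it")
    if third_party_senders > MAX_THIRD_PARTY_SENDERS:
        findings.append(f"{third_party_senders} third-party senders exceed the supported "
                        f"maximum of {MAX_THIRD_PARTY_SENDERS}")
    if third_party_rate > THIRD_PARTY_RATE[parsing]:
        findings.append(f"third-party rate {third_party_rate}/s exceeds "
                        f"{THIRD_PARTY_RATE[parsing]}/s for {parsing} parsing")
    return findings


if __name__ == "__main__":
    # Constructed workload: the article's 40-core 2.8 GHz box, one very busy engine
    plan = {"fw-edge-1": 600_000, "fw-dc-1": 56_000, "fw-dc-2": 56_000}
    for line in assess(40, 2.8, plan, third_party_senders=250,
                       third_party_rate=40_000, parsing="complex"):
        print("finding:", line)
```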
The Linux EXT4 file system is significantly faster than the Microsoft Windows NTFS file system for Log Server file storage. Because of this, we recommend that you use Linux as the Log Server platform in enterprise-level environments, and that you avoid using a Microsoft Windows virtual machine as the Log Server when high scalability for log data processing is needed.

We recommend setting up a dedicated partition for log storage. The storage location can be selected during installation and can also be changed afterwards. To change the Log Server log storage location, see KB10154. We suggest keeping logs in active storage only for the period during which they are actively needed for reports and browsing. Older logs can be archived (archived logs can still be browsed in the Logs view) or exported.
