JSA Maximum EPS Certification Methodology

JSA appliances are certified to support a certain maximum events per second (EPS) rate. Maximum EPS depends on the type of data that is processed, system configuration, and system load.

Deployments that significantly deviate from the test parameters that are described in this document might not be able to support the certified rates. The maximum certified EPS rate is absolute. If the load on your system is lighter than the JSA maximum EPS certification load, the EPS maximum rate for your deployment won't increase.

The following information describes the test parameters used to determine the maximum EPS rates of JSA hosts to help you set expectations and plan future JSA deployments with an appropriate EPS goal in mind.

Event Traffic
- Unique log sources - 50,000
- Unique log source types - 17
- Unique source IP addresses 250,000
- Unique destination IP addresses - 250,000
- Unique username - 300,000
- Coalescing ratio - 15%
- Average raw event size - 382 B
Traffic composition specifics: Percentage of the total contribution of data for each device type out of the total dataset. For example, the Microsoft Windows Security events represent 25% of the total dataset used in testing.
- Microsoft Windows Security - 25%
- Linux OS - 25%
- Cisco IOS - 15%
- Cisco ASA - 10%
- Linux DHCP - 5%
- Aruba Mobility controller - 5%
- Blue Coat SG Appliance - 3%
- McAfee Web Gateway - 3%
- Apache HTTP Server - 1%
- CheckPoint - 1%
- Cisco IronPort - 1%
- F5 Networks FirePass - 1%
- FireEyeMPS - 1%
- IBM Security Network ProtectionXGS - 1%
- Palo Alto PA Series - 1%
- Symantec Endpoint Protection - 1%
- Websense V Series - 1%
System configuration
- Network Hierarchy - 1000 objects
- Custom properties - 350
- Custom Rules and Building Blocks - 451
- Indexes - 20
Artifacts created as a result of data processing
- Offenses - 3000
- Assets - 365,000
- Reference Data - 11 data structures, 100,000 elements in total
User load
- Up to 16 concurrent searches