The formula involves directly correlating an agent's log-total, and using the average size of an event as a multiplier; the average calculation will be specific to the customer's implementation of SCSP.
Step 1 Execute the report, ‘Event Summary.’
This report will provide console access to a total number of events managed by your management server. Record-report field is ‘Total Management Event Records.’
Step 2 Execute the ‘Database Status’ Report to query for the size of the CSPEVENTS table.
Record 'Size' under the ‘DB File Usage’ -> ‘Real-Time Events’ -> Size.
Step 3 Divide the two values in step 1 and 2 for an average row size for the CSPEvents table.
‘Total Management Event Records’ / ‘Real-Time Events -> size ‘ = rowAverage
Step 4 Execute the ‘Agent Counts All’ Report
Use the value calculated in Step 3 (rowAverage) as a multiplier against the ‘Total Events’ for each agent reported in the ‘Agent Counts All’ Report.
The average row size calculated in Step 3 will not need to be calculated on a recurring basis. If IDS and IPS policies are changed to collect new types of events, then average row size (Step 3) should be calculated at that time. For example, Windows Events greatly differ in size because of the Microsoft Window’s descriptions, you can gauge these variations by simply using the Windows built-in Event Viewer (Eventvwr.msc); Windows Event ID 538 contains 4 keys in the description and event ID 4625 description contains ~22 keys. Averaging between the two Event IDs will be quite different because the size of the event description can be several times larger or smaller.
Reports tab -> Queries -> <Domain> -> <Version> -> ‘Events’ -> ‘Agent Counts All’
Reports tab -> Queries -> <Domain> -> <Version> -> ‘status’ -> ‘Database Status’ AND ‘Event Summary.’