besimorhino/Get-EventEPS
Windows Event Log EPS & Storage Calculator

Because guessing your SIEM EPS & storage requirements is a terrible idea.

What is this?

A PowerShell tool that actually measures your Windows Event Log volume instead of making you guess based on vendor marketing materials that put you at a disadvantage.

Calculates:

  • Events Per Second (EPS) - How fast events are flying into your logs
  • Storage consumption - Real bytes, not "roughly 2KB per event" nonsense
  • Retention planning - How long before your 1TB disk says "I'm full"
  • Per-Event ID breakdown - Because Event ID 4688 is not the same size as 4624

Works across single systems or entire fleets. Handles permission elevation automatically because nobody remembers to right-click "Run as Administrator" every time.

Why does this exist?

I built this for SANS SEC555 (the SIEM and data analysis class), my clients, and mainly?... a big "check yourself" to the SIEM vendors out there.

I won't disclose the SIEM vendor, but I had an interaction with one vendor where they did a client dirty and used the client's lack of technical awareness to sell them more SIEM than they'll ever need.

EVERYONE needs to understand log volume before standing up a SIEM. I'm tired of orgs throwing away money to vendors who should be helping them more.

Turns out "how much storage do I need?" is a question everyone asks and nobody can answer without actual data. That ends now.

Due to lack of information, most organizations either:

  1. Wildly overestimate and buy too much storage
  2. Wildly underestimate and run out of space in a week
  3. Pay a "consultant" to badly use (aka smash the "next" button) a vendor's sizing calculator

This tool is free and tells you what's actually happening in your environment.

Features

  • Dual modes: Storage analysis (default) or EPS calculation
  • Time ranges: Analyze the entire log history, last week, last day, last hour, or custom
  • Multi-computer support: Feed it a text file of hostnames/IPs
  • Smart permission handling: Checks if you have access, offers to elevate if you don't
  • Actual size calculation: Samples events and serializes to XML to get real storage footprint
  • Retention planning: "If I have 5TB, how many days can I keep logs?" - answered instantly
  • CSV export: Because infosec lives and dies by spreadsheets!
  • Proper help documentation: Works with Get-Help like a civilized PowerShell script

Installation

Clone it. Or download the .ps1 file. There's one script and one config file. Hopefully it's not complicated.

git clone https://github.com/besimorhino/Get-EventEPS.git
cd Get-EventEPS

Requirements

  • PowerShell 5.1 or later (comes with Windows 10/Server 2016+)
  • Administrator privileges OR Event Log Readers group membership
    • Security log always needs admin
    • Other logs can work with Event Log Readers group
  • Access to the event logs you want to analyze

Usage

Basic Storage Analysis

.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt

This analyzes the entire Security log history for the Event IDs in your file and tells you how much storage they're consuming.

Create an Event ID List

Make a text file (something like eventids.txt) with the Event IDs you care about:

# Common security events
4624
4625
4672
4688
4689
4720
4732
4740

Lines starting with # are comments. Blank lines are ignored.

EPS Mode

.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -Mode EPS -TimeRange Week

Want to know your events-per-second rate? This does that. Use it for SIEM sizing or capacity planning.

Multiple Computers

.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -ComputerFile .\servers.txt -ContinueOnError

Make servers.txt with one hostname or IP per line:

DC01
DC02
192.168.1.10
WEB-SERVER-01

The -ContinueOnError flag means "if one server is offline, keep going anyway."

Different Time Ranges

# Last 24 hours
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -TimeRange Day

# Last week
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -TimeRange Week

# Last hour
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -TimeRange Hour

# Custom (72 hours)
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -TimeRange Custom -CustomHours 72

# Everything in the log (default)
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -TimeRange All

Different Event Logs

# Application log
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -LogName Application

# System log
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -LogName System

# Custom log
.\Get-EventEPS.ps1 -EventIdFile .\eventids.txt -LogName "Microsoft-Windows-PowerShell/Operational"

Get Help

Get-Help .\Get-EventEPS.ps1 -Examples
Get-Help .\Get-EventEPS.ps1 -Full

Output

Storage Mode

Shows you:

  • Event count per Event ID
  • Average event size in bytes
  • Total storage consumed
  • Daily/monthly/yearly projections
  • Retention planning for common storage sizes (100GB, 1TB, 5TB, etc.)

Example output:

Per Event ID Breakdown:
  Event ID          Count     Avg Size      Total Size         Per Day
  ---------- ------------ ------------ --------------- ---------------
  4624             45,231       1,847 B       79.61 MB        3.32 MB
  4688            123,456       2,134 B      250.91 MB       10.45 MB

Retention Planning:
  1 TB       = 73 days retention
  5 TB       = 365 days retention

EPS Mode

Shows you:

  • Events per second
  • Events per minute
  • Events per hour
  • Projected daily volume

Use this when your vendor asks "what's your EPS?" and you want to give them real numbers instead of guessing.

How It Works

Storage calculation:

  1. Queries events for each Event ID in your time range
  2. Samples up to 100 events per ID (doing them all takes too much time!)
  3. Serializes each event to XML (like SIEMs do)
  4. Calculates average size
  5. Multiplies by total count
  6. Does math to project storage needs

EPS calculation:

  1. Counts events in your time range
  2. Divides by seconds in that range
  3. Math happens!!
  4. You get honest to goodness EPS
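The storage and EPS math described in the two lists above, written out as an added example (this is not the project's own code). It assumes Get-WinEvent and the event record's ToXml() method; the function and parameter names are made up for this illustration.

```powershell
# Added example, not the project's code: the storage and EPS math from "How It Works".
# Function and parameter names are assumptions made for this illustration.
function Measure-EventIdVolume {
    param(
        [Parameter(Mandatory)] [int[]] $EventId,
        [string] $LogName    = 'Security',
        [int]    $Hours      = 24,    # analysis window; 0 means the entire log history
        [int]    $SampleSize = 100,   # events per ID serialized to estimate average size
        [double] $DiskTB     = 5      # disk size used for the retention estimate
    )
    $filter = @{ LogName = $LogName; Id = $EventId }
    if ($Hours -gt 0) { $filter.StartTime = (Get-Date).AddHours(-$Hours) }

    # One query for all IDs; @() keeps .Count valid when only one event comes back.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning 'No events returned. On the Security log this is often a permissions problem, not an empty log.'
        return
    }
    # Seconds covered: the requested window, or the span back to the oldest event for "All".
    $oldest  = ($events | Sort-Object TimeCreated)[0].TimeCreated
    $seconds = if ($Hours -gt 0) { $Hours * 3600 } else { ((Get-Date) - $oldest).TotalSeconds }

    $rows = foreach ($group in ($events | Group-Object -Property Id)) {
        # Average size from a sample, serialized to XML the way a SIEM forwarder ships it.
        $sample  = $group.Group | Select-Object -First $SampleSize
        $avgSize = ($sample | ForEach-Object { [Text.Encoding]::UTF8.GetByteCount($_.ToXml()) } |
                    Measure-Object -Average).Average
        [pscustomobject]@{
            EventId  = [int]$group.Name
            Count    = $group.Count
            AvgSizeB = [math]::Round($avgSize)
            TotalMB  = [math]::Round($avgSize * $group.Count / 1MB, 2)   # average size x total count
            PerDayMB = [math]::Round($avgSize * $group.Count / ($seconds / 86400) / 1MB, 2)
            EPS      = [math]::Round($group.Count / $seconds, 4)          # count / seconds in range
        }
    }
    $perDayBytes = ($rows | Measure-Object -Property PerDayMB -Sum).Sum * 1MB
    [pscustomobject]@{
        PerId         = $rows
        TotalEPS      = [math]::Round($events.Count / $seconds, 4)
        PerDayMB      = [math]::Round($perDayBytes / 1MB, 2)
        RetentionDays = [math]::Floor(($DiskTB * 1TB) / $perDayBytes)   # "5 TB = N days retention"
    }
}

$result = Measure-EventIdVolume -EventId 4624, 4688 -Hours 24
$result.PerId | Format-Table -AutoSize
$result | Select-Object TotalEPS, PerDayMB, RetentionDays
```

Run it from an elevated session when the target is the Security log; an empty result there is more likely a permissions problem than an empty log.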

The permission checking is smarter than just trying to query and failing. For Security logs, it checks your group membership first because Windows lies about access errors ("fun" fact, Windows often returns "no events found" instead of "access denied").
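A pre-flight check of the kind the paragraph above describes, as an added example rather than the project's own code: it decides from group membership whether a read will work before querying, and offers to relaunch elevated. The function name is an assumption; S-1-5-32-573 is the well-known SID of BUILTIN\Event Log Readers.

```powershell
# Added example, not the project's code: check group membership before querying, because a
# Security log read without rights often comes back as "no events found" rather than an error.
function Test-EventLogReadAccess {
    param([string] $LogName = 'Security')

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    # Under UAC a non-elevated admin token carries Administrators as deny-only, so IsInRole()
    # returns $false until the session is actually elevated. That is exactly what we need to know.
    $isAdmin  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # BUILTIN\Event Log Readers (well-known SID S-1-5-32-573) is enough for non-Security logs.
    $isReader = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-573' })

    $canRead = if ($LogName -eq 'Security') { $isAdmin } else { $isAdmin -or $isReader }
    $note = if ($canRead) { 'OK' }
            elseif ($LogName -eq 'Security') { 'Security log requires an elevated Administrator session' }
            else { 'Requires Administrators or Event Log Readers membership' }
    [pscustomobject]@{
        LogName        = $LogName
        IsAdmin        = $isAdmin
        EventLogReader = $isReader
        CanRead        = $canRead
        Note           = $note
    }
}

$check = Test-EventLogReadAccess -LogName 'Security'
$check | Format-List
if (-not $check.CanRead -and $PSCommandPath) {
    # Offer to relaunch this script elevated instead of silently reporting zero events.
    $answer = Read-Host "$($check.Note). Relaunch elevated? (y/n)"
    if ($answer -eq 'y') {
        Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoProfile -File `"$PSCommandPath`""
        exit
    }
}
```

The relaunch branch only fires when the code is saved and run as a script, since $PSCommandPath is empty in an interactive prompt.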

Known Issues

  • Permission detection on Security log can be weird at times - Windows returns "no events found" instead of "access denied" when you lack permissions. We work around this by checking group membership first, but it's janky. See [issue #X] for details.

Contributing

Found a bug? Sorry about that! Please open an issue.

Want to code up some features? HELL YEAH! Open a PR.

Keep it simple. This is a single-file PowerShell script that does one thing well. I'm not adding a GUI or converting it to Python, Rust, or whatever. Yes, it could be made to run faster... but I want simplicity and reliability more than anything else... at least for now.

License

Apache 2.0 - do whatever you want with it. If it breaks something, that's on you.

Authors

Mick Douglas - coder
InfoSec Innovations
Built for SANS SEC555, SIEM and Data Analytics

Shabti.AI - research, initial code generation
Claude - troubleshooting, code review

If you're using this for SIEM capacity planning, lab builds, or SOC operations, let me know. I like hearing about real-world usage.

FAQ

Q: Why PowerShell?
A: Because it's already on every Windows system and has native Event Log cmdlets. I want any org to be able to do this.

Q: Does this work on Linux?
A: Yes... technically it should run (but it's not supported), but keep in mind this is a Windows Event Log analyzer. The target system MUST be Windows.

Q: Can I use this commercially?
A: Yes. Apache 2.0 license. Go nuts.

HOWEVER! If you're a SIEM vendor, before each run... I want you to out loud and audibly ask "What can I do to make capacity planning better for my clients?" If you get caught using this (catch you at a con, webinar, etc.) and you are not heard doing this, THE COMMUNITY WILL CALL YOU OUT.

Q: Why isn't this on PowerShell Gallery?
A: It's a single file. Just download it. You don't need a package manager for everything. If it gets bigger or more complex, maybe?

Q: My SIEM vendor's calculator gave me different numbers.
A: OK? Let's think about this...
This tool uses your actual data.
Their calculator uses assumptions. They have some perverse economic incentives to sell you more SIEM or storage than you actually need.
I'm making nothing on this. NOTHING.
Pick whoever you trust more.

Q: Can you add feature X?
A: Maybe? Open an issue and make a case for why it's useful. No promises. But I do want this to be helpful.

Q: Your tool didn't work!
A: Oh no! Seriously let me know. Fill out an issue. Please.

Q: An issue isn't good enough! I'm still mad!!!
A: I'm so sorry to hear that, I'll refund you the $0.00 you paid me for this. We'll be even.

See Also


Built because guessing is not a strategy.
