EPS Stats & Reading Graphics


Logsign calculates EPS (Event Per Second) according to many processes that occur. You can monitor these values by updating them at certain time intervals. Now, let's see how we can read the graphs in this menu and what we can extract from them.


By using the Logsign Unified SecOps Platform WEB interface, when you click on the Settings -> Maintenance -> EPS Stats tab, you will see a page with EPS tables according to many processes.


Log: Indicates the log values taken per second from the devices added to Data Collection.

Correlation Engine: Indicates the number of logs passing through the alarm service.

Total: Indicates the total of Log and Correlation Engine values.



Correlation Engine:

Queued: Shows how many logs match the alarm rules.

Processed: Shows how many matching logs were produced as an alarm.




Parsed: Shows the graph of how many of the raw logs coming from the sources added to Logsign are normalized and mapped to the device's plugin.

Index: Shows the graph of how many normalized and mapped logs were sent to the Elasticsearch service.

Index Failed: Shows the amount of logs that could not be sent to the Elasticsearch service by the parser.

Note: Elasticsearch is the service that allows us to analyze logs live through the web interface.

Processed: Shows how much of the log sent to Elasticsearch service by the parser service was successfully processed.



Log By Source Types:

Shows the total EPS values according to the type of the source added to Data Collection.



Json Archive: Shows the amount of logs coming to the archive service. The event(s) collected on the Logsign Unified SecOps Platform are stored in the Archive section after going through certain processes.

5651 Archive (raw): Shows how many logs are archived according to 5651.




This is the field that shows the EPS value of the logs that are excluded from the archive, 5651, and index through the Data Policy feature.

See also: https://support.logsign.net/hc/en-us/articles/360009693079-Data-Policies-DPM-

At the same time, you can also see the EPS values of the sources that send logs to Logsign as Syslog but are not added to Data Collection.




Source Unknown: Reflects the values in the Unknown Source graph.

Syslog Error: Shows the logs that come to the Syslog service but cannot be distributed to the services. (There may be a problem with the Syslog service, it should be checked)

EPS License Drop: Indicates that the EPS limit assigned to your license has been exceeded.

See also: https://support.logsign.net/hc/en-us/articles/360009631420-How-to-View-Host-ID-and-License-Information

SFTP Failed: Shows the EPS values that fall due to errors in the source attached as SFTP type.



Socket Drop (Context):

The Parser and Persist services are incremented according to the EPS values. If the service is insufficient, we can track this through the graph.



Source Unknown:

The EPS value that Logsign sends to syslog (514) port with sources that are not added to Data Collection but send logs, and the graph that allows us to analyze it based on IP.


Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.