As for syslogs per day. That depends on your environment. Like for us, its in the 10's of millions. I would work with your SIEM vendor and get a demo license first and see what the ingest rate is of all the logs you wish to capture. At that point you can determine what the actual scale would be.
Hope that helps.
This article will probably help in your situation. It is actually written for panorama sozing but the steps you need to take for a proper panorama sizing can be applied also to a syslog server: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/determine-panorama-log...
Agree with @OtakarKlier, the vast majority of SIEMs will be happy to supply you with an unlimited trial license for a few weeks so you can configure it exactly how you want and have legitimate numbers for how many logs you'll actually pass. Just be mindful of the pricing model of the SIEM when you are deciding what you actually want to send to it and if it'll actually be useful. When you get to something like Splunk pricing alone can determine what you are actually passing off of the box.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!