A: Yes, but... Different organizations may have very different ideas about what they intend to collect from the firewalls, and each organization may have widely different traffic volumes on firewalls overall. For instance, a major bank company with an Internet presence may be legally required to collect and store information about the disposition of every packet that encounters their firewall... an awesome amount of event data. A university with the exact same amount of firewall traffic may only need (or desire) to keep information about successful authentications, error conditions and status... a much, much smaller amount of event data.
Since the NetMRI Event Collector is packaged as an appliance, it has been sized to address a certain set of applications. Specifically, the NetMRI Event Collector is sized to comfortably handle the event streams of the typical NetMRI installation where the application is network operations. If the customer application is not network operations, or is something clearly different like security management/forensics or enterprise-wide compliance (archiving of events from absolutely everything from servers and desktops to access control systems and building management), then they should be looking at something else. The key is the average daily volume of event information. If average daily volume approaches or exceeds 2 gigabits per day (the limit of the NetMRI Event Collector purchased with optional bandwidth capacity), the customer should be considering a standalone event management system on a dedicated server with features like removable storage. If the event management software they choose to purchase is Splunk, they can still get the same functionality as the NetMRI Event Collector by purchasing the NetMRI Event Analysis Module and installing it on their server.
Mike Griffin
Netcordia TAC
support@netcordia.com