This is a very common question, given how affordably a single server install can be licensed.
Kiwi Syslog Server commercial edition software is built and tested to support more than two million messages an hour without tuning. (That would support more than 500 machines each sending one message a second.)
That is about 500 log events per second (EPS), provided adequate memory, CPU and bandwidth are available. For sizing, you can use 500 per second x 60 seconds per minute x 60 minutes = 1.8 million per hour.
Note that the above figure will be lower if additional policies and rules are applied, since these consume additional system resources.
The commercial version is regularly tested to handle 400-600 messages per second while logging to file. So, for sizing, you can use 500 messages per second (EPS).
Note that it can handle a message buffer of 20,000 at its maximum.
Is yours a virtual system? If so, then it is really going to depend on the resources/reservations you have made at the host level for your system, since all virtual guests share the physical limits of the host's resources, such as ports, CPU, memory and hard disk.
How many Kiwi Syslog Servers are required depends on the aggregate EPS required and the network topology.
So, based on my configuration I have seen as high as 3200 events per second. The insertion time vs detection time was usually a zero to one second variance, but I found it to be as high as 5 seconds, and I don’t know if that is normal or not. If I could figure out a way to reliably search by insertion time, it would give better events per second collection rate numbers.
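A sizing sketch built on the two figures above (500 EPS sustained, 20,000-message buffer), added here as an example and not taken from the product or its documentation. The device inventory and burst profile are constructed, and the queue model (FIFO, drained at the sustained rate, overflow dropped) is an assumption about how the buffer behaves.

```python
import math

SUSTAINED_EPS = 500    # sizing figure from the page
BUFFER_MAX = 20_000    # maximum message buffer from the page

# Constructed inventory: steady-state EPS per source group (assumed values).
INVENTORY = {"firewalls": 300, "domain_controllers": 120,
             "switches": 60, "linux_hosts": 150}

# Constructed burst: 30 s quiet, 20 s at 1500 EPS, 60 s of recovery.
BURST = [400] * 30 + [1500] * 20 + [400] * 60


def servers_needed(device_eps, per_server_eps=SUSTAINED_EPS):
    """Servers required to carry the aggregate steady-state rate."""
    return math.ceil(sum(device_eps.values()) / per_server_eps)


def simulate(arrivals, drain_eps=SUSTAINED_EPS, buffer_max=BUFFER_MAX):
    """Step one second at a time through per-second arrival counts.

    Returns (peak_queue, dropped, worst_delay_seconds). Assumed model:
    messages queue FIFO, the server writes drain_eps per second, and
    anything arriving while the buffer is full is lost.
    """
    queue = dropped = peak = 0
    for n in arrivals:
        queue += n
        if queue > buffer_max:          # buffer full: excess is lost
            dropped += queue - buffer_max
            queue = buffer_max
        peak = max(peak, queue)
        queue -= min(queue, drain_eps)  # one second of logging to file
    # A message at the back of the peak queue waits this long to be written.
    return peak, dropped, math.ceil(peak / drain_eps)


if __name__ == "__main__":
    print("servers needed:", servers_needed(INVENTORY))
    peak, dropped, delay = simulate(BURST)
    print(f"peak queue={peak} dropped={dropped} worst delay={delay}s")
```

Under this model a dropped count above zero means events never reach the log file, and the worst-delay figure is the gap to expect between when an event occurred and when it becomes searchable.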