What version of Windows is this installed on? We saw a large performance drop going from Windows 2003 to Windows 2012. We're hoping the latest hotfix will improve that.
Do you log all messages to SQL? If so why, for search?
1200k sustained is nearing the usable max for Kiwi. This depends on your rules and action types but beyond 1500k we've seen problems keeping up. Again this is on Windows 2012 with LOTS of rules, script actions and logging. On 2003 we ran near the rated max of 2000k without much concern and absorbed spikes of 2400k on regular intervals. I wouldn't recommend going past 1800k without keeping a close eye on it.
As always, rule order has a big impact on performance. Rules that have a lot of matches and processing should be at the top and have a 'Stop Processing' action if the message will not be matched by another rule.
Using the native capability to write to SQL has been more efficient than using a script action with SQL calls.
Most of the Kiwi work is done in memory so until you put lots of writing logs to disk or SQL there isn't a heavy I/O impact. You can certainly put the SQL instance on the same server if it is sized appropriately. SQL would be the driver of those requirements. We separate our servers by workload so SQL is always installed on dedicated servers spec'd for SQL usage(Lots of RAM/high I/O capable) while the log servers are pretty minimal.
The network I/O is not very heavy even at the the highest Kiwi utilization due to the nature of syslog. Since there a lots of small messages the utilization tends to be low but the packet count high. Any modern device will be able to handle any and all traffic a Kiwi server can generate.