SIEM Foundations: Define ELM Storage Pools

Version 4

    The McAfee ELM stores the raw event/log data collected from the data sources configured on Event Receivers. Before raw log storage can be enabled, you must define the ELM storage pools that will hold the logs. ELM supports a wide range of storage technologies. ELM storage options include:

    • Local Storage (standalone ELMs only; local storage is not available with ESM/REC/ELM or REC/ELM combos).
    • Direct Attached Storage (DAS).
    • iSCSI.
    • SAN.
    • Network Attached Storage (NAS), typically attached via NFS or CIFS.


    For our purposes here we will assume that you are using an NFS-based file share to store your logs. Please see the product documentation for a description of how to configure the other options.


    Define ELM Storage Device

    The first step in defining ELM storage pools is to configure a storage device for the ELM to use.


    To configure an ELM storage device:

    1. Open ELM Properties (or Receiver/ELM Properties for a combo appliance)
    2. Select the Storage Pools tab on the left side.
    3. Click Add in the top-right corner to define a new storage device, and complete the dialog.
      [Screenshot: elm-storage-device.png]
      In our example we have allocated approximately 1TB of storage for the ELM storage pool. Note that, for a combo ELM appliance, we will be migrating the ELM index database off the ELM onto this storage device. As a result, approximately 500GB of the storage device will be reserved for the ELM database. Size your storage device appropriately for your long-term storage needs. For a small pilot, 1TB of ELM storage is recommended.
    4. Click OK to define your storage device.


    Migrate the ELM Database

    The ELM database is the index the ELM maintains of where your logs are located on the storage device, which makes searching more efficient. ELM combo appliances have insufficient local storage for it, so you will need to migrate the ELM database to your storage device before defining storage pools.


    To migrate the ELM Database to external storage:

    1. Open ELM Properties (or Receiver/ELM Properties for a combo appliance)
    2. Select the ELM Configuration tab on the left side (Receiver Configuration for a combo appliance).
    3. Click the Migrate DB button.
    4. Select a storage device to hold your ELM database. You may optionally select a mirror location to maintain a mirrored copy of your ELM data for redundancy.
      [Screenshot: migrate-elm-db.png]
    5. Click OK to save your settings.


    Define ELM Storage Pools

    Once you have at least one storage device defined and your ELM database has been migrated, you are ready to define one or more ELM storage pools. Storage pools are the allocations in which logs are actually stored, and a single storage device may have several different storage pools defined on it. A storage pool has two key settings:

    • The size of the pool. The maximum size of a storage pool is 2TB, or the storage remaining on your storage device, whichever is smaller.
    • The retention time of the pool. This is determined by your compliance and/or local data retention policies.

    Logs stored in the ELM are automatically pruned when either the retention period is exceeded or the ELM has reached full capacity.
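    The two settings above interact: a pool capped at 2TB (or at whatever the device has left after the migrated ELM database is reserved) may fill up before the configured retention period is reached, at which point capacity pruning, not retention, decides how much history you keep. The following Python sketch is an added planning aid, not McAfee code and not the ELM's actual pruning implementation; the 10GB/day ingest rate, 90-day target and 20% headroom are constructed example figures, and the sample log segments are constructed too.

```python
from datetime import datetime, timedelta

GB = 1024 ** 3
TB = 1024 ** 4
MAX_POOL_BYTES = 2 * TB  # per-pool ceiling stated in the guide


def max_pool_size(device_bytes, reserved_bytes=0, allocated_bytes=0):
    """Largest pool that can still be allocated on a device: the smaller of the
    2 TB cap and the space remaining after reservations (e.g. the migrated ELM
    database) and pools already defined on the device."""
    remaining = device_bytes - reserved_bytes - allocated_bytes
    return max(0, min(MAX_POOL_BYTES, remaining))


def required_pool_size(daily_ingest_bytes, retention_days, headroom_pct=20):
    """Pool size needed to hold retention_days of logs at a given daily volume,
    with an integer-percent headroom for bursts (the headroom figure is an
    assumption for this example, not a product figure)."""
    return daily_ingest_bytes * retention_days * (100 + headroom_pct) // 100


def plan_pool(device_bytes, reserved_bytes, daily_ingest_bytes, retention_days,
              headroom_pct=20):
    """Compare the pool a retention policy needs with the pool the device allows."""
    need = required_pool_size(daily_ingest_bytes, retention_days, headroom_pct)
    cap = max_pool_size(device_bytes, reserved_bytes)
    per_day = daily_ingest_bytes * (100 + headroom_pct) // 100
    return {
        "required_bytes": need,
        "max_pool_bytes": cap,
        "fits": need <= cap,
        # days of history the capped pool holds before capacity pruning starts
        "days_covered": cap // per_day if per_day else 0,
    }


def prune(segments, now, retention_days, capacity_bytes):
    """Model of the pruning rule described in the guide: a segment is dropped
    when it is older than the retention period, and once the pool is over
    capacity the oldest surviving segments are dropped until it fits.
    Segments are (timestamp, size_bytes) tuples; returns (kept, pruned), where
    each pruned entry carries the reason it was removed."""
    kept, pruned = [], []
    limit = timedelta(days=retention_days)
    for ts, size in sorted(segments):
        if now - ts > limit:
            pruned.append((ts, size, "retention"))
        else:
            kept.append((ts, size))
    while kept and sum(s for _, s in kept) > capacity_bytes:
        ts, size = kept.pop(0)  # oldest first
        pruned.append((ts, size, "capacity"))
    return kept, pruned


def demo_prune():
    """Constructed sample: five daily log segments, 7-day retention, 30 GB pool."""
    now = datetime(2024, 6, 30)
    sample = [(now - timedelta(days=d), size * GB)
              for d, size in [(10, 10), (8, 10), (6, 20), (3, 15), (1, 5)]]
    return prune(sample, now, retention_days=7, capacity_bytes=30 * GB)


if __name__ == "__main__":
    # Constructed figures: 1 TB device, 500 GB reserved for the migrated ELM DB,
    # 10 GB/day of raw logs, 90-day retention target.
    print(plan_pool(1 * TB, 500 * GB, 10 * GB, 90))
    kept, pruned = demo_prune()
    print(len(kept), "kept;", [(ts.date().isoformat(), why) for ts, _, why in pruned])
```

    With the constructed figures the plan reports that the 90-day target needs roughly 1080GB but the device can only offer a 524GB pool, which covers about 43 days of history; in practice that means either enlarging the device or accepting that the pool fills before the retention policy is satisfied, so the retention setting alone is not a guarantee of how far back your logs go.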


    To define an ELM Storage Pool:

    1. Open ELM Properties (or Receiver/ELM Properties for a combo appliance)
    2. Select the Storage Pools tab on the left side.
    3. Click Add in the bottom-right corner to define a new storage pool. Choose a name for your storage pool, and set your desired retention time.
      [Screenshot: elm-storage-pool-1.png]
    4. Click Add to select your storage device and the allocation for this pool.
      [Screenshot: elm-storage-pool-2.png]
    5. Click OK to save your settings, and then click OK once more to create the storage pool.


    Your new ELM storage pool is now available for storing raw logs. Logging is configured in the properties of each individual data source, and the current settings can also be reviewed under Receiver Properties/Data Sources. The screenshot below shows an example where all data sources are being parsed, and all except Apache and Domain Controller are also being logged to the ELM.


    [Screenshot: elm-logging.png]

    Once you have data sources defined, you may use this dialog to enable logging. You can enable logging on several data sources at once by multi-selecting them (control-click or shift-click) and then selecting the Logging check box at the top of the dialog.

