This one definitely falls into the "Grey" category.


Question:

On a redundant ESM pair, how long can a secondary device be disconnected before we need to worry that we might have trouble re-syncing?


Short Answer:

It depends.


Long Answer:

It depends on the event rate and on how much free space the ESM has to hold the data the secondary misses while it is disconnected. In a very low volume environment, like we see in many of our SMB customers, it might be as long as a few weeks. In a very high volume environment, collecting from thousands of event sources, it might be as short as a few days. There is no way to know for sure ahead of time, although measuring the current ingest rate against the free space on the primary gives a rough estimate.


This is yet another reason why SIEM users should practice good "log hygiene": eliminating event sources that serve no business purpose, and reducing the logging level on every device to the minimum the actual use cases need. It not only provides a longer outage window in the above scenario, but also maximizes performance of the system overall and increases the retention periods available for the business-relevant data. Watch this space for more on that topic in future posts.
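As an added, illustrative example (not from the original post, and not vendor tooling): a small Python script that turns the "rate versus free space" reasoning above into a number, and shows how much longer the window gets when a noisy, low-value source is pruned. The log lines, host names, free-space figure, the safety margin and the model itself (the primary has to hold everything the secondary misses until they re-sync, and raw line length stands in for stored event size) are all assumptions made for the example.

```python
"""Estimate how long a redundant SIEM's secondary can stay disconnected before
the primary runs out of room to hold what the secondary missed.

Model (an assumption made for this example, not vendor documentation): while the
secondary is down, the primary must keep every event it receives until re-sync,
so the outage window is bounded by free space divided by daily ingest volume.
The sample log lines below are constructed for the example; they stand in for a
short capture taken at the collector, and raw line length is used as a proxy
for stored event size.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a ten-second capture from three event sources.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=443
2024-05-01T10:00:00Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.6 DST=203.0.113.9 PROTO=TCP DPT=443
2024-05-01T10:00:01Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=198.51.100.20 PROTO=UDP DPT=53
2024-05-01T10:00:01Z fw-edge-01 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.1 PROTO=TCP DPT=22
2024-05-01T10:00:02Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=203.0.113.9 PROTO=TCP DPT=443
2024-05-01T10:00:02Z dc-01 Security: 4624 An account was successfully logged on. Account Name: jsmith
2024-05-01T10:00:03Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=203.0.113.9 PROTO=TCP DPT=443
2024-05-01T10:00:04Z web-01 httpd: 10.0.0.5 "GET /health HTTP/1.1" 200 12
2024-05-01T10:00:05Z web-01 httpd: 10.0.0.5 "GET /health HTTP/1.1" 200 12
2024-05-01T10:00:05Z dc-01 Security: 4625 An account failed to log on. Account Name: admin
2024-05-01T10:00:06Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.10 DST=203.0.113.9 PROTO=TCP DPT=443
2024-05-01T10:00:08Z web-01 httpd: 10.0.0.5 "GET /health HTTP/1.1" 200 12
2024-05-01T10:00:10Z fw-edge-01 kernel: ACCEPT IN=eth0 SRC=10.0.0.11 DST=203.0.113.9 PROTO=TCP DPT=443
"""

SECONDS_PER_DAY = 86_400


def parse_log(text):
    """Return one (timestamp, host, byte_length) tuple per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, host, _rest = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, host, len(line.encode("utf-8"))))
    return events


def capture_span_seconds(events):
    """Seconds covered by the capture, never below one so rates stay finite."""
    stamps = [ts for ts, _, _ in events]
    return max((max(stamps) - min(stamps)).total_seconds(), 1.0)


def per_source_daily_bytes(events):
    """Extrapolate each source's observed volume to bytes per day."""
    span = capture_span_seconds(events)
    totals = defaultdict(int)
    for _, host, nbytes in events:
        totals[host] += nbytes
    return {host: b * SECONDS_PER_DAY / span for host, b in totals.items()}


def estimate_outage_window_days(free_bytes, daily_bytes, margin=0.5):
    """Days the secondary can be down before the primary's spare space is gone.

    `margin` reserves part of the free space for normal growth and index
    overhead; using only half (0.5) is a conservative default chosen for this
    example, not a vendor figure.
    """
    if daily_bytes <= 0:
        return float("inf")
    return free_bytes * margin / daily_bytes


def noisiest_sources(events, n=3):
    """Sources ranked by daily volume: the first place to look for hygiene savings."""
    by_host = per_source_daily_bytes(events)
    return sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def window_with_and_without(events, free_bytes, drop_hosts=(), margin=0.5):
    """Estimated window before and after pruning the named sources."""
    by_host = per_source_daily_bytes(events)
    before = estimate_outage_window_days(free_bytes, sum(by_host.values()), margin)
    kept = sum(b for h, b in by_host.items() if h not in drop_hosts)
    after = estimate_outage_window_days(free_bytes, kept, margin)
    return before, after


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    free = 2 * 1024 ** 4  # 2 TiB free on the primary (assumed figure)
    for host, daily in noisiest_sources(evts):
        print(f"{host:<12} {daily / 1024 ** 3:8.2f} GiB/day")
    before, after = window_with_and_without(evts, free, drop_hosts=("web-01",))
    print(f"estimated window: {before:.1f} days; without web-01 health checks: {after:.1f} days")
```

A ten-second sample only gives a coarse rate; run the same calculation over a day or a week of real collector output, and treat the result as an estimate to be confirmed against the ESM's own storage growth rather than a guarantee.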