SIEM Foundations: Architecture Primer

The McAfee SIEM solution is composed of several appliance-based platforms working in conjunction to deliver unmatched value and performance to enterprise security professionals.  A multitude of deployment configurations allow for the most scalable and feature-rich SIEM architecture available, delivering real-time forensics, comprehensive application and database traffic/content monitoring, advanced rule- and risk-based correlation for real-time as well as historical incident detection, and the most complete set of compliance features of any SIEM on the market.  All appliances are available in a range of physical and virtual models.


The following list details the entire suite of available SIEM components.

ESM - Enterprise Security Manager (sometimes referred to as ETM)

The McAfee ESM is the ‘brains’ of the McAfee SIEM solution.  It hosts the web interface through which all SIEM interaction is performed, as well as the master database of parsed events used for forensics and compliance reporting.  It is powered by the industry-leading McAfee EDB proprietary embedded database, which boasts speeds more than 400% faster than any leading commercial or open source database.

All McAfee SIEM deployments must start with [at least one] ESM (or a combination ESM/REC/ELM appliance).

REC - Event Receiver (sometimes referred to as ERC)

The McAfee REC is used for the collection of all third-party event and flow data.

Event collection is supported via several methodologies:

  1. Push – devices forward events or flows using SYSLOG, NetFlow, etc.
  2. Pull – event/log data is collected from the data source using SQL, WMI, etc.
  3. Agent – data sources are configured to send event/log/flow data using a small-footprint agent such as McAfee SIEM Event Collector, SNARE, Adiscon, Lasso, etc.
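The three collection methods above all end at the same place: the Receiver has to turn a raw line into a parsed, normalised event before the ESM can correlate or report on it. The following added example (not McAfee code, and not a description of the proprietary Receiver parser) illustrates the push path for RFC 3164-style syslog: it extracts the priority, facility and severity, splits off host, tag and PID, pulls `key=value` pairs out of the message body, and quarantines lines it cannot parse rather than silently dropping them. The sample log lines and the `Event` structure are constructed for the example.

```python
"""Normalise syslog 'push' events the way a collector would (added, constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 3164-style line: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# key=value pairs inside the free-text message (quoted or bare values)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Event:
    """Normalised event record; field names are assumed for this example."""
    host: str
    facility: int
    severity: str
    tag: str
    pid: Optional[int]
    message: str
    fields: dict = field(default_factory=dict)


def parse_syslog(line: str) -> Optional[Event]:
    """Return an Event, or None when the line is not valid RFC 3164 syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # max facility 23 * 8 + severity 7
        return None
    facility, sev = divmod(pri, 8)     # PRI = facility * 8 + severity
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    return Event(
        host=m["host"],
        facility=facility,
        severity=SEVERITY_NAMES[sev],
        tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
        fields=kv,
    )


def ingest(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Parse every line; keep unparsable lines aside so nothing is lost silently."""
    parsed, unparsed = [], []
    for ln in lines:
        ev = parse_syslog(ln)
        if ev is None:
            unparsed.append(ln)
        else:
            parsed.append(ev)
    return parsed, unparsed


# Constructed sample input: three well-formed lines and two malformed ones.
SAMPLE_LINES = [
    "<86>Aug  8 20:52:01 fw01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2",
    "<38>Aug  8 20:52:03 fw01 sshd[2240]: Failed password for invalid user test from 203.0.113.7 port 4444 ssh2",
    "<13>Aug  8 20:52:05 app01 myapp: user=bob action=login result=success src=10.0.0.9",
    "not a syslog line at all",
    "<999>Aug  8 20:52:06 app01 myapp: priority out of range",
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES)
    for ev in ok:
        print(ev.host, ev.facility, ev.severity, ev.tag, ev.pid, ev.fields)
    print("quarantined:", bad)
```

The quarantine list is the part worth keeping in a real collector: a parser that drops what it cannot read will make a misconfigured or deliberately malformed source invisible, while an unparsed-line count per source is a cheap health check.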

The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc.  In addition, the REC supports the configuration of rule-based event correlation as an application running on the Receiver.  Receiver-based correlation has several limitations.  Risk-based correlation, deviation, and correlation flows are not supported on a Receiver; an ACE (see below) is required for these functions.  Also, as a rule of thumb, Receiver-based correlation imposes an approximately 20% performance penalty on your Receiver.  For most enterprise environments, McAfee recommends using an ACE to centralize the correlation and provide sufficient resources for this function.

McAfee Event Receivers come in physical appliances with EPS ratings ranging from 6k to 26k events per second as well as VM-based models with event collection rates ranging from 500 to 15k EPS.

Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection environment or can be geographically distributed throughout the enterprise.  Typical deployment scenarios will locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).

ELM - Enterprise Log Manager

The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event Receivers.  In SIEM environments where compliance is a success factor, the ELM is used to maintain event chain of custody and ensure full non-repudiation.

In addition to providing compliant-quality raw event archival, the ELM also supports the full-text index (FTI) for all event details.  The McAfee SIEM supports the ability to perform ad-hoc searches against the unstructured data maintained in the archive.
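The two ELM properties described above, a raw archive whose integrity can be demonstrated and a full-text index that can be searched ad hoc, are easy to show in miniature. The following is an added example, not McAfee's ELM implementation, of a tamper-evident archive: each raw record is hashed together with the previous record's digest, so any later alteration of a stored line breaks the chain from that point on, and a small inverted index supports multi-term searches over the unstructured text. The sample lines, the `LogArchive` class and its tokeniser are constructed for this illustration.

```python
"""Tamper-evident raw log archive with a full-text index (added, constructed example)."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Tokens kept for the full-text index: words, IPs, paths, e-mail-like strings.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.:/@-]+")
GENESIS = "0" * 64   # chain value before the first record


class LogArchive:
    def __init__(self) -> None:
        self.records: List[Tuple[str, str]] = []          # (raw_line, chain_digest)
        self.index: Dict[str, Set[int]] = defaultdict(set)  # token -> record ids
        self._prev = GENESIS

    def append(self, raw: str) -> int:
        """Store one raw line unchanged and extend the hash chain over it."""
        rid = len(self.records)
        digest = hashlib.sha256((self._prev + raw).encode("utf-8")).hexdigest()
        self.records.append((raw, digest))
        self._prev = digest
        for tok in {t.lower() for t in TOKEN_RE.findall(raw)}:
            self.index[tok].add(rid)
        return rid

    def search(self, *terms: str) -> List[str]:
        """Ad-hoc search: return raw lines containing every given term."""
        if not terms:
            return []
        ids: Optional[Set[int]] = None
        for term in terms:
            hits = self.index.get(term.lower(), set())
            ids = hits if ids is None else ids & hits
        return [self.records[i][0] for i in sorted(ids or set())]

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the id of the first altered record, or None."""
        prev = GENESIS
        for rid, (raw, digest) in enumerate(self.records):
            expected = hashlib.sha256((prev + raw).encode("utf-8")).hexdigest()
            if expected != digest:
                return rid
            prev = digest
        return None


# Constructed sample records (raw syslog text as a Receiver would forward it).
SAMPLE_RAW = [
    "<86>Aug  8 20:52:01 fw01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2",
    "<38>Aug  8 20:52:03 fw01 sshd[2240]: Failed password for invalid user test from 203.0.113.7 port 4444 ssh2",
    "<13>Aug  8 20:52:05 app01 myapp: user=bob action=login result=success src=10.0.0.9",
]


def build_sample_archive() -> LogArchive:
    arc = LogArchive()
    for line in SAMPLE_RAW:
        arc.append(line)
    return arc


if __name__ == "__main__":
    arc = build_sample_archive()
    print("intact:", arc.verify() is None)
    print("search fw01+alice:", arc.search("fw01", "alice"))
    # Simulate an after-the-fact edit of record 1 and show the chain detects it.
    raw, digest = arc.records[1]
    arc.records[1] = (raw.replace("Failed", "Accepted"), digest)
    print("first altered record:", arc.verify())
```

A hash chain on its own gives tamper evidence, not non-repudiation: anyone who can rewrite the whole file can also recompute every digest. Signing the chain head periodically with a key the archive host does not hold (or anchoring it in write-once storage) is what turns the chain into evidence that a third party can check.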


The ESMRECELM - also called an All-in-One (AIO) or a ‘combo box’ - provides the combined functions of the McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single appliance.

As most SIEM POC deployments are intended to showcase functionality rather than performance, the ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM.  It can be deployed with minimal disruption (single appliance, minimal rack space and power, single network connection and IP address).

In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS performance requirements of an enterprise.  The largest ESMRECELM peaks at 6k EPS and provides no local storage for the ELM archive, but instead requires supplemental storage by means of a SAN connection or an NFS or CIFS share.

ACE - Advanced Correlation Engine

The ACE provides the SIEM with unmatched advanced correlation capabilities that include both rule- and risk-based options.  In addition to performing real-time analysis, the ACE can be configured to process historical event/log data against the current set of rule and risk profiles, as well as deviation correlation and flow-correlation.  The ACE provides native risk scoring for GTI (for SIEM) and MRA-enabled customer environments.  It also allows custom risk scoring to be configured to highlight threats performed against high-value assets, sensitive data and/or by privileged users.
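To make the distinction between rule-based and risk-based correlation concrete, here is an added example (not McAfee ACE code, and not its rule or risk-profile format) of a small correlator running over normalised events. The rule-based part raises an alert when a source produces a burst of failed logons inside a sliding window and then succeeds; the risk-based part accumulates a score per user, weighting each event by an assumed asset-value multiplier and a privileged-user multiplier, and alerts when the score crosses a threshold. Because it sorts its input by timestamp, the same engine serves for real-time feeding and for replaying historical data, which is the distinction the paragraph draws between the two ACE roles. The event structure, multipliers, threshold and sample events are all constructed for this example.

```python
"""Rule- and risk-based correlation over normalised events (added, constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class Event:
    ts: int          # epoch seconds
    src: str         # source address
    user: str        # account involved
    asset: str       # target system
    action: str      # e.g. "login_fail", "login_ok", "file_read"
    severity: int    # normalised 0..10 as a parser would assign it


# Assumed risk profile: asset-value multipliers and the privileged account set.
HIGH_VALUE_ASSETS: Dict[str, float] = {"db01": 3.0, "pki01": 4.0}
PRIVILEGED_USERS = {"root", "dba_admin"}
RISK_THRESHOLD = 40.0


class Correlator:
    def __init__(self, window: int = 300, fail_threshold: int = 5) -> None:
        self.window = window
        self.fail_threshold = fail_threshold
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)  # src -> fail timestamps
        self.risk: Dict[str, float] = defaultdict(float)           # user -> accumulated risk
        self.alerts: List[Tuple] = []

    def _expire(self, q: Deque[int], now: int) -> None:
        """Drop failures that fell out of the sliding window."""
        while q and now - q[0] > self.window:
            q.popleft()

    def score(self, ev: Event) -> float:
        """Risk contribution of one event under the assumed profile."""
        s = float(ev.severity)
        s *= HIGH_VALUE_ASSETS.get(ev.asset, 1.0)
        if ev.user in PRIVILEGED_USERS:
            s *= 2.0
        return s

    def process(self, ev: Event) -> None:
        # Rule-based: N failed logons from one source, then a success from it.
        q = self.failures[ev.src]
        if ev.action == "login_fail":
            q.append(ev.ts)
            self._expire(q, ev.ts)
        elif ev.action == "login_ok":
            self._expire(q, ev.ts)
            if len(q) >= self.fail_threshold:
                self.alerts.append(("rule:brute_force_then_success", ev.src, ev.user, ev.ts))
                q.clear()
        # Risk-based: accumulate weighted score per user, alert on threshold.
        self.risk[ev.user] += self.score(ev)
        if self.risk[ev.user] >= RISK_THRESHOLD:
            self.alerts.append(("risk:threshold", ev.user, round(self.risk[ev.user], 1), ev.ts))
            self.risk[ev.user] = 0.0


def run(events: List[Event]) -> List[Tuple]:
    """Replay events in time order; works for a live feed or a historical batch."""
    c = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        c.process(ev)
    return c.alerts


# Constructed sample: a burst of failures then a success, and two reads of a
# high-value database by a privileged account.
SAMPLE_EVENTS = (
    [Event(1000 + i, "203.0.113.7", "svc", "web01", "login_fail", 3) for i in range(5)]
    + [Event(1010, "203.0.113.7", "svc", "web01", "login_ok", 1)]
    + [Event(1100, "10.0.0.9", "dba_admin", "db01", "file_read", 4),
       Event(1200, "10.0.0.9", "dba_admin", "db01", "file_read", 4)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Each database read here scores 4 × 3.0 × 2.0 = 24, so the second one crosses the 40-point threshold; the five web01 failures score only 3 each and never do, which is the point of weighting by asset and account rather than by raw severity alone.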

Typical production SIEM deployments will include two ACE appliances – one performing real-time rule and risk correlation and another configured for historical rule and risk correlation of events.

ADM - Application Data Monitor (sometimes referred to as APM)

The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces.  It is used to track transmission of sensitive data and application usage as well as detect malicious, covert traffic, theft or misuse of credentials and application-layer threats.

Not to be confused with a true DLP, the integration with the SIEM provides advanced forensics value by preserving full transactional detail for sessions violating the user-defined policy managed from within the McAfee ESM common user interface.  Complex rule correlation can leverage policy violation or suspicious application usage events to identify potential security incidents in real-time.

DEM - Database Event Monitor (sometimes referred to as DBM)

The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity via two or four promiscuous network interfaces.  It works in lieu of, or in parallel with, the McAfee (Sentrigo) agent-based database activity solution to provide comprehensive, transaction-level database monitoring of user or application DB usage.




How about this for a more accurate architecture image? I exported it with 0 compression so it is a little big, but you can compress it again as needed.  I was thinking the redundant drawing might be too busy.  Anyway, can I use this in my local documentation, being as you are the original author?




Hi Bob,  Yes, you're right that yours is more technically accurate.  Feel free to use the image as you see fit.  For the record, I stole it too.  🙂


Impressive Document. Easy to Understand.

Thanks guys.

Hi, I'm looking for the best possible design to implement a SIEM system with the below list of devices; if anyone could give me an idea, it would be appreciated.


Device List
  • TEETM5600GIEAD-AL McAfee MFE GTI for ESM5600 1:1GL Elite 1+ 1Service
  • ERC-2600L x4

How can I fully utilise the 4 ERCs? Is there any way to set up a cluster with ERCs?

What about the limitations of the COMBOBOX?

Version history: Revision 1 of 1. Last update: 08-08-2014 08:52 PM