I have remote sites with no connectivity back to my master site. I wish to deploy an ERC into these sites, run it for a while (2-3 weeks), then bring it back to my main site to investigate the logs. I read that every McAfee SIEM deployment has to have at least one ESM. Does that mean I must deploy an ESM in each of the remote sites, or can I just deploy an ERC, bring this back and connect it to an ESM at my main site?
In theory you can do that. Add the ERCs into ESM, apply the data source configuration to the ERCs and then physically move them but still keep them in ESM.
Depending on your ERCs you have different values for internal storage (McAfee Event Receiver – Event Collection | Intel Security Products), which you should take into account.
It's gonna be interesting when you connect them after a while and the ESM starts pulling data :-D
Let us know how it goes.