Currently, I have two separate sites for SIEM. These are physical SIEMs.
If site A was to go offline, with the exception of REC A, can I use ESM B to have REC A connect to it without losing the data sources that have already been configured while REC A was connected to ESM A?
If so, any help on the steps would be greatly appreciated.
It's possible to do it, but it has to be a manual process; however, you will lose log data during that process.
Maybe a better option would be to set up a redundant ESM.
Also, there is an option to export/import data sources.
We would like to keep things separate until a failover needs to be done to a different ESM.
Would you happen to have the steps for moving a REC to a different ESM without losing data sources?
It should be as simple as adding the receiver, and then under the receiver properties there is a sync button that will bring all of the data sources from the receiver to the ESM.
I never tried it, but this is how it should work.
This will be good, but if for any reason you don't have it, you can reset the key.
I'm not sure whether McAfee published the procedure in their external KB, but it is a standard Linux command:
cat /etc/NitroGuard/factory-id_rsa.pub > /root/.ssh/authorized_keys2
Remember that the best approach will be to test this first, so you can create a procedure and include it in your DR process.
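As an added example that is not part of this thread and not a McAfee-published procedure: a shell function that does the same key re-authorisation as the one-liner above, but appends the factory key instead of overwriting authorized_keys2 with `>`, backs the file up first, and is safe to re-run. The default paths are the ones quoted in the thread and are assumed to be correct for the receiver; both can be overridden so the function can be exercised on scratch files before it goes into a DR runbook.

```shell
#!/bin/sh
# Added example, not from the thread. Re-authorise the ESM factory key on a
# receiver by appending it to authorized_keys2 (the thread's one-liner uses
# '>' and would discard any other keys already in that file).
# Assumed default paths: those quoted in the thread above.

reset_factory_key() {
  pub="${1:-/etc/NitroGuard/factory-id_rsa.pub}"
  auth="${2:-/root/.ssh/authorized_keys2}"

  # Refuse to proceed if the factory public key is missing or empty.
  [ -s "$pub" ] || { echo "factory key not found: $pub" >&2; return 1; }

  # Keep a dated copy of the existing file so the change can be rolled back.
  if [ -f "$auth" ]; then
    cp -p "$auth" "$auth.bak.$(date +%Y%m%d%H%M%S)"
  else
    mkdir -p "$(dirname "$auth")"
    : > "$auth"
  fi

  # Append only if this exact key line is not already present (idempotent).
  key="$(head -n 1 "$pub")"
  if ! grep -qxF -- "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi

  # sshd ignores authorized_keys files that are group/world writable.
  chmod 600 "$auth"
  chmod 700 "$(dirname "$auth")"
  echo "factory key present in $auth"
}

# Return 0 if the key in file $1 is already trusted in authorized_keys file $2.
factory_key_trusted() {
  grep -qxF -- "$(head -n 1 "$1")" "$2"
}
```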