layer0
Level 7
Message 1 of 4

Difference between size of pools

Hello

I have the following situation: we have 2 ELMs that store almost identical information for our Active Directory data sources, but we see a huge difference between the total storage used.

ELM 1

Pool: Active Directory

================================================================================
Description: Active Directory
Retention period: 1Y
Total storage allocated: 210 GB
Total storage used: 209 GB
Total storage available: 799 MB
Log times: 12/10/2014 08:30:10 to 03/27/2015 16:27:04
Log files: 673,382 (avg. 6,273 files/day)
Logs: 11,223,534,353 (avg. 104,569,187 logs/day)
Bytes: 187 GB (avg. 1.74 GB/day)
Log file rates: 7,773 files/day, 49,791 files/week, 242,279 files/month
Log rates: 129,677,047 logs/day, 825,356,902 logs/week, 3,951,950,663 logs/month
Byte rates: 2.36 GB/day, 14.7 GB/week, 69.6 GB/month

ELM 2

Pool: Active Directory

==============================
Description: Active Directory
Retention period: 1Y
Total storage allocated: 52.0 GB
Total storage used: 49.7 GB
Total storage available: 2.31 GB
Log times: 12/27/2014 08:07:39 to 03/27/2015 16:51:13
Log files: 692,689 (avg. 7,665 files/day)
Logs: 11,321,017,626 (avg. 125,282,958 logs/day)
Bytes: 196 GB (avg. 2.17 GB/day)
Log file rates: 7,781 files/day, 49,759 files/week, 241,295 files/month
Log rates: 129,765,807 logs/day, 824,911,716 logs/week, 3,935,675,833 logs/month
Byte rates: 2.37 GB/day, 14.7 GB/week, 69.4 GB/month

Why this huge difference? Is there something wrong with the configuration?

Thanks

3 Replies
rth67
Level 12
Message 2 of 4

Re: Difference between size of pools

Are the storage pools mirrored? If so, it may be a setting on the compression ratio being used.

If the storage pools are simply manually defined per data source, you may want to review which data sources are sending to which ELM.

I might suggest modifying the names so they aren't identical, unless, while selecting a pool, it denotes which ELM it is connecting to. We only have 1 ELM per ESM, so I am not sure how it would show up for two.

layer0
Level 7
Message 3 of 4

Re: Difference between size of pools

Hello rth67

They are two separate, independent SIEMs. They cover the same Active Directory data sources. The strange thing is that they have an almost identical number of logs, but the total storage differs a lot. They also have the same compression ratio.

Bye

aszotek
Level 10
Message 4 of 4

Re: Difference between size of pools

Look at your log file/log/byte rates; they are nearly identical.

Your problem is the size of the storage pools: they are too small, and you are not getting 1Y retention.
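
The retention shortfall raised in the last reply can be checked from the pool reports themselves. The following is an added example, not code from the thread or from the vendor: it parses the report fields posted above and estimates how many days each pool can hold and how much allocation a 1Y retention would need. It assumes on-disk usage grows linearly with time at the current ingest rate and compression; the retention suffixes other than `Y` and the 90% fullness threshold are also assumptions.

```python
import re
from datetime import datetime

# Constructed input: fields copied from the two pool reports in the thread.
ELM1 = """Retention period: 1Y
Total storage allocated: 210 GB
Total storage used: 209 GB
Log times: 12/10/2014 08:30:10 to 03/27/2015 16:27:04"""
ELM2 = """Retention period: 1Y
Total storage allocated: 52.0 GB
Total storage used: 49.7 GB
Log times: 12/27/2014 08:07:39 to 03/27/2015 16:51:13"""

UNIT_GB = {"MB": 1 / 1024, "GB": 1.0, "TB": 1024.0}
RETENTION_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}  # assumed unit suffixes
TS = "%m/%d/%Y %H:%M:%S"

def parse_pool(report):
    """Extract sizes (GB), stored time span and configured retention (days)."""
    fields = dict(l.split(": ", 1) for l in report.splitlines() if ": " in l)
    def gb(key):
        value, unit = fields[key].split()
        return float(value.replace(",", "")) * UNIT_GB[unit]
    start, end = (datetime.strptime(t, TS) for t in fields["Log times"].split(" to "))
    count, unit = re.fullmatch(r"(\d+)([DWMY])", fields["Retention period"]).groups()
    return {
        "allocated_gb": gb("Total storage allocated"),
        "used_gb": gb("Total storage used"),
        "span_days": (end - start).days,
        "retention_days": int(count) * RETENTION_DAYS[unit],
    }

def retention_check(report, full_threshold=0.90):
    """Flag a pool that is nearly full but holds less than its retention period."""
    p = parse_pool(report)
    fill = p["used_gb"] / p["allocated_gb"]
    reachable = p["span_days"] / fill  # days held once the pool is 100% full
    needed_gb = p["used_gb"] * p["retention_days"] / p["span_days"]
    return {
        "fill": round(fill, 3),
        "span_days": p["span_days"],
        "reachable_days": round(reachable),
        "needed_gb": round(needed_gb),
        "shortfall": fill >= full_threshold and reachable < p["retention_days"],
    }

if __name__ == "__main__":
    for name, report in (("ELM 1", ELM1), ("ELM 2", ELM2)):
        print(name, retention_check(report))
```

Both pools are flagged: each is more than 95% full while holding only about three months of logs against a one-year retention setting.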