Former Member
Message 1 of 4

Distributed ESM questions

Hi all,

I'm interested in a few things related to adding and/or removing a DESM to an existing setup.

Is there a good document other than the brief mentions in the user guide?

Has anyone deployed with ESMs in HA, i.e. Primary/Redundant setups?  Would that even matter?

Is removing a DESM from a setup destructive to the downstream ESMs and related devices/data sources?

Cheers,

  -B

3 Replies
alexander_h
Reliable Contributor
Message 2 of 4

Re: Distributed ESM questions

Hi,

Both processes are quite simple honestly.

1. Removing ESM:

     - From the central ESM, remove the DESM (will remove event data from Central ESM)

     - On the DESM properties, under ESM management, remove the key associated with the Central ESM. This way you will destroy the trust completely; if you want to re-add it in future, you have to go through the standard process.

       [Image: Capture.PNG]

     - There should be no negative impact on the DESM and its devices; such effects are caused only by adding the DESM, as the central ESM will overwrite the custom types on the DESM.

2. Redundancy is quite a good feature; however, you have to switch manually in case of failure on the primary ESM.

     - Again under ESM properties --> File Maintenance --> Backup files --> Settings --> Redundancy

          As shown below, just set the role and corresponding IP. In that case I'm creating the primary ESM; respectively, I have to enter the IP/IPs of the secondary ESM(s).

          On each of your Redundant ESMs, follow the same steps but just select the role of Redundant and enter the IP of your Primary ESM.

[Image: Capture.PNG]

Bear in mind that once initiated, the process must not be interrupted; otherwise you might end up with a broken ESM.

Once initiated, the Redundant ESM will first restart so it can switch the mode and start the synchronization.

After some time, at the end of the sync, both ESMs will go down until the sync is fully completed.

It's quite a good feature, as all of your data will be replicated to the redundant.

Former Member
Message 3 of 4

Re: Distributed ESM questions

alexander,

  #1 is good stuff as usual from you

For #2, I guess maybe it was not so clear... Say I want a Central ESM with DESMs underneath that are in a Primary/Redundant mode, i.e. say an HA ESM configuration, which would be called HA DESM?  Is that possible?

It would be ideal if the Central ESM could add both HAs, which are now (D)ESMs, but when it came time for the Central to grab events, the request would go to both the Primary HA ESM and the Redundant HA ESM, which would not return the data because it is not the Primary. The Primary should return the event data upstream.

Hope that makes sense but more important that the ESM can handle all that logic...   I'll let you know if I find out any more on this topic over the next few days.

Thanks again.

alexander_h
Reliable Contributor
Message 4 of 4

Re: Distributed ESM questions

Hi,

Once the ESM enters Redundant mode, you can't use it for anything else, meaning that it will be dedicated for redundancy.

In your case you will need 1 Primary, 1 Redundant and 1 DESM, which means you need 3 ESMs.
