cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

ERC Capacity/Ratings

Jump to solution

Hi,

Does anyone know how an internal correlation engine affects the ERC? Is there any way we can check either via CLI or GUI how much resource the correlation engine takes from the ERC? 

Also, during many occasions weve experienced ERCs with a rating lower than the EPS they are experiencing cope with the overshoot just fine (e,g: ERC 1270 getting a consistent 24k EPS without any major issues) does anyone have a figure to just how much overshoot an Appliance/device can handle ? 

If possible can anyone link me documents that might help answer these. Thank you.

 

 

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: ERC Capacity/Ratings

Jump to solution

Dear Customer,

It is always recommended to use a separate ACE appliance or an ACE VM instead of using an internal correlation engine (correlation engine as a datasource on the ERC).

Using a correlation engine as a datasource can drastically affect the performance of the ERC.

You can verify the performance of the ERC by selecting the ERC on the ESM GUI physical display & then by selecting the device status in the drop down box.

This will show you the Ten minute Average CPU load, Current CPU load, Current Memory, disk utilization as well as details about aggregate collection & parsing rate EPS on the ERC.

As far the overshoot part is concerned, attached is the SIEM specifictaion sheet which states how much EPS each appliance/device can handle.

The specification sheet describes the maximum EPS rates that each device can handle.

Sometimes, due to the overshoot you can see the EPS rates for collection & parsing  going higher.

Please remember that excessive collection rates can overwhelm and sometimes cause the parsing to slow down thereby causing a backlog of the collected raw data from the datasources that needs to be parsed.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

View solution in original post

1 Reply
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: ERC Capacity/Ratings

Jump to solution

Dear Customer,

It is always recommended to use a separate ACE appliance or an ACE VM instead of using an internal correlation engine (correlation engine as a datasource on the ERC).

Using a correlation engine as a datasource can drastically affect the performance of the ERC.

You can verify the performance of the ERC by selecting the ERC on the ESM GUI physical display & then by selecting the device status in the drop down box.

This will show you the Ten minute Average CPU load, Current CPU load, Current Memory, disk utilization as well as details about aggregate collection & parsing rate EPS on the ERC.

As far the overshoot part is concerned, attached is the SIEM specifictaion sheet which states how much EPS each appliance/device can handle.

The specification sheet describes the maximum EPS rates that each device can handle.

Sometimes, due to the overshoot you can see the EPS rates for collection & parsing  going higher.

Please remember that excessive collection rates can overwhelm and sometimes cause the parsing to slow down thereby causing a backlog of the collected raw data from the datasources that needs to be parsed.

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community