Former Member
Message 1 of 7

Event Data Versus Flow Data

I am trying to free up space on the ESM and the space requirements are set at 50 - 50 for both flow and event data. However, we do not utilize flow data.

What are the implications of increasing space for event data to - say 90% - in terms of the ESM being available?

Can this be configured back to 50 50?

What would need to be done to be able to feed flow data into the SEIM if we were going to utilize that?

6 Replies
sssyyy
Reliable Contributor
Message 2 of 7

Re: Event Data Versus Flow Data

DB will rebuild and GUI will have down time to reallocate partitions. You can change back to 50/50, but you will lose data, so decide then do it. Don't suggest rolling back. Smaller partition % means less disk space for flow data, so it will get purged quicker.

Former Member
Message 3 of 7

Re: Event Data Versus Flow Data

Right now we don't use flow data. I suppose we would need flow data feed availability from our devices.

sssyyy
Reliable Contributor
Message 4 of 7

Re: Event Data Versus Flow Data

Go with 70/30 then, so you have the ability to store flow data, and chances to increase to 80/20 or 90/10 in the future.

Former Member
Message 5 of 7

Re: Event Data Versus Flow Data

What about the bottom slider? Should that be changed to match?

sssyyy
Reliable Contributor
Message 6 of 7

Re: Event Data Versus Flow Data

Yeah, you use the slider to adjust the scale between event and flows. Note the DB will rebuild, so outage in GUI.

Former Member
Message 7 of 7

Re: Event Data Versus Flow Data

Tangential data point: I used to be a huge proponent of netflow data in the SIEM, but over the years I've come to realize that in most cases the most critical netflows are already being logged as flow setups/teardowns by your firewall. Beyond that the use case becomes to track lateral traffic, but I think even that should be collected opportunistically to support use cases and not wholesale across the org. Even better would be to deploy security sensors internally and collect from those instead for increased lateral visibility.
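The last reply's point, that firewall connection setup/teardown logs already carry most of what netflow would add, can be made concrete by pairing those two log records into flow-like records (start, end, bytes, endpoints) and then picking out the internal-to-internal ones that matter for lateral-movement visibility. The following is an added example, not code from the thread or from McAfee; the log format it parses (`CONN_BUILT` / `CONN_TEARDOWN` lines with `key=value` fields) and the sample lines are constructed for illustration and do not correspond to any specific firewall vendor's syslog format.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines in a generic, vendor-neutral format (assumption:
# this is not any real firewall's syslog format). Connection 1004 never
# tears down, so it stays "open" at the end of the sample.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 CONN_BUILT id=1001 proto=tcp src=10.0.1.15:51234 dst=10.0.2.7:445
2024-05-01T10:00:02Z fw1 CONN_BUILT id=1002 proto=tcp src=10.0.1.15:51240 dst=93.184.216.34:443
2024-05-01T10:00:09Z fw1 CONN_TEARDOWN id=1001 bytes=18240 reason=FIN
2024-05-01T10:00:03Z fw1 CONN_BUILT id=1003 proto=udp src=10.0.3.9:53122 dst=10.0.0.53:53
2024-05-01T10:00:04Z fw1 CONN_TEARDOWN id=1003 bytes=312 reason=TIMEOUT
2024-05-01T10:00:30Z fw1 CONN_TEARDOWN id=1002 bytes=904211 reason=FIN
2024-05-01T10:00:31Z fw1 CONN_BUILT id=1004 proto=tcp src=10.0.1.15:51300 dst=10.0.2.8:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>CONN_BUILT|CONN_TEARDOWN) (?P<kv>.*)$"
)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _split_endpoint(ep):
    # "10.0.1.15:51234" -> ("10.0.1.15", 51234); rpartition keeps IPv6 literals intact
    host, _, port = ep.rpartition(":")
    return host, int(port)


def parse_flows(log_text):
    """Pair CONN_BUILT / CONN_TEARDOWN records by connection id into flow records.

    Returns (completed, still_open): completed flows carry end time, byte count
    and duration; still_open are setups with no teardown seen yet.
    """
    open_conns = {}
    completed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, ignore
        kv = dict(tok.split("=", 1) for tok in m["kv"].split())
        cid = kv["id"]
        if m["kind"] == "CONN_BUILT":
            src_ip, src_port = _split_endpoint(kv["src"])
            dst_ip, dst_port = _split_endpoint(kv["dst"])
            open_conns[cid] = {
                "id": cid, "proto": kv["proto"],
                "src_ip": src_ip, "src_port": src_port,
                "dst_ip": dst_ip, "dst_port": dst_port,
                "start": _parse_ts(m["ts"]), "end": None, "bytes": None,
            }
        else:
            flow = open_conns.pop(cid, None)
            if flow is None:
                continue  # teardown with no matching setup (lost or rotated line)
            flow["end"] = _parse_ts(m["ts"])
            flow["bytes"] = int(kv.get("bytes", 0))
            flow["duration_s"] = (flow["end"] - flow["start"]).total_seconds()
            completed.append(flow)
    return completed, list(open_conns.values())


def lateral_flows(flows, internal_nets):
    """Keep only flows whose source and destination are both inside internal_nets,
    i.e. the east-west traffic the firewall happened to see."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    return [f for f in flows if is_internal(f["src_ip"]) and is_internal(f["dst_ip"])]


if __name__ == "__main__":
    done, still_open = parse_flows(SAMPLE_LOG)
    for f in lateral_flows(done, ["10.0.0.0/8"]):
        print(f"{f['proto']} {f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
              f"{f['duration_s']:.0f}s {f['bytes']} bytes")
    print(f"{len(still_open)} connection(s) still open")
```

The pairing step is the part that matters: a teardown line alone tells you nothing without its setup, so the parser keeps unmatched setups rather than dropping them, and a teardown whose setup was lost is skipped instead of producing a half-empty record. Only traffic that actually crossed the firewall appears here, which is the limitation the reply raises about lateral visibility.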
