
How to make McAfee SIEM near real-time as much as possible

Dear guys,

According to the data flow used by McAfee SIEM, there are a few points of delay. I try to list what I know below:

(1) For agents like the Windows Agents, events will be sent in a timely manner, at a 5 minute interval. This value isn't configurable.

(2) ESM will pull events & flows from the Receiver every 10 minutes by default. This value is configurable. You can change it in "System Properties -> Events, Flows & Logs". The least value is 1 minute.

(3) ELM will pull raw logs from the Receiver if the size of the raw log file for that data source exceeds 5 MB, or after waiting 12 hours. This condition isn't configurable.

For (1), you can avoid it by using agent-less collection if possible. Syslog is real-time in this case. There is a setting for the interval value for the file transfer & WMI retrieval methods.

For (3), things would be OK for busy data sources. If those ones do not give us enough information we have no choice but to wait 12 hours, anyway.

The only configuration left is (2). I'm not sure what the side effect is if we change this value to 1 minute. IMHO, the aggregation ratio will be reduced. Is 1 minute a practical value? Any other side effect? Please share your thoughts & experience!!

One more question: Any plan in near-future to change this architecture? Are they in the roadmap??

Best regards,

Parinya

Message was edited by: parinya.ekparinya on 1/22/13 2:20:22 AM CST
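To reason about the three delay points listed in the post, here is an added latency-budget model (example code, not from the original thread or from McAfee). It uses only the figures quoted in the thread; the ELM window is a parameter because the post says 12 hours while the employee reply below says 4 hours since 9.1.3.

```python
"""Latency-budget model for the McAfee SIEM collection path described in the thread.

Constructed example: the intervals and thresholds are the values quoted in the
thread, not measurements from a live ESM/Receiver/ELM deployment.
"""
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass(frozen=True)
class Pipeline:
    agent_interval_s: float            # 5 min for Windows Agents; 0 for agent-less syslog
    esm_pull_interval_s: float         # "System Properties -> Events, Flows & Logs", min 1 min
    elm_size_threshold_b: int = 5 * MB  # Receiver hands raw log to ELM once the file exceeds this
    elm_time_window_s: float = 4 * 3600  # ... or when this much time has passed (post: 12 h)


def worst_case_esm_lag(p: Pipeline) -> float:
    """Worst case: an event is created just after an agent batch leaves and just
    after an ESM pull finishes, so it waits one full cycle of each stage."""
    return p.agent_interval_s + p.esm_pull_interval_s


def elm_flush_delay(p: Pipeline, raw_bytes_per_second: float) -> float:
    """Time until a data source's raw log reaches the ELM: whichever of the size
    threshold or the time window is hit first, as the thread describes."""
    if raw_bytes_per_second <= 0:
        return p.elm_time_window_s            # an idle source only flushes on the timer
    seconds_to_fill = p.elm_size_threshold_b / raw_bytes_per_second
    return min(seconds_to_fill, p.elm_time_window_s)


def min_rate_for_size_flush(p: Pipeline) -> float:
    """Raw-log rate (bytes/s) above which a source is 'busy' in the post's sense:
    the 5 MB threshold triggers before the time window does."""
    return p.elm_size_threshold_b / p.elm_time_window_s


if __name__ == "__main__":
    default = Pipeline(agent_interval_s=300, esm_pull_interval_s=600)
    tuned = Pipeline(agent_interval_s=0, esm_pull_interval_s=60)  # syslog + 1 min pull
    print(f"worst-case ESM lag, defaults : {worst_case_esm_lag(default) / 60:.0f} min")
    print(f"worst-case ESM lag, tuned    : {worst_case_esm_lag(tuned) / 60:.0f} min")
    for window_h in (4, 12):
        p = Pipeline(0, 60, elm_time_window_s=window_h * 3600)
        print(f"{window_h:>2} h window: source must exceed "
              f"{min_rate_for_size_flush(p):.0f} B/s to flush on size")
```

The model shows what tuning (2) buys on the ESM side and how busy a source must be before point (3) stops being governed by the time window; it says nothing about the aggregation-ratio trade-off the post asks about.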
6 Replies
McAfee Employee

Re: How to make McAfee SIEM near real-time as much as possible

For 3, it is actually a 4 hour window or 5 MB, whichever happens first. I believe this was changed in 9.1.3.


Re: How to make McAfee SIEM near real-time as much as possible

Dear Kara,

Thank you very much for the information.

Is there any reference regarding ELM time window above?

I haven't seen it in Release Note or ESMI User Guide, anyway.

For (2), do you have any experience or useful information sharing about practical value for events pulling interval?

Best regards,

Parinya


Re: How to make McAfee SIEM near real-time as much as possible

Did you ever get any further with this?

We are starting to see some use cases where a reduced lag is desirable, and I have been looking at the 10 minute interval and wondering what the effects of reducing it would be.

Does anyone have experience with this?

cheers,

Andrew


Re: How to make McAfee SIEM near real-time as much as possible

Hi,

Can someone tell us how to download the SIEM agent? Can someone share it?

Regards,

Eyad


Re: How to make McAfee SIEM near real-time as much as possible

Eyad,

You can grab the SIEM agent from the Downloads section in the Customer Portal.

-d


Re: How to make McAfee SIEM near real-time as much as possible

Like someone else said, it is under Downloads in the Customer Portal. It is under the "Receiver" downloads.
