According to the data flow used by McAfee SIEM, there are a few points of delay. I will try to list what I know below:
(1) For agents like Windows Agents, events will be sent in a timely manner, at a 5-minute interval. This value isn't configurable.
(2) ESM will pull events & flows from the Receiver every 10 minutes by default. This value is configurable. You can change it in "System Properties -> Events, Flows & Logs". The lowest value is 1 minute.
(3) ELM will pull raw logs from the Receiver if the size of the raw log file for that data source exceeds 5 MB, or otherwise waits for 12 hours. This condition isn't configurable.
For (1), you can avoid it by using agent-less collection if possible. Syslog is real-time in this case. There is a setting for the interval value for the file transfer & WMI retrieval methods.
For (3), things would be OK for busy data sources. For those that do not give us enough information, we have no choice but to wait 12 hours, anyway.
The only configuration left is (2). I'm not sure what the side effects are if we change this value to 1 minute. IMHO, the aggregation ratio will be reduced. Is 1 minute a practical value? Any other side effects? Please share your thoughts & experience!!
One more question: are there any plans in the near future to change this architecture? Is it on the roadmap??
Parinya

Message was edited by: parinya.ekparinya on 1/22/13 2:20:22 AM CST
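The three stages in the post are periodic or size-triggered batches, so the practical question ("which data sources will be stuck behind the 12-hour ELM timer, and how much does the ESM pull interval contribute to the lag?") can be answered with a small model. The following is an added example written for this thread, not code from McAfee or from the original poster. It takes the 5-minute agent interval, the 10-minute/1-minute ESM pull interval and the 5 MB / 12-hour ELM thresholds from the post as given; the event rates and event sizes used as inputs are constructed values, and the batch simulation is a generic size-or-age batching model, not a description of how the Receiver actually writes its files.

```python
"""Latency model for the polling/batching stages described in the post.

Numbers taken from the post: agent interval 5 min, ESM pull 10 min (min 1 min),
ELM raw-log hand-off when the file exceeds 5 MB or after 12 h.
Everything else (event rates, event sizes) is constructed for illustration.
"""

MB = 1024 * 1024
MINUTE = 60.0
HOUR = 3600.0

# Values stated in the post (assumed correct for this model).
AGENT_INTERVAL_S = 5 * MINUTE
ESM_PULL_DEFAULT_S = 10 * MINUTE
ESM_PULL_MIN_S = 1 * MINUTE
ELM_SIZE_THRESHOLD_B = 5 * MB
ELM_TIME_THRESHOLD_S = 12 * HOUR


def worst_case_event_latency_s(agent_interval_s, esm_pull_interval_s):
    """Upper bound on time from event generation to visibility in ESM.

    Each periodic stage can add up to one full interval (the event arrives just
    after the previous push/pull). Pass agent_interval_s=0 for agent-less
    syslog, which the post describes as real-time.
    """
    return agent_interval_s + esm_pull_interval_s


def elm_breakeven_rate_bps(size_threshold_b=ELM_SIZE_THRESHOLD_B,
                           time_threshold_s=ELM_TIME_THRESHOLD_S):
    """Raw-log rate (bytes/s) above which the size trigger fires before the
    time trigger. Data sources below this rate are bound by the 12 h wait."""
    return size_threshold_b / time_threshold_s


def elm_flush_delay_s(bytes_per_second, size_threshold_b=ELM_SIZE_THRESHOLD_B,
                      time_threshold_s=ELM_TIME_THRESHOLD_S):
    """Worst-case wait for a byte written right after a flush: the file is
    handed over when it reaches the size threshold or the age threshold,
    whichever comes first, at a steady rate."""
    if bytes_per_second <= 0:
        return time_threshold_s
    return min(size_threshold_b / bytes_per_second, time_threshold_s)


def simulate_batch_latency(event_times_s, event_size_b, size_threshold_b,
                           time_threshold_s):
    """Replay event timestamps through a size-or-age batch.

    Returns the per-event delay (flush time minus event time). A batch is
    flushed when its accumulated bytes reach size_threshold_b, or when its
    age reaches time_threshold_s; a trailing partial batch is flushed by the
    age timer. This is a generic batching model, not the Receiver's code.
    """
    delays = []
    batch, batch_bytes, batch_open_at = [], 0, None

    def flush(at):
        nonlocal batch, batch_bytes, batch_open_at
        delays.extend(at - t for t in batch)
        batch, batch_bytes, batch_open_at = [], 0, None

    for t in sorted(event_times_s):
        # Age-based flush fires on its own timer, before this event is added.
        if batch_open_at is not None and t - batch_open_at >= time_threshold_s:
            flush(batch_open_at + time_threshold_s)
        if batch_open_at is None:
            batch_open_at = t
        batch.append(t)
        batch_bytes += event_size_b
        if batch_bytes >= size_threshold_b:
            flush(t)
    if batch:
        flush(batch_open_at + time_threshold_s)
    return delays


if __name__ == "__main__":
    # Constructed scenario: a quiet firewall at 0.2 events/s, 250 bytes each.
    quiet_bps = 0.2 * 250
    print("ELM break-even rate: %.1f B/s" % elm_breakeven_rate_bps())
    print("quiet source (%.0f B/s) raw-log delay: %.1f h"
          % (quiet_bps, elm_flush_delay_s(quiet_bps) / HOUR))
    for pull in (ESM_PULL_DEFAULT_S, ESM_PULL_MIN_S):
        print("agent + ESM pull %dm -> worst case %.0f min"
              % (pull / MINUTE,
                 worst_case_event_latency_s(AGENT_INTERVAL_S, pull) / MINUTE))
        print("syslog + ESM pull %dm -> worst case %.0f min"
              % (pull / MINUTE, worst_case_event_latency_s(0, pull) / MINUTE))
```

The break-even rate (about 121 B/s, roughly one 120-byte line per second) is the line between "busy" and "not busy" for the ELM stage as the post describes it: a data source below it cannot get its raw logs to the ELM faster than the 12-hour timer no matter what is configured, while the ESM pull interval only changes the event (not raw-log) path, from a worst case of 15 minutes to 6 minutes with agents, or from 10 minutes to 1 minute with syslog.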
Thank you very much for the information.
Is there any reference regarding the ELM time window above?
I haven't seen it in the Release Notes or the ESMI User Guide, anyway.
For (2), do you have any experience or useful information to share about a practical value for the event pulling interval?
Did you ever get any further with this?
We are starting to see some use cases where a reduced lag is desirable, and I have been looking at the 10-minute interval and wondering what the effects of reducing this would be.
Does anyone have experience with this?