How to make McAfee SIEM near real-time as much as possible

Dear guys,

According to the data flow used by McAfee SIEM, there are a few points of delay. I will try to list what I know below:

(1) For agents like the Windows Agent, events are sent on a timer, at a 5-minute interval. This value isn't configurable.

(2) ESM will pull events & flows from the Receiver every 10 minutes by default. This value is configurable. You can change it in "System Properties -> Events, Flows & Logs". The lowest value is 1 minute.

(3) ELM will pull raw logs from the Receiver if the size of the raw log file for that data source exceeds 5 MB, or after waiting 12 hours. This condition isn't configurable.

For (1), you can avoid it by using agent-less collection if possible. Syslog is real-time in this case. There is an interval setting for the file transfer & WMI retrieval methods.

For (3), things would be OK for busy data sources. If those ones do not give us enough information, we have no choice but to wait 12 hours, anyway.

The only configuration left is (2). I'm not sure what the side effect is if we change this value to 1 minute. IMHO, the aggregation ratio will be reduced. Is 1 minute a practical value? Any other side effect? Please share your thoughts & experience!!

One more question: Any plan in the near future to change this architecture? Is it in the roadmap??

Best regards,

Parinya

Message was edited by: parinya.ekparinya on 1/22/13 2:20:22 AM CST
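To reason about the three delay points above as a latency budget, here is a small model (added here as an illustration, not code from McAfee or from the original post). It takes the intervals exactly as stated in the post (5-minute agent push, ESM pull interval, 5 MB-or-12-hour ELM trigger) and shows how a source's log rate decides whether the size threshold or the time window drives ELM archiving. The rate figures passed in below are constructed examples.

```python
from typing import Optional, Tuple

# Delay points as described in the post. Polling intervals are in minutes.
AGENT_INTERVAL_MIN = 5.0        # Windows Agent push interval (not configurable)
ESM_PULL_DEFAULT_MIN = 10.0     # ESM pulls events/flows from the Receiver (min 1)
ELM_SIZE_TRIGGER_MB = 5.0       # ELM pulls raw logs when the file exceeds 5 MB ...
ELM_TIME_WINDOW_HOURS = 12.0    # ... or after this window (12 h in the post)


def esm_visibility_lag(agent_interval_min: Optional[float],
                       esm_pull_min: float) -> Tuple[float, float]:
    """Return (average, worst-case) minutes from an event occurring on the
    source to it being queryable on the ESM. Each polling stage adds half its
    interval on average and the full interval at worst. Pass None for the agent
    interval with agent-less collection (syslog), which the post treats as
    real-time; only the ESM pull stage then remains."""
    stages = [esm_pull_min] + ([agent_interval_min] if agent_interval_min else [])
    return sum(s / 2.0 for s in stages), float(sum(stages))


def elm_archive_lag_hours(log_rate_kb_per_min: float,
                          size_trigger_mb: float = ELM_SIZE_TRIGGER_MB,
                          window_hours: float = ELM_TIME_WINDOW_HOURS) -> float:
    """Hours until a data source's raw log batch is pulled to the ELM: the
    size threshold or the time window, whichever is hit first."""
    if log_rate_kb_per_min <= 0:
        return window_hours
    minutes_to_fill = size_trigger_mb * 1024.0 / log_rate_kb_per_min
    return min(minutes_to_fill / 60.0, window_hours)


def min_rate_for_size_trigger(size_trigger_mb: float = ELM_SIZE_TRIGGER_MB,
                              window_hours: float = ELM_TIME_WINDOW_HOURS) -> float:
    """Log rate (KB/min) a source must sustain so the size threshold, not the
    time window, drives archiving: the post's 'busy data source' case."""
    return size_trigger_mb * 1024.0 / (window_hours * 60.0)


if __name__ == "__main__":
    for label, agent in (("Windows Agent", AGENT_INTERVAL_MIN), ("syslog", None)):
        for pull in (ESM_PULL_DEFAULT_MIN, 1.0):
            avg, worst = esm_visibility_lag(agent, pull)
            print(f"{label:13s} ESM pull {pull:4.0f} min: avg {avg:5.1f} min, worst {worst:5.1f} min")
    for rate in (100.0, 1.0):  # constructed example rates, KB/min
        print(f"ELM lag at {rate} KB/min: {elm_archive_lag_hours(rate):.2f} h")
    print(f"rate needed for 5 MB before 12 h: {min_rate_for_size_trigger():.2f} KB/min")
```

The ELM window is 4 hours rather than 12 on newer releases, as a reply below states; pass `window_hours=4.0` to model that.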
6 Replies
McAfee Employee

Re: How to make McAfee SIEM near real-time as much as possible

For 3, it is actually a 4 hour window or 5 MB, whichever happens first. I believe this was changed in 9.1.3.

Re: How to make McAfee SIEM near real-time as much as possible

Dear Kara,

Thank you very much for the information.

Is there any reference regarding ELM time window above?

I haven't seen it in the Release Notes or the ESMI User Guide, anyway.

For (2), do you have any experience or useful information to share about a practical value for the event pulling interval?

Best regards,

Parinya

Re: How to make McAfee SIEM near real-time as much as possible

Did you ever get any further with this?

We are starting to see some use cases where a reduced lag is desirable, and I have been looking at the 10 minute interval and wondering what the effects of reducing this would be.

Does anyone have experience with this?

cheers,

Andrew

Re: How to make McAfee SIEM near real-time as much as possible

Hi,

Can someone tell us how to download the SIEM agent? Can someone share it?

Regards,

Eyad

dcobes
Level 9

Re: How to make McAfee SIEM near real-time as much as possible

Eyad,

You can grab the SIEM agent from the Downloads section in the Customer Portal.

-d

rth67
Level 12

Re: How to make McAfee SIEM near real-time as much as possible

Like someone else said, it is under Downloads in the Customer Portal. It is under the "Receiver" downloads.