cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
aygitci
Level 7
Report Inappropriate Content
Message 1 of 8
‎12-03-2014 10:21 AM

McAfee SIEM components communication

Jump to solution

Hi,

In this classic McAfee SIEM architecture, can someone confirm the flows between components (standalone) when handling an event :

In the picture above, I have doubts regarding the order of the sequence when a log/event is received and parsed by the ERC.

The next steps is not clear :

     - the event is stored in ELM -> sent to ESM -> Correlated by ACE ?

or

     - the event is stored in ELM -> sent to ACE for correlation -> sent to ESM ?

and

     - is the event non-parsed sent to ELM for storage or for other purpose ? or this step doesn't exist ?

     - when an alarm is triggered by the ESM, this one is stored in the ESM or the ELM ?

Thanks very much

Regards

AyGitci

0 Kudos
Reply
1 Solution

Accepted Solutions
mcgarl1
Level 9
Report Inappropriate Content
Message 2 of 8
‎12-03-2014 01:38 PM

Re: McAfee SIEM components communication

Jump to solution

Hi Ay,

The steps are as follows:

  1. Raw log events are sent to the receiver from the data sources
  2. The raw logs are sent directly to the ELM from the receiver
    1. Parsed event are sent to the ESM
  3. The ESM send these parsed events to the ACE for Correlation

See my diagram below:

SIEM Architecture.PNG

View solution in original post

Reply
7 Replies
mcgarl1
Level 9
Report Inappropriate Content
Message 2 of 8
‎12-03-2014 01:38 PM

Re: McAfee SIEM components communication

Jump to solution

Hi Ay,

The steps are as follows:

  1. Raw log events are sent to the receiver from the data sources
  2. The raw logs are sent directly to the ELM from the receiver
    1. Parsed event are sent to the ESM
  3. The ESM send these parsed events to the ACE for Correlation

See my diagram below:

SIEM Architecture.PNG

View solution in original post

Reply
spamidi
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 8
‎12-15-2014 07:33 PM

Re: McAfee SIEM components communication

Jump to solution

Hello,

Thank you for your answer. On the workflow for the Parsed events, once the events are collected by the collector process and parsed by the parser process, the parsed events are inserted into the Receiver's database.  Based on the polling interval (10 mins) by default, the ESM will retrieve the events and flows by querying the Receiver database and then inserts them into the database running on the ESM.

Thank you.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Reply
itzamlan
Level 7
Report Inappropriate Content
Message 4 of 8
‎08-29-2016 02:37 PM

Re: McAfee SIEM components communication

Jump to solution

but there is connection in between the ELM and ESM also, while querying ELM search information from the ESM.

0 Kudos
Reply
kmc
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 8
‎08-30-2016 05:45 AM

Re: McAfee SIEM components communication

Jump to solution

One more thing the ESM will pull events from receiver and receiver never pushes the events to ESM, additionally the ESM will push events to the correlation even though it's hosted on the Receiver.

​ yes there is AES encrypted connection between ESM and ELM as well.

Regards,

KMC

0 Kudos
Reply
itzamlan
Level 7
Report Inappropriate Content
Message 6 of 8
‎08-30-2016 01:16 PM

Re: McAfee SIEM components communication

Jump to solution

​ how does the parsing happens while pulling logs from ELM? As ELM contains the raw logs. Or is it like the ELM contains the raw logs as well as the parsed logs, serving as a kind of backup/repository to the ESM?

0 Kudos
Reply
kmc
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 8
‎08-31-2016 12:49 AM

Re: McAfee SIEM components communication

Jump to solution

I believe parsing is not happens ween you pulling/Searching logs from ELM.

ELMs collect and store raw logs for compliance purposes and raw log search only. ELMs can also perform full text indexing of stored logs. ELMs also provide a forensically sound audit trail of logs and its actually optional for the overall system.

0 Kudos
Reply
andy777
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 8
‎09-06-2016 02:55 PM

Re: McAfee SIEM components communication

Jump to solution 
how does the parsing happens while pulling logs from ELM? As ELM contains the raw logs. Or is it like the ELM contains the raw logs as well as the parsed logs, serving as a kind of backup/repository to the ESM?

There are essentially two copies of the data. The ESM holds the parsed and aggregated version of the original logs stored on the ELM. The ESM database has records and record-ID can represent many aggregated events. The records are tied to the events they represent in the ELM which allows for the "ELM Archive" tab to go and pull the relevant events when you are looking at an aggregated event in the ESM. The chief purpose of the ELM is to meet various compliance standards that mandate the long term storage of original logs for some period of time.

I think the solution will see expanded logging functionality in a future release. Thanks.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC