Is there a possibility that the ELM does not generate current events for some issue with the local storage space?

ELM will treat the .elm files as containers and will expire any logs that are out of retention period. So as new logs come in they 'overwrite' the space used by the expired logs - effectively reusing the space.

You may want to log an SR with support and share the output of the following command:
./elm-info.sh 

The command generates a file on the /root folder which you can share with support for investigation.

I understand the part of "overwrite" when the files exceed the retention time, but in my case I do not have the option of active data retention, the option I have is "save all the data that the system allows"

So the Data Retention setting that you refer to is from the ESM Properties dialog and is applicable for parsed data being inserted to the ESM Database. The ELM retentions is based on the retention setting configured for each storage pool when the storage pool is defined.
You can check this value for a specific storage pool by selecting the pool and click 'Edit'

thanks for your quick responses, I really appreciate it. Regarding the space in "storage groups" I notice that the ELM device does not have any storage group. I even get the below message

("The ELM admin database currently resides on the system drive along with the rest of the OS. If this drive runs out of free space, it will stop logging and existing log data They will be lost. McAfee strongly recommends moving the database to a storage device with a minimum of 500GB of free space. If your ELM is SAN-compliant, configure the SAN volumes first and then migrate the database using the option on the receiver setup tab. ")

Right - so that looks like your management database is on the local storage (/elm_storage/local) which is a separate disk on a Physical ELM box and should be enough for the short term if you are only going to store the management database and not use the same storage for allocating space to different storage pools.

The management database size can grow over time to fill up the disk depending on how many index partition files it has to maintain for the .elm files and for how long. 

Based on the message and what you mention, you are yet to define a storage pool..

What model of appliance is this?

Refer to the following community link for configuring ELM Storage pool:

SIEM Foundations: Define ELM Storage Pools

https://community.mcafee.com/t5/Enterprise-Documents/SIEM-Foundations-Define-ELM-Storage-Pools/ta-p/...

I have data from many data sources since 2019, can you provide me with any command to see the disk space of the physical ELM, in the console or if you know a way to see the space of the ELM via the graphical interface, could you please provide it to me?

Hi,

I gather when you say data from many data sources - you refer to the ESM with its parsed events. 

Like I said earlier, ELM has two components - the management database which holds index of the elm files and configuration data and second would be the elm files themselves which can be on the local storage or remote share.

If you can share a screen capture of the ELM Properties and ELM Properties Data page  - that will help me understand your config. From your earlier replies it appears the ELM Is not configured with storage pools. Without this there wont be any logging happening.

If you are certain the ELM was configured and logging was enabled for one or more data sources than please log a support SR so we can look into it.

Regarding the free space - if you can SSH to the ELM and run this command to check on disk space:

df -h

If you have ELM configured with storage pools - you can navigate to the ELM Properties page.

Refer this link for the steps:
View ELM storage usage

https://docs.mcafee.com/bundle/enterprise-security-manager-11.1.x-installation-guide/page/GUID-CA6A8...