Mcafee SIEM

Dear,

I have some queries regarding McAfee SIEM.

1. If we need to set up a virtual machine with 32 cores, do we need to buy 4 x 8 cores licence to make that machine functional?

2. What is the relationship for cores vs. EPS? How many cores will be supporting how many EPS in this new model?

3. What about that licencing model now? We have a licencing model based on EPS, for up to 5000 EPS. Is it completely changing with this EOL, or will it be working in parallel to this new core-based licensing model?

Basically, I need to understand this change completely.

5 Replies
Reliable Contributor David1111
Message 2 of 6

Re: Mcafee SIEM

Hi, great questions.

1 big answer.

McAfee1.PNG

McAfee2.PNG

Best regards 👍👍👍

David.

Re: Mcafee SIEM

Thanks David for your answer. Can you please clarify more for me about the licensing of 5000 EPS on a VM?
Reliable Contributor brenta
Message 4 of 6

Re: Mcafee SIEM

The EPS counts are only estimations. It is licensed by device, not by EPS like QRadar or Splunk with its data index amount. You are free to use the hardware as efficiently or as inefficiently as you wish.

Depending on the types of events, you can greatly exceed the 5000 estimation or fall far short. It really depends how efficiently you make everything operate.

Brent

Re: Mcafee SIEM

Thanks a lot Brent.
Reliable Contributor brenta
Message 6 of 6

Re: Mcafee SIEM

If you are looking for a suggestion on what to get to get started with, I am going to guess you have at least a medium-size enterprise, considering you are looking at running it yourself and not at an MSP.

I would suggest getting the following:

  • 8-core ESM VM
  • 8-core Event Receiver VM
  • 8-core ACE VM
  • 8-core ELM VM

It is basically everything you need to get started. 8 cores go quite far if you do things like disabling hyper-threading and such. To get the most out of the cores, get CPUs with large L2 caches.

I don't recall the VMs limiting memory, so even though the licensing document says 16GB, I believe you can assign it whatever you want, and it will just use it. In reality, memory is never the limiting factor; it always ends up being disk I/O on the ESM. Having a nice mix of disk types would be important: some fast stuff for the ESM and some slower disks for the ELM storage. The ACE and Event Receiver are not that disk hungry.

Brent