We have a plan to upgrade our old SIEM 9.6 (ESM, ERC, ACE and ELM VMs) to 11.x.
What is the best way to do it:
1) Try to perform upgrade procedures on existing system via 9.6 - 10.0 - 11.x or
2) Deploy new fresh SIEM 11.x system and then export rules, alarms, WLs and so on from SIEM 9.6 and import them into SIEM 11
If there's no data inside the 9.6 SIEM that you need, you have a pretty great opportunity that does not come up that often, which is to ensure everything is normalized inside the new environment and make sure any legacy rules, devices, etc. are cleaned out.
How big your device tree is, and whether you need the residual data, would be the primary determining factors on how to proceed.
Really depends on your situation:
- if you got events and config to keep > upgrade as per recommended path
- if you ain't got anything to keep > reimage device straight to newest version
Also, if you are working with physical appliances, remember you have to reimage via DVD and configure network settings via physical monitor and keyboard, etc.