We're about to do a SIEM full backup for the whole database of the ESM. This will cover approximately 6TB.
Will there be a compression for this?
Another thing we are concerned about is the backup time period. Can it take more than 3 days?
I understand that all events will be coming in to the Receiver and until the ESM is available, it will consume hard drive space. How can I monitor this? Will the df -h command suffice?
It depends partially on what you are backing up to: a Redundant SIEM, SAN storage (SSD, Fibre Channel, iSCSI, SATA), an NFS or CIFS share, DAS? And on the speed of the network / switches you are backing up over (LAN or WAN)?
We replaced our Primary ESM last year: we did a Full Backup to the Redundant, then did a copy to the new / replacement X3. At the time we had over 4TB of data on the ESM itself (we did not have to back up / copy the data on the attached DAS, as the new ESM would be attached to the same).
As I recall it took a little over a day for each copy / backup.
You can use df -h to monitor the space on your Receivers.
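A way to turn the df -h advice above into something that watches the Receiver's event partition for you while the ESM is offline. This is an added example, not code from the original thread or from the ESM product: the mount point (/data), the 85% threshold and the sample df output are all assumptions, so adjust them to your Receiver before use.

```shell
#!/bin/sh
# Added example, not from the original thread: a small watcher for the
# Receiver's event partition while the ESM is unavailable. The mount point
# (/data), the 85% alert threshold and SAMPLE_DF are assumptions.

# Parse a POSIX "df -P" listing on stdin and print the Use% (without the
# '%' sign) for the line whose mount point matches $1. Exits non-zero when
# no line matches, so callers can tell "not mounted" from "0% used".
usage_pct_from_df() {
    awk -v m="$1" '
        $NF == m { sub(/%/, "", $5); print $5; found = 1 }
        END { if (!found) exit 1 }'
}

# Live reading: "df -P -k PATH" prints exactly one data line, whose last
# field is the real mount point even if PATH is a directory inside it.
usage_pct() {
    mnt=$(df -P -k "$1" | awk 'NR == 2 { print $NF }')
    df -P -k "$1" | usage_pct_from_df "$mnt"
}

# Return 0 while usage $1 is below threshold $2, 1 once it has reached it.
below_threshold() {
    [ "$1" -lt "$2" ]
}

# Poll every $3 seconds (default 300) and print a warning line whenever the
# partition is at or above the threshold. Run it under nohup or in screen
# for the duration of the ESM backup / restore.
watch_receiver_space() {
    mnt="${1:-/data}"; limit="${2:-85}"; interval="${3:-300}"
    while :; do
        pct=$(usage_pct "$mnt") || { echo "cannot read df for $mnt"; return 1; }
        if below_threshold "$pct" "$limit"; then
            echo "$(date '+%F %T') $mnt at ${pct}% (limit ${limit}%)"
        else
            echo "$(date '+%F %T') WARNING: $mnt at ${pct}% >= ${limit}%," \
                 "check the ESM restore progress"
        fi
        sleep "$interval"
    done
}

# Constructed sample "df -P -k" output so the parser can be exercised offline.
SAMPLE_DF='Filesystem     1024-blocks      Used  Available Capacity Mounted on
/dev/sda3        959863676 873473945   37519135      96% /data
/dev/sda1          1038336    212340     825996      21% /boot'

# Run the parser over the constructed sample for mount point $1.
sample_usage() {
    printf '%s\n' "$SAMPLE_DF" | usage_pct_from_df "$1"
}
```

Usage: source the file and call watch_receiver_space /data 85 300 (mount point, percent threshold, poll interval in seconds). The parser reads df -P rather than df -h because -P guarantees one line per filesystem and stable column positions; df -h is fine for a quick look but wraps long device names onto two lines, which breaks column-based parsing.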