SIEM Distribution Charts

Can anyone tell me the difference between event distribution charts and collection rate distribution? They are "almost" pretty much the same.

Which chart should I look at if I want to see gaps in my data, meaning there are missing log events?

Accepted Solutions
Re: SIEM Distribution Charts

Event rate describes the distribution of events after they are parsed and inserted in the database.  It has no memory of how/when those events got to us.

Collection rate describes how the events come into the SIEM.  Events may come to us in bursts, may have latency between the time they are generated and the time they are sent to the SIEM, and may come out-of-order. 

As an extreme, simplistic example, imagine that you have a data source that generates a reliable 10 events/sec.  The events are batched up and sent to the SIEM 1/hour.  At the end of the hour, once we collect, parse, and store the events for that hour, you will see that you have an event rate of a solid 10 events/sec.  The collection rate will be 0 for most of the hour, and 36,000 events/sec (10 events/sec * 60 sec/min * 60 min/hr) for the last second.

Scott

Re: SIEM Distribution Charts

Ohh. Nice. Thanks for your answer.

One last thing, so is there a way for the SIEM to determine if there are missing logs from the different data sources, if there is a gap in between the normalized logs?

Re: SIEM Distribution Charts

Best practice is to use inactivity timers on your data sources to alert you to unexpected gaps in log collection.  You can configure inactivity timers as appropriate for each data source, and then use Alarms to alert you to unexpected outages.

Scott
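The batching example above and the inactivity-timer advice, worked through in code. This is an added illustration, not part of the thread and not McAfee code: it builds two constructed data sources (a hypothetical source shipping a 10 events/sec stream once an hour, and a hypothetical near-real-time source with a dropped window), charts them by generation time (event rate) and by arrival time (collection rate), and runs a simple inactivity timer over the arrival times.

```python
from collections import Counter

# Constructed sample data (not from the thread): (generated_ts, received_ts)
# pairs in whole seconds over one hour, for two hypothetical data sources.

def make_batched_events(rate=10, seconds=3600):
    """Steady `rate` events/sec, batched and shipped once at the end of the hour."""
    ship_at = seconds - 1
    return [(sec, ship_at) for sec in range(seconds) for _ in range(rate)]

def make_streamed_events(rate=10, seconds=3600, latency=2, dropped=range(1200, 1800)):
    """Near-real-time source with fixed latency and a window where nothing arrives."""
    return [(sec, sec + latency) for sec in range(seconds)
            if sec not in dropped for _ in range(rate)]

def event_rate(events, seconds):
    """Events/sec keyed by the parsed (generation) timestamp: the event rate chart."""
    counts = Counter(gen for gen, _ in events)
    return [counts[s] for s in range(seconds)]

def collection_rate(events, seconds):
    """Events/sec keyed by arrival at the SIEM: the collection rate chart."""
    counts = Counter(recv for _, recv in events)
    return [counts[s] for s in range(seconds)]

def inactivity_gaps(received_ts, timeout, window_start, window_end):
    """Inactivity timer: intervals longer than `timeout` seconds with no arrivals."""
    gaps, last_seen = [], window_start
    for t in sorted(set(received_ts)):
        if t - last_seen > timeout:
            gaps.append((last_seen, t))
        last_seen = t
    if window_end - last_seen > timeout:
        gaps.append((last_seen, window_end))
    return gaps

if __name__ == "__main__":
    batched = make_batched_events()
    # Event rate looks perfectly steady; collection rate is 0 until the final second.
    print("batched event rate values:", set(event_rate(batched, 3600)))           # {10}
    print("batched collection rate, last second:", collection_rate(batched, 3600)[3599])  # 36000
    print("batched gaps, 15 min timer:", inactivity_gaps([r for _, r in batched], 900, 0, 3600))
    streamed = make_streamed_events()
    # Here the gap is real: nothing was generated or received for ten minutes.
    print("streamed gaps, 5 min timer:", inactivity_gaps([r for _, r in streamed], 300, 0, 3602))
```

The batched source trips a 15-minute timer for most of the hour even though no events were lost, so the timeout must be set per source to match how that source actually ships its logs.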
