Showing results for 
Search instead for 
Did you mean: 

SIEM Implementation Planning

Hi All,

My Company has purchased ne SIEM Appliance (ETM 5600-ELM). I am looking for help in planning implementation of SIEM Appliance. My question is, where or in which Zone I should place the appliance. Management wants to monitor LAN, WAN, Applicationd, DMZ (ALL) using this appliance. Please suggest further. Also suggest if any exact documentation is there for planning implementation if SIEM Appliance.

Thanks & Regards


7 Replies

Re: SIEM Implementation Planning

Actually depends, there are many things to be considered and maybe one of them will be the network traffic generated.

Due to the fact that there are multiple methods for data collection you should decide what will be your way forward.

If you have some more specific questions please let me know so we could assist

Re: SIEM Implementation Planning

This might be an excellent question to consult with your networking admins on. In a regulated environment you may have many different zones where servers and/or appliances exist. They (network admins) will likely be able to tell you where to best place it. Likely it will end up in a management network zone/internal core/server zone. The placement of the receivers is more critical as they are the work horses of getting and receiving your events.


Re: SIEM Implementation Planning

I believe they are using Combo Device which all in one so all of the traffic will be passing to that device over the network which is not the best

Level 12
Report Inappropriate Content
Message 5 of 8

Re: SIEM Implementation Planning

Did they just purchase the one combo appliance, so your ESM, ELM, and Receiver are all in one box?

If so - I hope you have a small environment, and a low data retention time frame.

How many Data Sources do you estimate you will have? Data Sources being the individual Servers (Windows/Unix/AIX/Linux), Firewalls, IPS, Switches/Routers, etc. that you will be collecting logs for?

We have individual appliances, with our ESM, ELM, ACE (2 of them - Real-time and Historical), APM, DSM, and several receivers are in one VLAN which has now been moved behind Firewall Segmentation. We also have a Receiver in the DMZ, as well as at our DR site, and the DR DMZ, and 4 receivers at other remote locations with large operations.

We also have a separate smaller implementation in the UK due to EU Privacy issues, with the ESM, ELM, ACE and Receiver's in a Firewall Segmented VLAN. Remote Branch locations have minimal servers to monitor and should not be a concern on bandwidth.

Level 9
Report Inappropriate Content
Message 6 of 8

Re: SIEM Implementation Planning

Wow, you have a tough job and I feel for you....   Did the person(s) buying the SIEM just go " Let's get this magic quadrant product and get Anis to go implement? "  Sounds like there has been no planning at all which is a must prior to purchasing something like this.

The buyer should have required a team of "the security guy" plus any the top folks from Network, System Admin, and CISO/ISSO to help with the purchase of this nature.

Not even sure slicing up VLAN's for all you want to cover this is going to cut it. Are you just doing SYSLOG for most things other than applications? you could possibly route the segemeny syslog servers to your single ESM combo box.... but how many EPS ( Events Per Second ) will that generate?

You might want to do some more research yourself which could possibly lead to suggesting the purchase a few receivers and an ADM in addition to what you have to cover what you sated above.

I wish you luck.


Re: SIEM Implementation Planning

Hey there!!! I feel your pain, as management seems to think you plug it in, turn it on and your done. However, having been in those shoes, I ran into many issues, as I have a environment with 3 separate data centers, branches in 4 countries, and 5 states and could not find any real help. Not even from professional services, as my company didn't pay for that type of support. There many considerations that need to be made, however it's actually pretty simple to get up and running, and build on that. So, the initial setup is important, and you want to start out on the right path.

Ultimately, I created my own deployment plan by utilizing:

I could provide more assistance, however you seem to missing a VERY important component. Where is your receiver? You need at the very least a receiver and and ESM to have your "SIEM".

Re: SIEM Implementation Planning

Hey pepelepuu,

Can you please share your deployment plan (high level) if possible?


More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community