
SIEM Performance Baseline

Has anyone created a baseline for the performance of their SIEM that goes beyond EPS and event distribution? I'm looking for metrics like:

  1. Does the amount of time to run reports change noticeably after performing an upgrade to the system or after adding/deleting data sources?
  2. Does running a query take longer to complete as time goes on between upgrades?
  3. Does reporting in general start having issues over time?

Any feedback or other metric suggestions would be greatly appreciated.



4 Replies

Re: SIEM Performance Baseline

Hi, I also wanted to know how to set up performance monitors, like dashboards and reports, for measuring and monitoring the performance of McAfee Nitro and alerting when there is an anomaly. Where can I find this information?

Re: SIEM Performance Baseline

Assuming you have an enterprise management tool capable of reading SNMP data: if you take a look at the MIB, there's a lot of good data in it that can be added to tools that support it. There are things like incoming event rate, flow rate, CPU loads, HDD performance. Tracking this data over time can give you a good indicator as to when things start slowing down. All you have to query for this is the ESM; it already collects this data from all other devices for you.


Re: SIEM Performance Baseline

Hi Brenta,
I am grateful for your response. Your reply got me thinking about a solution. Do you have any sample queries that I can run in ESM? Second, are you telling me to pull SNMP data into a third-party tool to read the performance? Third, I did not get what MIB is at all.
My requirement is simple:
How is ESM performing?
How many more data sources can it ingest? Or is my solution already dead?
Which receiver/data source is logging an extreme level of events?
How to track quiet data sources which haven't been logging for a long time.

Re: SIEM Performance Baseline

So a MIB is a definition of what data is available via SNMP. You can download the ESM's MIB in the ESM Settings -> SNMP Configuration -> View MIB (near the bottom). Most network teams already have some sort of SNMP tool for monitoring things like switches and routers, so it is fairly likely your enterprise has one available.

Exporting this data to a tool that can graph it over time is extremely valuable to get an idea as to what is happening as data sources are onboarded over time, and as the ESM's database generally fills up to retention.

It is very difficult to tell how many more data sources you can add. There are a lot of factors, such as: how many people are using the GUI on a daily basis, what kind of hardware the SIEM has at its disposal, size and complexity of parsers, correlation rules, etc.

You can get an idea of event rate per second by data source by creating a "Bar Chart" with the built-in query "Collection Rate Per Minute." There also exists a "Last Event Time" report in the ESM settings pane: ESM Settings -> System Information (default screen) -> View Reports -> Event Time.

Hope that helps.
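One way to turn the exported numbers into the baseline the original question asks for, as an added example that is not from this thread or from McAfee: it takes daily samples you would already have collected (event rate and CPU from your SNMP tool reading the ESM MIB, plus the wall-clock time of a nightly report) and the per-data-source times from the "Last Event Time" report, builds a baseline from the first week, and flags days that drift from it and sources that have gone quiet. All sample values and data-source names below are constructed for illustration.

```python
from statistics import mean, pstdev
from datetime import datetime, timedelta

# Constructed daily samples (values invented): eps and cpu as an SNMP poller
# might log them from the ESM MIB, report_s = seconds a nightly report took.
SAMPLES = [
    {"day": 1, "eps": 4800, "cpu": 40, "report_s": 50},
    {"day": 2, "eps": 4900, "cpu": 42, "report_s": 52},
    {"day": 3, "eps": 4750, "cpu": 39, "report_s": 49},
    {"day": 4, "eps": 4850, "cpu": 41, "report_s": 51},
    {"day": 5, "eps": 4950, "cpu": 43, "report_s": 53},
    {"day": 6, "eps": 4800, "cpu": 40, "report_s": 50},
    {"day": 7, "eps": 4900, "cpu": 42, "report_s": 52},
    {"day": 8, "eps": 4850, "cpu": 41, "report_s": 95},  # report time doubles after an upgrade
    {"day": 9, "eps": 1200, "cpu": 40, "report_s": 51},  # event rate collapses: a feed is broken
]

def flag_deviations(samples, key, window=7, z=2.0):
    """Build the baseline (mean and population stdev) of `key` from the first
    `window` samples; return the days on which later samples sit more than
    `z` standard deviations away from that baseline."""
    base = [s[key] for s in samples[:window]]
    mu, sigma = mean(base), pstdev(base)
    if sigma == 0:  # perfectly flat baseline: any change at all counts
        return [s["day"] for s in samples[window:] if s[key] != mu]
    return [s["day"] for s in samples[window:] if abs(s[key] - mu) / sigma > z]

# Constructed "Last Event Time" rows; data-source names are hypothetical.
LAST_EVENT = {
    "fw-edge-01": datetime(2021, 3, 9, 11, 55),
    "dc-auth-02": datetime(2021, 3, 9, 11, 58),
    "vpn-gw-03":  datetime(2021, 3, 6, 2, 10),  # nothing received for days
}

def quiet_sources(last_event, now, max_idle=timedelta(hours=24)):
    """Return the data sources whose newest event is older than `max_idle`."""
    return sorted(name for name, ts in last_event.items() if now - ts > max_idle)

if __name__ == "__main__":
    for metric in ("eps", "cpu", "report_s"):
        print(metric, "deviates on days:", flag_deviations(SAMPLES, metric))
    print("quiet sources:", quiet_sources(LAST_EVENT, datetime(2021, 3, 9, 12, 0)))
```

Re-run the baseline window after each upgrade or bulk onboarding so the comparison is against the current configuration rather than an old one.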

