
What happens with events when you delete a data source from ESM?

Hi there,

Would anyone be able to confirm what happens with log events from a device once you delete this device?

- I understand that if you delete a data source in ESM the data gets orphaned and you are no longer able to query or report against it;

- What happens with events sent to ELM? Do they get purged as well?

Cheers

8 Replies

Re: What happens with events when you delete a data source from ESM?

Hello,

Deleting a data source will remove all associated data from the ESM database. The ELM retains that data for the data retention you have configured. However, the data will not be searchable with the associated data source removed.

In this scenario, McAfee recommends that you disable the data source and hide it so it is no longer in the tree. It will no longer collect data, but will still be searchable in the ELM. To hide disabled data sources, click Options in the top of NitroView, and de-select the Show disabled data sources option.

Source:

McAfee KnowledgeBase - How to work with deleted data sources

Re: What happens with events when you delete a data source from ESM?

When you say "not searchable in ELM":

Although I understand without FTI the consumption of this data could be very painful, I would imagine that the raw events stored in ELM would still be searchable?

By the way: when you say "disabled", what exactly are you referring to? Looking at the McAfee SIEM interface, all I could find were the "Add" and "Delete" data source buttons. Couldn't find any reference to "disable data source" anywhere.

Cheers

Re: What happens with events when you delete a data source from ESM?

Hello,

According to this KB article, those events won't be searchable anymore, hence the reason why we recommend just disabling data sources.

You can enable or disable a data source from the "policy editor" (icon on the top left), then choose "data sources" on the left and in action, change to "disabled".

Mehdi

Re: What happens with events when you delete a data source from ESM?

I don't see those options when I follow your steps, mbenali. When I open the policy editor, "data sources" is not an option.

Re: What happens with events when you delete a data source from ESM?

From within the datasource itself, just untick the parsing and that's it. Or you can disable the parsers from the policy editor; I believe you will achieve the same effect.

Re: What happens with events when you delete a data source from ESM?

What about logging? If I uncheck logging, will its data still be searchable in the ELM?

Re: What happens with events when you delete a data source from ESM?

Yep, but the new logs (if any) will not be stored within the ELM.

Re: What happens with events when you delete a data source from ESM?

Thanks Alexander!
