Would anyone be able to confirm what happens with log events from a device once you delete this device?
- I understand that if you delete a data source in ESM the data gets orphaned and you are no longer able to query or report against it;
- What happens with events sent to ELM? Do they get purged as well?
Deleting a data source will remove all associated data from the ESM database. The ELM retains that data for the data retention you have configured. However, the data will not be searchable with the associated data source removed.
In this scenario, McAfee recommends that you disable the data source and hide it so it is no longer in the tree. It will no longer collect data, but will still be searchable in the ELM. To hide disabled data sources, click Options in the top of NitroView, and de-select the Show disabled data sources option.
When you say "not searchable in ELM":
Although I understand that without FTI consuming this data could be very painful, I would imagine that the raw events stored in ELM would still be searchable?
By the way: when you say "disabled", what exactly are you referring to? Looking at the McAfee SIEM interface, all I could find were the "Add" and "Delete" data source buttons. I couldn't find any reference to "disable data source" anywhere.
According to this KB article, those events won't be searchable anymore, hence we recommend just disabling data sources.
You can enable or disable a data source from the "policy editor" (icon on the top left), then choose "data sources" on the left and, under Action, change it to "disabled".
From within the data source itself, just untick the parsing and that's it. Or you can disable the parsers from the policy editor; I believe you will achieve the same effect.