The McAfee web page touts 8 TB of storage for a combo box. Why is that local storage prominently displayed if it can't be used and you have to buy even more storage to store logs? What exactly is that 8 TB being used for?
That 8 TB of storage is used for the ESM database to store the parsed and correlated data. Raw logs that are handled by the ELM part of the combo box need to be stored on separate storage. This can be CIFS/NFS/SAN/iSCSI/DAS.
I understand that it can be done with external storage. 8 TB is just a lot of storage that doesn't seem to be used. And why show such a large local storage on the web page when you then still have to go out and buy more storage to store your logs?
Maybe I phrased that wrong. The 8 TB of storage is used fully by the ESM. It stores all events that are parsed by the receiver. Events are stored until the disk is full. Then the first partition will be deleted and reused for new events. So for the ESM you don't need external storage (but you can use it to expand on the 8 TB if you need to keep events for a longer period).
For the ELM on a combo box, external storage is required. Only a separate/dedicated ELM can store raw logs locally on the machine itself.
The way that I understood it is that the ELM is for your long term, forensically sound raw logs (for legal and compliance purposes). You would want those kept separate from the device in case of a failure. I have a dedicated ELM and still have to keep my logs external to the device. RBV was right when he said that 8TB is fully available to the ESM which is going to be your live data that has been modified (parsed and normalized).
The only problem I have with that is that McAfee support has admitted they won't use anything near that whole size.
Care to share a case number so we can correct that support agent?
The 8TB will absolutely be used - that's why we install it. If you don't want 8TB of db on tap, you can always purchase the 4600 unit, it only has 3TB onboard storage.
Storing your logs on the device is of course "technically" possible - but it would degrade the performance measurably. Since most people are buying ESM because of its performance, this is of course not something we advise, or support.
Your 8TB of storage gets you a 2,500 records per second ingestion rate, and 30-day reports of data within 180 seconds. That's why it's there.