Former Member
Not applicable
Message 1 of 7

Why can't the local SIEM storage be used to hold logs?

The McAfee web page touts 8 TB storage for a combo box. Why is that local storage prominently displayed if it can't be used and you have to buy even more storage to store logs? What exactly is that 8 TB being used for?

6 Replies
Former Member
Not applicable
Message 2 of 7

Re: Why can't the local SIEM storage be used to hold logs?

That 8 TB storage is used for the ESM database to store the parsed and correlated data. Raw logs that are handled by the ELM part of the combo box need to be stored on separate storage. This can be CIFS/NFS/SAN/iSCSI/DAS.

Former Member
Not applicable
Message 3 of 7

Re: Why can't the local SIEM storage be used to hold logs?

I understand that it can be done with external storage. 8 TB is just a lot of storage that doesn't seem to be used. And why show such a large local storage on the web page when you then still have to go out and buy more storage to store your logs?

Former Member
Not applicable
Message 4 of 7

Re: Why can't the local SIEM storage be used to hold logs?

Maybe I phrased myself wrong. The 8 TB storage is used fully by the ESM. It stores all events that are parsed by the receiver. Events are stored until the disk is full. Then the first partition will be deleted and reused for new events. So for the ESM you don't need external storage (but you can use it to expand on the 8 TB if you need to keep events for a longer period).

For the ELM on a combo box, external storage is required. Only a separate/dedicated ELM can store local raw logs on the machine itself.

Former Member
Not applicable
Message 5 of 7

Re: Why can't the local SIEM storage be used to hold logs?

Only problem I have with that: McAfee support has admitted that they won't use anything near that whole size.

esher72
Level 9
Message 6 of 7

Re: Why can't the local SIEM storage be used to hold logs?

The way that I understood it is that the ELM is for your long term, forensically sound raw logs (for legal and compliance purposes). You would want those kept separate from the device in case of a failure. I have a dedicated ELM and still have to keep my logs external to the device. RBV was right when he said that 8TB is fully available to the ESM which is going to be your live data that has been modified (parsed and normalized).

SafeBoot
Reliable Contributor
Message 7 of 7

Re: Why can't the local SIEM storage be used to hold logs?

Only problem I have with that: McAfee support has admitted that they won't use anything near that whole size.

Care to share a case number so we can correct that support agent?

The 8TB will absolutely be used - that's why we install it. If you don't want 8TB of db on tap, you can always purchase the 4600 unit, it only has 3TB onboard storage.

Storing your logs on the device is of course "technically" possible - but it would degrade the performance measurably. Since most people are buying ESM because of its performance, this is of course not something we advise, or support.

Your 8TB storage gets you 2,500 records a second ingestion rate, and 30 day reports of data within 180 seconds. That's why it's there.
