Currently, we do not allow local disk as a Storage Device for any of the ELM VM's. In fact, only the hardware appliances that are only running an ELM can have local disk storage. However, all ELM models offer a NAS connection capability. (CIFS or NFS share) This is the route you will need to go. We require that the external storage is at least 504GB. 500 GB is allocated for the ELM Database and the rest for log storage. 4GB is the smallest storage pool that can be created. We do recommend a larger amount of space than 4 GB for the strage pools so that the ELM can grow if needed. Below are the instructions out of our user manual describing how to setup a storage device.
To add a storage device that will be assigned to a storage pool, you need to define the parameters needed to communicate with this device.
1. Access the Storage Pool screen (ELM Properties> Storage Pool), which lists the existing storage devices and storage pools.
2. Click on the Add button to the right of the list of storage devices. Add Storage Device dialog opens.
Warning:Using CIFS with Samba server versions greater than 3.2 could result in data loss.
A. Windows 7 requires you to use"HomeGroup" file sharing, which will work with other Windows 7computers but not with Samba. To use a Windows 7 computer as a CIFS share, you will need to disable "HomeGroup" file sharing.
a) Access the Network and Sharing Center by opening the Windows 7 Control Panel.
b) Click on the Network and Internet link
c) Click on the Network and Sharing Center link.
d) Click on Change advanced sharing settings. Make sure you have network discovery, file and printer sharing, and public folder sharing enabled in the Home or Work profile (also ,make sure that Home or Work is labeled as your current profile).
e) Go to the folder you want to share using CIFS (try the public folder first) and right click on it.
f) Select Properties and click on the Sharing tab.
g) Click on Advanced sharing and put a check mark in Share this folder.
h) If desired, change the share name and click on the Permissions button. Make sure you have permissions set as you desire (a checkmark in Change = writeable). If you've enabled password-protected shares, you'll have to tweak settings here to make sure that your Ubuntu user is included for permission.
4. Type in a name for this device in the Name field.
5. Select the maximum amount of data that you want to store on this device in the Max size field.
6. Fill in the remaining fields, which will vary based on the device type selected.
a. If the device type is CIFS, ensure that you do not use commas in the password field
7. OK to save the settings. The device information will be added to the device table.
* The size of a storage device cannot be decreased. It can only be left as is or increased.
If you have any troubles setting up a storage device, please create a service request on our service portal and we will be happy to help you with the issue.
McAfee Corporate Online Support (Service Portal): https://mysupport.mcafee.com
Message was edited by: spetting on 11/8/12 5:29:15 PM CST
This local storage is especially useful on partners making PoCs like us. I see that ESMELMREC VM is 500 gb disk size (virtual disk) if that disk was bigger (say at least 520 gb) then I think we can add local storage to storage pool to show the functionality of ELM (raw logs) without stating prospective clients to provide us a storage about 600 gb (just to be safe) since VM has already 500 gb. Currently if we are to make a PoC to the customer I use VM if possible and
1) I add a NFS,CIFS
2) Use Migrate DB to that NFS,CIFS
3) Add Storage Pools of different sizes.
Sometimes customers can't provide 500+ GB share and it is better if we had this option as Mcafee Resellers.
Yes - it is true. Currently I provide three (VM) POCs and in every of them customers has a trouble with NAS storage - they would prefer to share more storage on their SAN\DAS infrastructure.
As Omerfsen said - it would be very useful to enable ELM funcionality on the local VM storage in the Time Bomb combo machines. Notice that at this time to provide POC we need around 1,5TB storage for ELM purposes: Virtual machine has 500GB, next 500GB we need to move ELM Management database, and next 100-500GB for events...
Why it is strictly needed to move ELM database outside combo local storage?
As part of the SIEM VM strategy McAfee is considering creating a VM ELM with local storage in 2013. This is in no way a guarantee that we will release such a solution and our roadmap is subject to change.
Thank you for information - we will wait for that feature
I understand, that ELM at this time require external storage, but - today I was asked by potential customer about possibility to increase ESM (VM combo) local storage - does it impossible at this time too? Customer is testing VM combo now, and is asking me about that.
AFAIK, it's possible to increase local storage of ESM on combo virtual appliance.
First, you have use vSphere client to increase size of virtual disk. Then, you need to reboot VM and boot it with Parted Magic ISO. Use partition editior to increase the size of a partition.
Hope support guys can share you a tech note document to do this.
I guess - that solution is fully supported? Did you try to do it in production environment?
Well... I have no idea if it's fully supported solution.
Only for POC or testing environment would be fine.