6 Replies Latest reply on May 20, 2014 11:01 AM by rth67

    How to make McAfee SIEM near real-time as much as possible

    parinya.ekparinya

      Dear guys,

      According to the data flow used by McAfee SIEM, there are a few points of delay. I'll try to list what I know below:

      (1) For agents like the Windows Agents, events are sent on a timer, at a 5-minute interval. This value isn't configurable.

      (2) ESM will pull events & flows from the Receiver every 10 minutes by default. This value is configurable. You can change it in "System Properties -> Events, Flows & Logs". The lowest value is 1 minute.

      (3) ELM will pull raw logs from the Receiver when the raw log file for that data source exceeds 5 MB, or otherwise after waiting 12 hours. This condition isn't configurable.

      For (1), you can avoid it by using agent-less collection if possible. Syslog is real-time in this case. There is an interval setting for the file transfer & WMI retrieval methods.

      For (3), things would be OK for busy data sources. If they do not give us enough data, we have no choice but to wait 12 hours anyway.

      The only configuration left is (2). I'm not sure what the side effects are if we change this value to 1 minute. IMHO, the aggregation ratio will be reduced. Is 1 minute a practical value? Any other side effects? Please share your thoughts & experience!!

      One more question: Are there any plans in the near future to change this architecture? Are they on the roadmap??

      Best regards,

      Parinya


      Message was edited by: parinya.ekparinya on 1/22/13 2:20:22 AM CST