I would second your question. I myself am running on McAfee POC SIEM equipment, during POC it was more responsive than the Logrhythm POC equipment we were comparing it too We chose McAfee, but now after 3 months installed the POC equipment is being very slow. The thing that seems to speed it up is a ESM reboot. We now have ordered and expect the Production SIEM. Bit worrying. Mcafee dont seem to provide any answers.
I felt the same way. Our system seemed to have slowed down to a crawl since I updaded to 9.2.1 last May.
I just applied the newest hotfix patches (KB77812) and the system has become better and faster than ever! There a number a patches applied, everything from HA issues to Memory leaks but not one mention of performace, but it worked. Take a look at the knowledge base article and contact McAfee to get the latest install files, not all the hoffix versions are available through the customer portal and have to be requested through support.
Test, install and enjoy..
Lessons learned, from one SIEM Admin to another:
I would suggest contacting support to get the latest Hot Fix to help resolve any known issues, view the Known Issues at one of the following:
We have battled through some of the same slowness issues, and support always wanted to stop/start the cpservice to help resolve the issue (essentially reboot), but we wanted to know why that helps, and why it happens in the first place.
What type of hardware are you running? Generation 3 (Orange Nitro branded) or Generation 4 (McAfee branded)?
What model of ESM are you running, (Gen 3) 5750, X3, X5, or (Gen 4) 5600, 6000, X4, X6? The X models utilize an SSD to store the first 2 Alert (Event) and Flow partitions, as well as the Temp files that are created while populating a View, running a report, or generating a Dynamic Watchlist. The amount of RAM your system has also helps with speed. Again, newer hardware, more RAM, X Series also seem to have more RAM.
Things you can do with your views to help with speed:
Reduce the time you are looking at it, if you need to look at a week, month, quarter, year, or all, make sure you are looking at a given data source, or have appropriate filters in place if looking at everything.
Create Custom Views, remove any Dynamic Baselines from your view, and only look at Events once you have narrowed your search, not as part of your initial view.
If you have any Dynamic Watchlists, reduce how frequently they run, weekly or monthly instead of daily or more frequent. Can you improve the logic on your Dynamic Watchlist, or break it up in to multiple lists that run on different days. While the Dynamic Watchlist is running it is going to use disk I/O creating temp files on your drive.
Do you have Reports that are taking a long time to generate? If so, can you schedule them to run during off-hours with time to complete before you need to use the system, or fine tune the reports to run more efficiently? While the reports are running, they are creating temp files which is using disk I/O.
If you recently upgraded to 9.2.x from 9.0.x or 9.1.x is your database rebuild still running?
From the ESM Properties view, under Database does it say OK, or does it show “Rebuilding partitions…” with details about Alert and Flow Partitions being rebuilt?
The Background rebuild process causes over-head on your system, extra disk I/O which if you are not on an X series system is on a slow SATA drive and not on a fast SSD. The documentation states to anticipate a 20% hit during a rebuild. Depending on how much data is on your system, a rebuild could take days, weeks or even months to complete.
During a rebuild, you may want to make your Dynamic Watchlists Static, and extend the time which your ESM pulls Events & Flows from your Receivers (possibly change from 10 minutes to 12). If you can suspend any scheduled reports during the rebuild this will also reduce overhead on your system allowing the rebuild to finish faster.
The latest hotfix for 9.2.x lists a memory leak issue whch can slow down the system overtime. Which is exactly what I am seeing since my hotfix install earlier this month. (Not the 9/9 release obviously). I am assessing the new patch and even the newest 9.3.0 release.
9.2.1 GA Build Stamp: 9.2.1 20130909 Reference Number Device Area Description 31895 ESM Database Memory leak causes ESM to run extremely slowly.
I always hate when I ask a question and someone responds with "update to the newest version." It really helped us though. My views were horribly slow. I upgraded from 9.2.0 to 9.3.0 (via 9.2.1) and my old response times are back. My views for an entire year are faster now than my views for current week were before the upgrade.
I agree the "update" response is used a little too quickly latey and sopmetime they seem to simply guess your problem will be fixed in it, which is not always the case unless it is specifally called out in the patch list. I am still on the 9.2.1 builds. I upgraded to the 08/22 build on 9.2.1 to fix the "slow views" issue and another one I had with a time problem. Neither were fixed and I just updated to the 09/09 build because it listed the memory leak issue. Hope it fixes it this time. Thought I'd wait a month or two to see what hotfixs start showing up for the 9.3.0 versions. I'll be watching for updates to the hotfix KB article for the 9.3.0 to see how the new version is working out.
Thanks and glad to hear everythng is working better for ya.