10 Replies Latest reply on Jan 19, 2016 9:19 AM by rth67

    How ELM redundancy works ?

    azeddine

      Hello,

      I have updated our SIEM to version 9.4.2, and lately I've configured ELM redundancy. If you have a document about how ELM redundancy works, please share it with me.

      Thank you in advance.

      Best regards,

        • 2. Re: How ELM redundancy works ?
          azeddine

          Hello Scott,

          Thank you for your response and also for the document.

          I have followed the same document to configure the ELM redundancy. I am looking for a document that gives more detail about how the ELM redundancy works.

           

          Best regards,

          Azeddine

          • 3. Re: How ELM redundancy works ?
            markie_mark

            Hello Azeddine,

             

            My understanding is that in the past you could have a single ELM unit; it keeps the data in a single mirror pool on the device. Should it become unavailable, then the ESM will cache the messages until it can come online again. So if you were to have two units, it would be the time to get the storage (such as a NAS or other) online and paired with the ESM unit.

             

            I believe that in 9.4.2, and with the supporting documentation provided by Scott, you can define a standby ELM that is that the primary ELM which receives all events from the ESM. The primary ELM in turn synchronises with the secondary ELM. Should the primary ELM become inactive through the ESMi you can switch to the secondary, or to facilitate maintenance on the primary ELM.

             

            Best Regards,

             

            Mark

            • 4. Re: How ELM redundancy works ?
              azeddine

              Hello Mark,

              Thank you for your response.

              Yes, in version 9.4.2, the ELMs are configured in Active/standby mode. I just want to know: if the principal ELM goes down, does the ESM switch automatically to the second ELM?

              And in what situations can one switch between ELMs?

               

              Regards,

              Azeddine

              • 5. Re: How ELM redundancy works ?
                markie_mark

                Hello Azeddine,

                 

                The failover is not automatic; the ELM messages are queued on the ESM until the standby node becomes active (or the primary node comes back online).

                 

                You can switch between the ELMs manually if you need to perform maintenance on the primary unit, such as repairing a disk or similar activity.

                 

                Hope this helps

                 

                Mark

                • 6. Re: How ELM redundancy works ?
                  azeddine

                  Hello Mark,

                  Thank you for your response.

                   

                  Best Regards,

                  Azeddine

                  • 7. Re: How ELM redundancy works ?
                    rcavey

                    @Mark -- Are you sure about that? (meaning the ESM holding the data) Currently, the receivers hold all the raw data, which is shipped off to the ELM when the space or time threshold is reached. Sure, the events go to the ESM, but the ELM is only receiving the raw data, not the "events". Why would McAfee now ship the data to the ESM and then to the ELM?

                    What I envision is that the ESM will configure the receivers as to which ELM is the Active device and the data will be shipped off to the proper Storage Pool. What I hope McAfee has done is... a syncing of both ELMs' data after the standby comes online, then after the switch back between roles --OR-- the ELM search feature being smart enough to find the data on the correct ELM storage pool. I'd like the first of those options to happen but we'll see.

                     

                    @

                    • 8. Re: How ELM redundancy works ?
                      markie_mark


                      Welp - sorry, yes, I meant the receiver obviously

                      • 9. Re: How ELM redundancy works ?
                        rcavey

                        @Scott  ---  I have not seen any other instructions but the release notes are soooo weak.

                         

                        So yesterday we enabled redundancy and figured out things eventually. We got through our data storage and the primary ELM is sending the data over to the backup storage pool. When I left there was 130GIG of ~1.2TB sync'd over.  We now need to undo and resolve a Management DB mirror setup that somehow is different from our other environments.  Will report more next week.
