Thank you for your answer. On the workflow for the parsed events: once the events are collected by the collector process and parsed by the parser process, the parsed events are inserted into the Receiver's database. Based on the polling interval (10 mins by default), the ESM will retrieve the events and flows by querying the Receiver database and then insert them into the database running on the ESM.
But there is a connection between the ELM and the ESM also, while querying ELM search information from the ESM.
One more thing: the ESM will pull events from the Receiver and the Receiver never pushes the events to the ESM; additionally, the ESM will push events to the correlation even though it's hosted on the Receiver.
itzamlan, yes, there is an AES-encrypted connection between the ESM and the ELM as well.
kmc, how does the parsing happen while pulling logs from the ELM, as the ELM contains the raw logs? Or is it like the ELM contains the raw logs as well as the parsed logs, serving as a kind of backup/repository to the ESM?
I believe parsing does not happen when you are pulling/searching logs from the ELM.
ELMs collect and store raw logs for compliance purposes and raw log search only. ELMs can also perform full-text indexing of stored logs. ELMs also provide a forensically sound audit trail of logs, and it's actually optional for the overall system.
There are essentially two copies of the data. The ESM holds the parsed and aggregated version of the original logs stored on the ELM. The ESM database has records, and a record ID can represent many aggregated events. The records are tied to the events they represent in the ELM, which allows the "ELM Archive" tab to go and pull the relevant events when you are looking at an aggregated event in the ESM. The chief purpose of the ELM is to meet various compliance standards that mandate the long-term storage of original logs for some period of time.
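To make the two-copy design and the pull model concrete, here is a small Python model added to this thread as an illustration; it is not McAfee code and does not reflect the product's actual schemas or protocols. The raw-archive (ELM-like) store keeps every line verbatim, the parser only feeds lines it understands into the Receiver-like queue, the ESM-like store polls that queue and aggregates identical events into one record while remembering the archive IDs behind it, and an "ELM Archive"-style lookup walks back from an aggregated record to the raw lines. The sample log lines, class names and field names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample firewall syslog lines standing in for collector input.
RAW_LOGS = [
    "Jan 10 10:00:01 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=22",
    "Jan 10 10:00:03 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=22",
    "Jan 10 10:00:07 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=22",
    "Jan 10 10:00:09 fw01 kernel: ACCEPT SRC=10.0.0.7 DST=10.0.1.9 PROTO=TCP DPT=443",
    "Jan 10 10:00:11 fw01 kernel: this line does not match the parser",
]

# Hypothetical parser rule for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:]{8}) (?P<host>\S+) kernel: "
    r"(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse(line):
    """Parser stage: normalise one raw line into fields, or None if unknown."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


@dataclass
class ElmStore:
    """Raw-log archive: keeps every line verbatim, keyed by an archive event id."""
    raw_events: dict = field(default_factory=dict)

    def archive(self, line):
        elm_id = len(self.raw_events) + 1
        self.raw_events[elm_id] = line
        return elm_id

    def search(self, needle):
        """Full-text search over raw lines; no parsing is involved."""
        return [eid for eid, line in self.raw_events.items() if needle in line]


@dataclass
class ReceiverDb:
    """Parsed events waiting to be pulled; this side never pushes."""
    rows: list = field(default_factory=list)
    delivered: int = 0

    def insert(self, parsed, elm_id):
        self.rows.append({**parsed, "elm_id": elm_id})

    def fetch_new(self):
        new = self.rows[self.delivered:]
        self.delivered = len(self.rows)
        return new


# Fields that must match for two events to fold into one aggregated record.
AGG_KEY = ("host", "action", "src", "dst", "proto", "dpt")


@dataclass
class EsmDb:
    """Aggregated records; each remembers the archive ids it summarises."""
    records: dict = field(default_factory=dict)

    def poll(self, receiver):
        """Pull side of the model: fetch new rows and aggregate them."""
        pulled = receiver.fetch_new()
        for ev in pulled:
            key = tuple(ev[k] for k in AGG_KEY)
            rec = self.records.setdefault(
                key, {"record_id": len(self.records) + 1, "count": 0, "elm_ids": []}
            )
            rec["count"] += 1
            rec["elm_ids"].append(ev["elm_id"])
        return len(pulled)

    def record(self, record_id):
        return next(r for r in self.records.values() if r["record_id"] == record_id)

    def elm_archive(self, record_id, elm):
        """'ELM Archive'-style lookup: raw lines behind one aggregated record."""
        return [elm.raw_events[i] for i in self.record(record_id)["elm_ids"]]


def run_pipeline(lines):
    """One collect -> parse -> poll cycle over the given raw lines."""
    elm, rx, esm = ElmStore(), ReceiverDb(), EsmDb()
    for line in lines:
        elm_id = elm.archive(line)          # raw copy is always kept
        parsed = parse(line)
        if parsed is not None:              # only parseable lines reach the queue
            rx.insert(parsed, elm_id)
    esm.poll(rx)                            # one polling interval elapses
    return elm, rx, esm


if __name__ == "__main__":
    elm, rx, esm = run_pipeline(RAW_LOGS)
    for rec in esm.records.values():
        print(rec["record_id"], rec["count"], esm.elm_archive(rec["record_id"], elm))
```

Running it shows the point of the thread: the unparseable fifth line exists only in the raw archive (where a text search still finds it), the three identical DROP lines collapse into one record with a count of 3 on the aggregated side, and the archive lookup returns exactly those three original lines. A second poll returns nothing because the queue only hands out rows that have not yet been pulled.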
I think the solution will see expanded logging functionality in a future release. Thanks.