Q. What is the difference between the (Events) and (Event Logs)?
A. These are actually tables in the SIEM database that have their own separate retention policies etc. In general, best practice dictates that you at a minimum back up the Events and Event Logs. You'd want to have these available for reference during cause analysis activities. I believe they are Alerts, Connections and uhhh. Can't remember the other one.
Q. If I only backed up the (ESM settings), and we suffered an ESM meltdown, would a recovery of the (ESM settings) to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc...?
A. Yes, theoretically. However, in a lab environment, I've had to re-key all the devices after restoring.
Note: A standard backup saves all configuration settings, including those for policy. When you add a new ESM device, Backup & Restore is enabled to back up every 7 days. You can back up events, flows, and logs received by the system. The first backup of event, flow, or log data saves only data from the start of the current day. Subsequent backups save data starting at the time of the last backup.
Amending to previous post:
You should also add to your maintenance tasks "Exporting your DataSources". As a footnote, all datasources are defined in a file named thirdparty.conf with the following format for each datasource:
# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
# ESM buildstamp: 9.4.2 20150127184901
# Receiver buildstamp: 9.4.2 20150127184901
[DataSource Name Displayed in ESM System Tree]
# Windows Event Log - WMI
wmi_logs=Active Directory Web Services,Application,DFS Replication,Directory Service,DNS Server,HardwareEvents,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
Q. If I were to restore from a (Full backup of data), then would all the Event Summaries, Flow Summaries, Flow Distributions restore?
A. Yes. All of these are essentially database tables.
Q. When a (Full backup of data) is done, is there any compression on that data?
A. Yes, not certain about the ratio.
Q. Is there a good way of estimating how much space to allocate for a remote full backup?
A. No, because that is dependent on too many variables. Speak with your SAN or storage engineers as well.
Q. Backup location options for remote locations are CIFS or NFS. I assume a CIFS or NFS share can be set up on a SAN?
Q. When a (Full backup of data) is done, does that include the ESM database, active partitions, inactive partitions?
A. Yes and No. Yes, to all active data. No, because when an active partition reaches its maximum size, it becomes inactive and is deleted.
Q. Does it make sense to still conduct Full backups of data when we have an ELM, (seems redundant)?
A. Yes. They are two completely different things. The ELM holds RAW, unparsed data. The data on an ESM is "Relational" and parsed.
Q. I'm a bit confused on the relationships between:
○ System Properties>System Information>Backup and Restore
○ System Properties>Database>Archival
○ System Properties>Database>Data Storage
A. The relationship is
○ Backup & Restores - Tell the system how and where to backup, and where to find backups for restoring
○ Archival - Tell ESM how and where to store archived data, and also whether or not you want archived data to be included in views.
○ Data Storage - The easiest explanation is to say "Data Connections". For example, if you have a DAS (Directly Attached Storage), SAN connection, or iSCSI storage devices, you might have active partitions configured on the DAS, back up to the SAN and store archives on the iSCSI.
Q. Is there a recommendation on sizing inactive partitions?
A. Not really. It depends on the environment and configuration. Note this can affect queries, as this ultimately states how much data to keep on hand, or on the system, before archiving. When you open a view and define a time period of say "All", it will query data on the system AND archived data. Your type of connection to external storage contributes to this decision as well.
Hope this helps!
The Dancing Engineer!!!!
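An added example (not part of the post above, and not McAfee/ESM code) for the "Exporting your DataSources" maintenance task: a small parser for the thirdparty.conf layout shown in the post, plus two checks a SIEM admin would want before trusting a backup, namely which Windows event channels each data source collects and which data sources appeared or disappeared between two exports. The file layout (comment lines, a bracketed data source name, then key=value lines) is assumed from the snippet in the post; the sample content below is constructed, not a real export.

```python
"""Parse ESM thirdparty.conf-style data source exports and sanity-check them.

Assumed format (taken from the snippet in the post, not from vendor docs):
  # comment lines
  [Data Source Name]
  key=value
Everything else is this example's own convention.
"""
from typing import Dict, List, Tuple

# Constructed sample export in the format the post shows (two Windows sources).
SAMPLE_CONF = """\
# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
# ESM buildstamp: 9.4.2 20150127184901
# Receiver buildstamp: 9.4.2 20150127184901
[DC01 Windows Events]
# Windows Event Log - WMI
wmi_logs=Application,Security,System,Windows PowerShell
[DC02 Windows Events]
# Windows Event Log - WMI
wmi_logs=Application,System
"""

# Constructed "later" export: DC02 was removed, a new member server was added.
SAMPLE_CONF_LATER = """\
[DC01 Windows Events]
wmi_logs=Application,Security,System,Windows PowerShell
[FS01 Windows Events]
wmi_logs=Application,Security,System
"""


def parse_thirdparty_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {data_source_name: {key: value}} from thirdparty.conf-style text.

    Comment lines and blank lines are skipped; a [bracketed] line starts a
    new data source; key=value lines belong to the most recent data source.
    """
    sources: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sources.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sources[current][key.strip()] = value.strip()
    return sources


def wmi_channels(sources: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Split each data source's comma-separated wmi_logs value into a list."""
    return {
        name: [c.strip() for c in cfg.get("wmi_logs", "").split(",") if c.strip()]
        for name, cfg in sources.items()
    }


def missing_channels(sources: Dict[str, Dict[str, str]],
                     required: Tuple[str, ...] = ("Security", "System")) -> Dict[str, List[str]]:
    """Report data sources whose wmi_logs omit a required channel.

    Security and System are used as the default because an audit source
    without them gives you little to work with during cause analysis.
    """
    gaps: Dict[str, List[str]] = {}
    for name, chans in wmi_channels(sources).items():
        missing = [r for r in required if r not in chans]
        if missing:
            gaps[name] = missing
    return gaps


def diff_sources(old_text: str, new_text: str) -> Dict[str, List[str]]:
    """Compare two exports and list data sources added or removed.

    Run this against the last exported copy and the current one so that a
    silently deleted source is noticed before the next backup cycle.
    """
    old = set(parse_thirdparty_conf(old_text))
    new = set(parse_thirdparty_conf(new_text))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    parsed = parse_thirdparty_conf(SAMPLE_CONF)
    for name, chans in wmi_channels(parsed).items():
        print(f"{name}: {', '.join(chans)}")
    print("missing required channels:", missing_channels(parsed))
    print("drift since last export:", diff_sources(SAMPLE_CONF, SAMPLE_CONF_LATER))
```

Point it at a real export with `parse_thirdparty_conf(open(path).read())`; keys other than wmi_logs are kept verbatim in the returned dictionary, so the same parser serves syslog or other source types even though the checks here only look at the WMI channel list.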