Currently the setup is like in the above diagram, in which we have around 20+ Windows Servers and 300+ Syslog devices in the environment. In the setup we are using ERC-1250 model appliances, and the ESM and ELM are set up as virtual machines. All are running on 9.5.0 MR4.
Following are my inquiries:
Site 1 - Active
Site 2 - Active
Note: This design has a drawback of both ERCs polling Windows Servers for event logs; this would put extra load on the network as well as on the Windows Servers.
1. How to introduce one ELM into this setup?
2. Can I migrate the ELM from one site to the other with the same database?
3. In case of network failure, how to achieve data logging synchronization between the two sites?
Moved to SIEM for better support