Monday, February 16, 2015

McAfee SIEM Q&A Part 2

Q.  What is the difference between the (Events) and (Event Logs)?

A. These are actually tables in the SIEM database that have their own separate retention policies, etc. In general, best practice dictates that you at a minimum back up the Events and Event Logs. You'd want to have these available for reference during cause analysis activities. I believe they are Alerts, Connections and uhhh... can't remember the other one.


Q.  If I only backed up the (ESM settings), and we suffered an ESM meltdown, would a recovery of the (ESM settings) to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc...?

A. Yes, theoretically. However, in a lab environment, I've had to re-key all the devices after restoring. 

Note: A standard backup saves all configuration settings, including those for policy. When you add a new ESM device, Backup & Restore is enabled to back up every 7 days. You can back up events, flows, and logs received by the system. The first backup of event, flow, or log data saves only data from the start of the current day. Subsequent backups save data starting at the time of the last backup.
