Monday, February 16, 2015

McAfee SIEM Q&A

You should also add "Exporting your DataSources" to your maintenance tasks. As a footnote, all data sources are defined in a file named thirdparty.conf, with the following format for each data source:

# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
# ESM:
# ESM buildstamp: 9.4.2 20150127184901
# Receiver:
# Receiver buildstamp: 9.4.2 20150127184901
[DataSource Name Displayed in ESM System Tree]
id=2
ipsid=144182258301927424
created=1387472852
# Windows Event Log - WMI
type=43
type_orig=43
disabled=no
ip_address=192.168.1.8
collector=wmi
parser=wmi
protocol=wmi
elm_logging=yes
parsing=yes
hostname=server01.joeslab
pool=ELM-StoragePoolNAme
use_rpc=no
wmi_interval=600
wmi_logs=Active Directory Web Services,Application,DFS Replication,Directory Service,DNS Server,HardwareEvents,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
wmi_password=U2FsdGVkX18OTHISISNOTAREALPASSWORDPm+NonX01kRUzi6FS0c7Iw==
wmi_username=daminname\ServiceAcct
wmi_version=0
device_status_traps=no
override=
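Once you are exporting data sources regularly, the export is worth reading back as an inventory. The following parser is an added example, not part of the original post and not McAfee code: it walks a thirdparty.conf-style file in the format shown above, skipping the `#` comment lines that appear both before and inside a section, keys each data source by its section header, and redacts the `wmi_password` value so the resulting inventory can be shared without carrying the credential blob around. The sample file and the `audit` checks (disabled sources, sources without `elm_logging=yes`) are constructed for the example.

```python
"""Parse an ESM/Receiver thirdparty.conf export into a data-source inventory."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format shown above: two data sources, one disabled.
SAMPLE_CONF = """\
# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
[Domain Controller 01]
id=2
ipsid=144182258301927424
created=1387472852
# Windows Event Log - WMI
type=43
type_orig=43
disabled=no
ip_address=192.168.1.8
collector=wmi
parser=wmi
protocol=wmi
elm_logging=yes
parsing=yes
hostname=server01.joeslab
wmi_interval=600
wmi_logs=Application,Security,System
wmi_password=U2FsdGVkX18OTHISISNOTAREALPASSWORDPm+NonX01kRUzi6FS0c7Iw==
wmi_username=domainname\\ServiceAcct
override=

[Old File Server]
id=7
type=43
disabled=yes
ip_address=192.168.1.9
collector=wmi
elm_logging=no
hostname=fs-old.joeslab
wmi_password=U2FsdGVkX1CONSTRUCTEDPLACEHOLDER==
"""

# Keys whose values must never end up in an inventory report.
SECRET_KEYS = {"wmi_password"}
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_thirdparty_conf(text: str) -> List[Dict[str, str]]:
    """Return one dict per [section]; comments and blank lines are ignored."""
    sources: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # header comments and in-section comments
        match = SECTION_RE.match(line)
        if match:
            current = {"name": match.group(1)}
            sources.append(current)       # a list, so duplicate display names survive
            continue
        if current is None or "=" not in line:
            continue                      # stray text before the first section
        key, _, value = line.partition("=")   # split on the first '=' only
        key = key.strip()
        current[key] = "<redacted>" if key in SECRET_KEYS else value.strip()
    return sources


def audit(sources: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag data sources that are disabled or not shipping raw logs to the ELM."""
    findings = []
    for ds in sources:
        if ds.get("disabled", "no").lower() == "yes":
            findings.append((ds["name"], "data source disabled"))
        if ds.get("elm_logging", "no").lower() != "yes":
            findings.append((ds["name"], "raw logs not sent to ELM"))
    return findings


if __name__ == "__main__":
    inventory = parse_thirdparty_conf(SAMPLE_CONF)
    for ds in inventory:
        print(f'{ds["name"]}: {ds.get("hostname", "?")} ({ds.get("ip_address", "?")}), '
              f'collector={ds.get("collector", "?")}, disabled={ds.get("disabled", "?")}')
    for name, problem in audit(inventory):
        print(f"WARNING {name}: {problem}")
```

Point the parser at a real export instead of `SAMPLE_CONF` to get the same inventory and warnings for your own system tree; comparing two exports taken a week apart is a cheap way to notice a data source that was disabled or re-pointed without a change ticket.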


Q. If I were to restore from a (Full backup of data), would all the Event Summaries, Flow Summaries, and Flow Distributions be restored?
A. Yes. All of these are essentially database tables.
Q. When a (Full backup of data) is done, is there any compression on that data?
A. Yes, though I'm not certain about the ratio.
Q. Is there a good way of estimating how much space to allocate for a remote full backup?
A. No, because it depends on too many variables. Speak with your SAN or storage engineers as well.
Q. The backup location options for remote locations are CIFS or NFS; I assume a CIFS or NFS share can be set up on a SAN?
A. Yes.
Q. When a (Full backup of data) is done, does that include the ESM database, active partitions, and inactive partitions?
A. Yes and no. Yes, for all active data. No, because when an active partition reaches its maximum size it becomes inactive and is deleted.
Q. Does it still make sense to conduct Full backups of data when we have an ELM (it seems redundant)?
A. Yes. They are two completely different things. The ELM holds raw, unparsed data. The data on an ESM is relational and parsed.
Q. I'm a bit confused about the relationships between:
  ○ System Properties>System Information>Backup and Restore
  ○ System Properties>Database>Archival
  ○ System Properties>Database>Data Storage
A. The relationship is:
  ○ Backup & Restore - Tells the system how and where to back up, and where to find backups for restoring.
  ○ Archival - Tells ESM how and where to store archived data, and also whether or not you want archived data to be included in views.
  ○ Data Storage - The easiest explanation is to say "Data Connections". For example, if you have a DAS (Directly Attached Storage), a SAN connection, or iSCSI storage devices, you might have active partitions configured on the DAS, back up to the SAN, and store archives on the iSCSI.
Q. Is there a recommendation on sizing inactive partitions?
A. Not really. It depends on the environment and configuration. Note that this can affect queries, since it ultimately determines how much data to keep on hand, on the system, before archiving. When you open a view and define a time period of, say, "All", it will query data on the system AND archived data. Your type of connection to external storage contributes to this decision as well.
Hope this helps!
PePeLePuu
The Dancing Engineer!!!!
