Fleet Admiral
Fleet Admiral
5257 views

ESM vs. ESM Express

Starting with ESM and ESM 6.9.1, they share the same code base and have the same documentation set. The differences are based on license and are summarized below:

ESM Express EE7600ESM Appliance E7600 ESM Software
Maximum EPS2,50010,000Limited only by HW
Active/Passive HANot supportedAvailable for purchaseAvailable for purchase
Dual feed HAAvailable for purchaseCan be used but requires purchasing a second production applianceAvailable for purchase
PeeringNot supportedSupportedSupported
Threat detectorNot availableAvailable for purchaseAvailable for purchase
Actors and an AD connectorNot supportedUnlimited

Unlimited (EPS based license)

Available for purchase (core and GB/d licenses)

Risk insightNot supportedAvailable for purchaseAvailable for purchase
Upgrade and migrationLicense only upgrade to ESM applianceNot applicableNot applicable
Labels (3)
Tags (2)
5 Replies
Commodore
Commodore

Hi Ofer,

First of all thanks a lot for this helpful comparison and I hope I could find answers to below inquires:

1) What is the difference between the ESM Express EE7600 and the ESM Appliance E7600 with regards to the following:

- memory

- available disk space / maximum storage

- online/offline retention (days)

2) When converting ESM Express license to ESM license on the same box, will it be able to handle more than 2500 eps up to 10,000 EPS?

3) Can we get more online/offline retention periods with ESM software over ESM appliance? or is it necessary to buy ADP logger in any case to have retention periods more than 90 days as this is limited by the ESM code base which is the same on software or appliance flavors?

4) In general when we prefer ESM software over ESM appliance? when we need salable solution for future growth, like to get more than 10,000 EPS or are there any other reasons?

BR,

Hatem

0 Likes
Fleet Admiral
Fleet Admiral

(1) HW specs: ESM Express and ESM appliance share the same HW. See specs here.

(2) When converting ESM Express to an ESM appliance the license can be upgraded to up to 10K EPS.

(3) ESM SW supports up to 12TB of compressed storage. ESM Appliance is signification more limited (see specs reference above). Note that an ADP license is still required when migrating to an ESM appliance.

(4) I would personally always go for SW. It is more flexible. Customers prefer an appliance due to procurement preference or in order not to actively manage to OS. 

0 Likes
Commodore
Commodore

Thanks a lot Ofer for the clarifications.

Regarding point# 3, just want to confirm that if I need retention periods over 3 months, I can get ESM SW and use my own storage up to 12 TB, in that case in the ArcSight Command Center I will have the option to select retention period of 180 days for example (while in ESM Appliance or ESM Express Appliance I will be limited by maximum 90 days due to the Storage limit of 1.2 TB compressed logs which is 10 times less than the ESM SW case).

0 Likes
Absent Member.
Absent Member.

Hi ,

How can I Upgrade ArcSight Express 4 to ESM Software? is it possible?

regareds

0 Likes
Absent Member.
Absent Member.

Can anyone provide a pricing for the Risk Insight module?

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.