ESM vs. ESM Express
Starting with ESM and ESM 6.9.1, they share the same code base and have the same documentation set. The differences are based on license and are summarized below:
| | ESM Express EE7600 | ESM Appliance E7600 | ESM Software |
|---|---|---|---|
| Maximum EPS | 2,500 | 10,000 | Limited only by HW |
| Active/Passive HA | Not supported | Available for purchase | Available for purchase |
| Dual feed HA | Available for purchase | Can be used but requires purchasing a second production appliance | Available for purchase |
| Threat detector | Not available | Available for purchase | Available for purchase |
| Actors and an AD connector | Not supported | Unlimited | Unlimited (EPS based license). Available for purchase (core and GB/d licenses) |
| Risk insight | Not supported | Available for purchase | Available for purchase |
| Upgrade and migration | License only upgrade to ESM appliance | Not applicable | Not applicable |
First of all, thanks a lot for this helpful comparison. I hope I can find answers to the inquiries below:
1) What is the difference between the ESM Express EE7600 and the ESM Appliance E7600 with regards to the following:
- available disk space / maximum storage
- online/offline retention (days)
2) When converting ESM Express license to ESM license on the same box, will it be able to handle more than 2500 eps up to 10,000 EPS?
3) Can we get more online/offline retention periods with ESM software over ESM appliance? Or is it necessary to buy ADP logger in any case to have retention periods of more than 90 days, as this is limited by the ESM code base, which is the same on software or appliance flavors?
4) In general, when do we prefer ESM software over ESM appliance? When we need a scalable solution for future growth, like to get more than 10,000 EPS, or are there any other reasons?
(1) HW specs: ESM Express and ESM appliance share the same HW. See specs here.
(2) When converting ESM Express to an ESM appliance the license can be upgraded to up to 10K EPS.
(3) ESM SW supports up to 12TB of compressed storage. ESM Appliance is significantly more limited (see specs reference above). Note that an ADP license is still required when migrating to an ESM appliance.
(4) I would personally always go for SW. It is more flexible. Customers prefer an appliance due to procurement preference or in order not to actively manage the OS.
Thanks a lot Ofer for the clarifications.
Regarding point #3, I just want to confirm that if I need retention periods over 3 months, I can get ESM SW and use my own storage up to 12 TB. In that case, in the ArcSight Command Center I will have the option to select a retention period of 180 days, for example (while in ESM Appliance or ESM Express Appliance I will be limited to a maximum of 90 days due to the storage limit of 1.2 TB of compressed logs, which is 10 times less than the ESM SW case).