Help with ESM Express
I'm looking for some advice regarding ESM Express options. I have a two-tier security network with Zone A and Zone B (Zone B being the lower security). I plan to have a connector in the lower tier that will forward logs (from external customer networks) into the higher security zone, direct to ESM Express.
My question is that I also have devices within my zones that I want to monitor, which are a mixture of Windows and Linux devices. For the devices in Zone B I plan to send the logs to the connector and forward them on. For the higher security zone that accommodates the ESM Express appliance, is it recommended that I have a second connector there to forward logs, or shall I just send the local devices direct to the appliance?
A few things to consider:
- Forwarding from one connector to another is a perfectly valid approach - this is fine and acceptable and not license controlled at all. If you have the resources it works well and is scalable.
- You should ensure that you are attaching network zones at the connector layer - this way you are enforcing the mapping of the logical network zone at collection time for the lower connector, but ensure that you have also defined the network zones for the upper connector. This way you make sure the log data comes in tagged correctly and from the correct zone. That makes it simpler and easier to work with when you come to write logical rules or to increase prioritization / impact scoring for the log data.
- As a guide, it's better to have as few hops through connectors as possible - this is because you are adding delay in the process, and while I am not suggesting that a second or two of delay will impact much, it's still a delay and we should always look to keep this to a minimum. As a result, direct links through are good and simple, and multiple destinations are fine.
Personally for me? I would use connector to connector and then into Express. It's simple, easy, and as long as you scale the secondary one that is doing the receiving of the data correctly (remember it has its own log sources as well as the forwarded data) then it's fine. Simple and easy.
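To make the zone-tagging point in the answer above concrete, here is a toy model of the two-hop collection path (lower connector forwarding into an upper connector that also has its own local sources, then into the appliance). This is an added illustration, not ArcSight code or configuration: the connector names, the CIDR-to-zone tables, the event fields and the syslog-style sample lines are all constructed for the example. What it shows is that the zone is stamped where an event is first collected, so forwarded events keep the lower connector's zone, while the upper connector's own local sources only get a zone if that connector has zone definitions too; it also counts the hops each event takes before reaching the appliance.

```python
"""Toy model of connector-to-connector forwarding with zone tagging at collection time.

Added example for this thread, not ArcSight code. Connector names, zone tables,
the Event shape and the sample log lines are invented (hypothetical).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed syslog-like sample lines (invented hosts and addresses).
ZONE_B_SYSLOG = [
    "<134>Jan 10 10:00:01 web01 sshd[1001]: Accepted publickey for ops from 10.20.5.17 port 51022",
    "<134>Jan 10 10:00:02 cust-fw sshd[77]: Failed password for root from 203.0.113.45 port 4311",
]
ZONE_A_SYSLOG = [
    "<134>Jan 10 10:00:03 dc01 sshd[2200]: Accepted password for admin from 10.10.1.9 port 60000",
]

SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Event:
    raw: str
    source_ip: Optional[str]
    zone: str = "Unzoned"      # what you get when no connector on the path could map the address
    collected_by: str = ""
    hops: int = 0              # forwards taken before reaching the appliance (the latency point)


@dataclass
class Connector:
    name: str
    zone_table: Dict[str, str]  # CIDR -> zone name: the "network zones attached at the connector layer"
    queue: List[Event] = field(default_factory=list)

    def lookup_zone(self, ip: Optional[str]) -> str:
        if ip is None:
            return "Unzoned"
        addr = ipaddress.ip_address(ip)
        for cidr, zone in self.zone_table.items():
            if addr in ipaddress.ip_network(cidr):
                return zone
        return "Unzoned"

    def collect(self, raw_lines: List[str]) -> None:
        """Parse this connector's own log sources and stamp the zone at collection time."""
        for raw in raw_lines:
            m = SRC_IP_RE.search(raw)
            ip = m.group(1) if m else None
            self.queue.append(Event(raw=raw, source_ip=ip,
                                    zone=self.lookup_zone(ip), collected_by=self.name))

    def receive(self, events: List[Event]) -> None:
        """Forwarded events keep the zone already stamped by the collecting connector."""
        for ev in events:
            ev.hops += 1
            self.queue.append(ev)

    def forward_to(self, destination) -> None:
        batch, self.queue = self.queue, []
        destination.receive(batch)


@dataclass
class EsmExpress:
    events: List[Event] = field(default_factory=list)

    def receive(self, events: List[Event]) -> None:
        for ev in events:
            ev.hops += 1
            self.events.append(ev)


def run_pipeline(upper_zone_table: Dict[str, str]) -> List[Event]:
    """Lower connector -> upper connector -> ESM Express, returning what the appliance received."""
    lower = Connector("zoneB-connector",
                      {"10.20.0.0/16": "Zone B", "203.0.113.0/24": "Customer-External"})
    upper = Connector("zoneA-connector", upper_zone_table)
    esm = EsmExpress()
    lower.collect(ZONE_B_SYSLOG)
    upper.collect(ZONE_A_SYSLOG)   # the upper connector's own local sources
    lower.forward_to(upper)        # hop 1 for Zone B / customer events
    upper.forward_to(esm)          # hop 2 for those, hop 1 for the upper connector's local events
    return esm.events


if __name__ == "__main__":
    for ev in run_pipeline({"10.10.0.0/16": "Zone A"}):
        print(f"{ev.source_ip:>15}  zone={ev.zone:<18} via={ev.collected_by:<16} hops={ev.hops}")
    print("-- upper connector with no zones defined --")
    for ev in run_pipeline({}):
        print(f"{ev.source_ip:>15}  zone={ev.zone:<18} via={ev.collected_by:<16} hops={ev.hops}")
```

Running it with an empty zone table for the upper connector reproduces the mistake the answer warns about: the forwarded Zone B and customer events still arrive correctly tagged, but the Zone A events collected locally by the upper connector arrive as "Unzoned", which is exactly what breaks zone-based rules and priority scoring later.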