New Member.

Help with ESM Express

Hi All

I'm looking for some advice re ESM Express options. I have a two-tier security network with Zone A and Zone B (Zone B being the lower security). I plan to have a connector in the lower tier that will forward logs (from external customer networks) into the higher security zone, direct to ESM Express.

My question is this: I also have devices within my zones that I want to monitor, which are a mixture of Windows and Linux devices. For the devices in Zone B I plan to send the logs to the connector and forward them on. For the higher security zone that accommodates the ESM Express appliance, is it recommended that I have a second connector there to forward logs, or shall I just send the local devices direct to the appliance?

Many thanks

2 Replies
New Member.

Anyone??

 

Some help with this would be very useful.

Acclaimed Contributor.

A few things to consider:

 

  1. Forwarding from one connector to another is a perfectly valid approach - this is fine and acceptable and not license controlled at all. If you have the resources, it works well and is scalable.
  2. You should ensure that you are attaching network zones at the connector layer. This way you are enforcing the logical network zone mapping at collection time for the lower connector, but ensure that you have also defined the network zones for the upper connector. This way you make sure the log data comes in tagged correctly and from the correct zone. That makes it simpler and easier to work with when you come to do logical rules or to increase prioritization / impact scoring for the log data.
  3. As a guide, it's better to have as few hops through connectors as possible. This is because you are adding delay in the process, and while I am not suggesting that a second or two of delay will impact much, it's still a delay and we should always look to keep this to a minimum. As a result, direct links through are good and simple, and multiple destinations are fine.

 

Personally, for me? I would use connector to connector and then into Express. It's simple and easy, and as long as you scale the secondary one that is doing the receiving of the data correctly (remember it has its own log sources as well as the forwarded data) then it's fine. Simple and easy.

 

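A constructed illustration of the zone-tagging point in the answer above. This is added example code, not ArcSight connector code and not anything posted in the thread: it models a lower-tier collector ("connB") stamping source and destination zones at collection time from its own CIDR table, then forwarding to an upper-tier collector ("connA") that has its own zone table and its own local log sources. The zone names, CIDRs, connector names, the field names sourceZone / destinationZone / path / collector, the simplified CEF handling and the sample log lines are all assumptions made for the example.

```python
"""Added illustration (not ArcSight code): tag events with a network zone at
the collection layer, then forward through a second collector that also has
local sources of its own.  All tables, names and log lines are constructed."""
import ipaddress
import re

# Hypothetical zone table for the lower-security tier (Zone B) collector.
ZONE_B_TABLE = {
    "ZoneB/Customer-DMZ": ipaddress.ip_network("203.0.113.0/24"),
    "ZoneB/Local":        ipaddress.ip_network("10.20.0.0/16"),
}
# Hypothetical zone table for the upper-security tier (Zone A) collector.
ZONE_A_TABLE = {
    "ZoneA/Servers": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed CEF sample lines (escaped pipes in header fields are not handled).
CUSTOMER_LINES = [  # arrive from customer networks at the Zone B collector
    "CEF:0|Example|Firewall|1.0|100|Denied connection|5|src=203.0.113.7 dst=10.10.1.5 dpt=22",
    "CEF:0|Example|Linux|1.0|200|Failed login|6|src=10.20.3.4 dst=10.20.3.9 suser=bob msg=Failed password for bob",
]
LOCAL_A_LINES = [  # local Windows/Linux devices in Zone A, sent to connA directly
    "CEF:0|Example|Windows|1.0|4625|Logon failure|6|src=10.10.2.8 dst=10.10.1.5 suser=alice",
]

# CEF header: version plus six pipe-delimited fields, then the extension.
CEF_HEADER = re.compile(r"^CEF:\d+\|(?:[^|]*\|){6}(?P<ext>.*)$")

def parse_cef_extension(line):
    """Return the CEF extension (key=value pairs) as a dict."""
    m = CEF_HEADER.match(line)
    if not m:
        raise ValueError("not a CEF line: %r" % line)
    # A value runs until the next 'key=' token or end of line, so spaces in
    # free-text values such as msg= are preserved.
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", m.group("ext"))
    return dict(pairs)

def zone_for(address, zone_table):
    """Return the zone whose CIDR contains address, or None if unmapped."""
    ip = ipaddress.ip_address(address)
    for name, net in zone_table.items():
        if ip in net:
            return name
    return None

def collect(line, zone_table, collector):
    """Collection time: parse the event and stamp zones from this collector's
    own table, so the event leaves the collector already tagged."""
    ev = parse_cef_extension(line)
    ev["sourceZone"] = zone_for(ev["src"], zone_table) if "src" in ev else None
    ev["destinationZone"] = zone_for(ev["dst"], zone_table) if "dst" in ev else None
    ev["collector"] = collector
    return ev

def forward(events, zone_table, collector):
    """Upper collector receiving already-tagged events: keep the lower tier's
    tags and fill in only what that tier could not resolve (assumed policy)."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev.get("sourceZone") is None and "src" in ev:
            ev["sourceZone"] = zone_for(ev["src"], zone_table)
        if ev.get("destinationZone") is None and "dst" in ev:
            ev["destinationZone"] = zone_for(ev["dst"], zone_table)
        ev["path"] = ev["collector"] + ">" + collector  # record the extra hop
        out.append(ev)
    return out

def pipeline():
    """connB tags Zone B events and forwards to connA; connA adds its own local
    Zone A sources and hands the combined stream to ESM."""
    lower = [collect(l, ZONE_B_TABLE, "connB") for l in CUSTOMER_LINES]
    upper = forward(lower, ZONE_A_TABLE, "connA")
    upper += [collect(l, ZONE_A_TABLE, "connA") for l in LOCAL_A_LINES]
    return upper

if __name__ == "__main__":
    for ev in pipeline():
        print(ev.get("path", ev["collector"]), ev["sourceZone"], "->", ev["destinationZone"])
```

The first customer event shows why the answer says to define zones on the upper connector as well: its destination 10.10.1.5 is unknown to the Zone B table and only gets tagged "ZoneA/Servers" once connA has a zone for it, while the forwarded events carry a two-hop path that the local Zone A events do not.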