Event Storage Best Practices

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance stores events in a database and refers to as SQL Storage. USM Appliance also stores the normalized log data as Raw Logs on disk for forensic and compliance purposes as well as archival searches. You can forward Raw Logs to a separate USM Appliance Logger for remote storage and to reduce the load on the USM Appliance All-in-One.

The databases on the USM Appliance Server are responsible for:

  • SIEM event and alarm storage
  • Asset inventory storage
  • LevelBlue run-time configurations

Note: USM Appliance stores security events in two databases, alienvault and alienvault_siem, and stores other data in various different databases. The Database section in Configuration > Deployment > LevelBlue Center > System Detail only shows the size of the LevelBlue database and LevelBlue SIEM database respectively, not the full database.

USM Appliance calculates the sizes from the data stored in the database. It is different from running CLI commands such as du in /var/lib/mysql, which calculates folder sizes instead.

The USM Appliance Logger is responsible for:

  • Long-term storage
  • Indexing logs for full-text searches
  • Cryptographically signing logs
  • Allowing access to events as raw text
  • Allowing the forensic analysis of event
  • Fulfilling compliance requirements for log archiving and management

In order to avoid filling up the USM Appliance databases or disk space, and to avoid any potential performance issues, LevelBlue recommends the following best practices:

Note: You should determine the configuration values or frequency based on environment, security, performance, and compliance requirements.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.