Applies to Product: USM Appliance
USM Appliance stores events in a database, referred to as SQL Storage. USM Appliance also stores the normalized log data as Raw Logs on disk for forensic and compliance purposes and for archival searches. You can forward Raw Logs to a separate USM Appliance Logger for remote storage and to reduce the load on the USM Appliance All-in-One.
The databases on the USM Appliance Server are responsible for:
- SIEM event and alarm storage
- Asset inventory storage
- AlienVault run-time configurations
Note: USM Appliance stores security events in two databases, alienvault and alienvault_siem, and stores other data in various other databases. The Database section in Configuration > Deployment > AlienVault Center > System Detail shows only the sizes of the AlienVault database and the AlienVault SIEM database, respectively, not the combined size of all databases.
USM Appliance calculates these sizes from the data stored in the database. The result differs from running CLI commands such as du on /var/lib/mysql, which reports the size of the folders on disk instead.
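The following query is an added example, not taken from the AT&T documentation, of how a size "calculated from the data stored in the database" is typically derived from the MySQL/MariaDB metadata tables. It assumes the two database names given above (alienvault and alienvault_siem) and read access to information_schema; the column names are the standard information_schema.tables columns.

```sql
-- Added example (not AT&T's own code): per-database size from stored data,
-- summing data and index bytes for every table in the named schemas.
-- Assumes the schema names match the page (alienvault, alienvault_siem).
SELECT
    table_schema                                        AS database_name,
    COUNT(*)                                            AS table_count,
    ROUND(SUM(data_length)  / 1024 / 1024, 2)           AS data_mb,
    ROUND(SUM(index_length) / 1024 / 1024, 2)           AS index_mb,
    ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS total_mb,
    -- data_free is allocated but unused space inside the tablespace files;
    -- it is one reason an on-disk du figure exceeds the stored-data figure.
    ROUND(SUM(data_free) / 1024 / 1024, 2)              AS unused_mb
FROM information_schema.tables
WHERE table_schema IN ('alienvault', 'alienvault_siem')
GROUP BY table_schema
ORDER BY total_mb DESC;
```

Compare total_mb with `du -sh /var/lib/mysql/alienvault /var/lib/mysql/alienvault_siem` to see the gap between stored data and on-disk footprint: the du figure also counts free space inside tablespace files, transaction logs and other engine overhead, so it is normally larger. Use the query's figure when judging against the event and log retention thresholds below, and the du figure when judging free disk space.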
The USM Appliance Logger is responsible for:
- Long-term storage
- Indexing logs for full-text searches
- Cryptographically signing logs
- Allowing access to events as raw text
- Allowing the forensic analysis of events
- Fulfilling compliance requirements for log archiving and management
In order to avoid filling up the USM Appliance databases or disk space, and to avoid any potential performance issues, AT&T Cybersecurity recommends the following best practices:
- Configure reasonable backup and storage thresholds (see Event Backup Configuration).
- Enable alarm expiration and alarm lifetime (see Alarm Backup Configuration).
- Enable logger expiration and set an active logger window (see Raw Logs Backup Configuration).
- If needed, adjust the active NetFlow window (see NetFlow Data Backup Configuration).
- If using USM Appliance All-in-One, configure a separate USM Appliance Logger to reduce its load (see Configure the USM Appliance Logger after Deployment).
- Clean up system logs or caches on a regular basis (see Purge Old System Logs).
- If desired, clear SIEM events manually (see Clear All Events from the SIEM Database).
Note: Determine the configuration values and the cleanup frequency based on your environment, security, performance, and compliance requirements.
AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.