
"Remove the White Noise"

Hi all,

I have recently started looking at our LEM installation for the Security Team. They have done some basic configuration and logging, including deploying the agent and seeing what LEM can do. They have reached a point where they are being overwhelmed by the data that is being recorded from the 10 nodes with the agent installed.

We need to find a way to remove this White Noise so that they are able to see the picture much clearer, whilst retaining information for a specified period of time without compromising performance.

What do we want:

Via GPO we reduce what logs are generated on the servers.

Servers generate their logs.

Using LEM we want to take a subsection of these (minus white noise).

Within LEM we want to only be able to see the events that matter to us.

As it stands we are generating millions of events in seconds, and on only 10 nodes.

Performance isn't great, but when you add in the 500 nodes we will be monitoring (if not 1500) the LEM appliance will grind slowly to a halt.

This may just be a training issue and not a limitation.

If any of you Experts out there are able to help I would really appreciate it; they are already talking about looking for other SIEM options, despite my protests.

LEM 6.1 installed, will be upgraded once we can fix the above issues.
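One way to start on the first step above, measuring which Windows Security events actually dominate on a node before trimming audit policy via GPO, as an added example that is not part of the original post or of SolarWinds LEM. It assumes an elevated PowerShell session on a Windows server that has the LEM agent installed; the lookback window and row count are placeholder parameters.

```powershell
# Added example (not from the original post): size up Security-log "white noise"
# on one agent node before deciding which audit subcategories to trim via GPO.
# Assumptions: elevated PowerShell on a Windows server with the LEM agent;
# $LookbackHours and $Top are placeholders, adjust to taste.
param(
    [int]$LookbackHours = 1,
    [int]$Top = 15
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Pull every Security event in the window. On a busy domain controller this
# can be a lot of objects, so the default window is deliberately short.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Security events found since $since"
    return
}

$total      = $events.Count
$ratePerSec = [math]::Round($total / ($LookbackHours * 3600), 2)
Write-Host ("{0} Security events in the last {1}h on {2} (~{3} events/sec)" -f $total, $LookbackHours, $env:COMPUTERNAME, $ratePerSec)

# Rank Event IDs by volume and show each one's share of the total.
# The top few rows are normally the candidates for audit-policy tuning.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First $Top -Property @(
        @{ Name = 'EventId'; Expression = { $_.Name } },
        @{ Name = 'Count';   Expression = { $_.Count } },
        @{ Name = 'Share%';  Expression = { [math]::Round(100 * $_.Count / $total, 1) } },
        @{ Name = 'Task';    Expression = { $_.Group[0].TaskDisplayName } }
    ) | Format-Table -AutoSize

# Print the effective advanced audit policy so each noisy ID can be mapped to
# the subcategory that produces it (for instance, "Filtering Platform Connection"
# is a common source of very high-volume 5156/5158 events).
auditpol /get /category:*
```

Run it on a couple of representative nodes; the subcategories behind the top rows are the ones to review in the GPO's Advanced Audit Policy Configuration, and LEM filters can then handle whatever must still be collected but not shown.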

