
Sheriff CSM™

Event Storage Best Practices

Sheriff CSM stores events in a database, which it refers to as SQL Storage. It also writes the normalized log data to disk as Raw Logs for forensic and compliance purposes and for archival searches. You can forward Raw Logs to a separate Sheriff CSM Logger for remote storage and to reduce the load on the Sheriff CSM All-in-One.

The databases on the Sheriff CSM Server are responsible for:

  • SIEM event and alarm storage
  • Asset inventory storage
  • Sheriff run-time configurations

Note: Sheriff CSM stores security events in two databases, sheriff and sheriff_siem, and keeps other data in several further databases. The Database section under Configuration > Deployment > Sheriff Center > System Detail shows only the sizes of the sheriff and sheriff_siem databases, not the combined size of all databases on the server.

Sheriff CSM computes those sizes from the data stored in the tables themselves. This is not the same figure you get from CLI commands such as du on /var/lib/mysql, which measures how much disk the directory occupies (including unused space inside tablespaces and any other files the server keeps there), so the two numbers are expected to differ.
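The following script is an added example, not part of this page or of Sheriff CSM, that reconciles the two figures: the logical size of the sheriff and sheriff_siem databases as reported by information_schema (data plus index length, which is how a "size from the data stored in the database" view is typically derived) next to the on-disk size of each database directory from du. It assumes a local mysql client that reads its credentials from ~/.my.cnf, GNU du, and a file-per-table InnoDB layout in which /var/lib/mysql/<db>/ holds that database's files; the appliance's own database wrapper, if any, is not documented on this page.

```shell
#!/bin/sh
# Compare MySQL-reported (logical) database size with on-disk directory size.
# ASSUMPTIONS (not from the Sheriff CSM documentation): `mysql` client with
# credentials in ~/.my.cnf, GNU `du -sb`, and innodb_file_per_table so that
# "$DATADIR/<schema>" contains that schema's tablespaces.
set -u

DATADIR="${DATADIR:-/var/lib/mysql}"
TAB="$(printf '\t')"

# SQL that reproduces a "size from the data stored in the database" figure:
# per schema, total data bytes, index bytes, and unused bytes in tablespaces.
size_query() {
  cat <<'EOF'
SELECT table_schema,
       COALESCE(SUM(data_length), 0)  AS data_bytes,
       COALESCE(SUM(index_length), 0) AS index_bytes,
       COALESCE(SUM(data_free), 0)    AS free_bytes
FROM information_schema.tables
WHERE table_schema IN ('sheriff', 'sheriff_siem')
GROUP BY table_schema;
EOF
}

# Run the query against the live server; output is tab-separated columns:
# schema, data_bytes, index_bytes, free_bytes.
db_sizes() {
  mysql -N -B -e "$(size_query)"
}

# On-disk size in bytes of one schema directory, i.e. what `du` reports.
disk_size() {
  du -sb "$DATADIR/$1" 2>/dev/null | awk '{print $1}'
}

# report_line <schema> <data_bytes> <index_bytes> <free_bytes> <disk_bytes>
# Prints the logical size (data + index), the disk size, the unused space
# inside the tablespaces, and the percentage by which disk exceeds logical.
report_line() {
  schema=$1; data=$2; index=$3; free=$4; disk=$5
  logical=$((data + index))
  pct=0
  if [ "$logical" -gt 0 ]; then
    pct=$(( (disk - logical) * 100 / logical ))
  fi
  printf '%-14s logical=%d disk=%d unused_in_tablespace=%d disk_overhead=%d%%\n' \
    "$schema" "$logical" "$disk" "$free" "$pct"
}

# build_report reads "schema<TAB>data<TAB>index<TAB>free<TAB>disk" lines on
# stdin and prints one report line each. Kept separate from the live queries
# so it can be exercised on captured output without a database server.
build_report() {
  while IFS="$TAB" read -r schema data index free disk; do
    report_line "$schema" "$data" "$index" "$free" "$disk"
  done
}

# Join live query output with du output for each schema, then report.
main() {
  db_sizes | while IFS="$TAB" read -r schema data index free; do
    printf '%s\t%s\t%s\t%s\t%s\n' \
      "$schema" "$data" "$index" "$free" "$(disk_size "$schema")"
  done | build_report
}

# Only touch the live server when explicitly asked: ./dbsize.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

A large disk_overhead percentage with a small unused_in_tablespace value usually means the directory holds files that are not table data at all, while a large unused_in_tablespace value points at fragmentation from event purging; either way, the UI figure and du will legitimately disagree, and the script makes clear by how much.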

To avoid filling up the Sheriff CSM databases or disk space, and to avoid the performance problems that follow, AT&T Cybersecurity recommends the following best practices:

Note: Choose the configuration values and frequencies according to your environment and your security, performance, and compliance requirements.

Sheriff Vigilante Limitations: The Sheriff CSM SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.
Topic revision: r10 - 17 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.