Up
Previous Next

Sheriff CSM™

Event Storage Best Practices

Sheriff CSM stores events in a database and refers to as SQL Storage. Sheriff CSM also stores the normalized log data as Raw Logs on disk for forensic and compliance purposes as well as archival searches. You can forward Raw Logs to a separate Sheriff CSM Logger for remote storage and to reduce the load on the Sheriff CSM All-in-One.

The databases on the Sheriff CSM Server are responsible for:

• SIEM event and alarm storage
• Asset inventory storage
• Sheriff run-time configurations

Note: Sheriff CSM stores security events in two databases, sheriff and sheriff_siem, and stores other data in various different databases. The Database section in Configuration > Deployment > Sheriff Center > System Detail only shows the size of the Sheriff database and Sheriff SIEM database respectively, not the full database.

Sheriff CSM calculates the sizes from the data stored in the database. It is different from running CLI commands such as du in /var/lib/mysql, which calculates folder sizes instead.

In order to avoid filling up the Sheriff CSM databases or disk space, and to avoid any potential performance issues, AT&T Cybersecurity recommends the following best practices:

• Configure reasonable backup and storage thresholds, see Event Backup Configuration.
• Enable alarm expiration and alarm lifetime, see Alarm Backup Configuration.
• If needed, adjust the active NetFlow window, see NetFlow Data Backup Configuration.
• Clean up system logs or caches on a regular basis, see Purge Old System Logs.
• If desired, clear SIEM events manually. See Clear All Events from the SIEM Database.

Note: You should determine the configuration values or frequency based on environment, security, performance, and compliance requirements.

Sheriff Vigilante Limitations: The Sheriff CSM SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.