AlienVault® USM Appliance™

Event Storage Best Practices

Applies to Product: USM Appliance™ AlienVault OSSIM®

USM Appliance stores events in a database, which it refers to as SQL Storage. USM Appliance also stores the log data on disk as Raw Logs for forensic and compliance purposes and for archival searches. You can forward Raw Logs to a separate USM Appliance Logger for remote storage, which also reduces the load on the USM Appliance All-in-One.

The databases on the USM Appliance Server are responsible for:

  • SIEM event storage
  • Asset inventory storage
  • AlienVault run-time configurations

The USM Appliance Logger is responsible for:

  • Long-term storage
  • Indexing logs for full-text searches
  • Cryptographically signing logs
  • Allowing access to events as raw text
  • Allowing the forensic analysis of events
  • Fulfilling compliance requirements for log archiving and management
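The reason the Logger signs raw logs is that a log archive used for forensics or compliance is only as good as your ability to prove it has not been altered since it was written. The following is an added illustration of that property, not AlienVault's Logger code and not its on-disk format (which this page does not describe). It links a batch of raw log lines into a SHA-256 hash chain and authenticates the chain head with an HMAC-SHA256 tag under a signing key that only the archiving system is assumed to hold; verification then detects any edited, removed, inserted or reordered line, and any batch silently dropped from the sequence. The sample log lines and the key are constructed for the example.

```python
"""Tamper-evident archiving of raw log lines (added example).

Each batch is folded into a SHA-256 hash chain whose head is carried over
from the previous batch, and the chain head is authenticated with an HMAC
tag. This is an illustration of what "cryptographically signing logs"
buys an investigator; it is not the USM Appliance Logger implementation.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # chain head used for the very first batch of an archive

# Constructed syslog-style sample lines (made up for this example).
SAMPLE_LOGS = [
    "<34>Jun  5 10:01:12 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<38>Jun  5 10:01:13 srv02 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "<38>Jun  5 10:01:19 srv02 sshd[2211]: Accepted publickey for ops from 10.0.0.9 port 40010 ssh2",
]


def chain_digest(lines, prev_digest=GENESIS):
    """Fold every line into the hash chain starting at prev_digest.

    Because each step hashes the previous digest together with the line,
    changing, dropping, adding or reordering any line changes the result.
    """
    digest = prev_digest
    for line in lines:
        h = hashlib.sha256()
        h.update(bytes.fromhex(digest))
        h.update(line.encode("utf-8"))
        h.update(b"\n")
        digest = h.hexdigest()
    return digest


def sign_batch(lines, key, prev_digest=GENESIS):
    """Build an archive record for a batch of lines.

    key: the archive signing key (assumed to be held only by the archiver).
    The HMAC covers the predecessor head, the new head and the line count,
    so none of those fields can be rewritten without the key.
    """
    final = chain_digest(lines, prev_digest)
    msg = f"{prev_digest}:{final}:{len(lines)}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"prev": prev_digest, "final": final, "count": len(lines),
            "lines": list(lines), "tag": tag}


def verify_batch(record, key, prev_digest=GENESIS):
    """Recompute chain and tag for a stored record. Returns (ok, reason).

    prev_digest is the chain head the reader expects this batch to follow;
    passing the previous record's "final" field detects a missing batch.
    """
    if record["prev"] != prev_digest:
        return False, "chain break: batch does not follow expected predecessor"
    if len(record["lines"]) != record["count"]:
        return False, "line count mismatch"
    final = chain_digest(record["lines"], record["prev"])
    if final != record["final"]:
        return False, "content altered: chain digest mismatch"
    msg = f"{record['prev']}:{final}:{record['count']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(expected, record["tag"]):
        return False, "bad signature tag"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-example-signing-key"
    first = sign_batch(SAMPLE_LOGS, key)
    print("intact archive:", verify_batch(first, key))

    forged = dict(first, lines=list(first["lines"]))
    forged["lines"][1] = forged["lines"][1].replace("Failed", "Accepted")
    print("edited line:   ", verify_batch(forged, key))

    second = sign_batch(["<38>Jun  5 10:02:00 srv02 sudo: ops : TTY=pts/0 ; COMMAND=/bin/bash"],
                        key, prev_digest=first["final"])
    print("chained batch: ", verify_batch(second, key, prev_digest=first["final"]))
    print("dropped batch: ", verify_batch(second, key))  # reader expected genesis
```

The HMAC keeps the example dependent only on the standard library; a production archiver would normally use an asymmetric signature (for example an Ed25519 or RSA key pair) so that auditors can verify logs without holding the key that could forge them. The chaining of batch heads is what makes the whole archive, rather than each file in isolation, tamper-evident.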

To avoid filling up the USM Appliance database or disk space, and to avoid the performance problems that follow from doing so, AlienVault recommends the following best practices:

Note: You should determine the configuration values or frequency based on environment, security, performance, and compliance requirements.

AlienVault OSSIM Limitations: Compared with AlienVault OSSIM, the USM Appliance SIEM engine has more diverse capabilities for handling events because of its built-in correlation abilities and graph-based analytics.