You must know why it is better to setup multiple Storage Rules rather than just using one.
Using multiple archives by creating multiple Storage Rules, is a method of getting the most performance out of the SSIM.
Each archive has an input memory queue separate from the other archives.
Each Storage Rule also uses a separate thread to process events.
This allows quicker processing of events for archiving purposes.
For further performance improvement the different archives can be stored on multiple disks which allows multiple disk writes to occur at the same time. This is a primary benefit of Multi-path functionality with a SAN. To use Muti-path, you must have SSIM 4.7.1.
Using multiple archives can also speed up your queries as you only have to query a sub-set of events.
Note that there is a maximum of 16 storage rules that can be set.
Symantec Security Information Manager (SSIM) 4.6 or Later.
This is machine translated content
Login to Subscribe
Please login to set up your subscription.
Didn't find the article you were looking for? Try these resources.