System requirements

All McAfee SIEM appliances communicate via high-speed network infrastructure. Make sure your environment supports McAfee ESM.

These minimum requirements are for dedicated resources, not shared resources.

Supported VM platforms

  • Amazon Web Services (AWS)
  • Hyper-V VM
  • Linux KVM
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)
  • VMware ESXi
  • Xen Hypervisor

Network bandwidth and latency requirements

ESMs should be on a network of at least 1GBps, and remote ERCs that cross the WAN should have at least 100 Mbps. The minimum requirements for individual devices vary based on your environment.

Maximum network latency is 200 ms.

VM RAM requirements

  • ELM - 8 GB
  • ERC - 8 GB
  • ACE - 32 GB
  • DSB - 96 GB

Data Streaming Bus (DSB) VM requirements

  • 32 cores
  • 6-TB disk space
  • Ubuntu 18.04 Azure VMs

Third-party consumers

The Data Sharing and Message Forwarding features require an open port on the militarized network mapped to port 9092. This enables third-party consumers to access Data Streaming Bus public topics.

Required ports (all used ports)

All ports are TCP. All devices must allow two-way established connections.

  • 22 - TCP - all devices
  • 9092 - Kafka - McAfee Event Receiver, McAfee ACE, McAfee Application Data Monitor, DBM, Data Streaming Bus
  • 1210 - Snowflex(server) gossip
  • 1211 - Snowflex - ESMs
  • 1212 - Snowman - ESMs
  • 1119 - EDB Secure - ESMs
  • 8103 - Snowclient/jdbc gossip - ESMs
  • 8104 - Snowclient/jdbc response - ESMs
  • 2181 - Databus management port (internal communications only)

Required ports for a non-clustered environment behind a firewall

For non-clustered ESM environments, whether the environment consists of combination appliances or discrete appliances, only these need to be open:

All ports are TCP. All devices must allow two-way established connections.

  • 22 - TCP - all devices
  • 9092 - Kafka - McAfee Event Receiver, McAfee ACE, McAfee Application Data Monitor, DBM, Data Streaming Bus
  • 1119 - EDB Secure - ESM-to-ESM communication. Not required to be open on the firewall.
  • 2181 - Zookeeper port. Internal communication port within a receiver and ACE. If a DSB is installed, this port is accessed cross-DSB.

Required ports for a clustered environment behind a firewall

For environments where ESMs are clustered and might cross a firewall, additional ports must be open.

All ports are TCP. All devices must allow two-way established connections.

  • 1210 - Snowflex(server) gossip
  • 1211 - Snowflex - ESMs
  • 1212 - Snowman - ESMs
  • 8103 - Snowclient/jdbc gossip - ESMs
  • 8104 - Snowclient/jdbc response - ESMs
  • 443 - ESM-to-ESM communication
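
To confirm that a firewall change actually exposes the ports listed above, the following added example (not McAfee code) probes each required TCP port on an appliance and compares the connect time with the 200 ms latency limit. The function names and the sample address are hypothetical, and using TCP connect time as a stand-in for network latency is an assumption of this sketch.

```python
import socket
import time

# Port lists copied from this page; every port is TCP.
NON_CLUSTERED = {
    22: "all devices",
    9092: "Kafka (Event Receiver, ACE, ADM, DBM, DSB)",
    1119: "EDB Secure, ESM-to-ESM (page: not required on the firewall)",
    2181: "Zookeeper (internal; cross-DSB if a DSB is installed)",
}
CLUSTERED_EXTRA = {
    1210: "Snowflex(server) gossip",
    1211: "Snowflex",
    1212: "Snowman",
    8103: "Snowclient/jdbc gossip",
    8104: "Snowclient/jdbc response",
    443: "ESM-to-ESM communication",
}
MAX_LATENCY_MS = 200.0  # maximum network latency stated on this page

def required_ports(clustered):
    """Return {port: purpose}; a clustered ESM needs the additional ports."""
    ports = dict(NON_CLUSTERED)
    if clustered:
        ports.update(CLUSTERED_EXTRA)
    return ports

def probe(host, port, timeout=2.0):
    """Attempt a TCP connect; return (reachable, connect_time_ms or None)."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, filtered (timeout) or unroutable
        return False, None

def audit(host, ports, max_ms=MAX_LATENCY_MS):
    """Classify each port as 'ok', 'slow' (over max_ms) or 'blocked'."""
    report = {}
    for port in sorted(ports):
        reachable, ms = probe(host, port)
        report[port] = "blocked" if not reachable else ("ok" if ms <= max_ms else "slow")
    return report

if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; use an appliance you manage.
    for port, state in audit("192.0.2.10", required_ports(clustered=True)).items():
        print(port, state)
```

Run it from the network segment of the peer device, since a port that is reachable locally can still be filtered at the firewall between sites.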