System requirements

All McAfee SIEM appliances communicate over high-speed network infrastructure, so make sure your environment supports McAfee ESM. ESMs should be on a network of at least 1GBps, and remote ERCs that cross the WAN should have at least 100 Mbps. The minimum requirements for individual devices vary based on your environment; see the specification sheet for your device.

Data Streaming Bus (DSB) VM requirements

  • 32 cores
  • 96-GB RAM
  • 6-TB disk space
  • Ubuntu 18.04 Azure VMs

Supported VM platforms

  • Amazon Web Services (AWS)
  • Hyper-V VM
  • Linux KVM
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)
  • VMware ESXi
  • Xen Hypervisor

Third-party consumers

The Data Sharing and Message Forwarding features require an open port on the militarized network mapped to port 9092. This enables third-party consumers to access Data Streaming Bus public topics.

Required ports (all used ports)

  • 22 - TCP - all devices
  • 9092 - Kafka - McAfee Event Receiver, McAfee ACE, McAfee Application Data Monitor, DBM, Data Streaming Bus
  • 1210 - Snowflex (server) gossip
  • 1211 - Snowflex - ESMs
  • 1212 - Snowman - ESMs
  • 1119 - EDB Secure - ESMs
  • 8103 - Snowclient/jdbc gossip - ESMs
  • 8104 - Snowclient/jdbc response - ESMs
  • 2181 - Databus management port (internal communications only)

Required ports for a non-clustered environment behind a firewall

For non-clustered ESM environments, whether the environment consists of combination appliances or discrete appliances, only these need to be open:

  • 22 - TCP - all devices
  • 9092 - Kafka - McAfee Event Receiver, McAfee ACE, McAfee Application Data Monitor, DBM, Data Streaming Bus
  • 1119 - EDB Secure - ESM-to-ESM communication. Not required to be open on the firewall.
  • 2181 - Zookeeper port. Internal communication port within a receiver and ACE. If a DSB is installed, this port is accessed cross-DSB.

Required ports for a clustered environment behind a firewall

For environments where ESMs are clustered and might cross a firewall, these additional ports must be open:

  • 1210 - Snowflex (server) gossip
  • 1211 - Snowflex - ESMs
  • 1212 - Snowman - ESMs
  • 8103 - Snowclient/jdbc gossip - ESMs
  • 8104 - Snowclient/jdbc response - ESMs
  • 443 - ESM-to-ESM communication
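
The following is an added example, not McAfee code: it audits a firewall rule set against the port lists above, reporting required ports that are blocked and ESM ports that are open without need for the deployment type. It assumes iptables-save style rules (the sample is constructed) and assumes port 2181 must cross the firewall only when a DSB is installed.

```python
import re

# Port sets transcribed from the lists on this page.
ALWAYS = {22, 9092}            # TCP to all devices; Kafka
ZOOKEEPER = 2181               # internal unless a DSB is installed
EDB_SECURE = 1119              # ESM-to-ESM; not required on the firewall
CLUSTER = {1210, 1211, 1212, 8103, 8104, 443}
KNOWN = ALWAYS | CLUSTER | {ZOOKEEPER, EDB_SECURE}

def required_ports(clustered, dsb_installed):
    """Ports the firewall must pass for this deployment.
    Assumption: 2181 crosses the firewall only when a DSB is installed."""
    ports = set(ALWAYS)
    if dsb_installed:
        ports.add(ZOOKEEPER)
    if clustered:
        ports |= CLUSTER
    return ports

def accepted_tcp_ports(rules_text):
    """Collect TCP destination ports from ACCEPT rules (iptables-save format)."""
    ports = set()
    for line in rules_text.splitlines():
        if "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = re.search(r"--dports?\s+(\S+)", line)
        if not m:
            continue
        for item in m.group(1).split(","):   # multiport: "1210:1212,8103"
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules_text, clustered, dsb_installed):
    """Return (missing, unneeded): required ports not allowed,
    and ESM ports allowed although this deployment does not need them."""
    allowed = accepted_tcp_ports(rules_text)
    needed = required_ports(clustered, dsb_installed)
    return sorted(needed - allowed), sorted((allowed & KNOWN) - needed)

# Constructed sample rule set (not taken from a real device).
SAMPLE_RULES = """\
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 1210:1212,8103,8104 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j DROP
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, clustered=False, dsb_installed=True))
```

The parser does not handle negated matches such as "! --dport"; review rules of that form by hand.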