
When to use a Full System backup, a Settings Only backup, and an Incremental backup with Enterprise Security Manager
Technical Articles ID: KB85742
Last Modified: 7/16/2018


McAfee SIEM Enterprise Security Manager (ESM) 9.6.x, 9.5.x, 9.4.x
McAfee SIEM Event Receiver (Receiver) 9.6.x, 9.5.x, 9.4.x


There are different types of backup available to a SIEM administrator: Full System backup, Settings Only backup, and Incremental backup. This article describes the different types of backup and scenarios for use.
  • Settings Only backups - the best choice if you need to back up everything except events
    • Collects all users, reports, dashboards, Receiver data sources, templates, alarms, filters, watchlists, and user-created content.
    • Small single compressed file; can be saved locally to the ESM.
    • Can run quickly while you wait.

  • Full System backups - the best choice for disaster recovery, or prior to an upgrade
    • Collects everything a Settings Only backup collects, and also collects dashboard events.
    • Full System backups cannot be saved to the ESM; you must set up a CIFS or NFS location to save the backup.
    • Takes several hours, and requires an ESM service restart that will impact service.
    • Uses at least as much space as your database. For example, if your ESM uses 7 TB of space, your backup will need at least that much available.

      NOTE: You can estimate the amount of space needed by totaling the values of a through e, as shown below:
      • a = size of /usr/local/ess/data/
      • b = size of /data_hd/usr/local/ess/data/
      • c = size of /index_hd/usr/local/ess/data/
      • d = size of /Das1_hd/usr/local/data/ (applies only if you have a Direct Attached Storage (DAS) device connected to your ESM)
      • e = 10% of (a+b+c+d)

        Here is an example:
        Location                              Size
        a (/usr/local/ess/data/)              1 TB
        b (/data_hd/usr/local/ess/data/)      2 TB
        c (/index_hd/usr/local/ess/data/)     11 TB
        d (/Das1_hd/usr/local/data/)          20 TB

        The sum of these locations is 34 TB, 10% of which is 3.4 TB.
        So in this example, the grand total of space required for the backup (sum of a+b+c+d+10%) rounded up is 37.5 TB. This estimate takes into account overhead required for temporary files that are created during the backup procedure.

  • Incremental backups
    • Use incremental backups with full system backups.
    • After a full system backup is collected, future full backups will collect only the information that has changed, resulting in faster and smaller backups.
    • All backup files are required for disaster recovery, including the original full backup and all incremental backups.
    • Incremental backups are limited to 300 GB, because the copy is created locally before being moved to the remote location. This limitation was implemented from 9.6 MR3. To learn more, see KB87993.
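
The Full System backup space estimate described above (a through d, plus 10%) can be computed and checked against the backup target before the backup is started. The script below is an added example, not McAfee tooling; it assumes the CIFS or NFS share is already mounted at the directory passed as the argument, and that du and df are available on the ESM.

```shell
#!/bin/sh
# Added example: estimate Full System backup space from the article's a-d paths.
# Usage (assumed): sh estimate_backup.sh /path/to/mounted/backup/share

# Paths a through d from the article; d exists only when a DAS is attached.
ESM_PATHS="/usr/local/ess/data/ /data_hd/usr/local/ess/data/ /index_hd/usr/local/ess/data/ /Das1_hd/usr/local/data/"

# Sum disk usage in KB of the given paths; missing paths count as 0.
sum_sizes_kb() {
    total=0
    for p in "$@"; do
        [ -d "$p" ] || continue
        kb=$(du -sk "$p" 2>/dev/null | awk '{print $1}')
        total=$((total + ${kb:-0}))
    done
    echo "$total"
}

# e = 10% of (a+b+c+d), rounded up to a whole KB, added to the sum.
with_overhead() {
    echo $(( $1 + ($1 + 9) / 10 ))
}

# Succeed only if the filesystem holding $2 has at least $1 KB available.
fits_on_target() {
    avail=$(df -Pk "$2" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$1" ]
}

main() {
    target=$1
    # ESM_PATHS is intentionally unquoted so it splits into four arguments.
    need=$(with_overhead "$(sum_sizes_kb $ESM_PATHS)")
    echo "Estimated space required: ${need} KB"
    if fits_on_target "$need" "$target"; then
        echo "OK: $target has enough free space"
    else
        echo "INSUFFICIENT: $target cannot hold the backup" >&2
        return 1
    fi
}

# Run only when a target directory is supplied on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A path that does not exist (for example the DAS path on an ESM without a DAS) contributes 0 to the total.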
