Ready to upgrade? Let's get started.

Plan Your Upgrade

Before performing your upgrade, follow the steps below, or use our guided flow wizard: click the robot icon in the bottom right and search for "SIEM Upgrade Wizard".

Step 1

Ensure your hardware is not end of life and is supported for the upgrade to 11.4.x. McAfee strongly recommends using Gen 5 hardware or higher for optimal performance.

Step 2

Conduct a thorough planning exercise by reviewing the upgrade steps in the Installation Guide. If your current version is 10.4 or lower, also check the port requirement details.

Step 3

Assess your current network and systems architecture internally, and ensure participants and stakeholders have a high-level understanding of the McAfee ESM platform by reviewing the product guide.

Step 4

Perform an assessment of your current production environment configuration to provide guidance and recommendations for your upgrade. The following steps are demonstrated in this video.

  • 4.1. Download the Upgrade Advisor file.
    • Log on to the McAfee download site with your grant number and email address.
    • From the My Products page, select SIEM Management Solutions under Filters.
    • Click McAfee Enterprise Security Manager.
    • Click the Upgrade Advisor file to download it.
  • 4.2. Install the Upgrade Advisor information file for the version you are upgrading to.
  • 4.3. From the navigation menu, click Upgrade Advisor.
  • 4.4. Click the link below the log status window to update the list of available upgrade versions.
  • 4.5. Click Check Upgrade to <version> and select an upgrade version.
  • 4.6. Click Check.
  • 4.7. Progress and status appear in the Log Status field.

The log status appears. A green status indicates all checks were OK. Red indicates that a previous upgrade compatibility check returned errors. Resolve all reported issues.

IMPORTANT: Failure to resolve issues before starting the upgrade may cause the upgrade to fail.

Disk Space

As a general rule, all devices need 55GB of free space before upgrading.

ELM, ELMREC and ENMELM devices require 150GB of free space each.

Virtual machines also need 55GB of free space before upgrading.
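The free-space thresholds above are easy to check before the upgrade window rather than during it. The script below is an added example, not McAfee's own tooling: it encodes the 55GB and 150GB thresholds from this page per device role and reads free space from a mounted path with POSIX `df`. It assumes the device's data filesystem is mounted at the path you pass in, and it reads 1GB conservatively as 1024*1024 KiB, so a borderline device is flagged rather than waved through.

```shell
#!/bin/sh
# Added example (not McAfee's own tooling): pre-upgrade free-space check using
# the thresholds from this page: 55GB for most devices and virtual machines,
# 150GB each for ELM, ELMREC and ENMELM.
# Assumptions: the device's data filesystem is mounted at the path given to
# check_device, and 1GB is read conservatively as 1024*1024 KiB.

# Minimum free space in GB for a device role, per the thresholds above.
required_gb() {
    case "$1" in
        ELM|ELMREC|ENMELM) echo 150 ;;
        *)                 echo 55 ;;
    esac
}

# Decide from a free-space figure in KiB whether a role clears its threshold.
# Prints a one-line verdict; returns 0 when there is enough space, 1 otherwise.
has_enough_space() {
    role=$1
    free_kb=$2
    # Treat a missing or non-numeric figure (e.g. df failed) as zero free space.
    case "$free_kb" in ''|*[!0-9]*) free_kb=0 ;; esac
    need_gb=$(required_gb "$role")
    need_kb=$(( need_gb * 1024 * 1024 ))
    free_gb=$(( free_kb / 1024 / 1024 ))
    if [ "$free_kb" -ge "$need_kb" ]; then
        echo "OK   $role: ${free_gb}GB free, ${need_gb}GB required"
        return 0
    fi
    echo "FAIL $role: ${free_gb}GB free, ${need_gb}GB required" >&2
    return 1
}

# Free KiB on the filesystem holding a path, from POSIX df (-P) in 1K blocks (-k).
free_kb_at() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 {print $4}'
}

# Check one device role against the filesystem mounted at a path.
check_device() {
    has_enough_space "$1" "$(free_kb_at "$2")"
}

# Demonstration with constructed figures (not real appliance measurements).
has_enough_space ELM 209715200              # 200GB free: passes the 150GB threshold
has_enough_space Receiver 41943040 || true  # 40GB free: fails the 55GB threshold
check_device ESM / || true                  # live check of the root filesystem
```

Run it on each device (or against each device's data mount) before uploading the upgrade files; any FAIL line is a device that needs space reclaimed first.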

Health Flags

Yellow flags commonly indicate inactivity. They may also indicate alarms waiting to be synced or a pending Write action.

Red flags usually indicate more serious conditions and generally point you to the System log.

Best practice is to be "flag free" so that serious issues are not obscured by data source inactivity.

General Status

Verify connectivity and ensure all devices report status OK.

Clear all long running queries in ESM task managers.

Perform a status check from the GUI for every device to ensure that the key system processes are running.

Port Requirements

Note the ports, source/target IP addresses and protocols that need to be allowed by firewall rules.

*If you are upgrading from a 10.x version, it is imperative that you check and understand the port requirements to ensure a smooth upgrade process.

Not following the documentation may lead to a failing upgrade.

Deploy

To successfully upgrade your system, there are three major steps to follow.

Step 1

Download upgrade files using your grant number from the McAfee download site.

*Required: After downloading the files, validate their checksums against the ones provided on the McAfee download site to ensure their integrity.
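A checksum that is only eyeballed is easy to get wrong, so the check is worth scripting. The following is an added example, not McAfee's own tooling: it computes the SHA-256 digest of a downloaded file with whichever standard tool is installed and compares it, case-insensitively, with the value copied from the download page. It assumes `sha256sum` (GNU coreutils) or `shasum` (Perl, as on macOS) is available; the file name and digest in the demonstration are constructed, not a real upgrade bundle.

```shell
#!/bin/sh
# Added example (not McAfee's own tooling): verify a downloaded upgrade file
# against the SHA-256 checksum published on the download site before uploading
# it to the ESM. Assumptions: sha256sum (GNU coreutils) or shasum (Perl/macOS)
# is installed, and the expected digest is copied from the download page as hex.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Compare a file's digest with the expected value (case-insensitive).
# Returns 0 on match, 1 on mismatch or missing file, 2 if no hash tool exists.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got $actual)" >&2
    return 1
}

# Demonstration on a constructed file rather than a real upgrade bundle:
# the digest below is the well-known SHA-256 of the text "hello\n".
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/ESM_upgrade_example.bin"
verify_sha256 "$demo_dir/ESM_upgrade_example.bin" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
rm -rf "$demo_dir"
```

Call `verify_sha256 <downloaded file> <digest from the download page>` for every upgrade file and only upload files that report OK; a FAIL means the download is corrupt or has been altered in transit and must be fetched again.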

Step 2

Upload files to ESM under ESM file maintenance by following the steps below.

  1. Go to System Properties > File Maintenance.
  2. At the top, under Select File Type, choose Software Update Files.
  3. Click the Upload Button.
  4. Browse to the upgrade files.

Step 3

Proceed with the upgrade by following the steps in the Installation/Upgrade Guide.

*IMPORTANT NOTE:
  • Make sure device status is OK before proceeding to the next device.
  • Not following the documentation or skipping the pre-upgrade prerequisites may lead to a failed upgrade.

Post Upgrade

Download McAfee ESM 11.4.x Installation Guide
Detailed Post Upgrade Activities Video

Each post-upgrade activity below lists the activity, the details of how to perform it, and any additional information.

Activity: If upgrading from 10.x or lower, rekey all peripheral devices
  Details: System Properties -> ESM Management -> Key Management -> Regenerate SSH Button -> Yes and close to finish
  Additional information: This operation can take up to 30 min. It displays a message about the rekey being in process; this is completely normal and can be ignored.

Activity: Write settings to the McAfee Event Receiver or ESM/Event Receiver combo
  Details:
  1. On the dashboard, select the device in the system navigation tree, then click the Properties icon.
  2. Click the Data Sources tab -> Write.
  3. Click the Vulnerability Assessment tab -> Write.
  Additional information: Once complete, you will see a 'Write Successful' message.

Activity: Write settings to the McAfee Advanced Correlation Engine (ACE)
  Details:
  1. On the dashboard, select the device in the system navigation tree, then click the Properties icon.
  2. Click Correlation Management -> Write.
  3. If the McAfee ACE is being used in Historical Mode, click Historical -> Enable Historical Correlation -> Apply. If it is already selected, deselect it, select it again, then click Apply.

Activity: Apply rules update
  Details:
  1. Get the latest file from our Download page.
  2. On the system navigation tree, select the ESM device, then click the Properties icon.
  3. System Information -> Rules Update -> Manual Update -> Browse to the update file, click Upload, then click OK.
  Additional information: Select a Receiver. Open the Policy Editor. Roll out rules to all data sources. Repeat for each Receiver in the environment. See KB83046 for further reference.

Activity: Roll out policies
  Details: Policy Editor -> Rollout Icon -> The Rollout page appears -> Rollout policy to all devices now
  Additional information: To schedule the rollout for later, click Edit.

Activity: ESM: Write out Cluster settings
  Details: System Properties -> Clustering -> Write Button -> Yes and close to finish
  Additional information: A success message for this operation is required before continuing.

Optimize

#1 Check Flags
  • Check each device's flag status and what it reports.
  • Make sure you understand why you have any inactive flags. Are they expected? If not, please ensure the data source is collecting data.
  • Watch this video on health flags and how they can impact ESM performance.
#2 Dashboard Views
  • Verify you are receiving data and that it looks accurate.
    • Create Distribution chart for last 30 days to check that it looks normal.
    • Watch this video on creating and analyzing views.
  • Check custom views, verify they are still there and working as expected.
  • Make your "Default System View" whatever makes the most sense for you while keeping efficiency in mind.
    • You can set this to a blank view if you want.
    • Try Event Summary & Event Distribution instead of the normal default view (8 queries instead of roughly 30).
    • Check this by setting up a "fast" default summary view and log out and back in to view the difference.
    • Watch this video on creating fast default system views.
  • Make sure “Refresh Views” is disabled.
  • Watch this video on dashboard views and how they can impact ESM performance.
#3 Task Manager
  • Check for Views taking a long time to load.
  • View details of long queries to find things like REGEX or other poorly optimized queries.
  • Watch this video on how to use the Task Manager to optimize ESM performance.
#4 Alarms
  • Are your alarms optimized for short precise queries?
  • Do you have extremely short conditions, 1 minute? If so, consider using a longer time period.
    • You're asking the system to check this alarm 1440 times per day if it's set to 1 minute.
    • You can see how this can quickly compound with many users running other queries. Every report, view, alarm etc. is competing for system resources.
  • Prioritize your alarms
    • Priority 1 = 5-10 minute intervals
    • Priority 2 = 20-30 minute intervals
#5 Reports
  • Disable any reports you don't need or aren't using.
  • Optimize when your reports run.
    • Schedule these to run during non-peak hours (e.g., 1:00 AM, when fewer users are in the SIEM).
    • Stagger them as much as possible (e.g., fast ones in the first hour, slow ones in the next hour, the slowest ones in the hour after).
#6 ELM
  • ELM Properties > ELM Configuration > Migrate DB
    • Is the space allocated correctly?
    • Is the database in the right location?
    • Watch this video on Migrating ELM DB.
  • Storage Pools
    • Do these look right?
    • Do you have all the space allocated that you need?
    • Do you need to add network storage?
    • Watch this video on ELM storage pools.
  • Retention
    • ELM Properties > ELM Management > View Statistics > ELM Usage tab
    • Check estimated time remaining to exhaust available storage.
    • This tells you by volume how long your retention will be.
    • Watch this video on ELM usage & Retention.
#7 Further Resources