From the SLM and other Sentinel documentation for Hardware Requirements
"You must set up the networked storage location to an external
multi-drive SAN or network-attached storage (NAS)."

Coming from the well under 100EPS perspective.

This is a rather silly hard requirement for 'archival' (i.e.
non-current but we still need to keep) data. We should be able to
allocate a LUN/Datastore/vmdk as a local mount point and continue.
Other parts of the documentation indicate that this can be done without
NFS or CIFS, so I think we can clean up this part to better reflect
this which will help those of us coming into all this SIEM 'fun' for
the first time. If SLM didn't support (as I found buried in the docs)
direct mount points, I was looking at creating that mount point,
bringing it up as an NFS resource, then having SLM look at that NFS

I think the confusion comes from the choice of labels for Current vs
Archival data as there is no logical reason that Archival MUST BE
always put on some other system (we have SAN replication and off site
storage of backups to cover protective needs). I can understand that it
is perhaps more practical in pre-virtualization times for large systems
to have the Archival data on another system, but that is certainly not
the case now on the smaller end of the market. Perhaps it is time to
change those labels to more accurately reflect the function rather than
the technology. Current data vs Archive data should do the trick,
perhaps with local/network in brackets as a transition.

Andy Konecny in Toronto