Yes, it could expand retention. No, you can't search the archive from the console of your live LEM.
The way this works would be:
- Setup the ARCHIVECONFIG command on your production LEM. This copies DB data to another server in a proprietary and encrypted format.
- Time passes...You need data from the past that is no longer on the production LEM
- Download the LEM virtual appliance from the website and spin up an eval LEM
- The LEM only needs a license to receive new data from hosts. Since this eval LEM will never need to get new data, it will never need a license. You can access the console, run nDepth searches and run Reports forever if you want
- Call support, and have them import your archived database partitions into the eval LEM
- Run your reports and searches, using the eval as a data warehouse
- When you're done (you got what you needed, the auditors are happy) blow the eval LEM away or keep it as a historical archive
Because this eval LEM won't be doing rules and correlations or processing new data, you could probably run it at something below minimum spec to conserve resources, but I'd check with support on that.
Performance - There is no measurable impact to the LEM. Searching a week of data from a month ago will be as fast as searching a week of data from a year or five years ago if the LEM disk is large enough.
Storage - Expanding the LEM's volume will cause it to use more storage...? I don't think I understand this question so much.