SNS ProTip for SIEM: Troubleshooting Data Sources with No Events

Version 1

To help you maximize your SIEM deployment, McAfee SNS ProTips deliver troubleshooting, best practices and how-to tips with links to in-depth KnowledgeBase resources.

The inability to collect events from a data source can reduce visibility and undermine compliance with data retention and logging requirements. Occasionally, after you add a new data source to the SIEM Event Receiver 9.x, no events are received, or you might notice that an existing data source that was working stops sending data.

This can be caused by a variety of issues, including a problem with the SIEM policy, the parser process being unable to decode the raw logs into events, or the events not being inserted into the ESM database.

For a complete list of causes and solutions, see KB82387 - How to troubleshoot when no events are received from a new data source.

You can also use this article to troubleshoot existing data sources that are not receiving events.

For more resources, visit the McAfee KnowledgeBase and search for SIEM-related KBs, and visit the McAfee SIEM Community: https://community.mcafee.com/community/business/siem.