ProTip for SIEM: How to Disable Advanced Syslog Parser Rules That are Not Needed

Version 2

    An issue our support engineers sometimes see is that Policy rollout is failing because of errors in custom rules. In addition, users see that Advanced Syslog Parser (ASP) parsing is slow because too many rules are being used on data sources. To correct this, users should make sure that no rules have been enabled system-wide, and that policy rules are enabled for a specific source. For information on how to do this, see KB82879 (

    For more resources, visit the ServicePortal [] and search for related content. Also, visit the McAfee SIEM Community (

    McAfee SNS ProTips help you maximize your protection with troubleshooting, best practices, how-to tips, and links to Knowledge Center resources. To unsubscribe from ProTips or change your SNS settings, visit the SNS Subscription Center [].