
SIEM Foundations: Enable Correlation


Rule-based Event Correlation can be performed on an ACE appliance (preferred) or on any available McAfee Event Receiver. When an ACE is in use in your SIEM design, a Rules-based Correlation Engine should be enabled by default.

To verify Rules-based correlation is enabled on the ACE:

  1. Expand the ACE in your system tree, and verify that there is a Rule Correlation engine enabled.  The screenshot below shows a properly configured ACE. 
  2. If your Rule Correlation engine is not enabled, open ACE Properties and select Correlation Management.
  3. Ensure the Enabled button is selected for your Rule Correlation engine, and then Write the configuration to your ACE.

In an environment where no ACE is available, it is possible to enable rule-based correlation directly on a Receiver appliance, via the instructions below.  It is always preferred to run correlation on an ACE appliance; there are several drawbacks to running correlation on a Receiver:

  • Correlation imposes a performance penalty of ~20% on a typical receiver.  This may impact your ability to parse events under high load.
  • The following correlation modes are not supported on a Receiver appliance:
    • Flow-based correlation
    • Risk-based correlation
    • Deviation-based correlation
    • Historical correlation

To enable Rules-based correlation on an Event Receiver, in environments with no ACE:

  1. Click on any available Event Receiver from the System Tree.
  2. Click the Add Data Source button from the Actions Toolbar. The Add Data Source window will open.
  3. From the Data Source Vendor drop down, select McAfee.
  4. From the Data Source Model drop down, select Correlation Engine.
  5. Enter a Name for this Correlation Data Source.
  6. Click OK.
  7. A dialog box will open indicating that Data Source Settings have changed and must be applied to the Event Receiver. Click Yes.
  8. When the Data Source Settings have been written to the Event Receiver, a dialog box will provide confirmation. Click Close.
  9. Since each Data Source must have a policy applied, the Rollout window will appear. It is a requirement that policy be properly rolled out to the Event Receiver and all corresponding Data Sources after making any changes. Click OK.



I have an ESM all-in-one box. When I try to enable the Correlation Data Source I get the following error:

Only one Correlation data source allowed per receiver. (ER273).

I currently do not have a correlation Engine configured. Any idea?

Version history: Revision 1 of 1. Last update: 08-10-2014 08:58 PM