This has been causing grief for a while... it's a collector with clients, and I cannot get it to talk to the SIEM (v11.1.3; no, I'm not ready to upgrade right now).
This is the debug log that follows on from installing the newest version of Collector. After initial entries I see this:
<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error <2>
<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error(2), waiting for registry key to be re-established
<135> Jul 07 07:52:24 localhost ma_client DEBUG 0 McAfeeAgent::log pause for registry key to be re-established
It just repeats the same cycle every 15 seconds.
I know that people have seen this error with other McAfee products (notably a version of Client Proxy), but don't think anyone came to conclusions on why. Any bright ideas?
Kind regards
James
Those messages just mean Collector can't talk to the ePO agent. They will not prevent communication with the receiver. How are you identifying a communication issue between SIEM Collector and the receiver?
Hi @lratcliffe, this can't be to do with ePO, because the customer doesn't have one. It's a straight-up stand-alone install of SIEM Collector.
Problem identified by CLI access:
In addition, traffic was coming across previously, no changes made to firewalls, so not a firewalling issue.
However, using the removal tool and a second reinstall of the collector did result in traffic flowing across from the WEF server. I don't yet see any logs from the clients, although the customer has specifically set WEF forwarding on.
Cheers
James
I agree - I was saying the log entries you highlighted are unrelated to the issue seen:
<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error <2>
ma_client is the code in SIEM Collector which communicates with the ePO agent (commonly referred to as McAfee Agent).
We need to see other log entries to see the actual problem. If you're identifying no communication at all from SIEM Collector to the receiver yet ping works this could indicate that the SIEM Collector does not have any enabled configurations or is bound to an invalid network interface.
When running the configuration client, the Collector should continually attempt communication, so check the port is set correctly and it's using the right source network interface. If you still see no traffic in tcpdump, check Wireshark on the source machine to ensure you're seeing outbound traffic from it.
Hi Luke,
I have Collector back now - though as I said it's not forwarding from the clients. Someone elsewhere on here said that Collector's a temperamental beast... 🙁
But the tips about not having enabled configurations or being bound to an invalid network interface are useful.
I can't see how we would have altered the network settings in the first place, so how would you check if the configurations are enabled or not?
Either from the UI or from config.xml. In the UI there's an enable button in the top-right hand corner of each host group, host and client. Unless all 3 are enabled (group, host and client), SIEM Collector has no configuration to work with.
In the config.xml file there's an 'Enabled="true"' block for each element to show it's enabled.
WEF forwarded events are a challenging configuration. If you have enabled WEF forwarding on the client configuration, then SIEM Collector will automatically separate the forwarded logs into individual streams for each host machine, using the FQDN (typically) of that machine as the host ID. We attempted to explain this behaviour in KB77092. This means that you need a separate client datasource on the receiver for every single host that is forwarded via WEF, and if any of them do not exist, this causes errors and significantly impacts performance.
If you do not tick the WEF forwarding option, then all events will end up in one datasource on the SIEM - which can make it very hard to isolate logs for individual machines, but is a much simpler setup.
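As an added illustration of the "all three levels must be enabled" rule from the reply above (this is not code from the thread or from the SIEM Collector product), the following script walks a config.xml and reports, for every client, whether its group, host and client entries all carry Enabled="true", and which level is the first one switched off. Only the Enabled="true" attribute comes from the post; the element names HostGroup, Host and Client, the Name attribute and the sample file contents are assumptions chosen for the example, so adjust the tag names to match a real config.xml before relying on it.

```python
"""Report which SIEM Collector clients are effectively enabled in config.xml.

A client only collects when its host group, its host and the client itself
all carry Enabled="true". Assumption for this example: the tree is
HostGroup > Host > Client; only the Enabled attribute is taken from the post.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not a real file): one group with two hosts.
# wef01 is enabled but one of its clients is switched off; wef02 is disabled
# at the host level, so its client is off even though the client says true.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<Config>
  <HostGroup Name="Default" Enabled="true">
    <Host Name="wef01.example.local" Enabled="true">
      <Client Name="Security" Enabled="true"/>
      <Client Name="Application" Enabled="false"/>
    </Host>
    <Host Name="wef02.example.local" Enabled="false">
      <Client Name="Security" Enabled="true"/>
    </Host>
  </HostGroup>
</Config>
"""


def _is_enabled(elem):
    # A missing or malformed Enabled attribute is treated as disabled.
    return elem.get("Enabled", "").strip().lower() == "true"


def effective_client_state(xml_text):
    """Return a list of (group, host, client, enabled, reason) tuples.

    The first disabled level walking down group -> host -> client is the
    reason reported; an empty reason means the client is fully enabled.
    An empty list means the file defines no clients at all, which is the
    "no enabled configurations" case.
    """
    root = ET.fromstring(xml_text)
    results = []
    for group in root.iter("HostGroup"):
        for host in group.findall("Host"):
            for client in host.findall("Client"):
                if not _is_enabled(group):
                    reason = "group disabled"
                elif not _is_enabled(host):
                    reason = "host disabled"
                elif not _is_enabled(client):
                    reason = "client disabled"
                else:
                    reason = ""
                results.append((group.get("Name"), host.get("Name"),
                                client.get("Name"), reason == "", reason))
    return results


def disabled_clients(xml_text):
    """Only the clients that will not collect, with the level that stops them."""
    return [r for r in effective_client_state(xml_text) if not r[3]]


def check_config_file(path):
    """Same check against a config.xml on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return effective_client_state(fh.read())


if __name__ == "__main__":
    for grp, host, client, ok, why in effective_client_state(SAMPLE_CONFIG):
        state = "ENABLED" if ok else f"NOT COLLECTING ({why})"
        print(f"{grp}/{host}/{client}: {state}")
```

Run it against the sample and you get one enabled client and two that will never send anything, one because its own entry is off and one because its host is off; with a real config.xml, pass the path to check_config_file and an empty result means there is nothing enabled for the Collector to work with.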