jamesmac
Level 10
Message 1 of 6

Another problem with Collector

This has been causing grief for a while... it's a collector with clients, and I cannot get it to talk to the SIEM (v11.1.3; no, I'm not ready to upgrade right now).

This is the debug log that follows on from installing the newest version of Collector. After initial entries I see this:

<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error <2>
<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error(2), waiting for registry key to be re-established
<135> Jul 07 07:52:24 localhost ma_client DEBUG 0 McAfeeAgent::log pause for registry key to be re-established

It just repeats the same cycle every 15 seconds.

I know that people have seen this error with other McAfee products (notably a version of Client Proxy), but don't think anyone came to conclusions on why. Any bright ideas?

Kind regards

James

5 Replies
lratcliffe
McAfee Employee
Message 2 of 6

Re: Another problem with Collector

Those messages just mean collector can't talk to the epo agent. They will not prevent communication with the receiver. How are you identifying a communication issue between SIEM Collector and the receiver?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
jamesmac
Level 10
Message 3 of 6

Re: Another problem with Collector

Hi @lratcliffe , this can't be to do with ePO - because the customer doesn't have one. It's a straight-up stand-alone install of SIEM Collector.

Problem identified by CLI access:

  • ping tells me the device is up
  • tcpdump shows me no traffic being sent across

In addition, traffic was coming across previously, no changes made to firewalls, so not a firewalling issue.

However, using the removal tool and a second reinstall of the collector did result in traffic flowing across from the WEF server. I don't yet see any logs from the clients, although the customer has specifically set WEF forwarding on.

 

Cheers

James

lratcliffe
McAfee Employee
Message 4 of 6

Re: Another problem with Collector

I agree - I was saying the log entries you highlighted are unrelated to the issue seen:
<135> Jul 07 07:52:24 localhost ma_client DIAG 0 McAfeeAgent::log failed to open registry McAfee\Agent\, error <2>

ma_client is the code in SIEM Collector which communicates with the ePO agent (commonly referred to as McAfee Agent).

We need to see other log entries to see the actual problem. If you're identifying no communication at all from SIEM Collector to the receiver yet ping works, this could indicate that the SIEM Collector does not have any enabled configurations or is bound to an invalid network interface.

When running the configuration client, the collector should continually attempt communication, so check the port is set correctly and it's using the right source network interface. If you still see no traffic in tcpdump, check Wireshark on the source machine to ensure you're seeing outbound traffic from it.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
jamesmac
Level 10
Message 5 of 6

Re: Another problem with Collector

Hi Luke,

I have Collector back now - though as I said it's not forwarding from the clients. Someone elsewhere on here said that Collector's a temperamental beast... 🙁

But the tips about not having enabled configurations or being bound to an invalid network interface are useful.

I can't see how we would have altered the network settings in the first place, so how would you check if the configurations are enabled or not? 

lratcliffe
McAfee Employee
Message 6 of 6

Re: Another problem with Collector

Either from the UI or from config.xml. In the UI there's an enable button in the top-right hand corner of each host group, host and client. Unless all 3 are enabled (group, host and client) then SIEM Collector has no configuration to work with.

In the config.xml file there's an 'Enabled="true"' block for each element to show it's enabled.

WEF forwarded events are a challenging configuration - if you have enabled WEF forwarding on the client configuration, then SIEM Collector will automatically separate the forwarded logs into individual streams for each host machine - using the FQDN (typically) of that machine as the host id.  We attempted to explain this behaviour in KB77092 - so this will mean that you need a separate client datasource on the receiver for every single host that is forwarded via WEF and if any of them do not exist, this causes errors and significantly impacts performance.

If you do not tick the WEF forwarding option, then all events will end up in one datasource on the SIEM - which can make it very hard to isolate logs for individual machines, but is a much simpler setup.

 

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
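
Added example (not part of the original thread and not McAfee's code): the group/host/client enabled-chain check described in Message 6, scripted against a config.xml. The element names HostGroup, Host and Client, the Name attribute, and treating a missing Enabled attribute as disabled are assumptions; only the Enabled="true" attribute comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Tag names and the Name attribute are assumptions;
# only Enabled="true" is taken from the thread. Adjust LEVELS to the real file.
SAMPLE_CONFIG = """
<Collector>
  <HostGroup Name="wef-servers" Enabled="true">
    <Host Name="wef01" Enabled="true">
      <Client Name="forwarded-events" Enabled="true"/>
      <Client Name="security-log" Enabled="false"/>
    </Host>
    <Host Name="wef02" Enabled="false">
      <Client Name="forwarded-events" Enabled="true"/>
    </Host>
  </HostGroup>
  <HostGroup Name="dmz">
    <Host Name="web01" Enabled="true"><Client Name="iis" Enabled="true"/></Host>
  </HostGroup>
</Collector>
"""

LEVELS = ("HostGroup", "Host", "Client")  # assumed tag names, outermost first

def is_enabled(elem):
    # A missing attribute counts as disabled (assumption) so it gets reported.
    return elem.get("Enabled", "").strip().lower() == "true"

def audit(xml_text):
    """Return (active, blocked): client paths whose whole chain is enabled,
    and (path, [levels that are not enabled]) for every other client."""
    active, blocked = [], []
    def walk(elem, chain):
        if elem.tag in LEVELS:
            chain = chain + [elem]          # copy, so siblings are unaffected
        if elem.tag == LEVELS[-1]:
            path = "/".join(e.get("Name", "?") for e in chain)
            off = [e.tag for e in chain if not is_enabled(e)]
            if off:
                blocked.append((path, off))
            else:
                active.append(path)
        for child in elem:
            walk(child, chain)
    walk(ET.fromstring(xml_text), [])
    return active, blocked

if __name__ == "__main__":
    for path, off in audit(SAMPLE_CONFIG)[1]:
        print(f"{path}: not enabled at {', '.join(off)}")
```

An empty `active` list corresponds to the "no configuration to work with" case from the reply above.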