Message 1 of 5

Auto Learn with ERC Data Sources

Hi,

Has anyone ever managed to get the auto-learn feature working on the data sources for the ERC?

I have tried to get this working both on syslog and WMI, and neither has been successful. If anyone has managed to implement this successfully, please could you share your wisdom, as I am out of ideas?

Thanks

Accepted Solution
Message 2 of 5

Re: Auto Learn with ERC Data Sources

Sure, I have used it to deploy a few dozen data sources (all forwarded by Splunk).

It's a big mess at the moment, as auto-learn is very basic: it doesn't remove duplicates or existing data sources, so going through the list is a bigger pain every time.

Message 3 of 5

Re: Auto Learn with ERC Data Sources

Depending on what version you are on, we ran into a bug where we had to get a small piece of code and run it on each receiver to get Auto-Learn to work. I don't recall the specifics behind why it stopped working, but if there is a bug, we usually find it.

As mentioned, Auto-Learn can sometimes return unexpected results, or provide false information about what a data source type is. It can help in identifying data sources that are sending you logs, if your LAN/WAN and Server teams (Unix/Linux) already know where they need to send logs, but fail to let you know they brought a new device online.

Message 4 of 5

Re: Auto Learn with ERC Data Sources

From my closed SR:

The engineer found a bug. If there were any data sources that were disabled when they upgraded, the system would not create a certain file for the disabled data sources, because they are disabled.
However, the Autolearn function is looking for that file, and since the disabled data sources do not have it, the Autolearn function stops running because it cannot find the file.

Message 5 of 5

Re: Auto Learn with ERC Data Sources

Hi,

I have a syslog-ng which relays the logs of our equipment. I set up the syslog-ng and then activated 'AutoLearn'.

I can see most of the equipment.

- How can I add the equipment that was not retrieved?

- I 'Removed' a piece of equipment which was detected by 'AutoLearn', and now I don't see it. Is it possible to get it back?

- How can I get the real IP address of the host, and not the syslog-ng IP address, as the SourceIP?

Thanks
