poezie
Level 9
Message 1 of 5

Auto Learn with ERC Data Sources

Hi


Has anyone ever managed to get the auto learn feature working on the data sources for the ERC?

I have tried to get this working with both syslog and WMI, and neither has been successful. If anyone has managed to implement this successfully, could you please share your wisdom, as I am out of ideas?

Thanks

1 Solution

Accepted Solutions
aszotek
Level 10
Message 2 of 5

Re: Auto Learn with ERC Data Sources

Sure, I have used it to deploy a few dozen data sources (all forwarded by Splunk).

It's a big mess at the moment, as auto-learn is very basic: it doesn't remove duplicates or existing data sources, so going through the list is a bigger pain every time.

4 Replies
rth67
Level 12
Message 3 of 5

Re: Auto Learn with ERC Data Sources

Depending on what version you are on, we ran into a bug where we had to get a small piece of code and run it on each receiver to get Auto-Learn to work. I don't recall the specifics behind why it stopped working, but if there is a bug, we usually find it.

As mentioned, Auto-Learn can sometimes return unexpected results, or provide false information about what a data source type is. It can help in identifying data sources that are sending you logs, if your LAN/WAN and Server teams (Unix/Linux) already know where they need to send logs, but fail to let you know they brought a new device online.

rth67
Level 12
Message 4 of 5

Re: Auto Learn with ERC Data Sources

From my closed SR -

Engineer found a bug. If there are any data sources that were disabled when they upgraded, the system would not create a certain file for the disabled data sources, because they are disabled.
However, the Autolearn function is looking for that file, and since the disabled data sources do not have it, the Autolearn function stops running because it cannot find the file.

Re: Auto Learn with ERC Data Sources

Hi,

I have a syslog-ng which relays the logs from our equipment. I set up syslog-ng and then activated 'AutoLearn'.

I can see most of the equipment.

- How can I add the equipment that was not retrieved?

- I 'Removed' a device that was detected by 'AutoLearn', and now I don't see it. Is it possible to get it back?

- How can I get the real IP address of the host, and not the syslog-ng IP address, as the SourceIP?

Thanks
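On the third question above (the receiver seeing the relay's address rather than the originating device's), the relevant part is the syslog-ng relay configuration. The following is an added example, not part of the original thread and not McAfee's or syslog-ng's own configuration; the receiver address 10.0.0.5, the UDP/514 ports and the `@version` line are assumptions. It shows a relay that keeps the hostname the device put in the message header and, with `spoof-source(yes)`, sends each forwarded UDP datagram with the original device's IP as the packet source address, so the receiver's SourceIP is the device and not the relay.

```conf
# Added example (not from the original thread): a syslog-ng relay that
# forwards device logs to an ESM receiver while preserving the originating host.
# Assumptions (hypothetical): relay listens on UDP/514, receiver is 10.0.0.5,
# syslog-ng was built with libnet so spoof-source() is available.

@version: 3.38

options {
    # Keep the hostname the sending device wrote into the message header
    # instead of replacing it with the relay's own name.
    keep-hostname(yes);
    # Do not rewrite the hostname via reverse DNS, and do not chain
    # the relay's name onto it.
    use-dns(no);
    chain-hostnames(no);
};

source s_devices {
    network(ip(0.0.0.0) port(514) transport("udp"));
};

destination d_erc {
    network("10.0.0.5" port(514) transport("udp")
        # Put the original sender's IP into the outgoing packet's source
        # address so the receiver sees the device, not the relay.
        # Requires libnet support in syslog-ng, raw-socket privilege
        # (root or CAP_NET_RAW) on the relay, and works only over UDP.
        spoof-source(yes)
    );
};

log { source(s_devices); destination(d_erc); };
```

Two caveats a practitioner should check before relying on this: spoofed source addresses are exactly what anti-spoofing filters (uRPF, firewall egress rules) are built to drop, so the path between relay and receiver must permit them; and because `spoof-source()` is UDP-only, a relay that forwards over TCP or TLS cannot use it and will always appear as the source address, leaving the hostname in the message header as the only identifier of the real device.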
