I've got two data sources whose dsrate :AV has been empty for 10 days.
I've got inbound traffic to the ERC from both data sources.
What can I do? Is there any command from the command line that I could run?
If I understand your problem correctly, you have 2 data sources (in your case, AV)
that are producing events and logs, and the receiver is collecting them fine,
but in the ESM they don't show up.
The 2 most popular reasons:
1. Parsing problems: in the Data Source Editor, configure it to show unknown events.
2. Filtering configuration: in the filter policy, disable all your filters and check if it's working.
The way I'm understanding the issue is that the data is coming inbound to the ERC, which could be verified by tcpdump, but the data isn't making it to the ESM.
As an alternative to the potential parsing issue in the comment above, I would also suggest making sure data isn't stuck in the folder waiting to be picked up and parsed by the receivers. I've run into issues in the past where the data is coming in, but is just sitting in the folder allocated to the data source after altering a rule.
All you need to do is check the folder under "/var/log/data/inline/thirdparty.logs/###/" on a receiver, where ### is the VIPS ID assigned to the data source. Go down the file hierarchy from here and look into the "in" folder. If there are a bunch of files starting with "data" followed by numbers, you may need to roll out a policy update on the receivers to get them moving.
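The backlog check described in the reply above, as an added example that is not from the original thread or from McAfee: it walks the receiver's per-data-source directories and counts "data" files waiting in an "in" folder, flagging files older than a day as a likely stall. It assumes the quoted path and that the VIPS ID is the directory name directly under it.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the receiver
# layout quoted above (<BASE>/<VIPS ID>/.../in/ holding files named
# data<digits> that the parser has not yet picked up), and that files
# untouched for over a day indicate a stalled pickup rather than normal flow.
BASE="${BASE:-/var/log/data/inline/thirdparty.logs}"

# count_stuck <dir>: print the number of data<digits> files inside any "in"
# directory below <dir>. Always returns 0 so it is safe in $(...) under set -e.
count_stuck() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -path '*/in/*' -name 'data[0-9]*' | wc -l | tr -d ' '
}

# count_stale <dir>: same, but only files not modified in the last 24 hours
# (-mtime +0 is POSIX), which points at a stalled pickup.
count_stale() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -path '*/in/*' -name 'data[0-9]*' -mtime +0 | wc -l | tr -d ' '
}

# check_backlog <base> <vips-id|all>: report per data source; return 1 if any
# selected data source has a backlog, so the result can gate a policy rollout
# or feed a monitoring alert.
check_backlog() {
    base="$1"; want="${2:-all}"; rc=0
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        [ "$want" = all ] || [ "$want" = "$id" ] || continue
        n=$(count_stuck "$d"); s=$(count_stale "$d")
        if [ "$n" -gt 0 ]; then
            echo "VIPS $id: $n unparsed data files ($s older than 24h)"; rc=1
        else
            echo "VIPS $id: no backlog"
        fi
    done
    return $rc
}

# Usage: sh check_backlog.sh <VIPS ID>   or   sh check_backlog.sh all
if [ $# -gt 0 ]; then
    check_backlog "$BASE" "$1"
fi
```

Run it on the receiver as a user that can read the thirdparty.logs tree; a non-zero exit means at least one data source has files waiting to be parsed.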
The McAfee knowledge base has a good article on the steps that should be taken when debugging a non-reporting data source.