
Data Source is Not Collect


I've got two data sources whose dsrate :AV has been empty for 10 days.

I've got traffic inbound to the ERC from both data sources.

What can I do? Is there any command from command line that I could run?


3 Replies

Re: Data Source is Not Collect


If I understand your problem correctly, you have 2 data sources (in your case, AV) that are producing events and logs, and the receiver is collecting them fine, but in the ESM they don't show up.



2 Most popular reasons:

1- Parsing problems - in the Data source Editor configure to Show unknown events.

2- Filtering configuration - in the filter policy disable all your filters and check if it's working.


Best regards👍👍👍



Re: Data Source is Not Collect

The way I'm understanding the issue is the data is coming inbound to the ERC, which could be verified by tcpdump, but the data isn't making it to the ESM.

As an alternate potential parsing issue from the comment above - I would also suggest making sure data isn't stuck in the folder waiting to be picked up and parsed by the receivers. I've run into issues in the past where the data is coming in, but is just sitting in the folder allocated to the data source after altering a rule.

All you need to do is check the folder under "/var/log/data/inline/thirdparty.logs/###/" in a receiver, where ### is the VIPS ID assigned to the data source. Go down the file hierarchy from here and look into the "in" folder. If there are a bunch of files starting with "data" followed by numbers, you may need to roll out a policy update on the receivers to get them moving.
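
The folder check described in the reply above, as an added shell example (not part of the original thread and not McAfee tooling). The function names, the optional base-directory and minimum-age arguments, and the VIPS ID 144 in the usage comment are assumptions for illustration; it also assumes a `find` that supports `-maxdepth` and `-mmin` (GNU or BSD).

```shell
#!/bin/sh
# Added example: count files waiting in a data source's "in" folder(s)
# on a receiver. Assumptions (not from the thread): the function names,
# the optional BASE and MIN_AGE_MINUTES arguments, and that queued files
# match the glob data[0-9]* ("data" followed by numbers).

BASE_DEFAULT="/var/log/data/inline/thirdparty.logs"

# pending_files VIPS_ID [BASE] [MIN_AGE_MINUTES]
# Lists files named data<digits>... that sit directly inside any directory
# called "in" below BASE/VIPS_ID. With MIN_AGE_MINUTES, only files whose
# modification time is older than that are listed.
pending_files() {
    dir="${2:-$BASE_DEFAULT}/$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ -n "${3:-}" ]; then
        find "$dir" -type d -name in -exec \
            find {} -maxdepth 1 -type f -name 'data[0-9]*' -mmin "+$3" \;
    else
        find "$dir" -type d -name in -exec \
            find {} -maxdepth 1 -type f -name 'data[0-9]*' \;
    fi
}

# pending_count VIPS_ID [BASE] [MIN_AGE_MINUTES]
# Prints the number of matching files; returns 2 if the data source
# directory does not exist (wrong VIPS ID or wrong host).
pending_count() {
    files=$(pending_files "$@") || return $?
    [ -z "$files" ] && { echo 0; return 0; }
    printf '%s\n' "$files" | wc -l | tr -d ' '
}

# Usage on a receiver (144 is a constructed VIPS ID):
#   sh pending.sh 144          -> all queued data files
#   sh pending.sh 144 "" 60    -> only files older than 60 minutes
if [ "$#" -ge 1 ]; then
    echo "queued data files for VIPS ID $1: $(pending_count "$@")"
fi
```

A count that stays non-zero with the age filter set means files are sitting unparsed rather than just passing through the folder.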


Re: Data Source is Not Collect

The McAfee knowledge base has a good article on the steps that should be taken when debugging a non-reporting data source.
