Not sure if this is an issue with ePO or SIEM or both, but after upgrading ePO to 5.10, I am no longer receiving events on the McAfee SIEM. Testing connection to the website UI is successful, but to the database it is not. Checked permissions of the DB user. All checks out good. Even attempted login with a privileged user account, no good.
I have logged into the server hosting the DB and accessed the DB with the service account that I am trying to authenticate with in the config. So I know permissions are good.
The only difference I noticed is that the DB server created a new DB with "_Events" at the end. It looks to handle all the Endpoint Security apps on ePO. The problem is that I don't believe the SIEM can handle more than one DB at a time. If that's the case, I don't think this was a well-thought-out plan when it came to correlating with their other products.
The errors I receive are below, regardless of which DB I attempt to connect to.
From SIEM data source config:
Test connection unsuccessful. Test connect failed. (ER995). Please view the Help contents or contact Support for troubleshooting information as applicable.
From SIEM /var/message/logs:
Mar 15 14:51:17 McAfee libJobServer.so: Test connect returned with the following message: NotOk (4) Unable to query mssql server (check Database Name)
I had this same issue after upgrading ePO to version 5.10 as well, and updating (or in my case installing) the latest version of the SIEM Extension did not resolve the issue.
My resolution was to grant the service account that the SIEM uses to access the ePO server the same permissions on the new "_Events" database (created by the ePO 5.10 installation) that it already had for the primary ePO database. This can be done in SQL Server Management Studio under Security - Logins.
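The same fix expressed as a T-SQL script instead of the SSMS User Mapping dialog, added here as an example and not taken from the thread. The login name [siem_svc] and the database names [ePO_SERVER] and [ePO_SERVER_Events] are placeholders; substitute the names from your own ePO installation. The script first lists what the SIEM login can already do in the primary database, then mirrors only read access onto the _Events database and verifies it before the SIEM "Test connection" is retried.

```sql
-- Added example, not from the original thread. Placeholders to replace:
--   [siem_svc]          the SQL login configured in the SIEM data source
--   [ePO_SERVER]        the primary ePO database
--   [ePO_SERVER_Events] the new database ePO 5.10 created with the _Events suffix

-- 1. Record the roles the SIEM login already holds in the primary ePO
--    database, so the same (and no more) is mirrored onto _Events.
USE [ePO_SERVER];
GO
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS u ON rm.member_principal_id = u.principal_id
WHERE u.name = N'siem_svc';
GO

-- 2. Map the existing server login into the _Events database. A SIEM
--    collector only reads event rows, so db_datareader is sufficient;
--    avoid db_owner even if the primary database was over-provisioned.
USE [ePO_SERVER_Events];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'siem_svc')
    CREATE USER [siem_svc] FOR LOGIN [siem_svc];
GO
ALTER ROLE db_datareader ADD MEMBER [siem_svc];
GO

-- 3. Verify: the database user is linked to the server login by SID,
--    is a member of db_datareader, and can actually CONNECT.
SELECT u.name AS db_user, l.name AS server_login
FROM sys.database_principals AS u
JOIN sys.server_principals   AS l ON u.sid = l.sid
WHERE u.name = N'siem_svc';

SELECT IS_ROLEMEMBER(N'db_datareader', N'siem_svc') AS is_datareader;  -- expect 1

EXECUTE AS USER = N'siem_svc';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CONNECT') AS can_connect;  -- expect 1
REVERT;
GO
```

If step 3 returns 0 for either check, the SIEM will keep failing with the "Unable to query mssql server (check Database Name)" message quoted above even though the login itself is valid, because the login exists at the server level but has no user mapped in the database it is being pointed at.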