Having big issues with setting up this ERC 9.6 MR4. Still no luck.
My client wants to Auto Learn all the data sources. I have noticed that even with all the Auto Learn set up as '0', it will automatically disable. Then I have to enable it again manually. Sometimes when it refreshes it shows as Enabled. Sometimes when I enable the MEF type, the Syslog will disable. It's really not consistent all the time. Has anyone experienced this sort of issue, and what's the best way to configure AUTO LEARN? It's NOT as easy as just enabling the option. The ERC does not auto learn most of the time. Also, my client wants to auto learn all the SIEM Collector logs from all Windows boxes. Not working AT ALL.
Can anyone please give me some directions?
I'm running v9.6.0 MR5 20160901 and I'm not facing the issue.
Also, ERC will only autolearn syslog sources, flows, MEF and Windows only if they are forwarded as MEF or if you're forwarding them as syslog using Snare, or else the receiver won't recognize any Windows devices if you want to use WMI, nor any databases.