
ERC receives events, but ESM shows nothing

Good Morning,

Recently we have run into an issue where one of our two HA receivers for the McAfee ESM has apparently stopped completing the operation of sending digested logs to the ESM. While watching the data sources of the ESM for new data being received and digested - we have noticed that the ESM was receiving nothing for hours. Ultimately we had to fail-over to the other receiver sitting in standby and luckily that one was working correctly.

While we have filed a ticket with support, I was wondering if anyone else has run into similar issues where a receiver would act like it was reading and writing events, but nothing was coming in on the ESM. My first thought would be there is something wrong with the communication channel to the ESM, but there doesn't seem to be any interference or changes that would have caused this.

We are currently running 10.2 on the SIEM systems.

4 Replies

Re: ERC receives events, but ESM shows nothing

Hi Ddulay94,

 

We're also experiencing this kind of problem using the same version as yours. Has McAfee Support already addressed this issue?

Reliable Contributor David1111
Message 3 of 5

Re: ERC receives events, but ESM shows nothing

Hi,

I don't know the issue, but I know what support is going to say to you:

"upgrade to 11.1.3"

because for HA Environments 11 is recommended.

 

Best Regards👍👍👍

David.

Re: ERC receives events, but ESM shows nothing

I've asked several times about upgrading to 11.x version of the SIEM only to be told to avoid it unless we plan to utilize the clustering capability.

Regarding the results of the ticket, we ended up opening a call home session with McAfee support to review the issues in the background. Apparently the database had become corrupted on one of the devices and needed to be rebuilt.

It's been a while since this occurred, but according to the conversation there was no indicator that a database issue existed according to DBCheck - but corruption definitely existed.

Reliable Contributor David1111
Message 5 of 5

Re: ERC receives events, but ESM shows nothing

WOW, thanks for updating.

That's very unusual... Not seeing the DB errors in the DB.

Good to know that everything is possible.. 🙂

 

Best Regards👍👍👍

David.
