Level 7
Message 1 of 11

ESM 11.0.3 not showing any events, alerts

Hello,

Today we updated ESM to 11.0.3 and ESM does not show any new events, alerts, etc. We have a combo box 5600.

/var/log/messages shows:

Jul 17 19:12:46 McAfee libJobServer.so[2262]: KafkaConsumer failed to consume from kafka broker 127.0.0.1:9092
Jul 17 19:12:47 McAfee IPSDBServer[10947]: Local: Message timed out
Jul 17 19:12:48 McAfee healthmon[3558]: Unknown Healthmon ID for V=1,S=3,@=2752,Process zookeeper is not running.
Jul 17 19:12:49 McAfee IPSDBServer[10947]: Alerts loaded to bus: Count=0, Resend Count=876962, last_time_event: 0
Jul 17 19:12:50 McAfee IPSDBServer[10947]: GetAlertsDirectForDatabus: Alarm source event not pushed, trying again...

and so on...

Receiver / ELM Properties shows Status: NotOK not running: kafkaconfigctl, zookeeper, brokers

Any help on this? Thank you.

bungie

10 Replies
Level 7
Message 2 of 11

Re: ESM 11.0.3 not showing any events, alerts

Just checked /var/log/kafkactl.log and it shows:

/usr/local/kafkaconfig/kafkaconfigctl[5704]
Jul 17 19:21:30 INFO |Starting Kafa Databus
Jul 17 19:21:30 L_ERROR 05704|/etc/NitroGuard/subscriptions_esm.conf does not exist!
Jul 17 19:22:29 INFO |This server is not ready to start the databus.
Jul 17 19:22:29 INFO |Exiting main loop.
Jul 17 19:22:29 L_INFO  05704|Waiting for broker(s) to shutdown
Jul 17 19:22:32 L_INFO  05704|Waiting for Zookeeper(s) to shutdown

If it helps...

bungie

McAfee Employee
Message 3 of 11

Re: ESM 11.0.3 not showing any events, alerts

Have you logged a call with McAfee support on this?

Also, did you run a write command on the data sources again and do a manual rules update after the upgrade? The rules update could help as it's where all the parsers come from.

Level 7
Message 4 of 11

Re: ESM 11.0.3 not showing any events, alerts

No, I haven't logged a call with McAfee support yet.

Yep both: write command & manual rules update

bungie

McAfee Employee
Message 5 of 11

Re: ESM 11.0.3 not showing any events, alerts

OK, I think for that you may need to log a call to get a quicker response. Without actually being on the SIEM, it's difficult to troubleshoot over this forum.

Level 7
Message 6 of 11

Re: ESM 11.0.3 not showing any events, alerts

Yep, I'm aware of that, but it's not so easy to let anyone access our SIEM. It's the customer's SIEM; we are just supporting them. It'll be a long-lasting process, so for that reason I decided to ask here...

bungie

McAfee Employee
Message 7 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi,

Did you fix this problem?

If not, can you provide the output of the following file:

/etc/kafka/server-0.properties

McAfee Employee
Message 8 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi,

Let me know when you're free. I may have a fix for your problem. I replicated the same thing and now have a resolution.

Check if the GUID in /etc/NitroGuard/devSettings.conf is the same as in /etc/NitroGuard/cluster.conf.


Re: ESM 11.0.3 not showing any events, alerts

Hi,

We have the same issue, the same problem. You can see the output of the /var/log/kafkactl.log file below. Could you help me?

Aug 28 08:08:05 INFO |Exiting main loop.
Aug 28 08:08:05 L_INFO 01561|Waiting for broker(s) to shutdown
Aug 28 08:08:08 L_INFO 01561|Waiting for Zookeeper(s) to shutdown
Aug 28 08:08:11 INFO |Restarting service.
Aug 28 08:08:11 L_ERROR 01561|/etc/NitroGuard/subscriptions_rec.conf does not exist!
Aug 28 08:09:10 INFO |This server is not ready to start the databus.

 

McAfee Employee
Message 10 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi Eycaglyan,

Can you review if the GUID in /etc/NitroGuard/devSettings.conf is different to the one in /etc/NitroGuard/cluster.conf?

If it is, mine was fixed by copying the GUID from /etc/NitroGuard/devSettings.conf to /etc/NitroGuard/cluster.conf and restarting the services, that is, the Databus service.

So run service Databus restart. Then, if you monitor the kafkactl.log file, it shouldn't show the brokers or zookeepers shutting down.
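
Added example, not part of the thread and not McAfee tooling: a small Python triage of /var/log/kafkactl.log that counts the failure messages quoted in the posts above (missing subscriptions file, "not ready to start the databus", broker and Zookeeper shutdown waits). The line format and message patterns are inferred only from the excerpts in this thread, and the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Line shapes taken from the kafkactl.log excerpts in this thread:
#   "Jul 17 19:21:30 INFO |Starting Kafa Databus"
#   "Jul 17 19:21:30 L_ERROR 05704|/etc/... does not exist!"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>\w+)\s*(?P<pid>\d*)\|(?P<msg>.*)$")

# Failure messages seen in the posted logs; other messages are ignored.
INDICATORS = {
    "missing_config": re.compile(r"^(?P<path>/\S+) does not exist!$"),
    "not_ready": re.compile(r"not ready to start the databus"),
    "broker_shutdown": re.compile(r"Waiting for broker\(s\) to shutdown"),
    "zookeeper_shutdown": re.compile(r"Waiting for Zookeeper\(s\) to shutdown"),
}

def triage(log_text):
    """Count databus failure indicators in kafkactl.log text."""
    counts, missing, unparsed = Counter(), [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # e.g. the bare "kafkaconfigctl[pid]" banner line
            continue
        for name, pattern in INDICATORS.items():
            hit = pattern.search(m.group("msg").strip())
            if hit:
                counts[name] += 1
                if name == "missing_config" and hit["path"] not in missing:
                    missing.append(hit["path"])
    return {"counts": dict(counts), "missing_files": missing,
            "unparsed": unparsed, "healthy": not counts}

# Sample input: the excerpt posted in the second message of the thread.
FAILING = """\
/usr/local/kafkaconfig/kafkaconfigctl[5704]
Jul 17 19:21:30 INFO |Starting Kafa Databus
Jul 17 19:21:30 L_ERROR 05704|/etc/NitroGuard/subscriptions_esm.conf does not exist!
Jul 17 19:22:29 INFO |This server is not ready to start the databus.
Jul 17 19:22:29 INFO |Exiting main loop.
Jul 17 19:22:29 L_INFO  05704|Waiting for broker(s) to shutdown
Jul 17 19:22:32 L_INFO  05704|Waiting for Zookeeper(s) to shutdown
"""

if __name__ == "__main__":
    print(triage(FAILING))
```

Feeding it only the log lines written after `service Databus restart` gives a quick pass/fail on the check described in the answer above: `healthy` stays true only if none of these messages reappear.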
