bungie
Level 7
Message 1 of 11

ESM 11.0.3 not showing any events, alerts

Hello,

Today we updated ESM to 11.0.3 and ESM does not show any new events, alerts, etc. We have a combo box 5600.

/var/log/messages shows:

Jul 17 19:12:46 McAfee libJobServer.so[2262]: KafkaConsumer failed to consume from kafka broker 127.0.0.1:9092
Jul 17 19:12:47 McAfee IPSDBServer[10947]: Local: Message timed out
Jul 17 19:12:48 McAfee healthmon[3558]: Unknown Healthmon ID for V=1,S=3,@=2752,Process zookeeper is not running.
Jul 17 19:12:49 McAfee IPSDBServer[10947]: Alerts loaded to bus: Count=0, Resend Count=876962, last_time_event: 0
Jul 17 19:12:50 McAfee IPSDBServer[10947]: GetAlertsDirectForDatabus: Alarm source event not pushed, trying again...

and so on...

Receiver / ELM Properties shows Status: NotOK not running: kafkaconfigctl, zookeeper, brokers

Any help on this? thank you

bungie

10 Replies
bungie
Level 7
Message 2 of 11

Re: ESM 11.0.3 not showing any events, alerts

just checked /var/log/kafkactl.log and it shows:

/usr/local/kafkaconfig/kafkaconfigctl[5704]
Jul 17 19:21:30 INFO |Starting Kafa Databus
Jul 17 19:21:30 L_ERROR 05704|/etc/NitroGuard/subscriptions_esm.conf does not exist!
Jul 17 19:22:29 INFO |This server is not ready to start the databus.
Jul 17 19:22:29 INFO |Exiting main loop.
Jul 17 19:22:29 L_INFO  05704|Waiting for broker(s) to shutdown
Jul 17 19:22:32 L_INFO  05704|Waiting for Zookeeper(s) to shutdown

if it helps...

bungie

McAfee Employee rlourenc
McAfee Employee
Message 3 of 11

Re: ESM 11.0.3 not showing any events, alerts

Have you logged a call with McAfee support on this?

Also, did you run a write command on the data sources again and do a manual rules update after the upgrade? The rules update could help, as it's where all the parsers come from.

bungie
Level 7
Message 4 of 11

Re: ESM 11.0.3 not showing any events, alerts

No, I haven't logged a call with McAfee support yet.

Yep, both: write command & manual rules update.

bungie

McAfee Employee rlourenc
McAfee Employee
Message 5 of 11

Re: ESM 11.0.3 not showing any events, alerts

OK, I think for that you may need to log a call to get a quicker response. Without actually being on the SIEM it's difficult to troubleshoot over this forum.

bungie
Level 7
Message 6 of 11

Re: ESM 11.0.3 not showing any events, alerts

Yep, I'm aware of that, but it's not so easy to let anyone access our SIEM; it's the customer's SIEM, we are just supporting them. It'll be a long-lasting process, so for that reason I decided to ask here...

bungie

McAfee Employee rlourenc
McAfee Employee
Message 7 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi,

Did you fix this problem?

If not, can you provide the output of the following file:

/etc/kafka/server-0.properties

McAfee Employee rlourenc
McAfee Employee
Message 8 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi,

Let me know when you are free. I may have a fix for your problem. I replicated the same thing and now have a resolution.

Check whether the GUID in /etc/NitroGuard/devSettings.conf is the same as the one in /etc/NitroGuard/cluster.conf.

Re: ESM 11.0.3 not showing any events, alerts

Hi,

We have the same issue, same problem. You can see the output of the /var/log/kafkactl.log file below. Could you help me?


Aug 28 08:08:05 INFO |Exiting main loop.
Aug 28 08:08:05 L_INFO 01561|Waiting for broker(s) to shutdown
Aug 28 08:08:08 L_INFO 01561|Waiting for Zookeeper(s) to shutdown
Aug 28 08:08:11 INFO |Restarting service.
Aug 28 08:08:11 L_ERROR 01561|/etc/NitroGuard/subscriptions_rec.conf does not exist!
Aug 28 08:09:10 INFO |This server is not ready to start the databus.

McAfee Employee rlourenc
McAfee Employee
Message 10 of 11

Re: ESM 11.0.3 not showing any events, alerts

Hi Eycaglyan,

Can you review whether the GUID in /etc/NitroGuard/devSettings.conf is different from the one in /etc/NitroGuard/cluster.conf?

If it is, mine was fixed by copying the GUID from /etc/NitroGuard/devSettings.conf to /etc/NitroGuard/cluster.conf and restarting the services, that is, the databus service.

So run: service Databus restart. Then, if you monitor the kafkactl.log file, it shouldn't show the brokers or zookeepers shutting down.
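A small POSIX shell check for the condition described in this reply, added here as an example and not McAfee's or the thread's own code. It assumes each file carries the identifier on a line of the form GUID=<value> (the real key name may differ) and uses constructed sample files with placeholder values.

```shell
#!/bin/sh
# Added example (not McAfee's code): compare the GUID recorded in two
# NitroGuard config files before deciding whether to copy it over and
# restart the databus. ASSUMPTION: each file has a line "GUID=<value>";
# adjust the sed pattern if your files use a different key or layout.

# Print the GUID value found in a config file, or nothing if absent.
extract_guid() {
    # case-insensitive key match; tolerates spaces and optional quotes
    sed -n 's/^[[:space:]]*[Gg][Uu][Ii][Dd][[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Return 0 if both files carry the same non-empty GUID, 1 if they differ
# or either file lacks one. Prints a one-line verdict.
check_guid_match() {
    dev="$(extract_guid "$1")"
    clu="$(extract_guid "$2")"
    if [ -z "$dev" ] || [ -z "$clu" ]; then
        echo "MISSING: GUID not found in one of the files"
        return 1
    fi
    if [ "$dev" = "$clu" ]; then
        echo "OK: GUID $dev matches in both files"
        return 0
    fi
    echo "MISMATCH: $1 has $dev, $2 has $clu"
    return 1
}

# Constructed sample files standing in for devSettings.conf and
# cluster.conf (placeholder GUIDs, not values from any real appliance).
TMPD="$(mktemp -d)"
printf 'Name=esm\nGUID=11111111-2222-3333-4444-555555555555\n' > "$TMPD/devSettings.conf"
printf 'GUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\nPort=9092\n' > "$TMPD/cluster.conf"

check_guid_match "$TMPD/devSettings.conf" "$TMPD/cluster.conf" || true   # prints MISMATCH
```

On a real appliance, point the two arguments at /etc/NitroGuard/devSettings.conf and /etc/NitroGuard/cluster.conf; a MISMATCH verdict is the condition this reply resolves by copying the devSettings value into cluster.conf and restarting the Databus service.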
