I am very new to ESM, so this may be obvious - I have integrated ESM (local receiver built in) with ePO5.1, and the connection works fine, listing all of the installed products. I can go to device properties | device management | manual refresh, and the refresh is successful. The device status is still showing as inactive, however, and also advising there are no events to display - there are definitely VSE events contained within ePO as I triggered an EICAR and EICAR-PUO test and can see the events under the relevant endpoint system information.
I am assuming there is a very simple step I am missing - forgive me if this is in the documentation, I am jumping around between different sections at present!
Thanks in advance!
One common cause of this issue is an ePO database name with special characters in it ("-" is a common offender). Try putting square brackets around the DB name in the ePO device config:
Thanks for swift response - DB name is epo_servername, so there are no special characters in use. So the use of special characters will result in a successful connection, but the device will show as inactive in ESM?
Yes, it's possible. In this context, "inactive" means that the ESM hasn't seen any new events from a data source within the period of time defined by the (configurable) inactivity timer. Special characters can interfere with some of the SQL queries the Receiver makes on the database, resulting in no data coming back. The connection tests that occur when the ePO data source is configured do not reveal this condition. It's worth a try. If the brackets don't help, I'd recommend a call to McAfee Support.
Still no luck, but just want to ensure that this isnt simply a case of RTM on my part!
I updated the DB name to include the square brackets, and test connection was again successful.
Looking at Page 34 of the 9.3.0 Product Guide, to define inactivity threshold for a device, I need to go to System Properties | System Information | Events, Flows & Logs - the problem is that when I go to System Properties, there is no 'System Information' option, and I cannot see anything relevent in any of the options.
Is this actually a case of RTM - I need to configure something else that will give me the 'System Information' option? Happy to be told to go away and read more :-)
Hmmm - interesting.
System Properties | System Information | Events, Flows & Logs | Inactivity Settings - I can see all devices I have configured.
System Properties | System Information | Events, Flows & Logs | Show Devices (for download settings for each device) - is only showing the Local Receiver. I am assuming that this is not meant to be the case?
No, what you're seeing is exactly right. "Devices" in this context means SIEM appliances. The settings here allow you to configure how the ESM pulls logs that have been collected by each SIEM Receiver, correlated events that have been generated by the ACE, or other appliances in your environment.
What you see under Inactivity Settings are "Data Sources" in McAfee ESM-ese. The data sources are grouped by the device that is doing log collection.
ok... page 56 of the Product Guide: "Configure options for indexing specific fields of data in the database. If data is not indexed, it's stored but is not displayed in most query results."
System Properties | Database | Settings | Indexing, the index options revolve around MAC address and ports - the test events I am looking for are simply 2 x VSE events (EICAR and EICAR-PUO) and a few VSE Access Protection events that triggered (for some reason) on a HIPS install. Doesnt look logical to me, but this is likely due to my current full lack of understanding... I will keep on digging!
Well, the event receiver appears to be working fine, as I set up a new WMI data source (which is actually the ePO server), and seeing a number of events including account logons etc (enabled auditing in gpedit). Interestingly, I am seeing 'would be blocked by access protection rule' events, so I am assuming that VSE is feeding the Windows event log also.
Quick question on this, however - following the ESM online help, I simply configured a WMI data source, tested the connection (success) and saved. That is all. So now I am just wondering what the Windows agent is for (WindowsEventCollectorInstaller_x86_9.13.27208.420 and Setup_x86_9.13.27208.420) - is this agent configured to collect other items from the server on which it is installed? The README file advises "To add the local agent, you must install a WMI agent on your Windows box. The installer is available by calling McAfee Support at 800-937-2237." - are these installers the agent to which it refers? I am trying to find further documentation for this at present.
Anyhoo - as I am getting logs from one data source configured on the ERC, I am assuming that there is either an issue here, or I have not configured/mis-configured something somewhere! As said, I am relatively new to this, so I will update this post when I get things up and running in case anybody runs into a similar issue!