I've installed the all-in-one ESM, receiver, logger virtual appliance and now I'm playing around with it. I've tried adding epo as a source of events, but it just shows up as inactive. I can tell you that I have plenty of threat, audit, client and server events.
This is how it's configured:
Testing the connection to the data source shows up as successful. Also, for the Microsoft Event log I can schedule a pull interval (default 10 minutes), but here I don't have that option.
Any help is greatly appreciated!
That configuration looks good, and it looks like the client data sources have been created too, so there is a connection to the epo DB. You did not mention the version of ESM that you are running, and if it's a version prior to 9.1.3 you may have found a bug which is fixed in 9.1.3. Also, if you look at the Status of the device from ESM > Properties, is there an error for epo not running?
My recommendation is to log this problem as a support ticket and we can work with you to address this problem and get it resolved ASAP.
Bumping this old thread because I'm experiencing a similar problem. I successfully added ePo source to McAfee ESM (virtual appliance v9.1.3) some two weeks ago. The client data sources have been created, but the ESM is retrieving an unsatisfying number of events from ePo. For instance, I'm not getting any events from McAfee DLP. I'm interested in general in what I can get out of ePo, but I'm especially focused on DLP.
1. Which events are supposed to be retrieved by the ESM? I have lots of events showing up in various ePo views - should all of them be retrieved by ESM?
2. Should I configure something in ePo? (Right now I simply added the ePo source in ESM, tested the connection and retrieved client data sources).
For the moment I received two types of events from McAfee VirusScan source: 'Update successful' and 'Deployment failed'. ESM also discovered these client sources, for which I've also received nothing:
ePo Orchestrator Agent
McAfee Host Data Loss Prevention
McAfee Host Intrusion Prevention
McAfee Site Advisor
Is this done from the GUI? I have a reseller grant number and I can only see the VM options for download. I don't have any updates for download, only the 9.1.3 VM build images.
Found an update button, but it says I need to upload the files from my machine...
Georgec - if you need a hotfix for the ESM devices, you have to ask the McAfee Support about them. There is no way to download it from the Download Products portal.