Showing results for 
Search instead for 
Did you mean: 

How can I disable aggregation for specific data source?


Can anybody to explain me how can I disable aggregation for specific data source.

I have data source of custom application and I want to disable aggregation for all events from this data source.

How can I do?

I use SIEM 9.5 MR4.

Second scenario:

How can I disable aggregation for data source that use McAfee Collector Utility as a data source for events from MS SQL database.

There is no ASP rules where I can disable aggregation. I can only disable aggregation on data-sources in Policy Manager, but number of new data sources constantly grows. How can I disable this manner?

Has anybody solve this problem?

KB84753 is not solution for this problem. I have tested it, but without any success.

Thank you.

Kind Regards,


1 Reply

Re: How can I disable aggregation for specific data source?

HI Tomas,

Actually the KB works but it's not for single event.

If this is ASP which i assume it is then you could remove the filter from signature-id and apply filter for your device id.

This way the policy for that device will be aggregation turned off.

Also by going into policy editor under Data Sources tab you can filter by device id and disable aggregation for these events in general.

Solution is tested and works.

In case that you are observing different behavior please log a case with McAfee as it might be a product problem.