I just installed McAfee ESM 11.4.1. But roll out does not work in datasources that I added. I get the following error. Can you help me please?
Could not update policy - "Error: Could not execute command on device" (NotOk Failed testing asp rules (global_lookup_table_file - -1
Have you done a rules update? Is the write out failing or the roll out of policy failing? If it is just the policy roll out, do you have any custom rules enabled? If you do, try disabling them. Then try rolling out again.
I didn't write out any rules. NGCP user did not have admin authority, even if I added it, then it is deleted. I turned on a different user with admin authority and then didn't get a roll out error when adding datasources. I want to update and install the rule updates version, but when I upgrade from 11.4.1 to 11.4.3, it still remains at 11.4.1 and does not accept rule updates 11.4.3. What's the reason? Do I need to do a different operation before updating the rule after the upgrade?
I'm struggling to understand your statements about what's happening:
"NGCP user did not have admin authority" - unless you've renamed it (in which case, use the renamed superuser account not a new one called "NGCP") the NGCP account is the superuser. It is always an admin.
"when I upgrade from 11.4.1 to 11.4.3, it still remains at 11.4.1 and does not accept rule updates 11.4.3."
Rule updates and SIEM upgrades are quite different processes and use completely different files. The rule update file for one version will not work on a different version; you would need to use a rule update file which matches your installed version. We recommend using the online rule update process if possible, but if you need to use manual upgrades and are not running the latest version of SIEM, please contact support for a rule update file.
Administrator rights did not come as 'enable' in the NGCP user, as in the photo below. Is that normal?
Yes, I have different files for rule updates and upgrades. Rule update was not made after ESM upgrade and continues to appear as siem 11.4.1. Should I take another action?
Yes, the screenshot provided is normal.
"continues to appear as siem 11.4.1." I do not understand what you mean by this.