After upgrading to 9.5.0 MR4 20150511, we have noticed a main function of ESM not functioning properly.
Alarms are triggered based on correlation rules/field matches/internal event match/etc.
Actions are to: log the event and send a message to specified users.
Some alarms send a message and some do not. This is very sporadic. It turns out that there is a bug in the current latest version of the SIEM. BZ #1072749
We have also created an escalation task which gets triggered after 2 minutes and also sends a message, hoping this would be a workaround. 5/10 times our alarms send out a message via email. The other 5 times, it does not.
Has anyone seen this issue? If so, do you have a consistent workaround?
P.S.: There is nothing wrong with our alarm criteria or anything as such. Alarms were working perfectly fine before the upgrade.
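One way to measure how often the "send a message" action actually fires, rather than relying on noticing missed emails: reconcile the alarm log against the mail-relay log and flag every alarm configured to send a message that has no sent mail within a grace window. The script below is an added example, not ESM code or output from the thread; both log formats are constructed for illustration, so the two regexes would need to be rewritten for a real alarm export and mail log.

```python
"""Reconcile triggered alarms against the outbound notification log.

Added example: the ALARM/MAIL line formats are hypothetical and constructed
for this illustration, not an ESM export format. Swap the two regexes for
parsers that match your actual alarm export and mail-relay log.
"""
from datetime import datetime, timedelta
import re

# Constructed alarm-log lines: when each alarm fired and which actions it has.
ALARM_LOG = """\
2015-05-20 10:00:05 ALARM id=1001 name="Priv group change" action=log,message
2015-05-20 10:01:10 ALARM id=1002 name="Failed logins" action=log,message
2015-05-20 10:03:40 ALARM id=1003 name="Priv group change" action=log,message
2015-05-20 10:05:00 ALARM id=1004 name="Watchlist hit" action=log
"""

# Constructed mail-relay lines: one line per outbound message, keyed by alarm id.
MAIL_LOG = """\
2015-05-20 10:00:07 MAIL to=soc@example.com subject="ESM alarm 1001" status=sent
2015-05-20 10:04:15 MAIL to=soc@example.com subject="ESM alarm 1003" status=sent
"""

ALARM_RE = re.compile(r'^(\S+ \S+) ALARM id=(\d+) name="([^"]*)" action=(\S+)$')
MAIL_RE = re.compile(r'^(\S+ \S+) MAIL .*subject="ESM alarm (\d+)" status=(\w+)$')
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_alarms(text):
    """Return a list of dicts (ts, id, name, actions) for each alarm line."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.match(line)
        if m:
            alarms.append({
                "ts": datetime.strptime(m.group(1), TS_FMT),
                "id": m.group(2),
                "name": m.group(3),
                "actions": set(m.group(4).split(",")),
            })
    return alarms


def parse_mail(text):
    """Map alarm id -> list of timestamps at which a message was actually sent."""
    sent = {}
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(3) == "sent":
            sent.setdefault(m.group(2), []).append(datetime.strptime(m.group(1), TS_FMT))
    return sent


def find_unnotified(alarm_text, mail_text, grace=timedelta(minutes=5)):
    """Ids of alarms with a 'message' action but no sent mail inside the grace window.

    Alarms whose actions are log-only are skipped: no message was expected."""
    sent = parse_mail(mail_text)
    missing = []
    for a in parse_alarms(alarm_text):
        if "message" not in a["actions"]:
            continue
        window_end = a["ts"] + grace
        if not any(a["ts"] <= t <= window_end for t in sent.get(a["id"], [])):
            missing.append(a["id"])
    return missing


def notification_rate(alarm_text, mail_text, grace=timedelta(minutes=5)):
    """Fraction of message-bearing alarms that produced a sent mail in time."""
    expected = [a for a in parse_alarms(alarm_text) if "message" in a["actions"]]
    if not expected:
        return 1.0
    missing = find_unnotified(alarm_text, mail_text, grace)
    return (len(expected) - len(missing)) / len(expected)


if __name__ == "__main__":
    for alarm_id in find_unnotified(ALARM_LOG, MAIL_LOG):
        print(f"alarm {alarm_id}: no message sent within the grace window")
    print(f"notification rate: {notification_rate(ALARM_LOG, MAIL_LOG):.0%}")
```

Running this periodically gives a hard number for the failure rate instead of an impression, and the list of silent alarm ids is what a support case needs. The grace window should be at least as long as any escalation delay you configure, otherwise a message sent by the escalation task is counted as missing.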
We have the exact same issue with 9.5.0 MR4.
Ref: SR: <4-8619802951>
We had to go through 2x upgrade cycles to address various bugs that kept popping up after each upgrade.
80% of our priv group monitoring alerts, but the other 20% just does not work, and the data is there, etc.
We upgraded from 9.4.2 to 9.5, so we didn't have to go through any of the upgrade cycles. As of right now, the issue is still persisting. If you come across any workaround that may be beneficial to share, please do so.
We have been told that this issue is fixed in MR6, and there is no release date for MR6 yet. I am always hesitant to jump to the latest version, knowing that there are a ton of bugs in every new release.
MR5 has significant fixes for both memory and performance. Since the release of 8.5.x, there has been a concerted effort to provide long term stability and performance. I can't give a date for MR6, as it has to go through QA.
We are also having sporadic watchlist, alarm, and rules issues with 9.5.0 MR4 (SR # <4-10352845161>). Our issues get magically fixed overnight for no reason. I've got a McAfee engineer checking things out in my support case, though I imagine the end result will be a recommendation to upgrade to MR5.
The problem with upgrading to the newest (least tested) version is always introducing new bugs. We've definitely had our share of that through the past couple years of upgrades, where updates might break everything.
Of course, right now we run into these situations where things break anyway, so what do we have to lose...
I'll wait to hear back on my case to see if an upgrade is recommended by the support engineer.