
McAfee SIEM 9.5.0 Alarms issue

After upgrading to 9.5.0 MR4 20150511 - We have noticed a main function of ESM not functioning properly.

Alarms are triggered based on correlation rules/field matches/internal event match/etc.

Actions are to: Log event and send a message to specified users

Some alarms send a message and some do not. This is very sporadic. It turns out that there is a bug in the current latest version of the SIEM. BZ #1072749

We have also created an escalation task which gets triggered after 2 minutes and also sends a message, hoping this would be a workaround. 5/10 times our alarms send out a message via email. The other 5 times, they do not.

Has anyone seen this issue? If so, do you have a consistent workaround?

P.S: There is nothing wrong with our alarms criteria or anything as such. Alarms were working perfectly fine before the upgrade.

12 Replies
exbrit
Message 2 of 13

Re: McAfee SIEM 9.5.0 Alarms issue

Moved to SIEM for faster handling.

---

Peter

Moderator

japie
Message 3 of 13

Re: McAfee SIEM 9.5.0 Alarms issue

Hi Zulu_Baba

We have the exact same issue with 9.5.0 MR4.

Ref: SR: <4-8619802951>

We had to go through 2x upgrade cycles to address various bugs that kept popping up after each upgrade.

80% of our priv group monitoring alerts but the other 20% just does not work and the data is there etc.

Cheers,

Japie

Re: McAfee SIEM 9.5.0 Alarms issue

Hi Japie,

We upgraded from 9.4.2 to 9.5 so we didn't have to go through any of the upgrade cycles. As of right now, the issue is still persisting. If you come across any workaround that may be beneficial to share, please do so.

Thanks,

Z

penoffd
Message 5 of 13

Re: McAfee SIEM 9.5.0 Alarms issue

Not sure if it will help or is an option, but we found that the MR5 patch cures a number of issues in the SIEM.  This may be one of them....

Dan

Re: McAfee SIEM 9.5.0 Alarms issue

We have been told that this issue is fixed in MR6 and there is no release date for MR6 yet. I am always hesitant to jump to the latest version, knowing that there are a ton of bugs in every new release.

Re: McAfee SIEM 9.5.0 Alarms issue

MR5 has significant fixes for both memory and performance. Since the release of 8.5.x, there has been a concerted effort to provide long-term stability and performance. I can't give a date for MR6, as it has to go through QA.

Re: McAfee SIEM 9.5.0 Alarms issue

We are also having sporadic watchlist, alarm, and rules issues with 9.5.0 MR4 (SR # <4-10352845161>).  Our issues get magically fixed overnight for no reason.  I've got a McAfee engineer checking things out in my support case, though I imagine the end result will be a recommendation to upgrade to MR5.

Re: McAfee SIEM 9.5.0 Alarms issue

I would recommend MR6.  MR5 solves many of the issues you are describing, such as watchlist and rules.

Re: McAfee SIEM 9.5.0 Alarms issue

The problem with upgrading to the newest (least tested) version is always introducing new bugs.  We've definitely had our share of that through the past couple years of upgrades, where updates might break everything.

Of course, right now we run into these situations where things break anyway, so what do we have to lose...

I'll wait to hear back on my case to see if an upgrade is recommended by the support engineer.

Thanks