We have intgrated our McAfee ePO and McAfee IPS products with our McAfee SIEM. We wanted to search for some IPS logs on the ELM and received an error "The device is not currently associated with an eLM (ER602)". So we checked if the logging option was selected or not and it was not selected. We selected it and the device updated this info and rolled out as well (in case a rollout is also advised), and the logging checkbox is checked now. An ELM search again returned the same error. Then we checked for ePO and the result is the same for ePO also. (we have distributed physical devices and virtual and combobox devices as well but all have the same problem). SIEM version is 10.2.1.
The main difference with McAfee devices and all other data sources is that, McAfee devices/data sources are added as "add device" under ESM and other data sources are added as "add data source" under receiver.
I don't think we have a problem with the configuration becasue when we want to add a McAfee device (such as ePO or IPS) under the receiver, we are warned by the GUI that the device has to be added under ESM.
Has anybody encountered the same issue, or, has anybody made an ELM search for ePO or IPS under McAfee SIEM and got what they wanted and how?
First thing I'd try is forcing a data write on the receiver (Receiver Properties -> Data Sources -> Write). If Write is greyed out, edit a data source and add then remove a character to the name or something to make it think you changed something, then you can do the write. (McAfee, please allow us to force a write without this step).
If that doesn't help, I'd also try a full policy roll out.
We made dummy changes on the editor and saved and wrote again. It did not help. Then a full rollout is also done. Unfortunately it did not help.
Thanks for the reply.
We have an active storage and we are using it for all the data sources, and we can query the ELM.
The interesting part is that, McAfee data sources are added in a different way then other sources (dc, firewall etc are added different than McAfee produts). When we click logging on McAfee devices such as ePO or NSM, we get the error.
Yes, the data sources are added in a different way, but they are still associated with an Event Receiver. On the ePO data source, can you check the connection tab for the Associated Receiver. Then can you validate that Receiver has an ELM associated to it?
Also, what error are you getting when you click the Logging?
We get the error : "The device is not currently associated with an eLM (ER602)"
This is the error we get when we select "logging" for ePO and NSM. We do not get this error when we select logging in any other data source. Other data sources work fine.
You could do a Manual Refresh of the ePO device. Open ePO Device > Device Management > Refresh
Validate the ERC to ELM connectivity. Identify the ERC the ePO is associated with. On that ERC, go to Receiver Configuration. Check the ELM IP and also attempt to Sync the ELM. Can you SSH from your ERC to the associated ELM with no issues?
The last thing I would attempt would be to force a write of all the data sources on that same ERC your ePO is associated to. Find one data source, uncheck parsing. Click Write. check parsing, Click Write.
If none of that works, I would make a call to support.