MR03
Level 9
Message 1 of 14

Mcafee ELM does not display data source streams or events

I have several data sources added to McAfee ELM on my McAfee ESM, and it has not generated data for me for one month. I have a physical computer and I understand that the ELM storage is not saved in the system, but when I go to the storage pool, the ELM tells me that the storage is being saved on the system. I would like to know if you can guide me more to identify the problem of why the ELM does not show me any events from my data sources. I have a hunch that it is a space problem of the ELM, because if the ELM is low on space it no longer processes any events and stops completely, without deleting the old data, and does not generate new data.

Please can you guide me on what is causing the ELM not to generate events in the normalized panel.

PS: I have not renewed the license yet but I doubt that this has to influence the case that the ELM does not generate events from my data sources.

PS2: When I select a data source and click on view streaming events, the ELM shows me events and data from my data sources, but when I select the ELM and click on get events and flow, it doesn't show me any events in the normalized panel.

13 Replies
spamidi
McAfee Employee
Message 2 of 14

Re: Mcafee ELM does not display data source streams or events

Hello,

The Physical ELM device does have local storage and storage pool(s) can be configured to use that space.

The raw logs are compressed and stored in .elm files. The index of these logs is stored in the ELM Management database.

When you drill down events from one of the ESM Dashboard views, the ELM Archive tab in the bottom pane will attempt to fetch the raw logs by querying the ELM management database and looking up the relevant log in the .elm files.

The other way you can retrieve the ELM log associated with a particular data source is from the ELM Properties window.

Look up these articles:

KB82518: How to find and retrieve Enterprise Log Manager data

https://kc.mcafee.com/corporate/index?page=content&id=KB82518&locale=en_US

Perform an enhanced ELM search

https://docs.mcafee.com/bundle/enterprise-security-manager-11.0.0-product-guide-unmanaged/page/GUID-...

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
MR03
Level 9
Message 3 of 14

Re: Mcafee ELM does not display data source streams or events

Is there a possibility that the ELM does not generate current events because of some issue with the local storage space?

spamidi
McAfee Employee
Message 4 of 14

Re: Mcafee ELM does not display data source streams or events

ELM will treat the .elm files as containers and will expire any logs that are out of retention period. So as new logs come in they 'overwrite' the space used by the expired logs - effectively reusing the space.

You may want to log an SR with support and share the output of the following command:
./elm-info.sh 

The command generates a file in the /root folder which you can share with support for investigation.

MR03
Level 9
Message 5 of 14

Re: Mcafee ELM does not display data source streams or events

I understand the part about "overwrite" when the files exceed the retention time, but in my case I do not have the option of active data retention; the option I have is "save all the data that the system allows".

spamidi
McAfee Employee
Message 6 of 14

Re: Mcafee ELM does not display data source streams or events

So the Data Retention setting that you refer to is from the ESM Properties dialog and is applicable for parsed data being inserted into the ESM Database. The ELM retention is based on the retention setting configured for each storage pool when the storage pool is defined.
You can check this value for a specific storage pool by selecting the pool and clicking 'Edit'.

MR03
Level 9
Message 7 of 14

Re: Mcafee ELM does not display data source streams or events

Thanks for your quick responses, I really appreciate it. Regarding the space in "storage groups", I notice that the ELM device does not have any storage group. I even get the below message:

("The ELM admin database currently resides on the system drive along with the rest of the OS. If this drive runs out of free space, it will stop logging and existing log data will be lost. McAfee strongly recommends moving the database to a storage device with a minimum of 500GB of free space. If your ELM is SAN-compliant, configure the SAN volumes first and then migrate the database using the option on the receiver setup tab.")

spamidi
McAfee Employee
Message 8 of 14

Re: Mcafee ELM does not display data source streams or events

Right - so that looks like your management database is on the local storage (/elm_storage/local) which is a separate disk on a Physical ELM box and should be enough for the short term if you are only going to store the management database and not use the same storage for allocating space to different storage pools.

The management database size can grow over time to fill up the disk depending on how many index partition files it has to maintain for the .elm files and for how long. 

Based on the message and what you mention, you are yet to define a storage pool.

What model of appliance is this?

Refer to the following community link for configuring ELM Storage pool:

SIEM Foundations: Define ELM Storage Pools

https://community.mcafee.com/t5/Enterprise-Documents/SIEM-Foundations-Define-ELM-Storage-Pools/ta-p/...

MR03
Level 9
Message 9 of 14

Re: Mcafee ELM does not display data source streams or events

I have data from many data sources since 2019. Can you provide me with any command to see the disk space of the physical ELM in the console? Or, if you know a way to see the space of the ELM via the graphical interface, could you please provide it to me?

spamidi
McAfee Employee
Message 10 of 14

Re: Mcafee ELM does not display data source streams or events

Hi,

I gather when you say data from many data sources - you refer to the ESM with its parsed events. 

Like I said earlier, ELM has two components: the management database, which holds the index of the .elm files and configuration data, and second would be the .elm files themselves, which can be on the local storage or a remote share.

If you can share a screen capture of the ELM Properties and ELM Properties Data page, that will help me understand your config. From your earlier replies it appears the ELM is not configured with storage pools. Without this there won't be any logging happening.

If you are certain the ELM was configured and logging was enabled for one or more data sources, then please log a support SR so we can look into it.

Regarding the free space - if you can SSH to the ELM and run this command to check on disk space:

df -h

If you have ELM configured with storage pools - you can navigate to the ELM Properties page.

Refer to this link for the steps:
View ELM storage usage

https://docs.mcafee.com/bundle/enterprise-security-manager-11.1.x-installation-guide/page/GUID-CA6A8...

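An added example, not part of the thread and not McAfee tooling: a small shell function that reads `df -P` output and flags the two locations the thread discusses, the system drive `/` and `/elm_storage/local`, once usage crosses a threshold, so that a log store filling up is noticed before collection stops. The sample listing, the 90% threshold and the function name `check_df` are assumptions constructed for illustration, as is the assumption that `/elm_storage/local` appears as its own mount point.

```shell
#!/bin/sh
# Constructed sample of `df -P` output; the sizes are illustrative and
# were not captured from a real appliance.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 51475068 49930816 1544252 97% /
/dev/sdb1 1922728752 961364376 961364376 50% /elm_storage/local
tmpfs 8134404 0 8134404 0% /dev/shm'

# check_df MAX_PCT [MOUNT...]   (hypothetical helper)
# Reads `df -P` output on stdin and prints one line per watched mount:
#   ALERT <mount> <used%> <avail-KiB>   when usage >= MAX_PCT
#   OK <mount> <used%> <avail-KiB>      otherwise
#   MISSING <mount>                     when the mount is not listed
# Returns 1 if any watched mount is ALERT or MISSING, 0 otherwise.
# Mount points containing spaces are not handled.
check_df() {
    max=$1; shift
    awk -v max="$max" -v watch="$*" '
        BEGIN { n = split(watch, w, " ") }
        NR > 1 {
            # -P keeps each filesystem on one line: field 5 is Capacity,
            # field 4 is Available (KiB), field 6 is the mount point.
            pct = $5; sub(/%/, "", pct)
            used[$6] = pct + 0; avail[$6] = $4
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                m = w[i]
                if (!(m in used)) { print "MISSING " m; bad = 1; continue }
                if (used[m] >= max) {
                    print "ALERT " m " " used[m] "% " avail[m]; bad = 1
                } else {
                    print "OK " m " " used[m] "% " avail[m]
                }
            }
            exit bad
        }'
}

# Live use on a host would be: df -P | check_df 90 / /elm_storage/local
printf '%s\n' "$SAMPLE_DF" | check_df 90 / /elm_storage/local ||
    echo "storage needs attention"
```

A missing mount is treated as a failure on purpose: if the data disk is not mounted, writes land on the system drive instead.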