mehmetemin
Level 7
Message 1 of 23

No Data seen at ESM


Hi,

I have an issue with a SIEM all-in-one combo box, ESM version 9.6 MR6.

We cannot see any logs at ESM (last 2 days).

I see that when we get events and flows through the web UI, a message appears on the Status tab that says: "Error retrieving events: Error:The requested job already exists: 1 jobs running."

And when I check /var/log/messages, a flood of lines says:

Packet Read failed with r = 112, ObjectID = ..... , IPSID= .....

What does "Packet Read failed with r =" mean?

Do you have any idea about the problem?

Thanks.
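
One way to size the /var/log/messages flood described in the post above, as an added example that is not from the thread or from McAfee: count the "Packet Read failed" lines per hour and per r code, and find when they began. It assumes the classic syslog timestamp prefix; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the classic syslog prefix
# "Mon DD HH:MM:SS host tag:" used by /var/log/messages.

# Constructed sample lines; only the "Packet Read failed with r = 112" text
# comes from the post. Host, tag, IDs and the r = 104 line are placeholders.
sample_log() {
cat <<'EOF'
Mar  3 09:58:12 host app: unrelated line
Mar  3 10:15:01 host app: Packet Read failed with r = 112, ObjectID = OBJ1 , IPSID= IPS1
Mar  3 10:15:02 host app: Packet Read failed with r = 112, ObjectID = OBJ2 , IPSID= IPS1
Mar  3 11:02:40 host app: Packet Read failed with r = 112, ObjectID = OBJ1 , IPSID= IPS1
Mar  4 00:00:05 host app: Packet Read failed with r = 104, ObjectID = OBJ3 , IPSID= IPS2
EOF
}

# packet_read_summary FILE: one line per hour and r code, in file order:
# "Mon DD HH:00 r=<code> <count>"
packet_read_summary() {
    awk '
    /Packet Read failed with r *= *[0-9]+/ {
        code = $0
        sub(/.*Packet Read failed with r *= */, "", code)  # drop text before the code
        sub(/[^0-9].*/, "", code)                          # drop text after it
        key = $1 " " $2 " " substr($3, 1, 2) ":00 r=" code
        if (!(key in count)) order[++n] = key
        count[key]++
    }
    END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    ' "$1"
}

# packet_read_first_seen FILE: timestamp of the first matching line.
packet_read_first_seen() {
    awk '/Packet Read failed with r *=/ { print $1, $2, $3; exit }' "$1"
}

# Demo on the constructed sample; on a real box pass /var/log/messages instead.
tmp=$(mktemp)
sample_log > "$tmp"
echo "first seen: $(packet_read_first_seen "$tmp")"
packet_read_summary "$tmp"
rm -f "$tmp"
```

Comparing the first-seen timestamp with the time events stopped appearing in the ESM view shows whether the flood and the missing data started together.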

22 Replies
xded
Level 12
Message 2 of 23

Re: No Data seen at ESM


This is normally a support case for McAfee. But you can try this one -> Log on via SSH and run this command: service cpservice stop and after this service cpservice start.

If this doesn't work, please call McAfee Support.

mehmetemin
Level 7
Message 3 of 23

Re: No Data seen at ESM


Hi

I've already opened a case about this.

I've rebooted the system but no changes occurred.

Thanks.

xded
Level 12
Message 4 of 23

Re: No Data seen at ESM


I had the same issue, but I don't remember the database rebuild command after service cpservice stop. The rebuild command was the issue in my environment.

mehmetemin
Level 7
Message 5 of 23

Re: No Data seen at ESM


Hi

I've stopped the auto interval check because of the large number of events waiting and retrying again and again.

I see the utilization with the sar -d 3 3 command.

When I disabled the auto check interval, the utilization decreased to 12% from 98%.

Then I tried to retrieve logs on the ESM (get events and flows) and utilization increased again to 98% (note: it downloaded 100000 events but I couldn't see the logs on the ESM web UI).

Maybe I should wait for all the processes to become normal.

kmc
Reliable Contributor
Message 6 of 23

Re: No Data seen at ESM

mehmetemin
Level 7
Message 7 of 23

Re: No Data seen at ESM


Hi

Thanks for your support.

I think the problem is retrieving events on the dashboard.

I can see the changes in the data sources' in and out folders.

And I can also do an ELM search (today's and yesterday's events), but I cannot see the events on the dashboard when I want to see the ESM current day.

BR

sssyyy
Reliable Contributor
Message 8 of 23

Re: No Data seen at ESM


The ESM DB may be having issues creating partitions in the past time and having to insert both new events and older events at the same time. Try adjusting the get events and flows setting and restrict it to "do not insert events/flows if time stamp is older than one day". Restart the box and see what happens.


mehmetemin
Level 7
Message 9 of 23

Re: No Data seen at ESM


Hi,

Where can I see the don't insert and get events option?

Thanks

BR

sssyyy
Reliable Contributor
Message 10 of 23

Re: No Data seen at ESM


System Properties > Database > Data Retention > Restrict insertion of > Don't insert data older than ... "1 hour".
