mehmetemin
Level 7

No Data seen at ESM

Hi,

I have an issue with a SIEM all-in-one combo box, ESM version 9.6 MR6.

We cannot see any logs in ESM (last 2 days).

I see that when we get events and flows through the web UI, a message appears on the Status tab that says: "Error retrieving events: Error:The requested job already exists: 1 jobs running."

And I checked /var/log/messages.

A flood of messages says: Packet Read failed with r = 112, ObjectID = ..... , IPSID= .....

What does "Packet Read failed with r =" mean?

Do you have any idea about the problem?

Thanks.

Accepted Solutions
sssyyy
Level 12

Re: No Data seen at ESM

The ESM DB may be having an issue creating partitions in the past and having to insert both new events and older events at the same time. Try adjusting the get events and flows setting and restrict it to "do not insert events/flows if time stamp is older than one day". Restart the box and see what happens.

22 Replies
xded
Level 12

Re: No Data seen at ESM

This is normally a support case for McAfee. But you can try this: log on via SSH and run this command: service cpservice stop, and after that, service cpservice start.

If this doesn't work, please call McAfee Support.

mehmetemin
Level 7

Re: No Data seen at ESM

Hi

I've already opened a case about this.

I've rebooted the system but no changes occurred.

Thanks.

xded
Level 12

Re: No Data seen at ESM

I had the same issue, but I don't remember the database rebuild command after service cpservice stop. The rebuild command was the issue in my environment.

mehmetemin
Level 7

Re: No Data seen at ESM

Hi

I've stopped the auto interval check because lots of events were waiting and retrying again and again.

I see the utilization with the sar -d 3 3 command.

When I disabled the auto check interval, the utilization decreased to 12% from 98%.

Then I tried to retrieve logs on the ESM (get events and flows) and utilization increased again to 98% (note: it downloaded 100000 events but I couldn't see the logs in the ESM web UI).

Maybe I should wait for all the processes to become normal.

kmc
Level 12

Re: No Data seen at ESM

mehmetemin
Level 7

Re: No Data seen at ESM

Hi

Thanks for your support.

I think the problem is retrieving events on the dashboard.

I can see the changes in the data sources' in and out folders.

And I can also do an ELM search (today's and yesterday's events), but I cannot see the events on the dashboard when I want to see the ESM current day.

BR

mehmetemin
Level 7

Re: No Data seen at ESM

Hi,

Where can I see the don't insert and get events option?

Thanks

BR

sssyyy
Level 12

Re: No Data seen at ESM

System Properties > Database > Data Retention > Restrict insertion of > Don't insert data older than ... "1 hour".
