
No data from Rule Correlation

I recently added a new Advanced Correlation Engine to my ESM and it is not generating any correlation. I did enable the "rule correlation" from the "Correlation Management" menu and the device logs seem to indicate that it is sending correlation data to the ESM:


But nothing shows in the dashboard. When I manually try to get new data, I see this:


Other than adding the ACE to the ESM, keying it and enabling the correlation rule, do I have to do anything else to enable event correlation?

4 Replies

Re: No data from Rule Correlation

A couple other suggestions:

  • Verify you have pushed policy to your Correlation Engine.  Select the Correlation Engine in the device tree, then click the Policy Editor icon directly above it at the top left of the UI.  In the Policy Editor, select Operations / Rollout.
  • Verify date/time configuration on all your system components: ACE, ESM, Receivers, data sources.  Appliances should all be set for GMT.  Data sources should be configured with the time zone that is represented in the logs seen at the Receiver.



Re: No data from Rule Correlation

Hi Scott,

The policies were all pushed out and the date and time are all the same.

The only events I see were the ones generated by my logons to the ESM. Do I need to put anything in the "Filter" area of the rule correlation, or will the checkbox "Use Event Data" take care of that?

I do get this error message whenever I do a "sync device":

Failed to retrieve the data source settings.  Error: Unable to sync with the device.  Verify that the device does not have any child devices. (ER236).  Please view the Help contents for troubleshooting information as applicable.

Message was edited by: bblanchard on 4/8/14 1:35:14 PM CDT

Re: No data from Rule Correlation

I'm confused by what you say around the only events you see were generated by your ESM logins.  These events you're mentioning: are they individual login events, or are they correlated events?  Are the ESM logins really the only events you see?  Are there other events for other data sources coming into ESM?  Obviously, if there are no events coming in, then there is not much for the correlation engine to work with, and you won't see any correlated events.  Alternately, I wonder if you may be operating under an account with limited visibility, and may not have permission to see the events coming in from other data sources and the ACE.

The sync device error is a bit troubling.  Might be worth a call to McAfee Support to get some expert troubleshooting advice.



Re: No data from Rule Correlation

Hi bblanchard,

I have the same problem. Did you find the solution for this issue?


