I recently added a new Advanced Correlation Engine to my ESM and it is not generating any correlation. I did enable the "rule correlation" from the "Correlation Management" menu and the device logs seem to indicate that it is sending correlation data to the ESM:
But nothing shows in the dashboard. When I manually try to get new data, I see this:
Other than adding the ACE to the ESM, keying it, and enabling the correlation rule, do I have to do anything else to enable event correlation?
A couple other suggestions:
The policies were all pushed out and the date and time are all the same.
The only events I see are the ones generated by my logons to the ESM. Do I need to put anything in the "Filter" area of the correlation rule, or will the "Use Event Data" checkbox take care of that?
I do get this error message whenever I do a "sync device":
Failed to retrieve the data source settings. Error: Unable to sync with the device. Verify that the device does not have any child devices. (ER236). Please view the Help contents for troubleshooting information as applicable.
Message was edited by: bblanchard on 4/8/14 1:35:14 PM CDT
I'm confused by what you say about the only events you see being generated by your ESM logins. These events you're mentioning: are they individual login events, or are they correlated events? Are the ESM logins really the only events you see? Are there other events for other data sources coming into the ESM? Obviously, if there are no events coming in, then there is not much for the correlation engine to work with, and you won't see any correlated events. Alternatively, I wonder if you may be operating under an account with limited visibility, and may not have permission to see the events coming in from other data sources and the ACE.
The sync device error is a bit troubling. Might be worth a call to McAfee Support to get some expert troubleshooting advice.