
No data from Rule Correlation

I recently added a new Advanced Correlation Engine to my ESM and it is not generating any correlation. I did enable the "rule correlation" from the "Correlation Management" menu and the device logs seem to indicate that it is sending correlation data to the ESM:

[Screenshot attachment: ace1.PNG]

But nothing shows in the dashboard. Then I manually try to get new data, I see this :

[Screenshot attachment: ace2.PNG]

Other than adding the ACE to the ESM, keying it and enabling the correlation rule, do I have to do anything else to enable event correlation?

4 Replies

Re: No data from Rule Correlation

A couple other suggestions:

  • Verify you have pushed policy to your Correlation Engine.  Select the Correlation Engine in the device tree, then click the Policy Editor icon directly above it at the top left of the UI.  In the Policy Editor, select Operations / Rollout.
  • Verify date/time configuration on all your system components: ACE, ESM, Receivers, data sources.  Appliances should all be set for GMT.  Data sources should be configured with the time zone that is represented in the logs seen at the Receiver.

Scott

Re: No data from Rule Correlation

Hi Scott,

The policies were all pushed out and the date and time are all the same.

The only events I see were the ones generated by my logons to the ESM. Do I need to put anything in the "Filter" area of the rule correlation, or will the checkbox "Use Event Data" take care of that?

I do get this error message whenever I do a "sync device" :

Failed to retrieve the data source settings.  Error: Unable to sync with the device.  Verify that the device does not have any child devices. (ER236).  Please view the Help contents for troubleshooting information as applicable.

Message was edited by: bblanchard on 4/8/14 1:35:14 PM CDT

Re: No data from Rule Correlation

I'm confused by what you say around the only events you see were generated by your ESM logins.  These events you're mentioning: are they individual login events, or are they correlated events?  Are the ESM logins really the only events you see?  Are there other events for other data sources coming into ESM?  Obviously, if there are no events coming in, then there is not much for the correlation engine to work with, and you won't see any correlated events.  Alternately, I wonder if you may be operating under an account with limited visibility, and may not have permission to see the events coming in from other data sources and the ACE.

The sync device error is a bit troubling.  Might be worth a call to McAfee Support to get some expert troubleshooting advice.

Scott

Re: No data from Rule Correlation

Hi bblanchard,

I have the same problem. Did you find the solution for this issue?

Regards,

Azeddine
