
One or more correlation rules were invalid

I'm getting the following error:

Correlation (Could not update policy - "Error: Unable to parse the XML file." (One or more correlation rules were invalid))

How do I solve it?

Accepted Solutions

Re: One or more correlation rules were invalid

McAfee Support suggested this on ESM:

     Do a manual rules update
     service cpservice stop
     DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB***********' -t '!Alert|!Connection|!Log|!Packet|!stringmap' -r
     service cpservice start

It didn't help. I also did a new manual rules update (file from 17th March) afterwards.

Today I downloaded a new rules update file from the 24th, and it helped. Problem solved.

Message was edited by: pnaslund on 3/28/14 5:45:35 AM CDT


Edited by Moderator to remove DB password

4 Replies

Re: One or more correlation rules were invalid

You may be able to solve this by manually downloading and importing the rules file. You will find it on the McAfee download site, after logging in with your grant number. If that doesn't resolve the issue, I'd suggest calling McAfee support for assistance.

Scott

Re: One or more correlation rules were invalid

Occasionally this error message can be seen when the correlation engine is overwhelmed. The ACE is so busy that the policy will not roll out and it generates the error above. There are a couple of ways to see if the correlation engine is overwhelmed. First, check to see if the events from the correlation engine are behind. If you see the most recent events are more than 20-30 minutes in the past, this could indicate it is overwhelmed. Second, if you can ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed.

Usually if the ACE is behind or overwhelmed, it is simply a bad correlation rule that is causing a lot of extra overhead on the box. If you call into support, they can help you identify which rule may be causing the issue and help you get it resolved.

Message was edited by: spetting on 3/19/14 12:27:52 PM CDT
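An added example (not from any poster in this thread) that scripts the second check from the reply above as POSIX shell: it counts the regular files in the ACE incoming directory and flags a backlog when the count exceeds the 25-file threshold given in the post. The directory path and the threshold come from the post; the function names, the optional arguments and the sample directories mentioned in the usage note are assumptions.

```shell
#!/bin/sh
# ACE backlog check, written as an added example for this thread.
# Path and threshold are the ones quoted in the reply above; the
# function names and argument handling are this example's own choices.

ACE_INCOMING_DEFAULT=/usr/local/ace/incoming   # from the post
ACE_BACKLOG_THRESHOLD_DEFAULT=25               # from the post

ace_backlog_count() {
    # Print the number of regular files directly inside the directory
    # given as $1 (default: the ACE incoming path from the post).
    # A missing or unreadable directory yields 0 rather than an error,
    # so the caller only has to parse a number.
    dir="${1:-$ACE_INCOMING_DEFAULT}"
    find "$dir" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

ace_backlog_status() {
    # Compare the file count against the threshold ($2, default 25).
    # Exit status 0 = within threshold, 1 = backlog above threshold,
    # so the function can drive a cron job or monitoring hook directly.
    dir="${1:-$ACE_INCOMING_DEFAULT}"
    threshold="${2:-$ACE_BACKLOG_THRESHOLD_DEFAULT}"
    n=$(ace_backlog_count "$dir")
    if [ "$n" -gt "$threshold" ]; then
        echo "OVERWHELMED: $n files queued in $dir (threshold $threshold)"
        return 1
    fi
    echo "OK: $n files queued in $dir (threshold $threshold)"
    return 0
}

# Usage: sh ace_backlog.sh [directory] [threshold]
# With no arguments the script checks /usr/local/ace/incoming against 25.
ace_backlog_status "$@"
```

Run it on the ACE itself over ssh, or point it at a copied directory listing for testing; a non-zero exit status means the queue is above the threshold the post describes, which is the cue to look for a costly correlation rule rather than to retry the policy rollout.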

bkile1

Re: One or more correlation rules were invalid

I have found "...ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed" to be the best starting point.
