
One or more correlation rules were invalid


I'm getting the following error:

Correlation (Could not update policy - "Error: Unable to parse the XML file." (One or more correlation rules were invalid))

How do I solve it?


Accepted Solutions

Re: One or more correlation rules were invalid


McAfee Support suggested this on ESM:

     Do a manual rules update
     service cpservice stop
     DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB***********' -t '!Alert|!Connection|!Log|!Packet|!stringmap' -r
     service cpservice start

It didn't help. I also did a new manual rules update (file from 17th March) afterwards.

Today I downloaded a new rules update file from the 24th, and it helped - Problem solved.

Message was edited by: pnaslund on 3/28/14 5:45:35 AM CDT


Edited by Moderator to remove DB password

4 Replies

Re: One or more correlation rules were invalid


You may be able to solve this by manually downloading and importing the rules file. You will find it on the McAfee download site, after logging in with your grant number. If that doesn't resolve the issue, I'd suggest calling McAfee support for assistance.

Scott


Re: One or more correlation rules were invalid


Occasionally this error message can be seen when the correlation engine is overwhelmed. The ACE is so busy that the policy will not roll out, and it generates the error above. There are a couple of ways to see if the correlation engine is overwhelmed. First, check to see if the events from the correlation engine are behind. If you see the most recent events are more than 20-30 minutes in the past, this could indicate it is overwhelmed. Second, if you can ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed.

Usually if the ACE is behind or overwhelmed, it is simply a bad correlation rule that is causing a lot of extra overhead on the box. If you call into support, they can help you identify which rule may be causing the issue and help you get it resolved.

Message was edited by: spetting on 3/19/14 12:27:52 PM CDT


bkile1

Re: One or more correlation rules were invalid


I have found the "...ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed" to be the best starting point.
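The two "is the ACE overwhelmed?" indicators from spetting's reply (and the one bkile1 singles out) can be scripted as a quick health check. This is an added example written for this thread, not a McAfee tool: the directory path and the thresholds (more than 25 queued files, newest event more than 30 minutes old) are taken from the posts, and the newest-event timestamp is assumed to be supplied in epoch seconds, for example read off the ESM event view.

```shell
#!/bin/sh
# Added example: evaluate the two ACE backlog indicators described in the thread.
# Path and thresholds come from the posts; everything else is an assumption.

ACE_INCOMING_DIR="${ACE_INCOMING_DIR:-/usr/local/ace/incoming}"  # from the post
BACKLOG_LIMIT=25     # more than 25 queued files => overwhelmed (from the post)
LAG_LIMIT_MIN=30     # newest event more than 20-30 min old => behind (from the post)

# Count regular files queued in the incoming directory (0 if it is unreadable).
# Usage: ace_backlog_count DIR
ace_backlog_count() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

# Classify a queue depth against the limit: prints "overwhelmed" or "ok".
# Usage: backlog_status COUNT
backlog_status() {
    if [ "$1" -gt "$BACKLOG_LIMIT" ]; then echo overwhelmed; else echo ok; fi
}

# Compare the newest correlated event (epoch seconds) with "now" (epoch
# seconds) and print "behind" when the gap exceeds the limit, else "ok".
# Usage: event_lag_status NEWEST_EVENT_EPOCH NOW_EPOCH
event_lag_status() {
    lag_min=$(( ($2 - $1) / 60 ))
    if [ "$lag_min" -gt "$LAG_LIMIT_MIN" ]; then echo behind; else echo ok; fi
}

# Combined verdict: prints a one-line summary and returns 0 only when both
# indicators are healthy, so it can drive a cron/monitoring alert.
# Usage: ace_health DIR NEWEST_EVENT_EPOCH [NOW_EPOCH]
ace_health() {
    now="${3:-$(date +%s)}"
    count=$(ace_backlog_count "$1")
    b=$(backlog_status "$count")
    l=$(event_lag_status "$2" "$now")
    echo "incoming=$count ($b) event_lag=$l"
    if [ "$b" = ok ] && [ "$l" = ok ]; then return 0; else return 1; fi
}
```

Run it on the ACE as `ace_health "$ACE_INCOMING_DIR" <newest_event_epoch>`; a non-zero exit is the cue to look for the expensive correlation rule the reply describes, with support's help.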
