Hi everyone, first time posting to the forum. I've run into a bit of an issue on McAfee ESM 10.3. This was a recent upgrade from 9.5 to 9.6.3 and then to 10.3. Of course during the upgrade I didn't see any issues and our maintenance has since expired. The problem I am seeing now is that only Device Health alarms (such as status changed from active to idle on a device). I am not seeing any correlation activity it would seem. If I look at my receivers, they have events coming in without issue. They are correctly keyed at this point and seem to at least be communicating. I've restarted all pieces including the ESM itself as well as the ACE, ELM, and both Receivers we have. Nothing in the logs seems to really point at what the problem is. My guess is that it would be something with the ACE as it is showing out of sync; however, when I try to sync with the ESM I receive the error:
Failed to retrieve the data source settings. Error: Unable to sync with the device. Verify that the device does not have any child devices. (ER236). Please view the Help contents or contact Support for troubleshooting information as applicable.
However, this error itself doesn't really point me in the right direction. I've exhausted my search capabilities and can't really seem to find anything that points to there being an issue. I've tried removing and re-adding the ACE, but it still didn't seem to help.
I am still not able to sync the device to the ESM. I've tried to allow the public key on the ACE for the ESM so that it should be able to communicate over SSH without issue, but still nothing is coming up. Any help would be appreciated. There has to be some sort of disconnect between either the receivers and the ELM, or possibly the ELM and the ACE, or the ACE and the ESM. I'm just not entirely sure. I would assume the flow is handled in that manner?
1. Rekey the ACE(s), but it sounds like they are keyed ok
2. Write out all of your data sources. Check to see if write is available. If so, click it.
   a. ERC data sources, asset sources, vulnerability assessment
   b. ACE Correlation Management and Risk Correlation Scoring
3. Do another Manual Rules Update
4. Force Policy out to all data sources
Thanks for the response. Yes, I've definitely rekeyed all of the devices and ensured that they were located in the known hosts file and all of that. I've written out data sources and checked the correlation management. My problem may lie in the fact that it seems I have no Risk Correlation Scoring at all. I'm not sure if it got erased or what. This was an inherited system so I didn't configure any of it initially; I'm just working on reclaiming it. That's one thing I really don't know how to do on this system: how to properly write correlation scoring...