NOK
Level 7
Message 1 of 4

Only Device Health Alarms

Hi everyone, first time posting to the forum. I've run into a bit of an issue on McAfee ESM 10.3. This was a recent upgrade from 9.5 to 9.6.3 and then to 10.3. Of course during the upgrade I didn't see any issues and our maintenance has since expired. The problem now is that I am seeing only Device Health alarms (such as status changed from active to idle on a device). I am not seeing any correlation activity, it would seem. If I look at my receivers, they have events coming in without issue. They are correctly keyed at this point and seem to at least be communicating. I've restarted all pieces including the ESM itself as well as the ACE, ELM, and both Receivers we have. Nothing in the logs seems to really point at what the problem is. My guess is that it would be something with the ACE as it is showing out of sync; however, when I try to sync with the ESM I receive the error:

Failed to retrieve the data source settings.  Error: Unable to sync with the device.  Verify that the device does not have any child devices. (ER236).  Please view the Help contents or contact Support for troubleshooting information as applicable.

However, this error itself doesn't really point me in the right direction. I've exhausted my search capabilities and can't really seem to find anything that points to there being an issue. I've tried removing and re-adding the ACE, but it still didn't seem to help.

Any suggestions would be greatly appreciated.

Thank you in advance.

3 Replies
NOK
Level 7
Message 2 of 4

Re: Only Device Health Alarms

I am still not able to sync the device to the ESM. I've tried to allow the public key on the ACE for the ESM so that it should be able to communicate over SSH without issue, but still nothing is coming up. Any help would be appreciated. There has to be some sort of disconnect between either the receivers and the ELM or possibly the ELM and the ACE, or the ACE and the ESM. I'm just not entirely sure. I would assume the flow is handled in that manner?

McAfee Employee mherr
McAfee Employee
Message 3 of 4

Re: Only Device Health Alarms

Here are some steps you may want to take.

1. Rekey the ACE(s), but it sounds like they are keyed ok
2. Write out all of your data sources.  Check to see if write is available. If so, click it.  
    a. ERC data sources, asset sources, vulnerability assessment
    b. ACE Correlation Management and Risk Correlation Scoring
3. Do another Manual Rules Update
4. Force Policy out to all data sources

 

NOK
Level 7
Message 4 of 4

Re: Only Device Health Alarms

Thanks for the response. Yes, I've definitely rekeyed all of the devices and ensured that they were located in the known hosts file and all of that. I've written out data sources and checked the correlation management. My problem may lie in the fact that it seems I have no Risk Correlation scoring at all. I'm not sure if it got erased or what. This was an inherited system, so I didn't configure any of it initially; I'm just working on reclaiming it. The one thing I really don't know how to do on this system is how to properly write correlation scoring...
