Showing results for 
Search instead for 
Did you mean: 

Parent-Client datasources via SIEM Collector 11

Hi all,

I was wondering if Parent-Client datasources can be used for SIEM collector 11 datasources?

Under my receiver I would create a parent datasource called WINDOWS_COLLECTOR_EVENTLOG with the following settings:


The design would be to add all servers under WINDOWS_COLLECTOR_EVENTLOG, and if there server has multiple roles it will be added as well to for example parent data source WINDOWS_COLLECTOR_DHCP, this to catch if there's multiple types of datasources from 1 host. Our SIEM consultant told us that we could use non-routable IP addresses for parent data sources, so that's how we're currently setting up things..

Then at the clients tab I would like to add multiple servers, but to test I started with 1 data source:


for reference, the config on the server itself for the collector:


When it is added like this it's not working. When I work without the fictional IP on the parent (so just add it as a plain data source) it does work. What am I doing wrong to add collector sources as a client data source?

I tried leaving the host blank in the parent source but that also doesn't seem to help.Can I work only with parent client if this server does all the event collecton for all servers?



1 Reply
Level 9
Report Inappropriate Content
Message 2 of 2

Re: Parent-Client datasources via SIEM Collector 11

I think you want the Parent / Client relationship instead of the Parent / Child. The Parent / Child set up still takes up against your overall allowed number of data sources on the Event Receiver, while the Parent / Client does not.

The way I have set up my environments is as such:

Parent: Logcollection-wmi (using the WMI / MEF parent data source profile)

Clients: All of my wmi logs from all of my hosts report here. Example below.


IP: Server A IP Address

Host ID: ServerA-wmi


Parent: Logcollection-iis (using the IIS / MEF parent data source profile)

Clients: All IIS related logs report to this parent. Example below.


IP: ServerA IP Address

Host ID: ServerA-iis

So, Server-A has two separate SIEM data source profiles in sends logs to - IIS and WMI. Hope this makes sense or helps you figure out your issue.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community