mason.c
Level 7

Receiver WMI polling old log


Hi,

May I know whether the Receiver can pull back the WMI history log for the period while the data source is disconnected? For example, WMI log events that happen between the data source changing its IP address and reverting to the original one.

Mason

0 Kudos
1 Solution

Accepted Solutions
proxima
Level 10

Re: Receiver WMI polling old log


Hi,

Yes, it can do that. For all data pulled via WMI (and not only WMI; SQL, for example, as well), the ERC stores a bookmark. So if the ERC is not able to pull events from the data source, it will try again and again, every time starting from the bookmark file entry (an epoch timestamp). Of course you can change this value, for example to pull some historical events.

To do that, please check KB79152:

McAfee KnowledgeBase - How to reset the WMI bookmark on SIEM Receiver

Regards

MK

3 Replies
abanaru
Level 11

Re: Receiver WMI polling old log


Good question. I just tested this in my environment by disabling the network card of a Windows server and enabling it again after 30 minutes. The configured polling interval for that data source is 5 minutes.

The result was that none of the events were lost, so yes, it can pull back WMI history.

I guess the ERC stores the sequence number of the last pulled WMI event.

0 Kudos
mason.c
Level 7

Re: Receiver WMI polling old log


The Receiver can pull the historical WMI log, but I need to remind you that when the disconnection time exceeds the WMI log rotation time, you still have a chance of losing log entries.

0 Kudos
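The two points made in this thread, the accepted answer's bookmark-based retry and the final reply's caveat about log rotation, can be seen together in a small model of a bookmark-driven poller. This is an added example written for this page; it is not McAfee code and does not touch WMI. The event log, the rotation cap, the outage window and the 5-minute polling interval are all constructed to mirror the scenario tested in the thread (30-minute outage, 5-minute polls), and the `RecordNumber`/`TimeGenerated` analogy to `Win32_NTLogEvent` is an assumption about how such a collector would be wired up, not something the page states.

```python
"""Bookmark-based event poller against a rotating source log.

Constructed model (not McAfee code): the source keeps a capped log that
drops its oldest record once the cap is reached; the collector keeps an
epoch-second bookmark of the last record it pulled and asks only for
records newer than that. During an outage the bookmark simply does not
advance, so the first successful poll afterwards pulls the whole backlog.
Loss occurs only when the source rotated past the bookmark in the
meantime, which the collector detects from a jump in record numbers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    record_number: int   # assumed analogue of Win32_NTLogEvent.RecordNumber
    time_generated: int  # epoch seconds, assumed analogue of TimeGenerated


class RotatingEventLog:
    """Source-side log with a hard cap; the oldest record is overwritten."""

    def __init__(self, max_records: int) -> None:
        self.max_records = max_records
        self.reachable = True
        self._records: List[Event] = []
        self._next_record = 1

    def write(self, time_generated: int) -> None:
        self._records.append(Event(self._next_record, time_generated))
        self._next_record += 1
        if len(self._records) > self.max_records:
            self._records.pop(0)  # rotation: oldest record is gone for good

    def oldest(self) -> Optional[Event]:
        return self._records[0] if self._records else None

    def query_newer_than(self, bookmark: int) -> List[Event]:
        """Stand-in for 'SELECT ... WHERE TimeGenerated > <bookmark>'."""
        if not self.reachable:
            raise ConnectionError("data source unreachable")
        return [e for e in self._records if e.time_generated > bookmark]


@dataclass
class Collector:
    bookmark: int = 0          # epoch seconds of the last pulled record
    last_record: int = 0       # record number of the last pulled record
    pulled: List[Event] = field(default_factory=list)
    lost: int = 0
    gap_detected: bool = False

    def poll(self, source: RotatingEventLog) -> int:
        """One polling cycle; returns the number of records pulled."""
        try:
            batch = source.query_newer_than(self.bookmark)
        except ConnectionError:
            return 0  # bookmark untouched, retried on the next interval
        oldest = source.oldest()
        # If the oldest record still retained is not the direct successor of
        # what we last pulled, the source rotated past our bookmark.
        if self.last_record and oldest and oldest.record_number > self.last_record + 1:
            self.lost += oldest.record_number - self.last_record - 1
            self.gap_detected = True
        if batch:
            self.pulled.extend(batch)
            self.bookmark = batch[-1].time_generated
            self.last_record = batch[-1].record_number
        return len(batch)


def simulate(max_records: int, outage_seconds: int, poll_interval: int = 300,
             event_interval: int = 60, outage_start: int = 1800,
             total_seconds: int = 7200) -> Dict[str, int]:
    """Write one event per minute, poll every five minutes, cut the link once."""
    source = RotatingEventLog(max_records)
    collector = Collector()
    written = 0
    for t in range(event_interval, total_seconds + 1, event_interval):
        source.write(t)
        written += 1
        source.reachable = not (outage_start <= t < outage_start + outage_seconds)
        if t % poll_interval == 0:
            collector.poll(source)
    return {"written": written, "pulled": len(collector.pulled),
            "lost": collector.lost, "gap_detected": int(collector.gap_detected)}


if __name__ == "__main__":
    # Large log: a 30-minute outage is fully recovered from the bookmark.
    print("retention 100 records:", simulate(max_records=100, outage_seconds=1800))
    # Small log: the source rotated past the bookmark, 25 records are gone.
    print("retention 10 records: ", simulate(max_records=10, outage_seconds=1800))
```

The first run reproduces abanaru's test: with enough retention, nothing is lost because the bookmark never advanced during the outage and the backlog is pulled in one batch. The second run is mason.c's caveat: once the outage outlasts what the source retains, the records between the bookmark and the oldest surviving entry are unrecoverable, and the only thing the collector can still do is notice the jump in record numbers and raise it.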