I am trying to configure a number of reports on the mcafee ESM and need suggestion on it.
1) Expected Host/Log Source Not Reporting
All systems / devices where source is not sending events
2) Log volume trend over days
Trend of all logs of all systems
Can anybody please suggest what queries will be configured.
1)For your first one there is a built in report at the ESM level that wlil give you a list of all devices sorted by the last time they send an event.
ESM Properties--> System Information-->View Reports-->Event time-->Export to CSV
2) For the second is a bit tougher. it will depend on the granularity.
I would use a distribution stacked by device type, with baseline enabled. It will give you a very good feel of the volume in your enviroment.
There are always just dials with base line that will just tell you your total volume for the time period.
I am also trying to make a report with a 'Bar Chart' that can display top 20 data sources that have generated a particular event.
for the distributions just create a new view drop in a distribution element, select destribution, click next, click stacking and type in device type id.
Just set the time period.
This is best I can do here.
Now for socgt, you want to know if a data source did something is a bit tough. The only bar chart i know of that listed device id is collection rate. if that works for you than you can just filter that down for the event id that you need.
Now depending on some datasources you may be capturing a field that is a unique identifier for that data sources, hostname, ext_device...... etc etc etc. You can just create a bar chart for that field and filter it by that sig id.