
Rule message showing 0

Hi Team,

I am getting Rule message-0 for many events and for many data sources in SIEM. When I click on show rule, it shows "Error not found".

Kindly help with how to edit that rule so that I can get the Rule message name.

Thanks in advance.

Regards,

8 Replies
acommons
Level 11
Message 2 of 9

Re: Rule message showing 0

You may want to look at KB83649 "SIEM rule message names appear as '0' after a rule purge":

https://kc.mcafee.com/corporate/index?page=content&id=KB83649&snspd-0115

May not be applicable but could give you some leads.

cheers,

Andrew

proxima
Level 10
Message 3 of 9

Re: Rule message showing 0

Hi,

Probably the rule which you are looking for was deleted. In most cases 0 in the rule name appears only when the data source (or auto learn) rule was deleted/purged. It will be visible again when the logs come to your system and are parsed with the same ASP rule which corresponds to the deleted rule - also all rule names will change to the proper data source rule name.

But of course you must have a proper ASP rule...

Regards

MK

Re: Rule message showing 0

Hi MK,

Thanks for your reply.

Is there any way to configure the data source rule so that it starts parsing again?

Also, logs are coming with Rule message as 0 for many data sources.

Need your help in resolving this issue as I am new to Nitro SIEM.

Thanks...

itgfcsys
Level 9
Message 5 of 9

Re: Rule message showing 0

I've run into this recently. We found that it was related to the policy and roll-out status. We had rules titled 0, the partial names, and finally the full name after some updates. Tried a manual rule update and that seemed to resolve our issue.

proxima
Level 10
Message 6 of 9

Re: Rule message showing 0

Nice to hear that

Regards

MK

Re: Rule message showing 0

Hi,

Thanks for the reply.

I tried doing manual rule updates and rolled out the policy.

But no luck.

Regards,

itgfcsys
Level 9
Message 8 of 9

Re: Rule message showing 0

I've just run into the 0 rule name again. It was definitely incremental and consistent with a rule update, but we did find some missing rules. I'm not sure if the two sets of symptoms are related.

Re: Rule message showing 0

Hi Andrew and MK,

Thanks for the reply.

@ MK,

Is there any way to configure the data source rule so that it starts parsing again?

Also, logs are coming with Rule message as 0 for many data sources.

Need your help in resolving this issue as I am new to Nitro SIEM.

Thanks...
