soji
Level 7
Message 1 of 5

SIEM:-ELM synchronizing Error with ESM

Hi,

Faced an issue with the ELM: it's not synchronizing with the ESM, I can't access the ELM through SSH and can't ping it; it seems to have hung, so I just restarted the ESM and it seems to be working fine. Below is the log from the ESM regarding the issue; help me to figure out the cause of the issue.

Local ESM (144115188075855872),Critical,Blacklist,Error in SSH communication. 0Loss of communication to the Device (10.120.2.127:22). mux_client_request_session: read from master failed: Broken pipe -- ssh: connect to host 10.120.2.127 port 22: No route to host. 

After restarting the ELM, the log:

Local ESM (144115188075855872) Informational,Authentication,Error in SSH communication. The subsystem has recovered.

Thank you

Soji

4 Replies

Re: SIEM:-ELM synchronizing Error with ESM

Did you restart the ELM or the ESM? I think you will need to look at the logs of the device you restarted to see if there was anything pointing to an issue.

soji
Level 7
Message 3 of 5

Re: SIEM:-ELM synchronizing Error with ESM

I restarted the ELM, sorry, typo error.

And the log which I showed above is from the ESM device regarding the ELM, as it lost synchronization with the ELM.

And the ELM mostly has these error logs:

06/28/2015 10:15:09,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

06/28/2015 10:20:08,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

06/28/2015 10:25:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

06/28/2015 10:30:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

06/28/2015 10:35:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

06/28/2015 10:40:11,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
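The ELM lines above repeat every five minutes for the whole outage, which is the useful signal in them: a single "SSH connection failed" is a transient blip, a 25-minute run of them is a device that is down or unreachable. The following script is an added example, not McAfee code or anything from the thread: it groups consecutive "Log retrieval failed" lines per device into runs so the start, end and length of the outage can be read off directly. The sample input is constructed for the example; it reuses the six ELM01 lines quoted above and adds a made-up second device (ELM02 with a placeholder id) that fails only once, plus a made-up recovery line for ELM01.

```python
"""Group repeated ELM 'Log retrieval failed' events into per-device outage runs.

Added example, not McAfee ESM/ELM code. The comma-separated layout is the one
quoted in the thread: timestamp, two empty fields, "device (id)", two empty
fields, free-text message.
"""
from datetime import datetime, timedelta

FAILURE_MARKER = "Log retrieval failed"
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample input: the six ELM01 lines from the thread, one made-up
# single failure for a second device (placeholder id), and a made-up recovery
# line for ELM01 so the run has a visible end.
SAMPLE_LOG = """\
06/28/2015 10:15:09,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:20:08,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:22:00,,ELM02 (000000000000000000),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:25:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:30:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:35:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:40:11,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)
06/28/2015 10:45:12,,ELM01 (144117387099111424),,,Log retrieval completed
"""


def parse_line(line):
    """Return (timestamp, device, message) for one ELM line, or None if it does not fit."""
    fields = line.split(",", 5)  # the message may itself contain commas, so split at most 5 times
    if len(fields) < 6 or not fields[0].strip():
        return None
    try:
        stamp = datetime.strptime(fields[0].strip(), TIME_FORMAT)
    except ValueError:
        return None
    return stamp, fields[2].strip(), fields[5].strip()


def failure_runs(lines, max_gap=timedelta(minutes=10), sustained_after=3):
    """Group consecutive failures per device into runs.

    A run ends when the device logs a non-failure line (recovery) or when the
    next failure arrives more than max_gap after the previous one. A run with
    at least sustained_after failures is flagged as a sustained outage rather
    than a one-off SSH hiccup.
    """
    finished = []
    open_runs = {}  # device -> run currently being extended
    for raw in lines:
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        stamp, device, message = parsed
        current = open_runs.get(device)
        if FAILURE_MARKER not in message:
            if current is not None:  # first non-failure line after failures: recovery
                current["recovered_at"] = stamp
                finished.append(open_runs.pop(device))
            continue
        if current is not None and stamp - current["last"] <= max_gap:
            current["last"] = stamp
            current["count"] += 1
        else:
            if current is not None:  # too long a gap: close the old run, start a new one
                finished.append(open_runs.pop(device))
            open_runs[device] = {"device": device, "first": stamp, "last": stamp,
                                 "count": 1, "recovered_at": None}
    finished.extend(open_runs.values())  # runs still open at end of log (no recovery seen)
    for run in finished:
        run["duration"] = run["last"] - run["first"]
        run["sustained"] = run["count"] >= sustained_after
    return sorted(finished, key=lambda r: r["first"])


if __name__ == "__main__":
    for run in failure_runs(SAMPLE_LOG.splitlines()):
        kind = "SUSTAINED" if run["sustained"] else "transient"
        end = run["recovered_at"] or "not recovered in log"
        print(f"{run['device']}: {kind}, {run['count']} failures from {run['first']} "
              f"to {run['last']} ({run['duration']}), recovered at {end}")
```

Run against a real export, the `first` and `recovered_at` values of a sustained run are the window to search in the ELM's own `/var/log/messages`, which is where the thread's later replies say the cause would have to be found.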

Re: SIEM:-ELM synchronizing Error with ESM

That tells you nothing; as you mentioned yourself, the ELM was unreachable until a restart, so the ESM could probably also not reach it.

You might be able to find something in the logging of the actual ELM, but I can't tell you exactly where and what. Personally I would say if it doesn't happen again, ignore it. If it does happen again, contact support; they know where to look.

Re: SIEM:-ELM synchronizing Error with ESM

Soji,

For future reference, the first thing to do when encountering this is:

1. Review the status of the device via the ESM GUI.

2. Attempt to open a separate SSH session, via PuTTY or something similar, to each device in question.

3. For each successful login, immediately open your live logs:

- tailf /var/log/messages

4. Look at the messages as you are attempting an SSH session from the other device.

Your messages above point to a number of possibilities, so I recommend applying the OSI model and working your way up. Do this by asking yourself questions, for example:

- Can an SSH session be established to the device from a different host?

- Can I see the device (ping it)?

- Is it in the ESM GUI?

- Can the device make an SSH connection somewhere else?

Because folks make changes on firewalls or switches without communicating it, check to make sure that port 22 is actually open, accessible, etc.

Most times I've run into this, I simply had to re-key the device.

Hope this helps... Good Luck

Joe P.
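The layered approach in this reply (name, network, transport, then the SSH service itself) can be scripted so the same checks are run the same way each time. The script below is an added example, not McAfee code and not something Joe P. posted: one TCP connect to the device's port 22 is classified into the states that correspond to his questions, and if the connect succeeds the server's identification string is read, because an SSH server speaks first (RFC 4253, section 4.2), so an open port with no "SSH-" banner means something other than sshd is answering. The IP address is the one from the ESM log above; the local fake server and the closed-port helper are constructed test doubles so the example can run offline.

```python
"""Layered reachability check for a SIEM device's SSH port.

Added example, not McAfee ESM/ELM code. One connection is made and classified:
  unresolved  - the name does not resolve (check DNS / hosts entry)
  unreachable - no route, as in the ESM log's "No route to host" (L3: routing, interface down)
  filtered    - connect times out with no answer (typical of a firewall DROP or a hung host)
  refused     - host answers but nothing listens on the port (sshd down, or a REJECT rule)
  open        - TCP works; the banner then tells you whether it is really an SSH server
"""
import socket
import threading

SSH_PORT = 22
DEFAULT_HOST = "10.120.2.127"  # address from the ESM log in the thread


def resolve(host):
    """Return the address for host, or None if it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def probe_ssh(host, port=SSH_PORT, timeout=3.0):
    """Classify one TCP connect to host:port and return (state, banner).

    banner is the server's identification string (e.g. 'SSH-2.0-OpenSSH_...')
    when the port is open and an SSH server answered, otherwise ''.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(255)  # SSH servers send their version line first
            except TimeoutError:
                data = b""  # open, but whatever listens did not talk first
        return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused", ""
    except TimeoutError:
        return "filtered", ""
    except OSError:  # EHOSTUNREACH / ENETUNREACH and friends
        return "unreachable", ""


def diagnose(host, port=SSH_PORT, timeout=3.0):
    """Work up the layers and attach a plain-language next step to the result."""
    report = {"host": host, "port": port, "resolved": resolve(host)}
    if report["resolved"] is None:
        report.update(state="unresolved", banner="",
                      next_step="name does not resolve: check DNS or the hosts entry")
        return report
    state, banner = probe_ssh(report["resolved"], port, timeout)
    report.update(state=state, banner=banner)
    if state == "unreachable":
        report["next_step"] = "no route to the device: check routing, the interface and the switch port"
    elif state == "filtered":
        report["next_step"] = "no answer on port %d: check firewall rules or whether the device has hung" % port
    elif state == "refused":
        report["next_step"] = "device answers but nothing listens on %d: check sshd on the device" % port
    elif banner.startswith("SSH-"):
        report["next_step"] = "SSH reachable; if the ESM still fails, check the device key (re-key)"
    else:
        report["next_step"] = "port %d open but no SSH banner: something other than sshd is answering" % port
    return report


# --- constructed test doubles, not part of the diagnostic itself -------------
def start_fake_ssh_server(banner=b"SSH-2.0-ConstructedTestDouble\r\n"):
    """Listen on 127.0.0.1 and send an SSH-style banner to every client; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Return a loopback TCP port that nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    result = diagnose(target)
    print(f"{result['host']}:{result['port']} -> {result['state']} "
          f"{result['banner'] or ''}\n  {result['next_step']}")
```

Run it from the ESM against the ELM and from the ELM back towards the ESM, as the reply suggests, and compare the two results: a device that is "open" with a banner from one host and "filtered" from the other is the firewall-change case described above.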
