
SIEM upgrade from 9.3.2 to 9.4.1

Following the upgrade of McAfee ESM (SIEM) from version 9.3.2 to version 9.4.1, while the upgrade appears to have gone off without a hitch, I am having a problem with the Data Sources in that they are showing no data or events and ALL have amber flags next to them, with the exception of the NetFlow sources.  When I perform a tcpdump on the console to check and see if I am, in fact, receiving inputs from the end devices (via SysLog).  It appears to be an issue with the ELM.  I am running the version of ESM as the combined ESM, ELM receiver.

I have tried deleting all the data sources and reimporting them, I have tried making a change to a single data source and rediscovering, I have tried shutting down all the collectors and restarting.  Finally I have tried several reboots.  No luck; any ideas from the community?

13 Replies

Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi kwharris,

Did you write the data sources after the upgrade? It solved the issue for us.

Go to --> Receiver --> Receiver Properties --> Write the data sources settings to receiver

Once it's done, roll out the policy again and this should fix the issue.



Re: SIEM upgrade from 9.3.2 to 9.4.1

Try Manual rule update and rollout of the policy.

Within the event log of the Receiver, do you see any error messages? It might be related to the processes not running.

Re: SIEM upgrade from 9.3.2 to 9.4.1

We just hit this problem also after the upgrade to 9.4.1.  Go into the policy editor and roll out the policy; there is a checkbox at the bottom left of the window labeled "Rollout policy to all devices now".  Do that and that should get you moving again.


Re: SIEM upgrade from 9.3.2 to 9.4.1

So here is where I am at: it appears that the "parsersctl" process is not starting; I viewed this when I issued the "NitroStarted" command while root.  I have tried all the information above.  I have also tried NitroStop -nod and NitroStart -nod as well as "killall collectorsctl" until I know that all the collectors are down and attempt to restart.  Also, tried another reboot after upgrade.  This provides me nothing toward progress; please see additional log output, not sure if this is related to the fact that the parsers are not starting.



Re: SIEM upgrade from 9.3.2 to 9.4.1


First, if you have custom parsers, disable them.

Second will be the possibility of a corrupted datasource config. This can be resolved easily by disabling the datasources one by one and running NitroStart; once it starts, the last disabled source is the problem.

Afterwards just go to that source, open it and save it, and it should work.

Re: SIEM upgrade from 9.3.2 to 9.4.1

Did you fix it? Now I'm having a similar issue.

Re: SIEM upgrade from 9.3.2 to 9.4.1


Yes, it does appear to have fixed the issue.  Though the recovery process is quite tedious, it appears that effectively I needed to rebuild the data source DB.  First I had to de-select every data source, then write the changes.  Then I needed to issue a NitroStop -nod and then issue a NitroStart -nod to re-add devices; I needed to do this on an individual basis while issuing a "NitroStarted" between each to make sure all the collector daemons came up cleanly.

Process was: issue NitroStart -nod (add and write each device - do not write to all), then NitroStop -nod (wait for process to complete), then issue a NitroStart -nod, then when that is complete issue "NitroStarted" to see status of collectors.  From the console after issuing each NitroStarted-nod and NitroStop -nod commands I used "Alt+ <left arrow>" to view /var/log/messages to see the effects of the commands.

Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi kwharris,

Actually I've advised you for some/most of the steps, but following the same algorithm doesn't solve it and also I've got NitroFlow not running.

Will let you know how it goes.
