Re: SIEM upgrade from 9.3.2 to 9.4.1

Alexander,

While I am running ESM version 9.4.1 and it appears to be working (or accepting data from the syslog inputs), what I am puzzled about is why it is now working. After going through the process of adding each data source individually, none of them failed. I expected to see some problems, unless what I did was to rebuild the data source DB; the question would then be why that didn't work when I just imported the data sources via a CSV file I had created. Punderous.

Nonetheless, I still need to figure out how I can upgrade from 9.3 to 9.4 cleanly without the need for the process above. Guess that is a question for McAfee support.


Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi Folks

We ran into the same issue over the weekend upgrading from 9.4 to 9.4.1 HF2.

McAfee support provided the following fix for 9.4.1 bug 1013935.

You need to log a support call in which they will verify the device data on ESM/ERC.

Cheers,

Japie

Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi Friends. Has anybody encountered a SIEM (ENMELM combo) appliance upgrade from 9.3.2 to 9.4.2 with DAS storage attached? What is the proper workflow? The problem is we attached our DAS to the ELM, and after updating our appliance from 9.3.2 to 9.4.2 it seems to be attached to the ESM.


Re: SIEM upgrade from 9.3.2 to 9.4.1

For upgrades... I say they are "full of it" about custom rules; we've never disabled our custom rules... ever. Just force a rules update and policy rollout, BUT make sure you are in the receiver properties data sources screen and not the "global properties", and if the "Write" is not highlighted, just un-check one logging check mark for a single data, then check it again. Once you do that, "Write" is now highlighted; when the policy rollout screen comes up, check the box at the bottom left, then click OK. We've been upgrading the ESM(s), followed immediately by a manual rule update, then moving on to upgrading the remainder of the devices.

I'd say if you can, skip 9.4.1 (we were not impressed with that release) and go right to 9.4.2 release 2 (11182014), but beware if you are running HA receivers..... We did a few upgrades to 9.4.2 release 2 yesterday and HA fell on its face. Our combo box went very smoothly though.

I just wish we could upgrade the HA receivers without losing events.... For some reason the ELM gets the data but processing is off until the policy rollout happens. Sad.....

Happy Holidays everyone.

  -Bob
