SIEM upgrade from 9.3.2 to 9.4.1

Following the upgrade of McAfee ESM (SIEM) from version 9.3.2 to version 9.4.1: while the upgrade appears to have gone off without a hitch, I am having a problem with the Data Sources in that they are showing no data or events and ALL have amber flags next to them, with the exception of the NetFlow sources. When I perform a tcpdump on the console to check and see if I am, in fact, receiving inputs from the end devices (via Syslog). It appears to be an issue with the ELM. I am running this version of ESM as the combined ESM, ELM, Receiver.

I have tried deleting all the data sources and reimporting them, I have tried making a change to a single data source and rediscovering, I have tried shutting down all the collectors and restarting. Finally, I have tried several reboots. No luck; any ideas from the community?

13 Replies

Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi kwharris,

Did you write the data sources after the upgrade? It solved the issue for us.

Go to --> Receiver --> Receiver Properties --> Write the data source settings to receiver

Communities.jpg

Once it's done, roll out the policy again and this should fix the issue.

Regards,

Vinaya

Re: SIEM upgrade from 9.3.2 to 9.4.1

Try a manual rule update and rollout of the policy.

Within the event log of the Receiver, do you see any error messages? It might be related to the processes not running.

rcavey

Re: SIEM upgrade from 9.3.2 to 9.4.1

We just hit this problem also after the upgrade to 9.4.1. Go into the policy editor and roll out the policy; there is a checkbox at the bottom left of the window labeled "Rollout policy to all devices now" ..... Do that and that should get you moving again.

9.4.1_policy.png

Re: SIEM upgrade from 9.3.2 to 9.4.1

So here is where I am at: it appears that the "parsersctl" process is not starting; I viewed this when I issued the "NitroStarted" command while root. I have tried all the information above. I have also tried NitroStop -nod and NitroStart -nod, as well as "killall collectorsctl" until I know that all the collectors are down, and then attempted to restart. Also tried another reboot after the upgrade. This provides me nothing toward progress; please see the additional log output, not sure if this is related to the fact that the parsers are not starting.

ESM_error.jpg

Re: SIEM upgrade from 9.3.2 to 9.4.1

Okay,

First, if you have custom parsers, disable them.

Second will be the possibility of a corrupted datasource config; this can be resolved easily by disabling the datasources one by one and running NitroStart. Once it starts, the last disabled source is the problem.

Afterwards just go to that source, open it and save it, and it should work.

Re: SIEM upgrade from 9.3.2 to 9.4.1

Did you fix it? Now I'm having a similar issue.

Re: SIEM upgrade from 9.3.2 to 9.4.1

Alexander,

Yes, it does appear to have fixed the issue. Though the recovery process is quite tedious, it appears that effectively I needed to rebuild the data source DB. First I had to de-select every data source, then write the changes. Then I needed to issue a NitroStop -nod and then issue a NitroStart -nod to re-add devices; I needed to do this on an individual basis while issuing a "NitroStarted" between each to make sure all the collector daemons came up cleanly.

The process was: issue NitroStart -nod (add and write each device; do not write to all), then NitroStop -nod (wait for the process to complete), then issue a NitroStart -nod, then when that is complete issue "NitroStarted" to see the status of the collectors. From the console, after issuing each NitroStarted-nod and NitroStop -nod command, I used "Alt+<left arrow>" to view /var/log/messages to see the effects of the commands.

Re: SIEM upgrade from 9.3.2 to 9.4.1

Hi kwharris,

Actually, I've advised you on some/most of the steps, but following the same algorithm doesn't solve it, and also I've got NitroFlow not running.

Will let you know how it goes.