DimaV
Level 10
Message 1 of 10

Unknown_0 event shown in ESM

Hi Everyone,

We have ESM version 11.3. We started to see events shown as Unknown_0 instead of parsed events in the ESM.

Just wanted to know if someone else had this issue and solved it.

9 Replies
Roman_Carreon
McAfee Employee
Message 2 of 10

Re: Unknown_0 event shown in ESM

Depending on what patch level you have (anything from HF8 or later for 11.3.0), there is a new process running on the ESM, called NSYNC, that helps with several things. If NSYNC isn't running, it can cause events to show up with the Unknown_0 description.

SSH to the ESM and try running "service nsync start", and give the system a bit of time to fill in the event names.

If that doesn't work, or you're on patch 7 or earlier, I'd go ahead and log a support ticket, since the root cause may actually be on the Receiver and require manual intervention from support on its database.

pbpillai
McAfee Employee
Message 3 of 10

Re: Unknown_0 event shown in ESM

DimaV
Level 10
Message 4 of 10

Re: Unknown_0 event shown in ESM

Hi,

Restart of NSYNC did not help.

DimaV
Level 10
Message 5 of 10

Re: Unknown_0 event shown in ESM

The issue was solved with patch 13.

Re: Unknown_0 event shown in ESM

Hello,

Suddenly observing unknown_0 as the rule message, and all ASP rules were disabled. Can anyone please help with this? Hotfix 13 is already applied. nsync service restarted too.

Avinash_Kr
Level 8
Message 7 of 10

Re: Unknown_0 event shown in ESM

Tried, but it still doesn't work. We're on 11.3 HF 15.

Anything else we can try?

pbpillai
McAfee Employee
Message 8 of 10

Re: Unknown_0 event shown in ESM
pvenkatesh
Level 9
Message 9 of 10

Re: Unknown_0 event shown in ESM

Hi Prashnath,

We found the unknown_0 events in McAfee ESM 11.3.2 HF 3. We have done a service restart for nsync on the Management and Replica ESM.

Post restart, we could still see the Unknown_0 events from the same Receiver.

Do we have any fix / workaround, or is it expected in 11.3.2 HF 3?

Thanks
Venkatesh Poyyalisamy

lratcliffe
McAfee Employee
Message 10 of 10

Re: Unknown_0 event shown in ESM

Unknown_0 indicates that the event description hasn't made it from the receiver to the ESM. It could be that it wasn't created in the first place, or that it is old and so the ESM is not aware that it needs to download it.

The steps to work out what's going on are:

  1. Get the signature id of the event from the UI.
  2. Convert it to a rule id using the formula ruleID = (DSID << 32) + sigid. For example, for sigid 43-123456, from the SIEM CLI: echo $(( (43<<32) + 123456 ))
  3. Check for this value as follows:
    nquery -d esm -q 'select * from localestring where tablefield=2564 and id=184683717184'
    nquery -d sfx -q 'select * from localestring where tablefield=2564 and id=184683717184'

    If it's in the esm db but not sfx, it's an nsync issue. If it's in neither, then check the receiver; this uses the original signature id without the DSID instead of the ruleid:
    nquery -d rec -q 'select * from eventdesc where sig_id=123456'

    Assuming it is in the receiver, if you update the time value on it to be in the future, this makes the ESM pick it up again, e.g.
    nquery -d rec -q 'update eventdesc set last_time="12/17/2020 14:55:02" where sig_id=123456'
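The sigid-to-ruleid conversion and the read-only lookups from the reply above, as an added shell example that is not part of the thread or of the McAfee product. It uses the 43-123456 / 184683717184 values from the post, validates the input, and adds the inverse decode from a rule id back to DSID-sigid; it only prints the nquery commands and never touches a database.

```shell
#!/bin/sh
# Added example, not from the thread or the product: helper functions for the
# sigid -> ruleid conversion described above. Only the computed strings are
# printed; nothing here connects to or modifies an ESM database.

# sigid_to_ruleid DSID-sigid  ->  (DSID << 32) + sigid
# e.g. sigid_to_ruleid 43-123456  ->  184683717184 (the value used in the post)
sigid_to_ruleid() {
    dsid=${1%%-*}
    sigid=${1#*-}
    # reject input with no dash (both halves would equal the whole string),
    # empty halves, extra dashes, or anything non-decimal
    [ "$dsid" != "$1" ] || { echo "bad signature id: $1" >&2; return 1; }
    case "$dsid"  in ''|*[!0-9]*) echo "bad DSID in: $1" >&2; return 1 ;; esac
    case "$sigid" in ''|*[!0-9]*) echo "bad sigid in: $1" >&2; return 1 ;; esac
    echo $(( (dsid << 32) + sigid ))
}

# ruleid_to_sigid ruleid  ->  DSID-sigid (the inverse: high 32 bits are the DSID)
ruleid_to_sigid() {
    case "$1" in ''|*[!0-9]*) echo "bad rule id: $1" >&2; return 1 ;; esac
    echo "$(( $1 >> 32 ))-$(( $1 & 0xFFFFFFFF ))"
}

# nquery_checks DSID-sigid  ->  the three read-only lookups from the reply, in
# the order to run them: esm, then sfx (nsync target), then the receiver by sig_id
nquery_checks() {
    rid=$(sigid_to_ruleid "$1") || return 1
    sigid=${1#*-}
    printf "nquery -d esm -q 'select * from localestring where tablefield=2564 and id=%s'\n" "$rid"
    printf "nquery -d sfx -q 'select * from localestring where tablefield=2564 and id=%s'\n" "$rid"
    printf "nquery -d rec -q 'select * from eventdesc where sig_id=%s'\n" "$sigid"
}

# Usage: sh thisfile.sh 43-123456
if [ $# -gt 0 ]; then
    nquery_checks "$1"
fi
```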