The McAfee SIEM is configured, by default, to index only ports 1-1024. Non-indexed ports do not show in searches. McAfee best practice is to enable indexing for all ports.
What is the downside of enabling indexing for all ports?
Moved to SIEM forum there is a better chance of an answer there
From memory, it will negatively impact the receiver. Why don't you enable as you go?