
Windows Data Source Events Issue

Running ESM 9.6 all-in-one. No events from any Windows data sources show in the dashboard. I see the data come in under /var/log/data/inline/thirdparty.logs/##/in/data* and then go away, but nothing appears in the dashboard.

Events from Linux syslog come in and show up in the dashboard with no problem.

Already followed steps below with no luck.

https://kc.mcafee.com/corporate/index?page=content&id=KB82387

My thought process is that they are not being put into the DB for some reason, but I'm not sure of the next troubleshooting steps. Any ideas?

2 Replies
Reliable Contributor David1111
Message 2 of 3

Re: Windows Data Source Events Issue

Hi arc33333.

Try checking the following directory:

cd /var/log/data/inline/thirdparty.logs/##/out/       (the directory of the parsed events)

du -h      (checks the amount of data stored in that directory)

If you see a large amount of data there, you may really have a problem with the database of the ESM, or with the services communicating with the ERC.

A second option is to press the "live stream" button in the ESM (upper left) and view the live events coming from that source.

If you see events, it means it is parsing them fine.

Just check the date in the events; they could be old events, in which case the ESM is storing them in old data records.

It could be the result of lots of reasons, but start with this.

Best Regards👍👍👍

David.

McAfee Employee TaskManager
Message 3 of 3

Re: Windows Data Source Events Issue

Two other items that may be worth looking into:

Restriction of Historical Event Inserts under ESM Properties -> Database -> Database Settings (sorry if this is incorrect, I do not have access to a 9.6 device, but one of the settings under there should have it).

If it is set to restrict historical inserts, the data will come to the receiver, get parsed, go to the receiver DB, and the ESM will not pull it.

If this is not set, then you may be receiving historical data and need to change your time frame based on the events coming in (possibly just set it to all time to see).

Lastly, depending on how you are collecting Windows data, it may potentially be a mis-formatting of data for the WMI parser. Are you collecting via credentialed pull request from WinRM, or are you using a third-party agent to push the data?
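An added shell helper (my own example, not code from the thread or from McAfee) that scripts the two checks discussed above: the size of the receiver's parsed-events directory that David suggests inspecting with du, and whether the files sitting there are old, which would point at the historical-event explanation TaskManager raises. The spool path, the size threshold and the age threshold are assumptions to adjust for the receiver in question.

```shell
#!/bin/sh
# Diagnostic helper for an ESM receiver spool directory such as
# /var/log/data/inline/thirdparty.logs/##/out/ (path from the thread, ## is
# the receiver's own number). Assumes POSIX sh with du(1), find(1) and wc(1).
# Thresholds are illustrative, not McAfee guidance.

# Total size of DIR in KiB (du -sk is POSIX, unlike -h).
spool_size_kb() {
    du -sk "$1" | cut -f1
}

# Number of regular files in DIR last modified more than DAYS days ago.
spool_stale_count() {
    find "$1" -type f -mtime +"$2" | wc -l | tr -d ' '
}

# spool_status DIR MAX_KB STALE_DAYS
# Prints BACKLOG when parsed data is piling up (the ESM is not pulling from
# the receiver, or the ESM database / ERC services have a problem), STALE when
# old files sit in the spool (events may be landing in old data records and
# falling outside the dashboard time frame), MISSING for a bad path, else OK.
# BACKLOG takes precedence over STALE.
spool_status() {
    dir=$1; max_kb=$2; stale_days=$3
    [ -d "$dir" ] || { echo "MISSING"; return 1; }
    size=$(spool_size_kb "$dir")
    stale=$(spool_stale_count "$dir" "$stale_days")
    if [ "$size" -gt "$max_kb" ]; then
        echo "BACKLOG"
    elif [ "$stale" -gt 0 ]; then
        echo "STALE"
    else
        echo "OK"
    fi
}

# Example invocation on a receiver (100 MiB backlog limit, 1-day age limit):
# spool_status /var/log/data/inline/thirdparty.logs/##/out/ 102400 1
```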
