Windows Data Source Events Issue

Running ESM 9.6 all-in-one. No events from any Windows data sources show in the dashboard. I see the data come in under /var/log/data/inline/thirdparty.logs/##/in/data* and then go away, but nothing appears in the dashboard.

Events from Linux syslog come in and show up in the dashboard with no problem.

I already followed the steps below with no luck.

https://kc.mcafee.com/corporate/index?page=content&id=KB82387

My thought process is that they are not being put into the DB for some reason, but I am not sure of the next troubleshooting steps. Any ideas?

2 Replies
Reliable Contributor David1111
Message 2 of 3

Re: Windows Data Source Events Issue

Hi arc33333.

Try checking the following directory:

cd /var/log/data/inline/thirdparty.logs/##/out/       (the directory of the parsed events)

du -h      (checks the amount of data stored in that directory)

If you see a big amount of data there, it could be that you really have a problem with the database of the ESM,

or with the services communicating with the ERC.

A second option is to press the "Live Stream" button in the ESM (upper left)

and view the live events coming from that source.

If you see events, it means it is parsing them fine.

Just check the date in the events; it could be that the events are old events, and because of that the ESM is storing them in old data records.

There could be lots of reasons, but start with this.

 

Best Regards👍👍👍

David.
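As an added example that is not from this thread or from McAfee, the POSIX shell script below automates David's in/ versus out/ directory check across every data-source ID under the Receiver log root quoted in the question, so a parsed-but-not-pulled backlog stands out at a glance; the default root path, the 1 MiB threshold and the sample directory tree it builds are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from McAfee). For each data-source
# directory under the Receiver's third-party log root, report how much raw
# data sits in in/ versus parsed data in out/. Parsed data piling up in out/
# while the dashboard stays empty points at the Receiver->ESM insert path
# (ESM database or ERC communication); raw data with an empty out/ points at
# the parser. Sizes are summed from file contents (unlike du), so an empty
# directory reads as 0. Root path and threshold are assumed defaults.
LOG_ROOT="${LOG_ROOT:-/var/log/data/inline/thirdparty.logs}"
THRESHOLD_KB="${THRESHOLD_KB:-1024}"   # flag out/ backlogs above 1 MiB

# dir_kb DIR -> total size of regular files under DIR in KiB (0 if missing)
dir_kb() {
    [ -d "$1" ] || { echo 0; return; }
    bytes=$(find "$1" -type f -exec cat {} + | wc -c | tr -d ' ')
    echo $((bytes / 1024))
}

# backlog_report ROOT -> one line per data-source id:
#   "<id> in=<KiB> out=<KiB> <status>"
backlog_report() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        in_kb=$(dir_kb "${d}in")
        out_kb=$(dir_kb "${d}out")
        if [ "$out_kb" -gt "$THRESHOLD_KB" ]; then
            status="BACKLOG: parsed but not pulled into the ESM"
        elif [ "$in_kb" -gt 0 ] && [ "$out_kb" -eq 0 ]; then
            status="RAW ONLY: parser not producing output"
        else
            status="ok"
        fi
        printf '%s in=%s out=%s %s\n' "$id" "$in_kb" "$out_kb" "$status"
    done
}

# Constructed sample tree so the script runs offline; on a real Receiver
# drop this block and call: backlog_report "$LOG_ROOT"
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/11/in" "$SAMPLE/11/out" "$SAMPLE/12/in" "$SAMPLE/12/out"
dd if=/dev/zero of="$SAMPLE/11/out/data1" bs=1024 count=2048 2>/dev/null  # 2 MiB parsed, never pulled
dd if=/dev/zero of="$SAMPLE/12/in/data1"  bs=1024 count=64   2>/dev/null  # 64 KiB raw, nothing parsed
backlog_report "$SAMPLE"
```

On a live Receiver, run it as a user that can read the log root and compare the flagged IDs against the Windows data sources configured in the ESM.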

McAfee Employee TaskManager
Message 3 of 3

Re: Windows Data Source Events Issue

Two other items that may be worth looking into.

Restriction of Historical Event Inserts under ESM Properties -> Database -> Database Settings (sorry if this is incorrect; I do not have access to a 9.6 device, but one of the settings under there should have it).

If it is set to restrict historical inserts, the data will come to the Receiver, get parsed, and go to the Receiver DB, but the ESM will not pull it.

If this is not set, then you may be receiving historical data and need to change your time frame based on the events coming in (possibly just set it to All Time to see).

Lastly, depending on how you are collecting Windows data, it may potentially be a misformatting of the data for the WMI parser. Are you collecting via a credentialed pull request from WinRM, or are you using a third-party agent to push the data?
