Former Member
Message 1 of 3

Windows Data Source Events Issue

Running ESM 9.6 all in one. No events from any Windows data sources show in the dashboard. I see the data come into /var/log/data/inline/thirdparty.logs/##/in/data* and then go away, but nothing appears in the dashboard.

Events from Linux syslog come in and show up in the dashboard with no problem.

Already followed steps below with no luck.

My thought process is that they are not being put into the DB for some reason, but I am not sure of the next troubleshooting steps. Any ideas?

2 Replies
Reliable Contributor
Message 2 of 3

Re: Windows Data Source Events Issue

Hi arc33333,

Try checking the following directory:

cd /var/log/data/inline/thirdparty.logs/##/out/       (the directory of the parsed events)

du -h      (check the amount of data stored in that directory)

If you see a large amount of data there, you may really have a problem with the database of the ESM,

or with the services communicating with the ERC.


A second option is to press the "live stream" button in the ESM (upper left)

and view the live events coming from that source.

If you see events, it means it is parsing them fine.

Just check the date in the events; they could be old events, and because of that the ESM is storing them in old data records.

It could be the result of lots of reasons, but start with this.


Best Regards👍👍👍
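As an added example (not code from the thread or from McAfee), a small POSIX shell function that surveys the receiver's thirdparty.logs/<id>/out/ directories named in the reply and flags data sources whose parsed-event backlog is large or whose files are old, the two conditions the reply says to check; the size and age thresholds are assumed defaults, not product values.

```shell
# Added example, not code from the thread or from McAfee: survey the
# receiver's parsed-event directories (/var/log/data/inline/thirdparty.logs/<id>/out/)
# and flag data sources whose backlog is large or whose files are old.
# The size and age thresholds are assumed defaults, not values from the product.

# Usage: check_parsed_backlog BASE_DIR [MAX_KB] [MAX_AGE_DAYS]
# Prints one line per data source id: "<id> <kb>KB <n> files <m> stale <flags>"
# Returns 1 if any source is flagged BACKLOG or STALE, 0 otherwise.
check_parsed_backlog() {
    base="$1"; max_kb="${2:-10240}"; max_age="${3:-2}"
    rc=0
    for out_dir in "$base"/*/out; do
        [ -d "$out_dir" ] || continue          # skip sources with no out/ dir
        id=$(basename "$(dirname "$out_dir")")
        kb=$(du -sk "$out_dir" | cut -f1)      # parsed data waiting for the ESM
        files=$(find "$out_dir" -type f | wc -l | tr -d ' ')
        # files older than MAX_AGE_DAYS: likely old events, or a stuck pipeline
        stale=$(find "$out_dir" -type f -mtime +"$max_age" | wc -l | tr -d ' ')
        flags=""
        [ "$kb" -gt "$max_kb" ] && flags="$flags BACKLOG"
        [ "$stale" -gt 0 ] && flags="$flags STALE"
        [ -n "$flags" ] && rc=1
        echo "$id ${kb}KB $files files $stale stale${flags:- OK}"
    done
    return $rc
}

# Stand-alone run against the receiver layout from the thread:
# check_parsed_backlog /var/log/data/inline/thirdparty.logs
```

A source reporting BACKLOG points at the ESM/ERC side not pulling parsed data, while STALE with little backlog points at old event timestamps landing in old data records.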


Former Member
Message 3 of 3

Re: Windows Data Source Events Issue

Two other items that may be worth looking into.

Restriction of Historical Event Inserts, under ESM Properties -> Database -> Database Settings. (Sorry if this is incorrect; I do not have access to a 9.6 device, but one of the settings under there should have it.)

If it is set to restrict historical inserts, the data will come to the receiver, get parsed, go to the receiver DB and the ESM will not pull it.

If this is not set, then you may be receiving historical data and need to change your time frame based on the events coming in (possibly just set it to all time to see).

Lastly, depending on how you are collecting Windows data, it may potentially be mis-formatted data for the WMI parser. Are you collecting via a credentialed pull request over WinRM, or are you using a third-party agent to push the data?
