EPO SIEM Collector Policies not enforcing

I have recently come to an issue in which the policies for my SIEM collector are not applying even though the correct policies reflect on the system summary. I will set the policy and inheritance on a workstation and log in only to find that no settings have been set on the program. I have tried uninstalling and reinstalling both the product and the agent with the same result. I am using:

Epo 5.10

MA 5.7.2

SIEM Collector 11.3

All packages and extensions associated have been assigned.

EPO will deploy the products and agents with no issue; it just won't enforce policy settings.

I am currently in the process of rolling back to 5.9 to see if that will change anything. 

Any insight would be greatly appreciated.

6 Replies
cdinet
McAfee Employee
Message 2 of 7

Re: EPO SIEM Collector Policies not enforcing

The masvc log on the client will show any errors enforcing policies, and the server log on the ePO/agent handlers might show errors as well. Is the agent communicating?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: EPO SIEM Collector Policies not enforcing

I checked the log location you specified and can't find anything that would indicate an issue in enforcing the policy. I get the standard received and enforced SIEMCOLL1000 policy with no logs stating an issue. The issue I find is that while I installed SIEMCOLL1100 and it reflects in the extensions and master repo, the client-side agent still refers to the product as SIEMCOLL1000. Is that an issue you're familiar with?

cdinet
McAfee Employee
Message 4 of 7

Re: EPO SIEM Collector Policies not enforcing

What build/version of the SIEM collector client is checked into the master repository vs. what is installed on the client?

cdinet
McAfee Employee
Message 5 of 7

Re: EPO SIEM Collector Policies not enforcing

I checked the collector client into my ePO - 11.3, and the product code for it is siemcoll1000. The extension product code may be different, so I wouldn't think that is a problem. I am not familiar enough with SIEM to know where to get the extension - I can't find it in downloads. It may be like some other appliances where the extension is obtained from the appliance itself. Try creating a new policy based on McAfee Default as a test, make the desired changes, then assign it to the system to see if they are applied. Also make sure there are no policy assignment rules that override the system tree assignment.

Re: EPO SIEM Collector Policies not enforcing

Master Repository and client both reflect 11.3 on the product while the extension is at 11.0. I reverted back to 11.0 on the master to test but am still having the same issues. I tried creating a new policy based on the default but still no luck. The SIEM collector works fine when configured manually on the client itself; it just won't get the settings from the policy. This issue is replicated across all clients in my network.

cdinet
McAfee Employee
Message 7 of 7

Re: EPO SIEM Collector Policies not enforcing

You need to get either an extension for 11.3 or revert your client on the system to 11.0. I would suggest contacting the SIEM team for that extension.
