McAfee SIEM - ESM Data lost


Hello guys,


Recently I faced it 2 times with 2 different clients.

The data disappeared after some problems, and I'd like to know if you guys are facing it or have had this terrible experience before.

Now I have only 5 days of data:
[Image: last 60 days, but I only have 5.JPG]

and for only that I have 250GB consumed, so I ask: which files are storing the lost data? Where is it?

[Image: df h.JPG]

Look at my Data folder:

McAfee-ENMELM-VM12 /usr/local/ess/data # ls

ADGroup.blob                        ExtDeviceAttr.blob                NotificationEMailGroups.data   TagSevBits.index

ADGroup.data                        ExtDeviceAttr.data                NotificationEMailGroups.index  TagUpdateException.data

ADGroup.index                       ExtDeviceAttr.index               NotificationMembers.data       TagUpdateException.index

ADGroupSM.data                      ExternalDevice.data               NotificationMembers.index      Theme.data

ADGroupSM.index                     ExternalDevice.index              NotificationUser.data          Theme.index

Access.data                         GeoLoc.data                       NotificationUser.index         ThirdPartyConfig.blob

Access.index                        GeoLoc.index                      OS.data                        ThirdPartyConfig.data

Action.data                         GetRedundantSettings.sql          OS.index                       ThirdPartyConfig.index

Action.index                        Groups.blob                       Obfuscation.blob               ThirdPartyType.data

AggException.data                   Groups.data                       Obfuscation.data               ThirdPartyType.index

AggException.index                  Groups.index                      Obfuscation.index              Timezone.blob

Alert1.blob_p35                     HCFilters.blob                    PluginData.blob                Timezone.data

Alert1.data_p35                     HCFilters.data                    PluginData.data                Timezone.index

Alert_AlertID_1.index_p35           HCFilters.index                   PluginData.index               TriggeredAlarm.blob

Alert_DstIP_1.index_p35             HealthStatusChanges.data          Plugins.data                   TriggeredAlarm.data

Alert_DstMac_1.index_p35            Hosts.data                        Plugins.index                  TriggeredAlarm.index

Alert_DstPort_1.index_p35           Hosts.index                       PortApps.blob                  TriggeredCondition.data

Alert_GUID1_1.index_p35             ICMPType.data                     PortApps.data                  TriggeredCondition.index

Alert_GUID2_1.index_p35             ICMPType.index                    PortApps.index                 UCFA2U.data

Alert_ID_1.index_p35                IPS.blob                          Ports.data                     UCFA2U.index

Alert_SigIDDstIP_1.index_p35        IPS.data                          Ports.index                    UCFC2U.data

Alert_SigIDSrcIP_1.index_p35        IPS.index                         Preprocess.blob                UCFC2U.index

Alert_SigID_1.index_p35             IPSBlob.blob                      Preprocess.data                UCFN2U.data

Alert_SrcIP_1.index_p35             IPSBlob.data                      Preprocess.index               UCFN2U.index

Alert_StaticStrings1.bloom_p35      IPSBlob.index                     PreprocessException.data       UCFName.blob

Asset.data                          IPSChange.data                    PreprocessException.index      UCFName.data

Asset.index                         IPSChange.index                   PreprocessGroup.blob           UCFName.index

AssetGroup.data                     IPSCheck.data                     PreprocessGroup.data           US.data

AssetGroup.index                    IPSCheck.index                    PreprocessGroup.index          US.index

AssetGroupXRef.data                 ItemRights.data                   Profile.data                   UpdateBlob.blob

AssetGroupXRef.index                ItemRights.index                  Profile.index                  UpdateBlob.data

AssetVendor.data                    Job.data                          Query.blob                     UpdateBlob.index

AssetVendor.index                   Job.index                         Query.data                     Usage.data

AssetVulnerability.data             LocaleString.blob                 Query.index                    Usage.index

AssetVulnerability.index            LocaleString.data                 RemoteAction.data              UserField.data

AutoCreateRule.data                 LocaleString.index                RemoteAction.index             UserField.index

AutoCreateRule.index                LocaleString_StrValue.bloom       RemoteActionAttr.data          UserFieldUse.data

AutoCreateRuleCriteria.data         Log.blob_p2                       RemoteActionAttr.index         UserFieldUse.index

AutoCreateRuleCriteria.index        Log.data_p2                       RemoteCommandAttr.blob         UserFilterList.data

Blacklist.data                      Log.index_p2                      ReportComponent.blob           UserFilterList.index

Blacklist.index                     LogCategory.data                  ReportComponent.data           UserIPSIDJoin.data

BlacklistBuffer.data                LogCategory.index                 ReportComponent.index          UserIPSIDJoin.index

BlacklistBuffer.index               MessageTemplate.blob              ReportFolder.data              UserLicense.data

CaseEvents.data                     MessageTemplate.data              ReportFolder.index             UserLicense.index

CaseEvents.index                    MessageTemplate.index             Reports.blob                   UserViewExclusion.data

CaseMgt.blob                        NDDevice.data                     Reports.data                   UserViewExclusion.index

CaseMgt.data                        NDDevice.index                    Reports.index                  User_IPS.data

CaseMgt.index                       NDDeviceAddresses.data            Rights.blob                    User_IPS.index

CaseMgt_Name.bloom                  NDDeviceAddresses.index           Rights.data                    Users.blob

CaseMgt_Notes.bloom                 NDDeviceInterface.data            Rights.index                   Users.data

CaseMgt_Viewed.bloom                NDDeviceInterface.index           RightsAssignment.data          Users.index

CaseOrg.data                        NDDeviceVLAN.data                 RightsAssignment.index         UsersPW.data

CaseOrg.index                       NDDeviceVLAN.index                Rule.blob                      UsersPW.index

CaseStatus.data                     NDEPDevices.data                  Rule.data                      Var.blob

CaseStatus.index                    NDEPDevices.index                 Rule.index                     Var.data

ChangeLog.blob                      NDEPParams.data                   RuleParam.blob                 Var.index

ChangeLog.data                      NDEPParams.index                  RuleParam.data                 VarException.blob

ChangeLog.index                     NDEndPointIP.data                 RuleParam.index                VarException.data

Class.blob                          NDEndPointIP.index                RuleParamChange.blob           VarException.index

Class.data                          NDEndPointIPHistory.data          RuleParamChange.data           View.blob

Class.index                         NDEndPointIPHistory.index         RuleParamChange.index          View.data

Condition.blob                      NDEndPoints.data                  RuleUseException.data          View.index

Condition.data                      NDEndPoints.index                 RuleUseException.index         ViewComponent.blob

Condition.index                     NDEndPointsHistory.data           RuleVA.data                    ViewComponent.data

Connection1.blob_p1                 NDEndPointsHistory.index          RuleVA.index                   ViewComponent.index

Connection1.data_p1                 NDFolder.blob                     RuleVIN.data                   ViewFolder.data

Connection_ConnectionID_1.index_p1  NDFolder.data                     RuleVIN.index                  ViewFolder.index

Connection_DstIPDur_1.index_p1      NDFolder.index                    SMXRef.data                    Vulnerability.data

Connection_DstPort_1.index_p1       NDFolderDevice.data               SMXRef.index                   Vulnerability.index

Connection_ID_1.index_p1            NDFolderDevice.index              Scoring.blob                   WMIType.data

Connection_LocIDDst_1.index_p1      NDIPLoc.data                      Scoring.data                   WMIType.index

Connection_Prot_1.index_p1          NDIPLoc.index                     Scoring.index                  WatchListValues1.data

Connection_SrcIPDur_1.index_p1      NDNeighbors.data                  ScoringSource.blob             WatchListValues1.index

Connection_SrcPort_1.index_p1       NDNeighbors.index                 ScoringSource.data             WatchLists.blob

Connection_StaticStrings1.bloom_p1  NDParams.data                     ScoringSource.index            WatchLists.data

Connection_User16_1.index_p1        NDParams.index                    SelectFieldName.data           WatchLists.index

DataEnrichment.blob                 NDParamsDetail.data               SelectFieldName.index          Zone.data

DataEnrichment.data                 NDParamsDetail.index              SendEMail.blob                 Zone.index

DataEnrichment.index                NDParamsExclusion.data            SendEMail.data                 ZoneIPMap.data

DataEnrichmentFields.data           NDParamsExclusion.index           SendEMail.index                ZoneIPMap.index

DataEnrichmentFields.index          NDPortControl.data                SendSyslog.blob                connect_esm.sql

DataEnrichmentIPSID.data            NDPortControl.index               SendSyslog.data                finalpartitionlist.sql

DataEnrichmentIPSID.index           NDProcess.data                    SendSyslog.index               ngcp.cfd

DeviceFolder.blob                   NDProcess.index                   StringMap1.data                ngcp.cfd_old

DeviceFolder.data                   NDSearchResults.data              StringMap1.index               ngcp.cfg

DeviceFolder.index                  NDSearchResults.index             StringMap_Name1.bloom          ngcp.cfg_old

DeviceFolderIPSJoin.data            NitroError.Log                    SysSettings.blob               ngcp.cpy

DeviceFolderIPSJoin.index           Notes.blob                        SysSettings.data               ngcp.cpy_old

DistributedESM.data                 Notes.data                        SysSettings.index              ngcp.dfl

DistributedESM.index                Notes.index                       TPTypeApplication.data         ngcp.dfl1407848751

EMail.data                          Notification.blob                 TPTypeApplication.index        ngcp.dfl1410804574

EMail.index                         Notification.data                 Tag.data                       ngcp.dfl_1399392877

EMailGroup.data                     Notification.index                Tag.index                      ngcp.old

EMailGroup.index                    NotificationAction.data           TagAsset.data                  old_sa/

EMailGroupEMailAddress.data         NotificationAction.index          TagAsset.index                 packet1.blob_p1

EMailGroupEMailAddress.index        NotificationActionAttr.blob       TagAssetException.data         packet1.blob_p2

ESMFilters.blob                     NotificationActionAttr.data       TagAssetException.index        packet1.data_p1

ESMFilters.data                     NotificationActionAttr.index      TagAssetGroup.data             packet1.data_p2

ESMFilters.index                    NotificationCheck.data            TagAssetGroup.index            packet1.index_p1

EventForwarding.blob                NotificationCheck.index           TagRule.data                   packet1.index_p2

EventForwarding.data                NotificationEMailAddresses.data   TagRule.index                  partitionlist.sql

EventForwarding.index               NotificationEMailAddresses.index  TagSevBits.data

I noticed many *old files ... but none seems to be the lost database.

Some logs are attached.

I appreciate your help on that, I don't want to face it for the third time hehe. Tks
