6 Replies Latest reply on Jun 19, 2017 2:17 PM by suryaprakash

    Reports in McAfee ESM

    socgt

      Hello ,
      I am trying to configure a number of reports on the McAfee ESM and need suggestions on it.
      1) Expected Host/Log Source Not Reporting

          All systems / devices where source is not sending events
      2) Log volume trend over days

          Trend of all logs of all systems
      Can anybody please suggest what queries should be configured?
      Thanks

        • 1. Re: Reports in Mcafee ESM
          paul.k

          Socgt,
          1) For your first one there is a built-in report at the ESM level that will give you a list of all devices sorted by the last time they sent an event.
          ESM Properties--> System Information-->View Reports-->Event time-->Export to CSV
          2) The second is a bit tougher; it will depend on the granularity.

               I would use a distribution stacked by device type, with baseline enabled. It will give you a very good feel for the volume in your environment.

               There are always just dials with baseline that will just tell you your total volume for the time period.
          Good luck
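          The two checks paul.k describes above (devices sorted by last event time, and a volume distribution with a baseline) can also be done offline against a CSV export. The block below is an added example, not McAfee ESM code or anything from the thread's participants; it assumes a "last event" export with columns `device,last_event_time` and a volume export with columns `date,device_type,count` (both column layouts and all sample rows are constructed for the example).

```python
"""Flag silent log sources and build a stacked daily volume trend with a baseline check.

Added example, not McAfee ESM code. The CSV column names (device,
last_event_time / date,device_type,count) are assumptions about an export
layout; the rows below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Constructed sample: one row per data source with its last seen event time (UTC).
LAST_EVENT_CSV = """device,last_event_time
fw-edge-01,2017-06-19T13:55:00Z
dc-01,2017-06-19T14:00:00Z
proxy-02,2017-06-17T02:10:00Z
ids-03,2017-06-12T09:30:00Z
"""

# Constructed sample: daily event counts per device type (a "stacked distribution").
VOLUME_CSV = """date,device_type,count
2017-06-15,firewall,120000
2017-06-15,windows,80000
2017-06-16,firewall,118000
2017-06-16,windows,82000
2017-06-17,firewall,121000
2017-06-17,windows,79000
2017-06-18,firewall,41000
2017-06-18,windows,81000
"""


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def silent_sources(csv_text, now, max_silence=timedelta(hours=24)):
    """Return (device, hours_silent) for sources whose last event is older than
    max_silence, most silent first. This is the "expected host not reporting" list."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        gap = now - parse_ts(row["last_event_time"])
        if gap > max_silence:
            out.append((row["device"], round(gap.total_seconds() / 3600, 1)))
    return sorted(out, key=lambda t: -t[1])


def daily_volume(csv_text):
    """Return ({date: {device_type: count}}, {date: total}) from the volume export."""
    stacked = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        stacked[row["date"]][row["device_type"]] = int(row["count"])
    totals = {d: sum(v.values()) for d, v in stacked.items()}
    return dict(stacked), totals


def baseline_deviations(totals, threshold=0.25):
    """Flag days whose total deviates from the mean of all earlier days by more
    than threshold (a simple stand-in for the ESM baseline on a distribution)."""
    flagged = []
    dates = sorted(totals)
    for i, d in enumerate(dates[1:], start=1):
        base = mean(totals[x] for x in dates[:i])
        dev = (totals[d] - base) / base
        if abs(dev) > threshold:
            flagged.append((d, round(dev, 2)))
    return flagged


if __name__ == "__main__":
    now = parse_ts("2017-06-19T14:17:00Z")
    for device, hours in silent_sources(LAST_EVENT_CSV, now):
        print(f"SILENT {device}: no events for {hours} h")
    stacked, totals = daily_volume(VOLUME_CSV)
    for d in sorted(stacked):
        print(d, stacked[d], "total", totals[d])
    for d, dev in baseline_deviations(totals):
        print(f"BASELINE {d}: {dev:+.0%} vs. earlier days")
```

          With the constructed data, `proxy-02` and `ids-03` come out as silent beyond 24 hours, and the drop in firewall volume on 2017-06-18 is flagged against the earlier days, which is the kind of gap a per-device-type stack makes visible while a single total dial may hide it.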

          • 2. Re: Reports in Mcafee ESM
            socgt

            Hello paul.k

            Thanks for the suggestion.
            Could you please tell me how to implement 'distribution stacked by device type, with baseline enabled'?
            Thanks

            • 3. Re: Reports in Mcafee ESM
              socgt

              Hello,
              I am also trying to make a report with a 'Bar Chart' that can display top 20 data sources that have generated a particular event.
              Any suggestions?
              Thanks

              • 4. Re: Reports in Mcafee ESM
                paul.k

                Gents,
                For the distributions, just create a new view, drop in a distribution element, select distribution, click next, click stacking and type in device type id.
                Done.
                Just set the time period.
                This is the best I can do here.
                Now for socgt: wanting to know if a data source did something is a bit tough. The only bar chart I know of that lists device id is collection rate. If that works for you, then you can just filter that down to the event id that you need.
                Now, depending on the data source, you may be capturing a field that is a unique identifier for that data source: hostname, ext_device...... etc. You can just create a bar chart for that field and filter it by that sig id.
                Regards,
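                The "top 20 data sources for one event" report paul.k describes, built offline from an event export: group the rows for one signature ID by a source-identifying field, and fall back to the device id when that field is empty (the case raised above, where not every data source populates hostname). This is an added example, not McAfee ESM code or anything posted in the thread; the column names `sig_id,device_id,hostname,count` and every row are constructed for the example.

```python
"""Top-N data sources for a single signature ID, rendered as a text bar chart.

Added example, not McAfee ESM code. The CSV layout (sig_id, device_id,
hostname, count) is an assumed export format and the rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export: per-source counts for a couple of signature IDs.
# One source (ds-103) has no hostname, so it must fall back to its device id.
EVENTS_CSV = """sig_id,device_id,hostname,count
4625,ds-101,srv-file-01,340
4625,ds-102,srv-file-02,120
4625,ds-103,,15
4625,ds-101,srv-file-01,60
4624,ds-101,srv-file-01,9000
4625,ds-104,srv-web-03,75
"""


def top_sources(csv_text, sig_id, n=20, key_field="hostname", fallback="device_id"):
    """Sum counts per source for one sig_id, grouped by key_field and falling back
    to `fallback` when key_field is empty. Returns [(source, count), ...] sorted
    by count, highest first, truncated to n (the top-20 list for the bar chart)."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sig_id"] != sig_id:
            continue
        source = row[key_field] or row[fallback]
        totals[source] += int(row["count"])
    return totals.most_common(n)


def bar_chart(rows, width=40):
    """Render [(name, count), ...] as a text bar chart, scaled to the largest bar."""
    if not rows:
        return ""
    peak = rows[0][1]
    lines = []
    for name, count in rows:
        bar = "#" * max(1, round(width * count / peak))
        lines.append(f"{name:<14}{bar} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(bar_chart(top_sources(EVENTS_CSV, "4625")))
```

                Rows for other signature IDs (4624 here) are ignored, repeated rows for the same source are summed, and the source without a hostname appears under its device id rather than being dropped or merged into an empty bucket.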

                • 5. Re: Reports in Mcafee ESM
                  paul.k

                  See my other reply

                  • 6. Re: Reports in Mcafee ESM
                    suryaprakash

                    Hi Socgt,
                    I am also trying to implement distribution stacked by device type, with baseline enabled.
                    Kindly let me know how I can implement it.