5 Replies Latest reply on Feb 16, 2015 6:21 AM by Peter Näslund

    One or more correlation rules were invalid

    Peter Näslund

      I'm getting the following error:


      Correlation (Could not update policy - "Error: Unable to parse the XML file." (One or more correlation rules were invalid))


      How do I solve it?

        • 1. Re: One or more correlation rules were invalid
          Scott Taschler

          You may be able to solve this by manually downloading and importing the rules file. You will find it on the McAfee download site, after logging in with your grant number. If that doesn't resolve the issue, I'd suggest calling McAfee support for assistance.


          Scott

          • 2. Re: One or more correlation rules were invalid
            spetting

            Occasionally this error message can be seen when the correlation engine is overwhelmed. The ACE is so busy that the policy will not roll out and it generates the error above. There are a couple of ways to see if the correlation engine is overwhelmed. First, check to see if the events from the correlation engine are behind. If you see the most recent events are more than 20-30 minutes in the past, this could indicate it is overwhelmed. Second, if you can ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed.


            Usually if the ACE is behind or overwhelmed, it is simply a bad correlation rule that is causing a lot of extra overhead on the box. If you call into support, they can help you identify which rule may be causing the issue and help you get it resolved.


            Message was edited by: spetting on 3/19/14 12:27:52 PM CDT
            • 3. Re: One or more correlation rules were invalid
              Peter Näslund

              McAfee Support suggested this on ESM:


                   Do a manual rules update
                   service cpservice stop
                   DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB***********' -t '!Alert|!Connection|!Log|!Packet|!stringmap' -r
                   service cpservice start


              It didn't help. I also did a new manual rules update (file from 17th March) afterwards.


              Today I downloaded a new rules update file from the 24th, and it helped. Problem solved.


              Message was edited by: pnaslund on 3/28/14 5:45:35 AM CDT

              Edited by Moderator to remove DB password

              • 4. Re: One or more correlation rules were invalid
                bkile1

                I have found the ..."ssh to the ACE, look in /usr/local/ace/incoming to see how many files exist in the directory. If there are more than 25 files, this indicates it is overwhelmed" to be the best starting point.
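An added example, not posted by anyone in this thread: a scripted version of the backlog check spetting describes and bkile1 recommends as a starting point. The /usr/local/ace/incoming path and the 25-file threshold come from the thread; the file-age check (files waiting longer than 30 minutes) is an added proxy for "events are behind" and is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example (not from the thread's posters): checks whether the ACE
# correlation engine's incoming queue looks overwhelmed. The directory and
# the 25-file limit are from the thread; the 30-minute file-age check is an
# assumed proxy for "events are behind".

# ace_backlog_count DIR -> number of regular files waiting in DIR
ace_backlog_count() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# ace_stale_count DIR MINUTES -> number of files in DIR older than MINUTES
ace_stale_count() {
    find "$1" -maxdepth 1 -type f -mmin +"$2" | wc -l | tr -d ' '
}

# ace_backlog_check [DIR] [MAX_FILES] [MAX_AGE_MIN]
# Returns 0 when the queue is healthy, 1 when it is overwhelmed (more than
# MAX_FILES queued, or any file waiting longer than MAX_AGE_MIN minutes),
# 2 when DIR cannot be read. Prints a one-line verdict in every case.
ace_backlog_check() {
    dir="${1:-/usr/local/ace/incoming}"
    max_files="${2:-25}"
    max_age="${3:-30}"
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "ERROR: $dir is not a readable directory" >&2
        return 2
    fi
    count=$(ace_backlog_count "$dir")
    stale=$(ace_stale_count "$dir" "$max_age")
    if [ "$count" -gt "$max_files" ]; then
        echo "OVERWHELMED: $count files queued in $dir (limit $max_files)"
        return 1
    fi
    if [ "$stale" -gt 0 ]; then
        echo "OVERWHELMED: $stale files in $dir older than $max_age min"
        return 1
    fi
    echo "OK: $count files queued in $dir, none older than $max_age min"
    return 0
}

# Usage on the ACE itself (defaults match the thread's values):
#   ace_backlog_check
```

Run it on the ACE after ssh-ing in, as the thread suggests; a non-zero exit is the cue to open a support case about a misbehaving correlation rule.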