A couple other suggestions:
- Verify you have pushed policy to your Correlation Engine. Select the Correlation Engine in the device tree, then click the Policy Editor icon directly above it at the top left of the UI. In the Policy Editor, select Operations / Rollout.
- Verify date/time configuration on all your system components: ACE, ESM, Receivers, data sources. Appliances should all be set for GMT. Data sources should be configured with the time zone that is represented in the logs seen at the Receiver.
The policies were all pushed out and the date and time are all the same.
The only events I see were the ones generated by my logons to the ESM. Do I need to put anything in the "Filter" area of the rule correlation, or will the "Use Event Data" checkbox take care of that?
I do get this error message whenever I do a "sync device":
Failed to retrieve the data source settings. Error: Unable to sync with the device. Verify that the device does not have any child devices. (ER236). Please view the Help contents for troubleshooting information as applicable.
I'm confused by what you say around the only events you see were generated by your ESM logins. These events you're mentioning: are they individual login events, or are they correlated events? Are the ESM logins really the only events you see? Are there other events for other data sources coming into ESM? Obviously, if there are no events coming in, then there is not much for the correlation engine to work with, and you won't see any correlated events. Alternately, I wonder if you may be operating under an account with limited visibility, and may not have permission to see the events coming in from other data sources and the ACE.
The sync device error is a bit troubling. Might be worth a call to McAfee Support to get some expert troubleshooting advice.