Questions up front for those not wanting to read a long explanation ... are there any limitations with the number of ePO device/datasources we can have in SIEM? Can we disable an ePO device in SIEM?
Up until recently, we had 2 ePO servers in our environment. One was successfully added as a device to SIEM and received events up until it was decommissioned. The other one has never worked as a device in SIEM, never seen events etc.
The first device has been decommissioned, but we are keeping it as a device in SIEM so that we keep the historical data. I have deleted the 2nd device (the only ePO server now) from SIEM and re-added it but that didn't help.
I have noticed that, under the device status view, both the old and the current ePOs have the same VIPSID, but I'm not sure if that's normal or not. If it's not normal, I don't know how to make the second device get new VIPSIDs (I did delete it once already).
Any advice/assistance/guidance anyone can provide to resolve the issue is greatly appreciated.
We have 3 separate ePO servers configured within our ESM deployment. Each is reporting to a separate ERC and we've not seen any problems with them.
It's possible your issue is to do with multiple ePO servers reporting to the same ERC; it might be worth logging a support ticket.