I saw a similar issue, and made a similar assumption. However, while observing the messages log in real time for the 2 data-sources, it turned out that the 2 data-sources were affected more by time change. This is in addition to the parser being changed to meet the new parameters of an up-to-date Cisco device.
I would recommend doing a MANUAL rule update, and a policy push to ALL devices. That's how I fixed my issue that seems similar to yours.
Tried manual rule update and rolled policy out to all devices. But the inactive flag is still there. Mine is a Linux data source with syslog data. Which rule update did you use? I tried both below without any luck:
I would suggest logging a Service Request with McAfee.