I've found the SIEM collector utility to be extremely finicky and difficult to work with. What kind of logs are you trying to send to the receiver? Do you have a source configured on the other end to receive these logs? If you can provide some screenshots I could help further, I spent a lot of time configuring the SIEM collector application.
Check C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log to see what happens with your parsing and events.
Also, make sure you disable encryption until you get it working.
On the ERC, look inside /var/log/data/inline/thirdparty.logs/NUMBER/in
where NUMBER is the ID of your data source, which you can get by running tq in the command line interface.
I've had similar issues with the 11.x version of the collector. I have a situation right now where I can get logs from the machine the collector is installed on, but as soon as I turn on encryption, communications fail. Here's the debug output from when it happens:
<131> Mar 07 15:10:03 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
<131> Mar 07 15:10:30 System SIEMCollector ERROR -1 ServiceMain ============ The Service has crashed, and is now restarting. ============
<131> Mar 07 15:10:30 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
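A small parser for the debug.log line shape quoted above, added here as an example (not from the thread or from McAfee), that pulls out the Schannel status code and counts errors and service crashes; the mapping of SSPI/Schannel status codes to names is my own addition and the INFO line in the sample is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Line shape of the collector's debug.log entries quoted in the thread:
#   <PRI> Mon DD HH:MM:SS host SIEMCollector LEVEL code Where message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"SIEMCollector\s+(?P<level>[A-Z]+)\s+(?P<code>-?\d+)\s+(?P<where>\S+)\s+(?P<msg>.*)$"
)
RV_RE = re.compile(r"rv = (?P<rv>0x[0-9A-Fa-f]{8})")

# Assumed mapping of SSPI/Schannel status codes to names (added here, not from the thread).
SCHANNEL_CODES: Dict[int, str] = {
    0x80090331: "SEC_E_ALGORITHM_MISMATCH: no common TLS protocol or cipher suite",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE: unexpected handshake message (peer may not be TLS)",
    0x80090325: "SEC_E_UNTRUSTED_ROOT: peer certificate chains to an untrusted root",
    0x80090328: "SEC_E_CERT_EXPIRED: peer certificate has expired",
    0x80090322: "SEC_E_WRONG_PRINCIPAL: certificate name does not match the target",
}

def parse_line(line: str) -> Optional[dict]:
    """Parse one debug.log line; return its fields plus any Schannel rv, or None if unmatched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rv = RV_RE.search(rec["msg"])
    rec["rv"] = int(rv.group("rv"), 16) if rv else None
    rec["rv_name"] = SCHANNEL_CODES.get(rec["rv"], "unknown Schannel status") if rv else None
    return rec

def summarize(lines: List[str]) -> dict:
    """Count ERROR lines, service crashes and Schannel failures (by name) in a log excerpt."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "errors": sum(r["level"] == "ERROR" for r in recs),
        "crashes": sum("has crashed" in r["msg"] for r in recs),
        "schannel": Counter(r["rv_name"] for r in recs if r["rv"] is not None),
    }

# Sample input: the three lines quoted in the thread plus one constructed INFO line.
SAMPLE = [
    "<131> Mar 07 15:10:03 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>",
    "<131> Mar 07 15:10:30 System SIEMCollector ERROR -1 ServiceMain ============ The Service has crashed, and is now restarting. ============",
    "<131> Mar 07 15:10:30 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>",
    "<134> Mar 07 15:10:31 localhost SIEMCollector INFO 0 ServiceMain Service started (constructed line)",
]

if __name__ == "__main__":
    for name, n in summarize(SAMPLE)["schannel"].items():
        print(f"{n}x {name}")
```

An ALGORITHM_MISMATCH on every TestConnection attempt points at the TLS protocol or cipher suites enabled on the two hosts rather than at the firewall, which is the first thing to compare when an older collector works and a newer one does not.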
Is port 8082 allowed on the firewall? Also, is the encryption option enabled/disabled accordingly in the data source setting as well? They would need to match on both ends.
We use port 8081, and yes, there's a firewall exception in place. I am receiving logs in the SIEM from the server in question - it's when I enable SSL encryption (on both ends) that I lose communication. I would add that I currently have about 30 servers in the same DMZ using 8081 and SSL to connect to the SIEM, and they're all working fine. However, they have the older version of the SIEM collector, not version 11.