How to troubleshoot when no events are received from a new data source
Technical Articles ID:   KB82387
Last Modified:  11/5/2018

Environment

McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x
McAfee SIEM Event Receiver (Receiver) 11.x.x, 10.x.x

Problem

Events are not received on the Receiver after a new data source is added. In addition, you might see that an existing data source which was working has stopped sending data.

NOTE: The inability to collect events from a given data source affects visibility and can reduce compliance for data retention and logging.

Cause

There can be several causes for a failure to get events. Typically, the cause is one of the following:
  • The data source is not sending data to the Receiver, possibly because of misconfiguration.
  • A collector problem on the Receiver is causing the Receiver to not store the received event data.
  • The parser process is unable to decode the raw logs into events.
  • The events might not be inserted into the ESM database.
  • The network or a firewall is blocking a needed port, preventing syslog delivery.
  • A problem with the SIEM policy.
Use the following Solutions to troubleshoot and resolve the issue.

Solution 1

Data source not sending data to the Receiver

Verify that the data source is configured to send data to the Receiver:
  1. Determine which Ethernet adapter is in use. On non-HA Receivers, it is usually eth0; on HA Receivers it is usually eth1 or the 'floating' IP address.
  2. SSH to the Receiver, type the following command, and then press ENTER:

    tcpdump -nni ethx host x.x.x.x

    Where x.x.x.x is the IP address of the data source, and ethx is the Ethernet adapter in use.

    NOTE: For syslog data sources, incoming traffic is seen on port 514 UDP. Slower data sources might need a few minutes of observation before a packet is observed. Faster ones, such as a firewall, are almost immediate. If no packets are observed, there might be a firewall or endpoint issue.

  3. If data is not observed, double-check the IP address and Ethernet adapter. If they are correct, the problem is likely to be on the endpoint (for example, the device was not configured properly). For non-syslog data sources, perform a connection test from the graphical user interface while running tcpdump. (WMI 'pulls' data over port 135; SQL pulls data over port 1433.)

    NOTE: If the IP address and port information are correct and incoming traffic is not seen in the tcpdump output, a firewall or the network could be preventing inbound traffic over the specified port. Contact your network administrator for further troubleshooting steps.

  4. Type the following command and press ENTER:

    iptables -n -v -L | grep x.x.x.x

    NOTE: Ensure that there is a rule in place for the data source IP address that allows it through the firewall. A typical output from iptables includes the port and IP address of the data source. For example, 10.10.10.10 514 for syslog.

  5. Select the data source in the ESM user interface and choose the Device Status dashboard. After it loads, scroll down in the bottom window and find the vipsID number of the data source.
  6. SSH to the Receiver and run the following command:

    ls -al /var/log/data/inline/thirdparty.logs/##/in

    Where ## is the vipsID number.
If there is a Data.xxxxxx file and it is not 0 bytes, continue to Solution 2.
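
The three command-line checks in Solution 1 (tcpdump, iptables, and the inline Data.* file) can be scripted on the Receiver. The following is an added example, not McAfee tooling and not part of this article: a POSIX shell script (hypothetical name check_datasource.sh) that counts packets whose source is the data source IP in tcpdump -nn output, looks for an ACCEPT rule for that IP and destination port in iptables -n -v -L output, and reports whether a non-empty Data.* file exists under the vipsID directory. It assumes the paths and ports given in the article, and that tcpdump, iptables, awk and the coreutils timeout command are present on the Receiver. The sample tcpdump and iptables output embedded for offline use is constructed, not captured from a real appliance.

```shell
#!/bin/sh
# check_datasource.sh (hypothetical name): scripts the Solution 1 checks for one
# data source on the Receiver. Added example, not McAfee tooling. Assumes the
# article's paths/ports and that tcpdump, iptables, awk and coreutils timeout exist.

INLINE_DIR="/var/log/data/inline/thirdparty.logs"

# Count packets whose source is IP in "tcpdump -nn" text read from stdin.
# tcpdump prints "IP <src>.<sport> > <dst>.<dport>:", so match the source side only.
count_packets_from() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -c " IP ${esc}\.[0-9]* > " || true       # grep -c exits 1 on zero matches
}

# Report whether "iptables -n -v -L" output on stdin has an ACCEPT rule for
# source IP and destination port. Columns: pkts bytes target prot opt in out
# source destination [match...], so target is $3 and source is $8.
iptables_rule_for() {
    if awk -v ip="$1" -v port="$2" '
            $3 == "ACCEPT" && $8 == ip && $0 ~ ("dpt:" port "$") { found = 1 }
            END { exit found ? 0 : 1 }'; then
        echo allowed
    else
        echo missing
    fi
}

# Report whether DIR/in holds a non-empty Data.* file (Solution 1, step 6).
# Prints "data", "empty" (only zero-byte files present) or "none".
inline_data_state() {
    state=none
    for f in "$1"/in/Data.*; do
        [ -e "$f" ] || continue        # an unmatched glob stays literal; skip it
        if [ -s "$f" ]; then
            state=data
            break
        fi
        state=empty
    done
    echo "$state"
}

# Constructed sample output (not from a real Receiver) so the parsers run offline.
SAMPLE_TCPDUMP='12:00:01.000001 IP 10.10.10.10.51234 > 10.20.20.20.514: SYSLOG local0.info, length 120
12:00:01.250000 IP 10.10.10.10.51234 > 10.20.20.20.514: SYSLOG local0.info, length 98
12:00:02.000000 IP 10.20.20.20.514 > 10.10.10.10.51234: UDP, length 0'

SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8421  912K ACCEPT     udp  --  eth0   *       10.10.10.10          0.0.0.0/0            udp dpt:514
   12   720 ACCEPT     tcp  --  eth0   *       10.10.10.20          0.0.0.0/0            tcp dpt:1433'

# Live run on the Receiver (root needed for tcpdump). Watches IFACE for WINDOW
# seconds (default 60, for slow sources), then reports all three checks.
run_live() {
    src="$1"; iface="$2"; vipsid="$3"; port="${4:-514}"; window="${WINDOW:-60}"
    pkts=$(timeout "$window" tcpdump -nni "$iface" host "$src" 2>/dev/null \
           | count_packets_from "$src")
    rule=$(iptables -n -v -L | iptables_rule_for "$src" "$port")
    data=$(inline_data_state "$INLINE_DIR/$vipsid")
    printf 'packets from %s seen on %s in %ss: %s\n' "$src" "$iface" "$window" "$pkts"
    printf 'iptables ACCEPT for %s dpt:%s: %s\n' "$src" "$port" "$rule"
    printf 'Data.* under %s/%s/in: %s\n' "$INLINE_DIR" "$vipsid" "$data"
}

# Usage on the Receiver: sh check_datasource.sh --live <data-source-ip> <ethx> <vipsID> [port]
if [ "${1:-}" = "--live" ]; then
    run_live "$2" "$3" "$4" "${5:-514}"
fi
```

The iptables check follows the article and matches on the data source IP; a rule with source 0.0.0.0/0 also admits the traffic, so a "missing" result is a prompt to read the full rule list rather than a verdict. The packet count distinguishes inbound packets from the data source from anything the Receiver sends back, which the plain tcpdump filter in step 2 does not.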

Solution 2

Data is received and stored on the Receiver, but it is not being parsed
  1. Ensure that the correct parser is selected. In instances where there is more than one possible parser, choose the one with (ASP) in the title. Also, ensure that the delivery and format settings are at the default unless you are using MEF or non-syslog data sources.
  2. The data source settings and policy might not be current, so open the data source properties and change any setting. (For example, add a space to the name and then remove the space.)
  3. Click OK and then click Write to write out the data source settings to the Receiver.
  4. Roll out the policy by selecting the Receiver in the device tree and, in the Policy Editor, click Operations, Roll Out Policy. Enable the check box in the bottom left to Update Anyway.
  5. If it is a syslog data source, enable Log Unknown syslog in the data source settings in the graphical user interface. Doing so means that if an event cannot be parsed, it shows up as unknown rather than being discarded.
  6. Select the Interface tab and ensure that the port numbers are completed and correct for the type of data source in question. For example, 514 for syslog, 135 for WMI, 139 for RPC, 1433 for SQL.
  7. Rules might not be turned on for the data source, so with the data source selected, open the Policy Editor. Ensure that the rules listed for that data source are enabled.
    NOTE: It is normal for the default policy rules to be disabled. Do not enable policy at the default level.
If these steps do not resolve the issue, continue to Solution 3.

Solution 3

Data is collected and parsed, but is not showing in the dashboard

There might be a problem inserting events into the ESM. To see if there is a problem:
  1. Check whether other data sources are also unable to collect data. If they are, go to Receiver Properties and perform a stop and start operation on the Receiver.
  2. Check whether the other data sources are now working as expected.
If these steps do not resolve the issue, continue to Solution 4.

Solution 4

Issue with the SIEM policy

If you are still experiencing issues, it is possible that the needed changes have not been written out. The SIEM needs to write out data source settings to the Receiver and roll out the policy to enforce changes.
  1. Open the Receiver Properties and click the Data Source tab:
    • If the Write button is available, continue to Step 2.
    • If the Write button is not available, select any data source and edit it. Make a small change, such as adding and then removing a space in the name or description, and then click OK to force Write to become enabled.
  2. Click Write to write out the data source settings to the Receiver.
  3. If Policy Rollout appears, select the lower-left box to force a rollout to all devices, and then click OK.
    NOTE: If it does not appear automatically, go back to the dashboard, select the ESM, click Policy Editor at the top, and then click Operations, Rollout Policy.

If you are still experiencing issues and have followed the steps in all solutions provided, contact Technical Support for further assistance.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
