Write MEFSendData failed due to: Unknown Data Source (when Windows Event Collector fails to send data to the Receiver)
Technical Articles ID:   KB86983
Last Modified:  8/6/2019


Environment

McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x
McAfee SIEM Event Receiver (Receiver) 11.x.x, 10.x.x
McAfee SIEM Windows Event Collector 11.x
 

Problem

Your SIEM Windows Event Collector 11.x installation is unable to send data to the SIEM Event Receiver. When you examine the Event Collector debug.log, you see the following error:
 
SIEMCollector ERROR 1 MEFConnection::Write MEFSendData failed due to: Unknown Data Source
 
NOTE: The debug.log file is only seen if the logging level in the Windows Event Collector is set to Diagnostic.

Cause

This problem can occur when there is a mismatch between the Event Collector and Receiver Data Sources. Specifically, in version 11.x, the Event Collector performs a two-way handshake with the Receiver. It does not transmit event data unless the Receiver has a Data Source configured for MEF retrieval, together with a configured and matching hostID.

You typically see this error if you have a Receiver Data Source that doesn't have MEF retrieval enabled and doesn't have a hostID configured that precisely matches. The spelling and punctuation must match the hostID configured in the Windows Event Collector. This situation was not an issue in prior Event Collector versions, where the data was sent without a check to determine whether the Receiver had a target Data Source ready to receive it.

NOTE: The Validate button in the Windows Event Collector tool does not test the Receiver Data Source, or validate the connection to it. 

Solution

Check the following and make sure that you have the right settings for both your Event Collector Data Source and Receiver Data Source:
 
  • hostID is now mandatory. The hostID used to be optional unless multiple data sources were in use. For version 11.0 and later, a hostID must be used on the Receiver Data Source and the Event Collector Data Source. The hostID can be any combination of letters and numbers, but whatever you choose must be identical on both the Receiver and Event Collector Data Sources.
NOTE: If you are using Windows Event Forwarding, the hostID must be identical to the Computer name (fully qualified domain name (FQDN) or host name) in the Windows events. See KB77092 for more information.
 
  • Event Data Retrieval of the Data Source must be MEF. When you configure your Data Sources, do the following:
     
    1. Change the Data Format to default.
    2. Change Data Retrieval to MEF.
    3. Write out the Data Source settings, and restart the Event Collector service.
NOTE: Do not set the Data Format setting to MEF. If you do set the Data Format to MEF, the Data Retrieval setting is also changed to MEF with the option to use a hostID. This setting appears as though it works, but this configuration fails. Make sure that the Data Format setting is set to default.
  • The SIEM Receiver must have at least one Data Source with the IP address of the Windows Event Collector. If not, it can't connect through the firewall.
  • If you are adding a new Data Source to the Windows Event Collector, you must first add the Receiver Data Source. The preferred order is:
     
    1. Receiver Data Source is created.
    2. Receiver Data Source settings are written and the policy is rolled out.
    3. Event Collector Data Source is created.
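
The checks above can be run as a pre-flight audit before restarting the Event Collector service. The following is an added example, not McAfee code: the dictionary layout, key names, and sample values are assumptions constructed for illustration, and it assumes the Data Retrieval and Data Format settings are read from the Receiver Data Source.

```python
# Added example. The dict layout and key names are assumptions made for this
# sketch; they are not a McAfee export format. All sample data is constructed.

def check_collector_source(collector, receiver_sources):
    """Return the reasons a collector data source would fail the 11.x handshake."""
    findings = []
    host_id = collector.get("host_id", "")
    # The Receiver needs at least one data source with the collector's IP.
    if not any(r.get("ip") == collector.get("collector_ip") for r in receiver_sources):
        findings.append("no Receiver data source has the collector's IP address")
    if not host_id:
        findings.append("hostID is empty on the collector (mandatory in 11.x)")
        return findings
    # The match must be exact: same spelling, case and punctuation.
    exact = [r for r in receiver_sources if r.get("host_id") == host_id]
    if not exact:
        near = [r["host_id"] for r in receiver_sources
                if r.get("host_id", "").strip().casefold() == host_id.strip().casefold()]
        if near:
            findings.append(f"hostID {host_id!r} differs from Receiver hostID "
                            f"{near[0]!r} only by case or whitespace")
        else:
            findings.append(f"no Receiver data source has hostID {host_id!r}")
        return findings
    for r in exact:
        if r.get("data_retrieval") != "MEF":
            findings.append("Data Retrieval is not MEF on the Receiver data source")
        if r.get("data_format") != "default":
            findings.append("Data Format is not default on the Receiver data source")
    return findings

RECEIVER = [  # constructed sample
    {"host_id": "dc01.corp.example", "ip": "192.0.2.10", "data_retrieval": "MEF", "data_format": "default"},
    {"host_id": "fs01", "ip": "192.0.2.10", "data_retrieval": "MEF", "data_format": "MEF"},
    {"host_id": "web01", "ip": "192.0.2.10", "data_retrieval": "MEF", "data_format": "default"},
]
COLLECTOR = [  # constructed sample
    {"host_id": "DC01.corp.example", "collector_ip": "192.0.2.10"},
    {"host_id": "fs01", "collector_ip": "192.0.2.10"},
    {"host_id": "web01", "collector_ip": "192.0.2.10"},
]

def audit(collector_sources, receiver_sources):
    return {c.get("host_id", ""): check_collector_source(c, receiver_sources) for c in collector_sources}

if __name__ == "__main__":
    for host_id, findings in audit(COLLECTOR, RECEIVER).items():
        print(host_id, "OK" if not findings else findings)
```

A data source that returns findings here is one whose Windows events would not reach the Receiver, so each finding is also a gap in log coverage until it is corrected.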
