Enterprise Security Manager: Required actions after a hardware replacement
Technical Articles ID:   KB89696
Last Modified:  8/31/2017
Environment

McAfee SIEM Enterprise Security Manager (ESM) 10.x.x, 9.6.x

Summary

After a full product replacement (RMA) of an ESM, several additional steps are required to restore full functionality once the replacement unit is in service and the database has been restored onto it. This article provides a post-RMA checklist of the issues that will occur and the steps that prevent them.

IMPORTANT: The issues detailed below, and the procedures that correct them, are not part of the database restore process. The issues will occur if these procedures are not performed.

Problem

The following issues will occur after a full product replacement of an ESM:
  • A database backup and restore does not restore string names, custom rules, or custom parsers. As a result, incoming events display "0" for the rule name, the system policy becomes corrupted, and events cannot be processed correctly.
  • SIEM event rules may not restore correctly, even from a full ESM backup.
  • The replacement ESM hardware has a different id_rsa.pub key, hardware hash, and encryption keys. The Receiver, ELM, ACE, ADM, and other SIEM devices still trust the old ESM key, so trusted SSH connections to them fail, and the ESM can neither configure the devices nor retrieve information from them.

Solution

  1. Resolve dashboard events that show a rule name or description of "0":
    1. Open the Receiver properties.
    2. Go to Events, Flows, & Logs.
    3. Find Last Downloaded String Record and set the date to 01/01/1970.
    4. Find Last Downloaded Rule Record and set the date to 01/01/1970.
    5. Download and install a SIEM manual rules update by following KB83046.
  2. Resolve the SSH communication issues, or "device not responding" errors when opening device properties:
    1. Select the device in the GUI and open its properties.
    2. Click the Key Management tab on the left.
    3. Click Key Device and follow the prompts. You must supply a new password for the device; this becomes the new root password for that device.
    4. After the new settings are written to the device, exiting and re-entering the properties should work normally.
    5. Under the Receiver properties, select Receiver Configuration, then ELM IP, select the ELM from the drop-down list, and click OK. This exchanges SSH keys between the Receiver and the ELM.
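The SSH failure described in the Problem section, and corrected by the Key Device procedure above, is a key-trust mismatch: the Receiver, ELM, and ACE still hold the old ESM's public key in their authorized keys, while the replacement ESM presents a new one. The following example, added here and not part of the McAfee article or product, shows the check a practitioner can run before and after re-keying: compute OpenSSH-style SHA256 fingerprints of public key lines and report which devices would refuse the new key. The key material, device names, and the `rekey_device` helper are constructed for illustration; in practice the fingerprints come from `id_rsa.pub` on the ESM and from `~/.ssh/authorized_keys` on each device.

```python
import base64
import hashlib
import struct

# --- OpenSSH wire-format helpers (RFC 4253 string / mpint encodings) ---

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside an OpenSSH public key blob."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Big-endian multiple-precision integer; a leading 0x00 keeps it positive."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa AAAA... comment' line from (e, n).
    The moduli below are tiny, constructed values, NOT real RSA keys."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the same form 'ssh-keygen -lf' prints:
    'SHA256:' + unpadded base64 of the SHA-256 of the decoded key blob."""
    key_type, b64, *_ = key_line.split()
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa lines are handled in this example")
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_trust(esm_key_line: str, device_authorized_keys: dict) -> dict:
    """For each device, True if the ESM's key is among its authorized keys.
    device_authorized_keys maps device name -> list of public key lines."""
    esm_fp = fingerprint(esm_key_line)
    return {
        device: any(fingerprint(k) == esm_fp for k in keys)
        for device, keys in device_authorized_keys.items()
    }

def rekey_device(device_authorized_keys: dict, device: str,
                 old_key_line: str, new_key_line: str) -> dict:
    """Simulate what Key Device achieves: replace the old ESM key with the new one
    on a single device. Returns a new mapping; the input is not modified."""
    updated = dict(device_authorized_keys)
    updated[device] = [new_key_line if fingerprint(k) == fingerprint(old_key_line) else k
                       for k in device_authorized_keys[device]]
    return updated

# --- Constructed sample data: old ESM key, replacement ESM key, device trust lists ---
OLD_ESM_KEY = make_rsa_pubkey_line(65537, 0xC3A1F9E7B2D40081, "root@esm-old")
NEW_ESM_KEY = make_rsa_pubkey_line(65537, 0xE91D77C0A5B3F0AD, "root@esm-replacement")

DEVICES = {
    "Receiver": [OLD_ESM_KEY],
    "ELM": [OLD_ESM_KEY],
    "ACE": [OLD_ESM_KEY],
}

def post_rma_report() -> dict:
    """Trust status of the replacement ESM before any re-keying."""
    return check_trust(NEW_ESM_KEY, DEVICES)

def after_rekey_report() -> dict:
    """Trust status after running Key Device against every device."""
    devices = DEVICES
    for name in devices:
        devices = rekey_device(devices, name, OLD_ESM_KEY, NEW_ESM_KEY)
    return check_trust(NEW_ESM_KEY, devices)

if __name__ == "__main__":
    print("old ESM:", fingerprint(OLD_ESM_KEY))
    print("new ESM:", fingerprint(NEW_ESM_KEY))
    print("before re-keying:", post_rma_report())
    print("after re-keying: ", after_rekey_report())
```

Before re-keying every device reports False, which is exactly the "device not responding" state; after the simulated Key Device step every device reports True. On a real deployment, compare `ssh-keygen -lf /root/.ssh/id_rsa.pub` on the replacement ESM against the fingerprints in each device's authorized keys instead of the constructed lines here.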
