Enterprise Security Manager 11.x.x Known Issues
Technical Articles ID:   KB90422
Last Modified:  11/12/2019


McAfee SIEM Enterprise Security Manager (ESM) 11.x.x


Recent updates to this article
Date Update
November 12, 2019 Added 11.3.0 release information.
September 27, 2019 Added known issues SIEM-12686 and SIEM-11330; updated release information.
June 25, 2019 Added 11.2.0 known issues and release information.
June 4, 2019 Minor formatting change. No content updates.
February 28, 2019 Changed known issues order from oldest at top of table to newest at top of table.

Version General Availability (GA) Release Notes
11.3.0 November 12, 2019 Release Notes¹
11.2.1 July 27, 2019 PD28336¹
11.2.0 June 25, 2019 PD28336¹
11.1.3 February 12, 2019 PD27987¹
11.1.2 November 13, 2018 PD27987¹
11.1.1 October 9, 2018 PD27987¹
11.1.0 September 26, 2018 PD27987¹
11.0.2 June 12, 2018 PD27805
11.0.1 April 11, 2018 PD27715
11.0.0 March 27, 2018 PD27677
¹ Release Notes for ESM 11.1.x are cumulative. Scroll down to see information for earlier versions.

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
There are no critical known issues.

Reference Number Component Related Article Found in Version Resolved in Version Issue Description
SIEM-12686 Snowflex   11.2.0 HF4   Issue: After upgrading to SIEM 11, 3xxx errors occur indicating issues retrieving query results from the new database architecture.
SIEM-11330 ESM   11.1.3 11.2.0 HF5 Issue: The Event Forwarding functionality experiences performance issues in SIEM 11.
Solution: Upgrade to ESM 11.2.0 HF 5 or later.
1273430 ESM   11.1.3   Issue: Invalid data sources might be created when the octets of the IP address include leading zeros.
1266321 ESM   11.1.3   Issue: Manual interaction with the appliance is needed when reboots occur during the upgrade process to ESM 10.3.4 or 11.1.3.
Workaround: If Technical Support has previously directed you to change to an earlier kernel version, follow the steps below before you upgrade to ESM 10.3.4 or 11.1.3. These steps allow you to avoid the need to manually interact with the appliance during reboots in the upgrade process.

Revert any previously modified grub screen/kernel selection to allow for an unattended upgrade:
  1. Create a grub config backup by running the command cp /boot/grub/grub.cfg ~/grub.cfg.bak.
  2. Set the grub config kernel default back to use the first kernel in the list by running the following commands:
     NOTE: The newest kernel should always be first in the list.
     vi /etc/default/grub
     Edit the GRUB_DEFAULT value and change it to GRUB_DEFAULT=0
  3. Regenerate grub config using the newly modified default. Run the command grub-mkconfig -o /boot/grub/grub.cfg.
  4. Continue with upgrading devices.
1266312 ESM   11.1.3   Issue: Under certain network conditions, keying a device from either the Add Device wizard or the Key Management properties of ESM 11.1.3 (hosted in AWS or Azure) can result in an error message. This result can happen even though the operation completed successfully. 
Workaround: To acknowledge the error, click OK and then click the X in the top-right corner of the window to dismiss the screen instead of clicking the Cancel button. Click refresh on the system tree and the device will be ready.
1264218 ESM   11.1.3   Issue: Upgrading a DSB using a file uploaded through the “ESM File Maintenance” option prevents the upgrade from starting.
Workaround: Upload the file for the DSB during the upgrade process.
1257792 User Interface: Flash (traditional UI)   10.3.0   Issue: Unable to clearly see more than two SAN devices in the UI.
1257763 User Interface: HTML5 (new UI)   10.3.2 11.1.2 Issue: Can't search by File_hash in HTML5 (but works in Flash). Error "Invalid GUID value. Must be hexadecimal digits (0–9 A-F). Dashes are also allowed. Must contain 32 digits.".
1256391 ESM: System Properties   10.3.2   Issue: [ER254] VM data addition is successful, but the UI reports an error when trying to view it.
1255805 ESM: Redundant ESM (RESM)   10.3.2 11.1.2 Issue: Several ESM Redundancy fixes.
1255653 ESM: Reports   11.0.1   Issue: Exporting to CSV from Dashboard incorrectly shows usersource.
ESM: Views   11.0.3 11.1.2 Issue: Snowflex issues in 11.0.3 Update 3 and 11.1.1 – can't run views during background rebuild + 238.
1255633 Receiver   10.3.1   Issue: cURL data source is changed to syslog by “Write.”
1255571 ELM   10.3.2   Issue: Unable to retrieve packets from ELM archive for some events.
1255151 ESM   11.0.3 11.1.0 Issue: EC238 errors seen after you upgrade to 11.0.3 Update 3.
1254879 ESM   11.0.3   Issue: snowflex.conf is being written with incorrect GUID.
1254749 ESM: Alarms   10.3.2 11.1.2 Issue: Wrong device_ip was added to the watchlist.
1254592 Other   10.3.2 11.1.3 Issue: RESM/PESM using wrong key to talk to ELM.
1254585 ESM: Redundant ESM (RESM)   10.3.2 11.1.1 Issue: RESM fails to get notified of RELM failover.
1254583 ELM: Redundant ELM (RELM)   10.3.2   Issue: ELM search results that are saved as links are not copied to RELM.
1254543 ELM: Redundant ELM (RELM)   10.2.0 11.1.3 Issue: UI shows wrong data storage device for the MGTDB.
1254508 ELM   10.3.1   Issue: Synchronization issue between primary and redundant ELMs.
1254216 Receiver   10.3.2   Issue: HA Receiver deletes community for SNMP Request in /etc/snmp/snmpd.conf after return to service.
1254204 ELM   10.3.2   Issue: ELM with SAN does not boot after upgrade to 10.3.
1253955 ESM   11.0.3   Issue: ELM with SAN does not boot after upgrade to 10.3.
1253684 Databus   11.0.3 11.1.2 Issue: No events in UI on ENMELM with 0 Alerts loaded, but the Alerts table is growing.
1253623 Database   11.0.3 11.1.0 Issue: [ER-1][ER238] Errors in Flash and HTML5 with errorcode=238.
1253595 ESM: Alarms   10.2.0 11.1.3 Issue: Specified Event Rate alarms do not work as expected.
1253508 ACE   10.3.2 11.1.1 Issue: Some correlated files get marked as bad.
1253439 Receiver   9.6.1 MR1 11.1.2 Issue: Refresh device button throws an error after you upgrade to ePO 5.10.
1253425 ESM   10.3.2   Issue: Temporary network failure observed several times after you upgrade to 10.3.2.
1253247 User Interface: HTML5   10.2.0 11.1.2 Issue: No data when filtering Palo Alto on some rule_name on HTML5.
1253115 ELM   10.3.1   Issue: ELM with SAN does not boot after upgrade to 10.3.
1252818 ESM   10.2.0 11.1.1 Issue: ELM Integrity Check Function Broken.
1252673 ESM: Case Management   10.2.0 11.1.1 Issue: JSON API to close case causes it to be deleted in SIEM UI.
1252531 ELS   10.3.0   Issue: ELS fills up disk with elastic search logs.
1252368 ESM   10.3.1   Issue: Unable to add SSD to VM data after you add data_hd.
1252041 ELM   11.0.3   Issue: Unable to migrate the ELM mgtdb a second time.
1251834 Receiver   11.0.3   Issue: Issues with SetClusterConfig and start of active collectors in HA after upgrade to v11.
1251203 Receiver   10.3.2   Issue: SIEM Receiver data source does not allow CIDR range.
1250991 ESM: Redundant ESM (RESM)   10.2.0 11.1.1 Issue: Primary is unable to complete Sync to redundant (log table).
1250483 Receiver   10.3.1 11.1.1 Issue: Directory /usr/local/ace/incoming/bad is growing to a large size on the Receiver without correlation engine.
1250794 ELM   11.0.3   Issue: ELM Kernel panic RIP: kmem_cache_alloc+0X00/0x140  RSP:  fffc900004439f0 boots into new kernel.
1249825 Receiver   10.3.1   Issue: Error is ‘Error retrieving events. Could not get file from device’ after SIEM upgrade (kernel issue).
1249628 ELM   10.2.0   Issue: Rule integrity check complete, some number rules failed by rule update.
1249322 ESM   11.0.3 11.1.1 Issue: [EC-1][ER238][ER1387] Server errors seen after you upgrade to 11.0.3.
1248631 ESM: Data Enrichment   10.3.1   Issue: In SIEM-MAR Integration, Active Response appears only for five seconds in the drop-down list of the 'Type' option in the Source tab for the Data Enrichment Wizard.
1248451 ESM   10.2.0 11.1.1 Issue: Over-used allocation reporting available space in exabytes.
1248382 ESM   11.0.2 11.1.2 Issue: Last Event times in Device Summary Reports are not accurate.
1247952 Receiver   10.3.1 11.1.1 Issue: /usr/local/ace/incoming/bad folder fills after upgrade to 10.3.1.
1247149 ACE   10.2.0   Issue: Correlation Rule with Flows Nested Variable not working correctly.
1247141 ESM   10.2.1 11.1.2 Issue: Table component shows No Results at Physical Display Level.
1246623 Receiver   10.3.1   Issue: Error is ‘Error retrieving events. Could not get file from device’ after SIEM upgrade (kernel issue).
1245611 Receiver   11.0.3   Issue: Kafka topics are not created on a recently installed ENMELM combo (data is not sent).
1243534 ACE   10.2.0   Issue: Sometimes a correlated event could not be triggered.
1243507 ESM: Clustering   11.0.2   Issue: "Promote Node" for new node fails and then none of ESMs in the cluster can perform any change to the system.
Workaround: Perform another restart or service restart on the promoted node so ESM gains the management role.
1243149 ESM   11.0.2   Issue: Management node UI fails to load after an upgrade: error "Application unavailable" because the Local EDB starts with errors.
Workaround: Restart the dbserver. Execute the following commands on the ESM:
#service dbserver stop
#service dbserver start
1242870 ELM   10.3.0 10.3.3 Issue: ELM with SAN will not boot after upgrade to 10.3.
1240176 ESM: Views   11.0.0 11.0.2 Issue: The Static String Column now displays properly in the Table component.
1240046 ESM   11.0.0 11.0.2 Issue: Corrected an issue that prevented Static String Event details from displaying for some events.
ACE   11.0.0 11.0.2 Issue: ACE stops processing events when customer has flow correlation rules.
1237902 ELS   10.2.0 11.0.2 Issue: ELS log (/var/log/kafkactl.log) is now maintained to avoid excessive file size.
ESM   10.2.1 11.0.2 Issue: Does not accept a plus sign (+) in the email address; the error "Invalid Parameters (ER71)" is shown.
1236287 Upgrade   11.0.0   Issue: Data source write-out fails with ER 122 after you upgrade from 10.2 to 11.0 GA with an ELS configured.
1235498 ELM: Redundant ELM (RELM)   10.2.0   Issue: Data written to the mount point without a mounted mirror is not copied correctly to the mirror.
1235335 Database   11.0.0 11.0.1 Issue: EDB FDB - results of 'IF' are blank.
1235280 Other   11.0.0 11.0.1 Issue: Compliance Views do not show correct data in Table components.
1234565 UI: HTML5   11.0.0   Issue: In CyberScorecard, Severity values on the Executive view are not changed properly.
1234993 Upgrade   11.0.0   Issue: After you upgrade from 10.2.0, ELS tries to connect to the local kafka.
1234870 UI: HTML5   10.2.0 11.0.2 Issue: Save packet in HTML corrupted the data.
1234806 ESM: Views   10.2.0 11.0.2 Issue: Scorecard: Extra results display after delete and repull of Assets.
1234797 ELM   10.2.0   Issue: Unable to remove DAS from mirror.
1234404 ESM: Policy   11.0.0   Issue: If your session is timed out during a policy roll-out, the roll-out does not complete.
1234388 Other   11.0.0 11.0.1 Issue: Incorrect values appear in Reports and in the legacy (Flash) console.
1234319 ESM   11.0.0 11.0.0 Issue: The "Average Severity" field on the "Events" table shows incorrect value.
1234307 ESM   10.2.0 11.0.2 Issue: All-in-one: Unable to execute command on the device (ER234) when you execute Active Response search on SIEM.
1234302 ESM: Reports   11.0.0   Issue: Bar charts are not included in the exported reports.
ESM: Views   10.2.0 11.0.2 Issue: The error "Something went wrong" displays when you select a Query; can't complete creation of widget.
1234017 ESM: Reports   11.0.0   Issue: Reports that contain Stacked Distribution with "Others" are not created.
1233936 ESM: Alarms   11.0.0   Issue: When viewing the Event Time Mismatch report, no devices are selected by default.
1233730 L10N   11.0.0   Issue: Unlocalized strings appear in System Properties, Clustering.
1233583 ESM: Views   11.0.0   Issue: When you install updates to Views in Content Packs, ESM appends "_Import" to the file instead of replacing existing files.
1233556 UI: HTML5   11.0.0   Issue: When you hover the cursor over an event, the tooltip flashes on and off.
1233305 Other   11.0.0 11.0.1 Issue: "Export to CSV" option does not work on bar chart widgets.
1233171 Other   11.0.0   Issue: ADM Flow Analysis view is setting Flow values (Direction and State) to false by default.
1233167 UI: Flash   11.0.0   Issue: The State column does not populate in Flow views.
1233141 ESM   11.0.0   Issue: On dashboard widgets, Category names and Area names might show a value of "Unavailable."
1233133 ESM   11.0.0   Issue: An error is shown in Task Manager when a view with some distribution components, and baseline enabled, is refreshed.
1233128 ELM   11.0.0 11.0.1 Issue: Redundant ELM (RELM) is unable to retrieve strhse_stats.
1233127 UI: HTML5   11.0.0   Issue: If you view the Configuration screen and experience a session time-out, the Configuration screen is blank after you log back in.
1233089 ESM   11.0.0   Issue: In FIPS mode, users who have Key and Certificate permission can't download or view certificates.
1233086 Receiver   10.2.0 11.0.2 Issue: Collectorsctl does not monitor inode depletion.
1233082 Receiver   10.2.0 11.0.2 Issue: ELM runs out of inodes.
1233043 UI: HTML5   11.0.0   Issue: After you add or delete a data source in the HTML5 dashboard, the device tree on the Physical Device tab does not refresh.
1232875 ESM: Clustering   11.0.0   Issue: After first being keyed, some ESM cluster nodes take more than 30 minutes to get up and running, and might require restart.
1232725 UI: HTML5   10.2.0 11.0.0 Issue: Export to CSV with option "A max number of records" stalls out after v10.2.0 Update 6 is installed.
1232302 L10N   11.0.0   Issue: The Correlation page contains unlocalized strings.
1232286 L10N   11.0.0   Issue: Some localized content is truncated on the Normalized Dashboard.
1232284 L10N   11.0.0   Issue: Some localized UI elements are truncated in the ELS Search history.
1232282 L10N   11.0.0   Issue: In some languages, when creating Benchmark group names, a corrupted character is introduced at the end of the name.
1232280 L10N   11.0.0   Issue: The text in Scorecard benchmark test groups is truncated in some languages.
1232253 L10N   11.0.0   Issue: Events and Events Summary windows contained unlocalized strings.
1232247 L10N   11.0.0   Issue: When selecting devices, some display strings are not localized.
1231874 UI: HTML5   11.0.0   Issue: When exporting Scorecard data, some information is not shown in the export file.
Receiver   10.2.0 11.0.2 Issue: Send2ELM settings cause some receivers to become backlogged waiting for ELM disk space to drop.
1231834 ELS   10.2.0   Issue: Non-admin users can't search ELS.
1231425 ESM: Reports   11.0.0   Issue: The Query wizard does not show options for all query types when a user is logged on as SECANA or SECENG.
1231178 UI: HTML5   11.0.0 11.0.0 Issue: Scorecard results from benchmark groups are not consistent with asset totals.
1231157 ESM   10.2.0   Issue: "Possible Event Time Mismatch" alarm triggers when a device is not selected.
1230851 UI: Flash   11.0.0   Issue: Flash views configured with the "Dashboard" category do not render some widgets. An error is shown: "Invalid Parameters (ER71)".
1229799 Receiver   11.0.0   Issue: ESM does not produce or consume messages while data sources are being written, and does not result in data loss.
1229417 Receiver   11.0.0   Issue: Turning data source parsing off while ELS logging is on disables the data source.
1229123 ESM: Reports   10.0.3 11.0.0 Issue: Query CSV option does not retrieve output with the filter set to Open cases.
1227697 Receiver   10.1.4 11.0.0 Issue: Cloudtrail connection errors out with our implementation of the AWS API.
1227617 Receiver   10.2.0   Issue: NTP servers are still queried by Devices when "Use NTP servers for time synchronization and save settings" is not selected.
1227076 ESM   11.0.0   Issue: ELS can't be upgraded from a Multi-Device Manager. This support is targeted for a future release.
ESM   10.2.0 11.0.2 Issue: Scorecard & Asset, Threat, and Risk dashboards are empty.
1226087 ESM   11.0.0   Issue: Retention policy is written to ELS without the Correlation Manager IPSID.
1226077 ESM: Data Enrichment   10.1.1 11.0.2 Issue: Data Enrichment field is not being replaced.
1225706 ESM: Alarms   10.1.1 11.0.0 Issue: Field match alarm is triggered incorrectly with Source GeoLocation filter.
1225395 ACE   10.2.0 11.0.2 Issue: Historical Correlation does not work in newly created correlation manager when all default correlation managers are disabled.
1225160 ESM: Redundant ESM (RESM)   10.2.0   Issue: Communication Troubleshooting Help does not mention proper devices.
1225078 ESM   11.0.0   Issue: When you create a table widget, the context menu "Mark as Review" and "Delete events" functions do not work.
1224831 ESM   11.0.0   Issue: cpservice takes a long time to stop if UpdateMTISThreats is running. An error message shows that "thread failed to close."
1223547 ESM: Views   10.1.4 11.0.0 Issue: Red banner error EC 255, "Invalid Filter Item, Possible SQL Injection", appears when trying to mark items as reviewed.
1223187 UI: HTML5   10.1.1 11.0.0 Issue: New widgets that are created have the bound icon in the upper right of the widget box, but it does not reflect the selected category from the first widget.
1222638 UI   10.2.0 11.0.0 Issue: Data source from Asset Manager is not created properly. Name displays as unassigned and IP address does not populate.
1222238 Receiver   10.2.0 11.0.2 Issue: ePO database instance settings do not apply when changes are written.
1222737 ESM: Backup/Restore   10.1.4 11.0.2 Issue: Unable to restore a backup file correctly if RCV has HA settings.
1222461 ESM   10.2.0 11.1.3 Issue: HTML5, Custom type name is not displayed correctly on the dashboard unless the database is restarted.
1222182 Receiver   10.2.0 11.1.3 Issue: Sourcefire estreamer stopped collecting because of an error.
1221397 Other   10.1.0   Issue: You can't add datasources with a FIPS-enabled ENMELM VM.
Workaround: Log on to the ESM database backend, update the IPSversion field of the Local-Receiver in the IPS table, and restart the system.
1219107 ESM   11.0.0   Issue: CreateAndExecuteCommands run one database query for each record returned, which slows performance.
1218722 ACE   10.1.1 11.0.0 Issue: User_Agent custom type cannot contain more than one value.
1216324 ELM   10.1.2 11.0.0 Issue: Access denied (ER70) when a non-admin user tries an ELM search.
ELM   10.1.3   Issue: Mirroring the ELM DB fails with error "NotOk Not enough space available..."
1197308 Doc: Help (online)   10.1.0 11.0.0 Issue: Cannot change the logon logo in HTML5.
1196846 ACE   9.6.0 MR6   Issue: No event is triggered with settings to ‘Group By’ and ‘Override Group By’ in the Correlation Rule because 'Group by' and 'Override Group By' are different types.
1188771 Doc: Help (online)   9.6.0 MR8 11.0.0 Issue: HA Key/Root password with special characters causes IPMI failure. Special characters are:
` ~ ! @ # $ % ^ & * ( ) [ ] \ { } | ; ' : " < > ?
1185713 Doc: Help (online)   9.6 MR9 11.0.0 Issue: EDSFTP copy fails at 30,000+ files.
1179180 Alarms   9.6 MR7   Issue: RAID Disk failure is not reported.
1143023 Doc: Help (online)   9.6.0 11.0.0 Issue: Long, large data Enterprise Log Manager (ELM) searches fail.

