Duplicate data source names on different Receivers can prevent Enterprise Log Manager SFTP from showing all available logs
Last Modified: 2022-11-22 09:09:33 Etc/GMT
Technical Articles ID:
KB92254
Environment
- SIEM Enterprise Log Manager (ELM) 11.x
- SIEM Enterprise Security Manager (ESM) 11.x
- SIEM Event Receiver (Receiver) 11.x
Problem
You can retrieve ELM logs in the ESM GUI using either the ELM Archive or the ELM Search function. But if you retrieve the same logs using the ELM SFTP client, they aren't found and the directories are empty.
Cause
Duplicate data source names on one or more Receivers usually cause this issue. For example, Receiver 1 has a data source called
When viewing the ELM SFTP folder structure, the ELM can't combine data sources that have the same name on different Receivers. It picks one Receiver and doesn't show logs from the other. A common reason for duplicate names is a data source being set up on one Receiver and later moved to another Receiver; the original data source on the first Receiver isn't renamed or deleted when the move occurs.
Solution
Look for duplicate data source names and IP addresses across different Receivers and rename the problematic data sources. The Receiver has protections in place to prevent duplicate data source names on the same Receiver, but not across different Receivers.
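The check above can be scripted once you have an inventory of data sources per Receiver. The following is an added example, not Trellix code; it assumes a simple CSV with receiver, data_source and ip columns that you assemble yourself from each Receiver's data source list, and it reports only values that appear on two or more different Receivers, since same-Receiver duplicates are already blocked.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: one row per data source, assembled from each
# Receiver's data source list. The column layout is an assumption made for
# this example, not an ESM or Receiver export format.
SAMPLE_INVENTORY = """receiver,data_source,ip
Receiver-1,Firewall-HQ,10.0.0.5
Receiver-2,Firewall-HQ,10.0.0.5
Receiver-1,Web-Proxy,10.0.0.20
Receiver-2,Web-Proxy-Moved,10.0.0.20
Receiver-3,DNS-Internal,10.0.0.53
"""


def load_inventory(text):
    """Parse the CSV inventory into a list of (receiver, name, ip) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["receiver"].strip(), r["data_source"].strip(), r["ip"].strip())
            for r in rows]


def find_cross_receiver_duplicates(inventory):
    """Return {"name": {...}, "ip": {...}} mapping each duplicated value to the
    sorted list of Receivers it appears on.

    Only values present on two or more *different* Receivers are reported: the
    Receiver already blocks duplicate names on a single Receiver, and it is the
    cross-Receiver duplicates that the ELM SFTP folder view cannot merge.
    """
    by_name = defaultdict(set)
    by_ip = defaultdict(set)
    for receiver, name, ip in inventory:
        # Names are compared case-insensitively so near-duplicates are also
        # flagged for review (a conservative choice made by this example).
        by_name[name.lower()].add(receiver)
        by_ip[ip].add(receiver)
    return {
        "name": {k: sorted(v) for k, v in by_name.items() if len(v) > 1},
        "ip": {k: sorted(v) for k, v in by_ip.items() if len(v) > 1},
    }


if __name__ == "__main__":
    dupes = find_cross_receiver_duplicates(load_inventory(SAMPLE_INVENTORY))
    for kind, hits in dupes.items():
        for value, receivers in sorted(hits.items()):
            print(f"duplicate {kind} {value!r} on: {', '.join(receivers)}")
```

Each reported name is a candidate to rename on one of the listed Receivers; a duplicated IP with differing names (as with Web-Proxy above) usually marks a data source that was moved without the original being removed.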