McAfee SIEM - How To Perform The Initial Setup

Version 2

    Overview

     

    In this document, you will learn how to perform the initial setup of the McAfee SIEM. The steps will be the same whether you are using the hardware or a virtual version of the appliance. We will assume that you have your appliance ready to be powered up and that a monitor and keyboard are connected to it if you are using a hardware appliance, so you can interact with the appliance. And, if you are using the virtual version, we assume that you are ready to power up your virtual machine. In all cases, you will need to have an IP Address available to assign to your SIEM. And lastly, you will have to know the IP address of your gateway and subnet mask.

     

    In our example, we are going to set up the ESM component of the McAfee SIEM, since it’s the first component you need to install. The steps are the same for all combo boxes or VMs that include the ESM component.

     

    Video

     

    You can also watch the steps described in this document by viewing the video below.

     

    Procedure

     

    First Power Up

     

    1. Power up your SIEM. After the boot process is completed, you will see the screen below.

     

    image001.png

     

    2. Press the ESC key repeatedly until the menu appears at the top left corner of the screen. If you are using a VM, remember to click inside the console window first, then press ESC until the menu appears.

     

    3. Use the arrow keys to navigate to the ‘MGT IP Conf’ line and press Enter. Use the arrow keys again to move to the ‘Mgt1’ line and press Enter.

     

    image002.png

    image003.png

     

    4. Enter the IP Address using the arrow keys. Make sure you are at the end of the line and press Enter when complete.

     

    image004.png

     

    5. After setting the IP Address, do the same for the Netmask.

     

    image005.png

     

    6. After the Netmask is finished, use the arrow keys to navigate to ‘Done’ and press Enter. This returns to the MGT IP Conf Menu. Select 'Gateway' and add the Gateway Address.

     

    image006.png

     

    7. Optionally you can set the DNS servers, but this can also be accomplished through the UI. In our case, we’ll wait until we get to the UI part of the setup to enter the DNS information.

     

    image007.png

     

    8. When finished, navigate to ‘Save Changes’ and press Enter. The device will then update its network settings and will now be accessible from the network. You need to perform the same steps for additional SIEM devices you are adding to the environment.
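The address, netmask, gateway and DNS values used in this procedure can be checked on a workstation before they are keyed in at the console. The following is an added example, not part of the original document or of the McAfee product; the function name `check_mgmt_plan` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_mgmt_plan(ip, netmask, gateway, dns=()):
    """Return a list of problems with planned Mgt1 settings; empty means OK."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # bad address or non-contiguous netmask
        return [f"unparseable value: {exc}"]

    net, problems = iface.network, []
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            problems.append(f"{ip} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            problems.append(f"{ip} is the broadcast address of {net}")
    if gw == iface.ip:
        problems.append("gateway equals the management IP")
    elif gw not in net:
        problems.append(f"gateway {gw} is outside {net}")

    for server in dns:
        try:
            addr = ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS entry {server!r} is not an IPv4 address")
            continue
        if addr.is_unspecified:
            # The setup wizard rejects DNS fields left at 0.0.0.0.
            problems.append("DNS entry 0.0.0.0: enter a server or clear the field")
    return problems

if __name__ == "__main__":
    # Constructed sample values from the documentation range 192.0.2.0/24.
    for plan in [
        ("192.0.2.10", "255.255.255.0", "192.0.2.1", ["192.0.2.53"]),
        ("192.0.2.10", "255.255.255.0", "198.51.100.1", ["0.0.0.0"]),
    ]:
        print(plan, "->", check_mgmt_plan(*plan) or "OK")
```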

     

    Completing the setup through the user interface

     

    Now that the appliance has an IP address assigned, you can complete the setup through the web user interface. The McAfee SIEM is managed through a web/Flash interface. Some features of the web console use pop-up windows, so you should allow pop-ups for the IP address or host name of your SIEM.

     

    To log into the ESM for the first time, open a web browser. Connect to the management IP address that you specified in the previous steps, using the following format:

     

    https://<ESM_IP_Address>/Application.html

     

    Note: If you don’t add ‘Application.html’, a pop-up window asking you to log in will come up. Adding Application.html takes you directly to the login page in your current browser window.


    Accept the security certificate error. All McAfee SIEM appliances ship with a self-signed certificate. You can later provide a valid one through the user interface to avoid seeing this error again.

     

    image008.png
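Because the certificate is self-signed, the browser cannot vouch for it. Its SHA-256 fingerprint can be recorded once and compared on later connections, or against the fingerprint the browser shows in the warning. The following is an added example, not part of the original document or of the product; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

def fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate, as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_fingerprint(host, port=443):
    """Fetch the server certificate without validating it and fingerprint it."""
    return fingerprint(ssl.get_server_certificate((host, port)))

def matches_pin(pem, pinned):
    """Compare a certificate with a recorded fingerprint, ignoring case and colons."""
    def norm(value):
        return value.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(fingerprint(pem)), norm(pinned))

# Constructed placeholder bytes wrapped as PEM; not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")

if __name__ == "__main__":
    pin = fingerprint(SAMPLE_PEM)  # value recorded on the first, trusted connection
    print("recorded fingerprint:", pin)
    print("later connection matches:", matches_pin(SAMPLE_PEM, pin.lower()))
    # Against a live appliance: fetch_fingerprint("<ESM_IP_Address>")
```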

     

    For the first login, the user name is NGCP, all capitals. The user name is case sensitive. The password is security.4u, all lower case.

     

    Read and accept the End User License Agreement.

     

    image009.png

     

    You are now prompted to change your password.

     

    Enter security.4u in the current password field.

     

    Enter and confirm a new password of your choice in the new password field.

     

    Note: When you change the password for the NGCP user, this will change the ssh password as well. To connect to the ESM using ssh, use root as the user, and the new password that you set for NGCP.

     

    image010.png

     

    Click OK. The Enable FIPS dialog appears.

     

    It is highly recommended that you DO NOT enable FIPS mode unless you explicitly know why you need it. FIPS mode can only be selected the first time you log on to the SIEM. This choice is irreversible. If you choose wrongly, you will have to re-image your appliance to change the option. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.

     

    image011.png

     

    image012.png

     

    Some information about accessing updates for your SIEM is displayed.

     

    You can use your SIEM for 30 days if you do not have proper credentials. To request credentials, email licensing@mcafee.com with your grant number (provided if you purchased the product) and contact details. If you are evaluating the product, contact your McAfee sales team (contact information is at the end of this document).

     

    Click OK.

     

    image013.png

     

    Next, you are asked to select your time zone. It's important that you set your time zone correctly, so you can see your events and incidents with the correct time.

     

    image014.png

     

    Now you can finish the network configuration and add additional information if required, such as DNS, an optional secondary management interface and IPv6 settings. The primary management IP, netmask and gateway should be filled with the information you previously set up on the appliance itself.

     

    Check the primary management IP.

     

    If the DNS fields are populated with 0.0.0.0, either enter your DNS server IP or delete the zeros; otherwise you will get an error message.

     

    image015.png

     

    You can set up proxy servers if you are using them to connect to the Internet. Click Next.

     

    image016.png

     

    You can add static routes if required. Click Next.

     

    image017.png

     

    Add your NTP servers to synchronize time. To achieve the best results in the SIEM, it’s important to have a common time reference across the enterprise. If you leave this at the default, the SIEM will use a set of Internet-based NTP servers. You should enter your enterprise NTP server instead. Click Next.

     

    image018.png

     

    And finally, you are asked to enter your customer ID and password. If you have received one from McAfee, enter it here. Again, if you don't have one, you can still use the SIEM for 30 days.

     

    Click Finish.

     

    image019.png

     

    The Networks settings change dialog box informs you that the ESM needs to restart. Click Yes.

     

    image020.png

     

    Click OK to the IP Address change box.

     

    image021.png

     

    The restart process takes 90 seconds.

     

    You are asked to log back into the console. Click OK to acknowledge the messages on the screen.

     

    image022.png

     

    You are back in the console. If you need to make a change to your configuration, you can access the system configuration through the “gold” properties icon at the top left corner of the console.

     

    image023.png

     

    Conclusion

     

    You’ve seen how to perform the initial setup for a McAfee SIEM. Now your SIEM is up and running. The next steps are to update your SIEM and add data sources.

     

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales