SIEM Foundations: Adding Additional SIEM Appliances

Version 7

    NOTE: This step may be skipped if the POC platform being evaluated is limited to an All-in-One combo platform such as the ESM/REC/ELM, since that appliance has the combined functionality of the ESM, Event Receiver and Log Manager. If an AIO appliance is being installed AND additional appliances are to be evaluated (ACE, DEM, ADM, dedicated ELM), then this step must be performed.

    The McAfee SIEM solution comprises several platforms, each performing a specialized function. The combined value of these discrete components makes the McAfee SIEM solution stand apart from any competing solution.

    The process of connecting additional appliances to the McAfee SIEM platform is known as ‘keying’, since the provisioning activity creates and exchanges a unique SSH key for each attached device. This ensures a secure, encrypted path of communication between the ESM and all subordinate SIEM appliances.

    The following steps must be completed for each subordinate appliance added to the SIEM environment.

    1. Click the Add Device button from the Actions Toolbar in the upper left corner of the user interface.
      NOTE: The Actions Toolbar is context-sensitive and will change based on the object selected in the system tree. Be certain to have either the Physical Display or the Local ESM selected for this step.
      (Screenshot: Add Device button in the Actions Toolbar)
    2. From the Add Device Wizard window, select the subordinate device to be added (e.g. McAfee Event Receiver).
      (Screenshot: Add Device Wizard, device type selection)
    3. Click Next >.
    4. Provide a unique name for the device being added. This will be the name used in the System Tree.
      (Screenshot: Add Device Wizard, Name)
    5. Click Next >.
    6. Provide the IP address and communication port assigned to the appliance.
      NOTE: The default communication port assigned to all McAfee SIEM appliances is 22. This can be modified to a TCP port of the customer’s choosing, though all communication between the ESM and a subordinate SIEM appliance will still utilize the SSH/SCP application protocol. Make certain any firewall or network device placed between the two devices has the appropriate rules and/or ACL filters required to permit communication on this port.
      (Screenshot: Add Device Wizard, IP Address)
    7. Click Next >.
    8. Click the Key Device button.
      (Screenshot: Add Device Wizard, Key Device)
    9. Provide a customer-assigned password for the device. The root user account on the subordinate appliance will be assigned this password.
      NOTE: It is helpful for administrative purposes to assign the same password to the NGCP account as well as all subordinate device keys.
      (Screenshot: Add Device Wizard, Password)
    10. Click Next >.
    11. When the device has been successfully keyed, a confirmation window will open offering to Export Key or view the device Properties.
      (Screenshot: Add Device Wizard, Success)
    12. Click Finish.
    13. Repeat this process for all subordinate devices to be added as part of the POC.

    NOTE: If during the keying process an error dialog is displayed stating that the SSH connection failed, or a similar error message, follow these steps to troubleshoot.
    (Screenshot: Add Device Wizard, Error)

    1. Confirm that network link connectivity exists between the new device (MGMT NIC 1) and a working switch port.
    2. Confirm that the switch port connecting the ESM and the switch port connecting the new device are on the same VLAN or, if they are separated by a layer 3 device, that the appropriate routing is configured to support communication between the two devices.
    3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules that would prevent communication over the designated port (default: 22).
    4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary simply to repeat the keying process a second time. In many cases the first attempt creates the ARP entry in the vSwitch, and only on the second attempt is traffic passed between the ESM and the new SIEM device, permitting the proper key exchange.
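    The port note in step 6 and the four troubleshooting steps above reduce to one question that can be answered before opening the wizard: does a TCP connection from the ESM side to the appliance's configured communication port reach an SSH listener? The following pre-flight check is an added example written for this page; it is not McAfee code and does not use any ESM API. It connects to the port (default 22), reads the identification banner every SSH server sends first (RFC 4253), and maps the outcome to the troubleshooting step it points at, retrying once to mirror the ESX behaviour in step 4. The appliance names, the loopback "banner server" and the closed port are constructed so that the example runs offline; against a real POC, replace the inventory with the appliance addresses and ports entered in the wizard.

```python
"""Pre-flight check of the ESM-to-appliance SSH path before keying a device.

Added example, not McAfee code. It never touches the ESM or the wizard: it
opens a TCP connection to the appliance's configured communication port
(default 22), reads the identification banner every SSH server sends first
(RFC 4253, "SSH-2.0-..."), and maps the outcome to a troubleshooting step.
"""
import errno
import socket
import threading
import time

DEFAULT_PORT = 22  # McAfee SIEM inter-appliance default; customer-configurable

# Which troubleshooting step each outcome points at (steps as numbered above).
ADVICE = {
    "ok": "SSH answered; proceed with Key Device in the Add Device Wizard.",
    "not-ssh": "Port answers, but not with SSH; confirm the communication port set on the appliance.",
    "refused": "Host is up but nothing listens here (TCP RST); confirm the appliance's SSH port.",
    "timeout": "No reply at all: check firewall/IPS rules for this port (step 3) and VLAN/routing (step 2).",
    "unreachable": "No route or ARP for the host: check MGMT NIC 1 link (step 1), VLAN/routing (step 2); on ESX, retry (step 4).",
    "error": "Unexpected socket error; see detail.",
}


def probe_ssh(host, port=DEFAULT_PORT, timeout=3.0):
    """Return (status, detail); status is a key of ADVICE."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(255)
            except socket.timeout:
                return "not-ssh", "connected, but no banner within timeout"
            if banner.startswith(b"SSH-"):
                return "ok", banner.split(b"\r\n", 1)[0].decode("ascii", "replace")
            return "not-ssh", repr(banner[:40])
    except ConnectionRefusedError:
        return "refused", "TCP RST from host"
    except socket.timeout:
        return "timeout", "no SYN/ACK within %.1fs" % timeout
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable", e.strerror or str(e)
        return "error", str(e)


def check_appliance(name, host, port=DEFAULT_PORT, attempts=2, pause=1.0):
    """Probe up to `attempts` times. A first failure followed by success is the
    pattern step 4 describes on ESX, where the first attempt only populates the
    vSwitch ARP entry and the second one gets traffic through."""
    outcomes = []
    for i in range(max(1, attempts)):
        status, detail = probe_ssh(host, port)
        outcomes.append(status)
        if status == "ok":
            break
        if i + 1 < attempts:
            time.sleep(pause)
    return {"name": name, "host": host, "port": port,
            "attempts": outcomes, "detail": detail, "advice": ADVICE[status]}


def start_banner_server(banner=b"SSH-2.0-OpenSSH_demo\r\n", connections=1):
    """Constructed stand-in for an appliance's SSH listener, bound to an
    ephemeral loopback port so the example runs offline. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """A loopback port with no listener (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed POC inventory: names and ports are placeholders, not real appliances.
    inventory = [("REC-POC-01", "127.0.0.1", start_banner_server()),
                 ("ELM-POC-01", "127.0.0.1", closed_loopback_port())]
    for name, host, port in inventory:
        r = check_appliance(name, host, port, pause=0.2)
        print("%-11s %s:%-5d %-18s %s" % (r["name"], r["host"], r["port"],
                                         " -> ".join(r["attempts"]), r["advice"]))
```

    Run it from a host on the ESM's management network rather than from a laptop elsewhere, since the firewall and VLAN checks in steps 2 and 3 only mean something from the path the ESM will actually use. A "timeout" result is the one to act on before retrying the wizard: it is the signature of a silent drop somewhere between the two devices, whereas "refused" means the host is reachable and the port number entered in step 6 is the thing to recheck.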

     
