How to configure Log Server and Management Server to forward Syslog to McAfee SIEM

Version 2


    Purpose

    The purpose of this document is to assist you in configuring the Log Server and Management Server to forward Syslog information to McAfee SIEM. Management Servers can be configured to forward audit data to McAfee SIEM via syslog.

    McAfee Next Generation Firewall Product Page - http://www.mcafee.com/us/products/next-generation-firewall.aspx

    McAfee Next Generation Firewall Expert Center - Next Generation Firewall

    Contact McAfee - http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales


    Initial Configuration


    The Security Management Center (SMC) communicates with the McAfee SIEM. The Management Server and the Log Servers are managed through the SMC. You will need to configure every Log Server and Management Server that will forward logs to the McAfee SIEM.

    1. The first step is to add a Local Receiver that will communicate with the McAfee SIEM. The Local Receiver is the Security Management Center (SMC).

    2. Go to the McAfee SIEM manager, click Local Receiver and then click the + sign (add new data source) at the top left of the page. A new pop-up window opens; this is where you enter all the information for the new local receiver.

    3. From the Data Source Vendor drop-down, select McAfee as the vendor. Select Next Generation Firewall in the Data Source Model drop-down. Give this new local receiver a name and enter the IP address of the Security Management Center. As mentioned earlier, the Security Management Center will be communicating with the McAfee SIEM. Click OK once you have entered all the information. The new Local Receiver now appears on the McAfee SIEM dashboard.

    [Screenshot: 1.JPG]

    4. Configure the external host (McAfee SIEM) on the Security Management Center.

    5. On SMC, go to Configuration | Security Engine | expand Network Elements | right-click Hosts | Add New Host. Give the external host a name and enter the IP address of the McAfee SIEM. Click OK. As seen in the background of the screenshot, the new external host appears on SMC.

    [Screenshot: 2.JPG]

    Configure Log Server that will forward Syslog to McAfee SIEM


    6. Right-click the Log Server that will forward the syslog and select Properties. A new pop-up window with the Log Server properties opens; switch to the Log Forwarding tab. Click Add and a new row is added to the table. Next, configure the Log Forwarding rule: in Target Host, select the McAfee SIEM host configured in step 5; select the service; enter syslog port 514; select McAfee ESM as the format; and lastly select the Data Type that will be sent to the McAfee SIEM. Filters are used to specify in detail which log data is forwarded.

    [Screenshot: 3.JPG]

    7. If the McAfee SIEM and the Log Server are separated by a McAfee Firewall, a rule must be added to the policy to allow traffic from the Log Server to the SIEM. The source is the Log Server/Management Server, the destination is the McAfee SIEM, and the service is Syslog (UDP) or Syslog (TCP), depending on the protocol chosen in the Log Forwarding rule. The same service and port that were selected in the Log Forwarding rule must be selected here. Select Allow as the action. For Logging, the recommended setting is None. Install the policy with this new rule.

    Note: Logging the log-forwarding traffic can create a loop, because each forwarded message generates a new log entry, which is then forwarded in turn. If you want to log the log forwarding, create a local filter in the Log Forwarding rule that excludes the logs related to forwarding. Save and install the policy to start using the new configuration.

    [Screenshot: 6.JPG]

    Configure Management Server to forward audit data to McAfee SIEM

    8. Right-click the Management Server that will forward the audit data and select Properties. A new pop-up window with the Management Server properties opens; switch to the Audit Forwarding tab. Click Add and a new row is added to the table. Next, configure the Audit Forwarding rule: in Target Host, select the McAfee SIEM host configured in step 5; select the service; enter syslog port 514; and select McAfee ESM as the format.

    [Screenshot: 4.JPG]

    9. If the McAfee SIEM and the Management Server are separated by a McAfee Firewall, a rule must be added to the policy to allow traffic from the Management Server to the SIEM. The source is the Management Server, the destination is the McAfee SIEM, and the service is Syslog (UDP) or Syslog (TCP), depending on the protocol chosen in the Audit Forwarding rule. The same service and port that were selected in the Audit Forwarding rule must be selected here. Select Allow as the action. Install the policy with this new rule.

    [Screenshot: 7.JPG]
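    To confirm that the firewall rule from step 7 or step 9 really passes syslog from the Log Server or Management Server to the SIEM on the chosen service and port, here is an added Python check that is not part of this document or of the SMC/SIEM products: it builds a plain RFC 3164 test line (not the McAfee ESM format the Log Server itself emits), sends it over UDP or TCP to a given host and port, and includes a loopback self-test with a stand-in listener. The hostname, message text and timestamp in the sample are constructed placeholders.

```python
import socket
import threading
from datetime import datetime

def build_syslog(host, msg, facility=1, severity=6, now=None):
    """RFC 3164 line: <PRI>Mmm dd HH:MM:SS HOSTNAME MSG, with PRI = facility*8 + severity."""
    now = now or datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-pads single-digit days
    return f"<{facility * 8 + severity}>{ts} {host} {msg}".encode()

# Constructed sample: hostname, text and timestamp are placeholders, not SMC output.
SAMPLE = build_syslog("smc-logserver", "forwarding-test", now=datetime(2024, 1, 5, 12, 0, 0))

def send_syslog(payload, siem_host, port=514, proto="udp"):
    """Send one message the way the forwarding rule does: Syslog (UDP) or Syslog (TCP)."""
    if proto == "tcp":
        with socket.create_connection((siem_host, port), timeout=5) as s:
            s.sendall(payload + b"\n")  # newline framing for syslog over TCP
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (siem_host, port))
    return len(payload)

def roundtrip(payload, proto="udp", timeout=5.0):
    """Loopback self-test: stand-in SIEM listener on an ephemeral port; returns received bytes (b"" on timeout)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(timeout)
    if proto == "tcp":
        srv.listen(1)
    port = srv.getsockname()[1]
    got = []
    def listener():
        try:
            if proto == "tcp":
                conn, _ = srv.accept()
                with conn, conn.makefile("rb") as f:
                    got.append(f.readline().rstrip(b"\n"))
            else:
                got.append(srv.recv(4096))
        except socket.timeout:
            got.append(b"")  # nothing arrived: suspect the firewall rule, service or port first
        finally:
            srv.close()
    t = threading.Thread(target=listener)
    t.start()
    send_syslog(payload, "127.0.0.1", port, proto)
    t.join()
    return got[0]
```

    From the Log Server, call send_syslog(SAMPLE, "<SIEM IP>", 514, "udp") (or "tcp") with the same port and protocol as the forwarding rule; if the line never appears on the SIEM, check that the policy with the Allow rule was installed before looking elsewhere.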

     

    10. McAfee SIEM should now see events from the Log Server and Management Server configured above. Below is an example of a McAfee SIEM dashboard that is receiving the syslog from the Log Server.

    [Screenshot: 8.JPG]