
Setting Up Syslog

Hi there, I was looking to get some assistance in syslogging DLP events to our SIEM. I did set up syslog as a Registered Server, but these messages are encrypted and my SIEM has them garbled. We'd like to know how we can get around this, or alternatively query the SQL database to pull in user activity information with a SQL query. We need to have incidents monitored in our SIEM as soon as possible. Please and thanks.
2 Replies
McAfee Employee nyeshoda
McAfee Employee

Re: Setting Up Syslog

Since DLP Endpoint is based on ePO, and ePO is installed on a Windows machine, you cannot work with syslog; you will probably have to install an agent/connector for that SIEM solution.

Re: Setting Up Syslog

Start by creating an ePO DLP Incident query based on the data you are looking to build a SQL query on. 

There is an option in ePO to view the details of a saved query. Under “Actions” you can “View SQL” to get a database query of the selected ePO query. 

The “View SQL” action gives you the SQL query that was used by ePO to generate the ePO query.

From there, you can look into the database structure to include additional information from other tables that are not available from a normal ePO DLP query. Unfortunately, this is necessary if you want more specific information from certain types of DLP events.
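The reply above describes taking the statement from “View SQL”, extending it, and using that to pull incidents out of the database. The following is an added example, not code from this thread or from McAfee, of what the rest of that pipeline can look like: poll the database with that statement, advance a watermark so each incident is forwarded once, and emit each row as an RFC 5424 syslog message the SIEM can parse. The table and column names (`dlp_incidents`, `IncidentID`, `UserName`, and so on) are placeholders to be replaced with the real statement from “View SQL”; the data is constructed and lives in an in-memory SQLite database so the script runs offline, whereas against ePO you would open a pyodbc connection to SQL Server instead.

```python
"""Poll DLP incidents from a SQL database and forward them as RFC 5424 syslog.

Added example, not from the forum thread or McAfee. Table and column names
are placeholders (assumption); copy the real statement from ePO "View SQL".
Uses an in-memory SQLite stand-in for the ePO database so it runs offline.
"""
import socket
import sqlite3

# Placeholder for the statement copied from ePO "View SQL" (assumption).
# The watermark predicate and ORDER BY are what make incremental polling safe.
INCIDENT_SQL = """
SELECT IncidentID, IncidentTime, UserName, HostName, RuleName, Severity
FROM dlp_incidents                -- placeholder table name
WHERE IncidentID > ?              -- watermark: only rows not yet forwarded
ORDER BY IncidentID
"""


def _sd_escape(value):
    """Escape an SD-PARAM value per RFC 5424: backslash, double quote and ']' must be escaped."""
    return (str(value).replace("\\", "\\\\")
                      .replace('"', '\\"')
                      .replace("]", "\\]"))


def format_syslog(row, hostname="epo-server", app="dlp-forwarder"):
    """Render one incident row as an RFC 5424 message (facility 13 = log audit, severity 5 = notice)."""
    incident_id, ts, user, host, rule, severity = row
    pri = 13 * 8 + 5
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in [
        ("incidentId", incident_id), ("user", user), ("host", host),
        ("rule", rule), ("severity", severity)])
    # SD-ID uses 32473, the enterprise number RFC 5612 reserves for documentation;
    # replace it with your own PEN in production.
    return f"<{pri}>1 {ts} {hostname} {app} - DLP [dlp@32473 {params}] DLP incident {incident_id}"


def fetch_new_incidents(conn, last_id):
    """Return all incidents with an ID greater than the watermark, oldest first."""
    return conn.execute(INCIDENT_SQL, (last_id,)).fetchall()


def forward_incidents(conn, send, last_id):
    """Send every incident newer than last_id; return (count sent, new watermark).

    The watermark advances only after a row is handed to send(), so if delivery
    raises, the next poll retries from the last row that actually went out.
    """
    count = 0
    for row in fetch_new_incidents(conn, last_id):
        send(format_syslog(row))
        last_id = row[0]
        count += 1
    return count, last_id


def udp_sender(host, port):
    """Build a send() callable that ships each message to a syslog collector over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg.encode("utf-8"), (host, port))


def make_demo_db():
    """Constructed sample data standing in for the ePO database (not real incidents)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dlp_incidents (IncidentID INTEGER, IncidentTime TEXT, "
                 "UserName TEXT, HostName TEXT, RuleName TEXT, Severity TEXT)")
    conn.executemany("INSERT INTO dlp_incidents VALUES (?,?,?,?,?,?)", [
        (101, "2024-01-15T09:12:03Z", "CORP\\alice", "WS-0017", "Block USB copy [PCI]", "High"),
        (102, "2024-01-15T09:15:44Z", "CORP\\bob", "WS-0042", "Email PII", "Medium"),
    ])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    sent = []                      # collect locally instead of udp_sender("siem.example", 514)
    n, watermark = forward_incidents(conn, sent.append, last_id=0)
    print(f"forwarded {n} incidents, watermark now {watermark}")
    print(*sent, sep="\n")
```

Persist the watermark (the last `IncidentID` sent) between runs, and keep the `ORDER BY` on the ID column; without it a row could be skipped when the watermark jumps past it. Values such as the Windows user name `CORP\alice` and rule names containing `]` are escaped in the structured-data fields so the SIEM's RFC 5424 parser does not truncate the message.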

