cancel
Showing results for 
Search instead for 
Did you mean: 

Intel Security SNS ProTip for SIEM: How to configure NFS shares to work with the SIEM

McAfee SIEM supports the use of remote shares such as NFS share, which can be used for the following:

  • Remote storage for the ELM
  • Remote archival for the Receiver
  • Remote backups for the ESM

For information on how to set up these shares, to get the best results, see KB77941 (https://kc.mcafee.com/corporate/index?page=content&id=KB77491 )

For more resources, visit the ServicePortal and search for related content. Also, visit the McAfee SIEM Community (https://community.mcafee.com/community/business/siem).

SNS ProTips help you maximize your protection with troubleshooting, best practices, how-to tips, and links to Knowledge Center resources. To unsubscribe from ProTips or change your SNS settings, visit the SNS Subscription Center

Comments

 Correct KB is  KB77491

 

Problem

When you try to use NFS v3 or older, you might see the error shown below: 

 

Could not connect to the device with the parameters specified. Please check the settings and try again. Usage: mount -V : print version

Solution

The following example for NFS v4 has been successfully tested by the McAfee SIEM engineering team and is required for use by the SIEM:

    1. Edit the exports file on the NFS server.
    2. Use the following configuration:

      /export/nfs  <IP Address>/24(rw,async,no_subtree_check,no_root_squash,fsid=1)

      NOTES:
       
      • /export/nfs should be changed to match your export mount.
      • fsid=1 might be in use for your system, so change the number to be unique to your file.
         

 

  • When the changes have been made on your file server, ensure that you restart the service by typing the following command and pressing ENTER:

    service nfs-kernel-server restart

    NOTE: The above command might be different for your version of NFS.

 

Windows NFS share gives I/O error or Insufficient Permissions after clicking test
Technical Articles ID:   KB89327
Last Modified:  12/7/2018

Environment

McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x

Problem

You see read/write permission errors or input/output (I/O) errors when you try to run a test connect on, or try to manually mount, a Windows NFS share.

Cause

An NFS version mismatch between SIEM and Windows, or the Windows NFS policy settings being configured incorrectly, cause this issue. 

Solution

  1. Manually mount the NFS share from the ESM command line. Use the following syntax:
mkdir -p /tmp/testmount
mount -t nfs x.x.x.x:/path_to_share /tmp/testmount
  1. If the mount connects, try to change directory to /tmp/testmount and ls -al to check for RW permissions on all files. If it does not connect, try to force the NFS version:
mount -t nfs -o nfsvers=2 x.x.x.x:/path_to_share /tmp/testmount
mount -t nfs -o nfsvers=3 x.x.x.x:/path_to_share /tmp/testmount
  1. If you see an input/output error after you manually mount the NFS share, and if forcing the NFS version does not resolve it, check the Windows NFS service policy Authentication and the No Authentication section. Ensure that Allow anonymous access is selected. Also ensure that Allow unmapped user access by UID/GID is selected.
For more information, see the following Microsoft articles:
Version history
Revision #:
1 of 1
Last update:
‎08-19-2015 07:12 PM
Updated by: