SIEM Foundations: Configuring a SYSLOG Data Source in ESM 10x

Most deployments require at least one Data Source that sends events to McAfee SIEM via SYSLOG. Most event sources, such as firewalls, intrusion detection/prevention systems and Linux hosts, support forwarding logs and events to a collection platform; in this case, the McAfee Event Receiver is the destination of all forwarded events.

Adding a new Data Source

NOTE: As an example, the following steps would be necessary to add event collection for a Linux host via SYSLOG.

  1. Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate steps necessary to perform this event forwarding.
  2. From the Pancake Menu, select Configuration.
  3. From Physical Display, select the Receiver on which you will be configuring the SYSLOG Data Source (e.g. Local Receiver-ELM).
  4. Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.
  5. As Data Source Vendor, select UNIX.
  6. As Data Source Model, select Linux.
  7. In the Name field, enter a Name to be used for this Data Source.
  8. In the IP Address field, enter the IP Address from which this Data Source will be sending SYSLOG data.
  9. In the Time Zone field, set the time zone that reflects the time stamps the data source will send to your Event Receiver. NOTE: This is not the time zone of the console user and is not necessarily the same as the time zone in which the device resides.
  10. Click OK to confirm and close the window. A dialog box will open a warning window that will inform you that a Policy Rollout is required for this information to be sent to the Receiver.
  11. Click Yes to send the new information to the Receiver. A Rollout window will now open letting you choose what information you want to send.
  12. Click OK to confirm. The window will automatically close when the process is completed and ESM will confirm the update process.
  13. Click Close to dismiss the window.

More about Time Zones

Your Event Receiver uses this setting to normalize the time of the events it receives before storing them in the ESM database; it's VERY important that this match the time zone of the received events. Most events that come into the Receiver do not have an embedded time zone, so the Receiver relies on the configured time zone to normalize event timestamps correctly. If the time zone configuration is incorrect, your events may appear to have timestamps in the past or future relative to when they actually happened. In extreme cases, the ESM may raise an alarm and discard events that are too far out of time sync.
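To make the normalization problem concrete, here is an added example (not McAfee code, and not how the Receiver is implemented internally): it interprets a classic BSD-format syslog header, which carries neither a year nor a UTC offset, in a configured Data Source time zone, and measures how far the result lands from the arrival time. The sample line, host name, fixed UTC-5 offset and the one-hour skew threshold are constructed assumptions for illustration.

```python
# Added example (not McAfee's code): why the Data Source time zone matters.
# BSD-format syslog lines carry no year and no UTC offset, so the Receiver
# has to interpret "Dec 18 16:11:05" in the zone configured for that
# Data Source. Sample data and the skew threshold are constructed.
import re
from datetime import datetime, timedelta, timezone

# "Dec 18 16:11:05 host program[pid]: message" (RFC 3164 style header)
BSD_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
)

def normalize(line, source_tz, received_at):
    """Interpret the header timestamp in source_tz and return it as UTC.

    source_tz   tzinfo configured for the Data Source (in production use
                zoneinfo.ZoneInfo("America/New_York") etc. so DST is handled)
    received_at aware datetime of arrival; it supplies the missing year
    """
    m = BSD_HEADER.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog header: {line!r}")
    naive = datetime.strptime(
        f"{received_at.year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)

def skew_seconds(line, source_tz, received_at):
    """Seconds between arrival and the normalized event time (positive = event in the past)."""
    return (received_at - normalize(line, source_tz, received_at)).total_seconds()

def out_of_sync(line, source_tz, received_at, max_skew=timedelta(hours=1)):
    """True when the normalized timestamp is further from arrival than max_skew
    (the threshold is an assumption for this example, not an ESM setting)."""
    return abs(skew_seconds(line, source_tz, received_at)) > max_skew.total_seconds()

# Constructed sample: a host in US Eastern time (UTC-5 in December) logs at
# 16:11:05 local; the Receiver, keeping UTC, sees the line 25 seconds later.
SAMPLE = "Dec 18 16:11:05 linuxhost sshd[1234]: Accepted publickey for alice from 192.0.2.10"
RECEIVED = datetime(2017, 12, 18, 21, 11, 30, tzinfo=timezone.utc)
EASTERN = timezone(timedelta(hours=-5))   # correct Data Source time zone
WRONG = timezone.utc                      # misconfigured: zone left at UTC

if __name__ == "__main__":
    for label, tz in (("correct zone", EASTERN), ("wrong zone", WRONG)):
        print(label, normalize(SAMPLE, tz, RECEIVED).isoformat(),
              skew_seconds(SAMPLE, tz, RECEIVED),
              "OUT OF SYNC" if out_of_sync(SAMPLE, tz, RECEIVED) else "ok")
```

With the correct zone the event normalizes to 21:11:05 UTC, 25 seconds before arrival; with the zone left at UTC the same line appears to be five hours old, which is the kind of skew that makes events land in the wrong place on the timeline or get discarded.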

NOTE: Most Data Sources do NOT require any modification to the Data Format, Data Retrieval method, SYSLOG Relay, Mask or any additional fields presented in the Add Data Source dialog.

Version history: Revision 1 of 1. Last update: 12-18-2017 04:11 PM.