
SIEM Foundations: Basic Install and Config



Step 1: Initial Power-Up and Configuration

The first appliance to bring online is the Enterprise Security Manager (ESM). This includes any ESM combo boxes such as ESM/REC/ELM.

  1. Connect the power supplies to a properly grounded outlet (preferably on a sufficient Uninterruptible Power Supply).
  2. Connect a network cable to the Management 1 NIC.
  3. Press the power button on the front of the bezel.
    For VM-based SIEM appliances, power on the guest image.
    Wait for the appliance to boot completely.
  4. Configure the basic ESM network settings.
    1. Connect a VGA monitor and keyboard.
      For VM-based SIEM appliances, enter Console mode.
      The LCD display is mimicked on the monitor/console.
    2. Press ESC on the keyboard to open the configuration menu.
      NOTE: The keyboard may appear unresponsive and may require multiple keystrokes to recognize each key press.
    3. Using the arrow keys on the keyboard, scroll down to MGMT IP Config. Press Enter.
    4. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).
    5. Configure the NETMASK.
    6. Configure the GATEWAY IP.
    7. Save the network configuration.

NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.

Repeat the initial configuration process for all remaining appliances.

Step 2: Connecting to the ESM via Web GUI

The McAfee SIEM is managed and maintained entirely through a web/Flash interface. Following are the minimum requirements for a host connecting to the ESM:

  • Processor – P4-class Intel (not Celeron) or higher (Mobile/Xeon/Core2/Core i3/5/7) or AMD/AMD2 class or higher (Turion64/Athlon64/Opteron64/A4/6/8)
  • RAM – 1.5GB
  • Browser – IE7.x or later, Firefox, Chrome 12.0.742.91+, Safari 5.1.7+
    NOTE: Since some features of the web application utilize pop-up windows, it is recommended that you allow pop-ups for the IP address/hostname of the ESM.
  • Adobe Flash Player – Version 11.2.x.x or later

To log into the ESM, follow the steps below.

  1. Open a web browser on your client computer.
  2. Connect to the IP address specified in the previous section.
  3. Accept the security certificate error.
    NOTE: All McAfee SIEM appliances ship with a self-signed certificate. The customer can provide a valid security certificate through the GUI to avoid this certificate error.
  4. Click the Login link on the page that opens. The McAfee ESM application will load and prompt you for a username and password.
  5. Choose a default Language.
  6. Enter the default username NGCP.
  7. Enter the default password security.4u and click Login.
  8. Accept the EULA.
  9. You will then be prompted to change your password.
  10. Enter security.4u in the current password field.
  11. Enter and confirm a new password of your choice in the new password field.
  12. Click OK. The Enable FIPS dialog will appear.
    NOTE: It is highly recommended that you NEVER enable FIPS mode unless absolutely necessary. FIPS mode must be selected the first time you log on to the system and cannot subsequently be changed after the initial installation.
  13. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.
  14. Next, a dialog box will open with the following message:
  15. Click OK. The McAfee ESM Startup screen will open.

Step 3: Completing the Initial ESM Configuration Wizard

The initial configuration of network settings (IP address, Netmask, Gateway) was sufficient to allow the basic log on via the web GUI. Additional configuration will be performed by the ESM setup wizard in the following dialogs.

  1. Select the system logging language and the time zone setting for the NGCP user.
  2. Click Next >.
  3. Enter the appropriate DNS values for the ESM to perform name resolution.
  4. Click Next >.
  5. If a proxy server is required for the ESM to communicate to the Internet, enter the appropriate proxy server settings.
  6. Click Next >.
  7. If additional static routes are required for the ESM to communicate, add them from the current screen.
  8. Click Next >.
  9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server address. It is HIGHLY recommended that you leverage a local NTP server for your SIEM implementation. Without a consistent time source, your SIEM components and data sources are likely to experience time drift. This can have some very unexpected results, such as failed connections between SIEM devices, failed authentication to Windows data sources, and others. If you do not have an NTP server available, it is often acceptable to enter the IP address of your primary Active Directory server.
  10. Click Next >.
  11. Enter the Customer ID and Password provided by McAfee licensing to allow automatic rule updates, place a check in the Auto Check box and select the update interval.  If you do not have credentials, you can obtain them by sending an email to with your contact information and McAfee grant number.  If your ESM is not connected to the Internet, you can also download and install the rules update manually.
  12. Click Finish.
  13. You may see a dialog box indicating that IP address changes were made that will require redirection. Click OK.
  14. A dialog box will appear indicating that the settings will be saved and services on the ESM will be restarted. When asked to continue, click Yes.
  15. Once the ESM services have restarted, re-enter your password to complete the ESM setup wizard.
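
The time-drift concern in step 9, as an added example (not part of the original document or McAfee's tooling): it parses an SNTP server reply and computes how far the local clock is from the time source, flagging offsets above a threshold. The 300-second limit, the function names and the sample packet are assumptions constructed for illustration; 300 s mirrors the default five-minute clock tolerance of Active Directory Kerberos.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_SECONDS = 300.0      # assumed alert threshold, not a value from this page

def to_ntp(unix_time):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds + fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    return struct.pack("!II", int(ntp), int((ntp - int(ntp)) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp to Unix seconds."""
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def parse_reply(packet, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are client send/receive times."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports it is unsynchronized")
    if packet[24:32] != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    t2, t3 = from_ntp(packet[32:40]), from_ntp(packet[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def check_skew(packet, t1, t4, limit=MAX_SKEW_SECONDS):
    """Summarize the reply and flag an offset larger than the limit."""
    offset, delay = parse_reply(packet, t1, t4)
    return {"offset": offset, "delay": delay, "ok": abs(offset) <= limit}

def sample_reply(t1, t2, t3, leap=0, stratum=2):
    """Constructed server reply (version 4, mode 4) so the example runs offline."""
    header = struct.pack("!BBbb", (leap << 6) | (4 << 3) | 4, stratum, 6, -20)
    return header + bytes(12) + to_ntp(t3) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

# Constructed exchange: the time source is 420 s ahead of this host.
T1, T4 = 1407531360.0, 1407531361.0
REPLY = sample_reply(T1, T1 + 420.25, T1 + 420.75)

if __name__ == "__main__":
    print(check_skew(REPLY, T1, T4))
```
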



@Scott Taschler You are a God-sent savior... This doc really helped me. Could you please create more docs on how to create basic correlation rules?

Version history
Revision #: 1 of 1
Last update: 08-08-2014 08:56 PM