ksudki
Level 10

Autolearn Windows datasources forwarded by syslog


Dear community,

I want to automatically create Windows Data Sources for non-Windows-native events (DNS/DHCP/IIS/...). For this, I want to use the "auto learn" feature, with the logs being forwarded to the receiver using syslog.

On the ESM, I can see the data source, but no type is detected, which is indeed a problem.

Are there any known limitations to doing this? (I already tested this without success: McAfee Corporate KB - The SIEM autolearn feature fails to work, KB82128.)

Regards

1 Solution

Accepted Solutions
ksudki
Level 10

Re: Autolearn Windows datasources forwarded by syslog


According to McAfee support, Autolearn for Windows-related Datasources when using syslog needs a PER.

If I do not find any workaround to my issue, I'll create a PER, but I doubt that they will push a patch for this to the product.

Regards

4 Replies
sssyyy
Level 12

Re: Autolearn Windows datasources forwarded by syslog


DNS, DHCP and IIS are done via the SIEM Collector, and you can only start getting the logs once the data source is created on the receivers. So I don't think auto learn applies to the above.

ksudki
Level 10

Re: Autolearn Windows datasources forwarded by syslog


Hi sssyyy,

This is partially true.

In the options you can select syslog as the retrieval method, and I confirm I got it working with third-party tools when creating the datasource manually. I cannot figure out why it is not working with Autolearn.

sssyyy
Level 12

Re: Autolearn Windows datasources forwarded by syslog


Right, OK. You might not be using a SIEM Collector, just a syslog client on the server then...
