Former Member
Not applicable
Message 1 of 11

DHCP and DNS logging


I am on version 9.3.2, and I am trying to have DNS and DHCP logs sent to my SIEM. I currently use the SIEM Collector agent 10 and have it distributed through ePO. Currently the WMI logs are being sent to the SIEM. Now I would like to add DHCP and DNS. I was under the impression that I would essentially have to add three data sources: one each for WMI, DHCP, and DNS. I was able to add the DNS and WMI data sources fine. When I add the DHCP data source I get the following error.

[Screenshot: 2014-03-04 14_52_27-https___ssdsrv126_Application.html.jpg]

I can tell you with 100% certainty that I do not have another DHCP Data source with this IP address and Host ID.

On the ePO side, below is a screenshot of how I have the policy configured.

[Screenshot: 2014-03-04 14_52_27-https___ssdsrv126_Application.htmls.jpg]

Is there something I am missing?

1 Solution

Accepted Solutions
Former Member
Not applicable
Message 6 of 11

Re: DHCP and DNS logging


If you are using the SIEM Collector via ePO, this is a response I got from the McAfee tech.

"We identified this as having issues, and the issues lie somewhere in the code; this will not be fixed except through a patch or upgrade. Unfortunately at this time I have not been able to reproduce the issue either. At this time the only immediate workaround is to manually add the configurations after ePO deployment, or attempt to remove one of the two file-tail configurations and see if the other can still roll out successfully."

I got no response on when a new patch or upgrade will come out.


10 Replies
Former Member
Not applicable
Message 2 of 11

Re: DHCP and DNS logging


From my experience, you can only have one Data Source per IP Address. You have to use the "Host ID".

We are using the SIEM Collector Agent to tail the IIS Logs, so if the Agent is setup to do both WMI and IIS, the WMI Data Source would contain the IP Address of the Server, but the IIS Data Source would only contain the "HostID" as configured.

In your ePO Policy, on the first tab, make sure you have the "Generate HostID's" option checked. (Generated Host IDs will be like the pattern <hostname>-<configuration name>)

The HostID in the Data Source should be defined as the "ServerName-HostID"

Former Member
Not applicable
Message 3 of 11

Re: DHCP and DNS logging


I am using the Host ID, which is allowing me to successfully add a WMI and a DNS data source from the same IP address. I run into problems when I add a third data source.

esher72
Level 9
Message 4 of 11

Re: DHCP and DNS logging


I am using the older SIEM Agent (v 9.1.3) to pull my DHCP logs. So your mileage may vary here.

I create a data source like this with the IP of the machine with the agent:

[Screenshot: siem_1.PNG]

Then I create a child data source under that for the DHCP server with the IP of the DHCP server and Host ID configured on the agent box:

[Screenshot: siem_2.PNG]

These are the matching settings from over on the machine running the agent:

[Screenshot: SIEM3.PNG]

You can just keep adding child data sources for each DHCP server. Use the DHCP servers' IPs for each of those and make sure the Host IDs match what you set up. Hopefully that helps. I have about 20+ DHCP servers in there now and am about to build out a new agent machine to accommodate some new DHCP servers from an acquisition we just had. I will probably go with the newest agent then. If this doesn't work for you because I am using an older version of the agent, I might have more to offer when I do that new build.
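
The two replies above describe the same constraint from different angles: the receiver keys each data source on the pair (IP address, Host ID), so several sources behind one IP only work if each carries a distinct Host ID (Message 2's generated `<hostname>-<configuration name>` IDs for one agent host), or if each child source is keyed by a different server IP (Message 4's parent/child layout). The script below is an added example, not code from the thread or from McAfee; it models both layouts as plain rows and flags the key collisions the ESM would reject with the "another data source with this IP address and Host ID" error. Hostnames, IPs and configuration names are constructed sample data, and the Host IDs for the Message 4 children are assumed to follow the same hostname-configuration pattern.

```python
"""Offline sanity check of a planned set of ESM data sources (added example).

Rule modelled: the receiver treats (IP address, Host ID) as the unique key
for a data source. The hostnames, IPs and configuration names below are
constructed for illustration; nothing here talks to an ESM or an agent.
"""
from collections import defaultdict


def generate_host_id(hostname: str, config_name: str) -> str:
    """Host ID in the <hostname>-<configuration name> form that Message 2
    quotes for the ePO 'Generate HostID's' option."""
    return f"{hostname}-{config_name}"


def agent_sources(hostname, ip, configs, generate_host_ids=True):
    """Layout from Message 2: one agent host running several collector
    configurations. The WMI source is keyed by the server IP alone; each
    file-tail source (DHCP, DNS, IIS, ...) shares that IP and therefore
    needs the generated Host ID. With generate_host_ids=False every row on
    the IP ends up with an empty Host ID, which is the collision case."""
    rows = [(f"{hostname} WMI", ip, "")]
    for cfg in configs:
        host_id = generate_host_id(hostname, cfg) if generate_host_ids else ""
        rows.append((f"{hostname} {cfg}", ip, host_id))
    return rows


def child_sources(agent_hostname, agent_ip, dhcp_servers):
    """Layout from Message 4: a parent source for the agent box, then one
    child per DHCP server keyed by that server's own IP plus a Host ID set
    on the agent. dhcp_servers is a list of (hostname, ip) pairs; the
    hostname-DHCP Host ID pattern for the children is an assumption."""
    rows = [(f"{agent_hostname} agent", agent_ip, "")]
    for name, ip in dhcp_servers:
        rows.append((f"{name} DHCP", ip, generate_host_id(name, "DHCP")))
    return rows


def find_collisions(rows):
    """Return {(ip, host_id): [source names]} for every key used more than
    once; an empty dict means the plan satisfies the uniqueness rule."""
    seen = defaultdict(list)
    for name, ip, host_id in rows:
        seen[(ip, host_id)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    plan = agent_sources("svr01", "192.0.2.10", ["DNS", "DHCP"])
    print("with generated Host IDs:", find_collisions(plan) or "no collisions")
    plan = agent_sources("svr01", "192.0.2.10", ["DNS", "DHCP"],
                         generate_host_ids=False)
    print("without Host IDs:", find_collisions(plan))
    plan = child_sources("agent01", "192.0.2.5",
                         [("dhcp01", "192.0.2.20"), ("dhcp02", "192.0.2.21")])
    print("parent/child layout:", find_collisions(plan) or "no collisions")
```

Running it shows that with Host IDs generated the Message 2 layout has no duplicate keys, that turning the option off collapses the WMI, DNS and DHCP rows onto one (IP, "") key, and that the Message 4 layout stays unique because each child has its own server IP.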

esher72
Level 9
Message 5 of 11

Re: DHCP and DNS logging


You can probably disregard my previous post. I completely missed the part about ePO. We do not use it. The company we acquired does, but we are decommissioning it. The way we leverage the agent is that I have a Windows Server 2012 machine that has the agent and acts as an aggregator for all the flat-file logs we wish to feed into our SIEM. It handles all of our DHCP, DNS, and IIS logs. The way we use it might not be of much help to your situation. Sorry about that.


Former Member
Not applicable
Message 7 of 11

Re: DHCP and DNS logging


Hi,

I just recently upgraded our system to version 9.3.2, and I am trying to have DNS and DHCP logs sent to my SIEM.

I want to collect the system logs [WMI] and the application logs [from DHCP, DNS] from the same machine.

Can you please forward me the steps to achieve this task?

Former Member
Not applicable
Message 8 of 11

Re: DHCP and DNS logging


If you are using ePO to do this, it will not work; I am working through this issue. If you are not, I can't seem to figure out how to attach the document I got from support, but maybe these will help you:

https://community.mcafee.com/thread/58734

https://kc.mcafee.com/corporate/index?page=content&id=KB74849&actp=search&viewlocale=en_US&searchid=...

Former Member
Not applicable
Message 9 of 11

Re: DHCP and DNS logging


Thanks for the kind reply.

I installed the McAfee agent on one of the Microsoft Exchange servers.

Initially I planned to get the WMI (System) logs from that server, but there are no logs at all.

Are there any troubleshooting steps?

Former Member
Not applicable
Message 10 of 11

Re: DHCP and DNS logging


You are going to need to see if there is a FW in the way between the system and the receiver. Because I do not have the same collector deployment, you may want to contact McAfee support. They would be able to help you more than I can. Who knows, there might be someone that reads this thread that could help you.
