cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
layer0
layer0
Level 8
Report Inappropriate Content
Message 1 of 10
‎01-30-2015 05:33 AM

Forward syslog event to another SIEM

Jump to solution

Hello

I want to know if it is possible to forward syslog event that i receive in the McAfee SIEM to another SIEM or syslog Server?

Thanks

Reply
1 Solution

Accepted Solutions
Highlighted
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 10
‎01-30-2015 06:10 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

View solution in original post

0 Kudos
Reply
9 Replies
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 2 of 10
‎01-30-2015 05:46 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes that's possible.

Two options:

1 is to forward the original syslog from the receiver to an other IP address. This sends the raw unparsed packets but will also parse the events locally. The option can be found on the receiver properties -> REceiver Management -> Data Archival and then the bottom option.

2 is forwarding from the ESM. This applies to parsed and aggregated events. Benefits are that you can select what data is send to another SIEM of syslog server. Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM. This feature can be foun in the ESM properties ->Event forwarding

0 Kudos
Reply
layer0
layer0
Level 8
Report Inappropriate Content
Message 3 of 10
‎01-30-2015 06:07 AM

Re: Forward syslog event to another SIEM

Jump to solution

Thank you Robert, one question, with the second option can you pick what data source do you want to forward events?

0 Kudos
Reply
Highlighted
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 10
‎01-30-2015 06:10 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

View solution in original post

0 Kudos
Reply
aygitci
aygitci
Level 7
Report Inappropriate Content
Message 5 of 10
‎07-08-2015 10:27 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hi,

What's about the SIEM ESM/ERC... itselfs 'system' logs ? How send them ?

Thanks

0 Kudos
Reply
layer0
layer0
Level 8
Report Inappropriate Content
Message 6 of 10
‎03-04-2015 05:27 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hello Again Robert

Do you know how i have to add the data source in the last siem that receives the data from the other siem?

Thanks

0 Kudos
Reply
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 7 of 10
‎03-06-2015 02:00 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Layer0,

I don't really get your question. Waht is the last SIEM in your case? And what is the other siem?

If you have multiple mcafee ESMs a better way is to add the ESM as a device in your "primary" ESM. This way you get a distributed ESM model and you can drill down on all data sources, devices and data.

If you have an other brand SIEM: The way you add data sources in that siem, well... wrong forum to ask i guess

If you mean that you have a syslog/siem sending data to your McAfee ESM, it really depends on how this data is forwarded and by what syslog/siem server. Splunk and syslog-NG are supported as proxies out of the box. Other syslog servers will probably require some reconfiguration. Kiwi, for example, modifies the syslog when you forward it to ESM. You need to spoof the network packet via winpcap so that the original syslog message is forwarded.

0 Kudos
Reply
layer0
layer0
Level 8
Report Inappropriate Content
Message 8 of 10
‎03-06-2015 11:16 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hello

I mean the last situation, i see that splunk and syslog-ng are supported but not McAfee SIEM, is that right?

Thanks

0 Kudos
Reply
erik_anderson
erik_anderson McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 10
‎03-18-2015 12:42 PM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Layer0,

Yes, McAfee event forwarding is supported. On the sending side, setup event forwarding to use SEF (Standard Event Format). On the receiving side, configure a data soure to receive forwarded events: Data Source Vendor - McAfee, Data Source Mode - Enterprise Security Manager, Data Format - SEF (I think default works too), Data Retrieval - Syslog, IP Address - Address of the forwarding ESM. If you are forwarding multiple data sources, you can break them back out into individual sources. For each data source, create one identical to the one on forwarding SIEM, but change the Data Format to SEF. You can do this with WMI also. By switching to SEF, you won't have to enter Windows login credentials.

If you need more detail, let me know.

Cheers

0 Kudos
Reply
hanzch
hanzch
Level 7
Report Inappropriate Content
Message 10 of 10
‎06-18-2019 08:32 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Eric,

 

How apply this with two mcafee siem?

can you explain me in more detail?

 

Thanks

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC