Hello
I want to know if it is possible to forward syslog event that i receive in the McAfee SIEM to another SIEM or syslog Server?
Thanks
Yes that's possible.
Two options:
1 is to forward the original syslog from the receiver to another IP address. This sends the raw unparsed packets but will also parse the events locally. The option can be found on the receiver properties -> Receiver Management -> Data Archival and then the bottom option.
2 is forwarding from the ESM. This applies to parsed and aggregated events. Benefits are that you can select what data is sent to another SIEM or syslog server. Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM. This feature can be found in the ESM properties -> Event forwarding
Thank you Robert, one question, with the second option can you pick what data source do you want to forward events?
Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source/destination IP. Also ESM forwarding has the option to obfuscate data to mask sensitive data.
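To make the difference between the two forwarding modes concrete, here is a small added example (not from this thread and not McAfee code) that models them over a few constructed syslog lines: mode 1 relays the raw line unchanged, while mode 2 parses the event, applies filters of the kinds named above (data source, severity, source IP range), optionally masks IP addresses, and re-emits the event in a different key=value layout. The filter class, field names and masking scheme are assumptions for the demo, not ESM's actual configuration model.

```python
"""Added example: toy model of receiver raw forwarding vs. ESM parsed forwarding.
Not McAfee code; field names, filter model and output format are assumptions."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed RFC 3164 style sample events; hosts and addresses are made up.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<13>Oct 11 22:14:16 web01 nginx: GET /index.html 200 client=198.51.100.7",
    "<30>Oct 11 22:14:17 fw01 kernel: ACCEPT IN=eth0 SRC=10.1.2.9 DST=192.0.2.10 PROTO=TCP DPT=443",
]

# <PRI>TIMESTAMP HOST PROGRAM: MESSAGE
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    facility: int
    severity: int            # 0 = emergency ... 7 = debug
    timestamp: str
    data_source: str         # the sending host, what a SIEM would call the data source
    program: str
    message: str
    src_ip: Optional[str]
    dst_ip: Optional[str]


@dataclass
class ForwardFilter:
    """Hypothetical filter model: empty/None means 'match anything'."""
    data_sources: FrozenSet[str] = frozenset()
    max_severity: int = 7    # forward events whose severity number is <= this
    src_net: Optional[str] = None   # e.g. "10.1.2.0/24"


def parse_syslog(line: str) -> Optional[Event]:
    """Split a syslog line into fields; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    message = m.group(5)
    src = re.search(r"\bSRC=(\S+)", message)
    dst = re.search(r"\bDST=(\S+)", message)
    return Event(facility, severity, m.group(2), m.group(3), m.group(4), message,
                 src.group(1) if src else None, dst.group(1) if dst else None)


def matches(ev: Event, flt: ForwardFilter) -> bool:
    """Apply data-source, severity and source-IP filters."""
    if flt.data_sources and ev.data_source not in flt.data_sources:
        return False
    if ev.severity > flt.max_severity:
        return False
    if flt.src_net is not None:
        if ev.src_ip is None or ipaddress.ip_address(ev.src_ip) not in ipaddress.ip_network(flt.src_net):
            return False
    return True


def mask_ips(text: str, salt: str) -> str:
    """Obfuscation step: replace each IPv4 address with a salted, deterministic token
    so the receiving SIEM can still correlate events without seeing the real address."""
    def token(m: "re.Match[str]") -> str:
        return "ip-" + hashlib.sha256(f"{salt}:{m.group(0)}".encode()).hexdigest()[:10]
    return IPV4_RE.sub(token, text)


def forward_raw(lines: List[str]) -> List[str]:
    """Mode 1: relay the original packets byte-for-byte; nothing is filtered or rewritten."""
    return list(lines)


def forward_parsed(lines: List[str], flt: ForwardFilter, obfuscate_salt: Optional[str] = None) -> List[str]:
    """Mode 2: parse, filter, optionally mask, and re-emit in a new key=value layout.
    The downstream SIEM must parse this layout rather than the original format."""
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or not matches(ev, flt):
            continue
        msg = mask_ips(ev.message, obfuscate_salt) if obfuscate_salt is not None else ev.message
        out.append(f"ts={ev.timestamp} ds={ev.data_source} sev={ev.severity} prog={ev.program} msg={msg}")
    return out


if __name__ == "__main__":
    flt = ForwardFilter(data_sources=frozenset({"fw01"}), max_severity=5)
    print("raw:", *forward_raw(SAMPLE_EVENTS), sep="\n  ")
    print("parsed+filtered+masked:", *forward_parsed(SAMPLE_EVENTS, flt, obfuscate_salt="demo"), sep="\n  ")
```

Running it shows why option 2 tends to break existing parsers on the other SIEM: only the raw mode preserves the original line, while the parsed mode changes the layout and, with masking enabled, the values as well.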
Hi,
What about the SIEM ESM/ERC... itself's 'system' logs? How do I send them?
Thanks
Hello Again Robert
Do you know how I have to add the data source in the last SIEM that receives the data from the other SIEM?
Thanks
Hi Layer0,
I don't really get your question. What is the last SIEM in your case? And what is the other SIEM?
If you have multiple McAfee ESMs a better way is to add the ESM as a device in your "primary" ESM. This way you get a distributed ESM model and you can drill down on all data sources, devices and data.
If you have another brand SIEM: the way you add data sources in that SIEM, well... wrong forum to ask, I guess.
If you mean that you have a syslog/siem sending data to your McAfee ESM, it really depends on how this data is forwarded and by what syslog/siem server. Splunk and syslog-NG are supported as proxies out of the box. Other syslog servers will probably require some reconfiguration. Kiwi, for example, modifies the syslog when you forward it to ESM. You need to spoof the network packet via winpcap so that the original syslog message is forwarded.
Hello
I mean the last situation. I see that Splunk and syslog-ng are supported but not McAfee SIEM, is that right?
Thanks
Hi Robert, we have performed option 2 for our McAfee ESM --> Splunk integration. And, the "Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM" as you mentioned is very much observed with the events being received in Splunk.
We are looking at changing to Option 1. Would you be able to give more details on how this can be done, i.e. can we point it directly to the Splunk Indexer or does it need to go to a syslog server first? What are the advantages and disadvantages for us to consider in going in this direction?
Hi Robert, we went on option 2 and you are right regarding the "Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM."
So, we are looking at going to option 1 instead. Can you advise whether we can point it directly to the Splunk Indexer, or do we need to have a syslog server set as the receiver? Also, can you give us more details regarding the advantages and disadvantages for us to consider in going to this option?