cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
layer0
Level 8
Report Inappropriate Content
Message 1 of 13
‎01-30-2015 05:33 AM

Forward syslog event to another SIEM

Jump to solution

Hello

I want to know if it is possible to forward syslog event that i receive in the McAfee SIEM to another SIEM or syslog Server?

Thanks

Reply
1 Solution

Accepted Solutions
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 13
‎01-30-2015 06:10 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

View solution in original post

0 Kudos
Reply
12 Replies
robert_dearbyte
Level 10
Report Inappropriate Content
Message 2 of 13
‎01-30-2015 05:46 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes that's possible.

Two options:

1 is to forward the original syslog from the receiver to an other IP address. This sends the raw unparsed packets but will also parse the events locally. The option can be found on the receiver properties -> REceiver Management -> Data Archival and then the bottom option.

2 is forwarding from the ESM. This applies to parsed and aggregated events. Benefits are that you can select what data is send to another SIEM of syslog server. Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM. This feature can be foun in the ESM properties ->Event forwarding

Reply
layer0
Level 8
Report Inappropriate Content
Message 3 of 13
‎01-30-2015 06:07 AM

Re: Forward syslog event to another SIEM

Jump to solution

Thank you Robert, one question, with the second option can you pick what data source do you want to forward events?

0 Kudos
Reply
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 13
‎01-30-2015 06:10 AM

Re: Forward syslog event to another SIEM

Jump to solution

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

View solution in original post

0 Kudos
Reply
aygitci
Level 7
Report Inappropriate Content
Message 5 of 13
‎07-08-2015 10:27 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hi,

What's about the SIEM ESM/ERC... itselfs 'system' logs ? How send them ?

Thanks

0 Kudos
Reply
layer0
Level 8
Report Inappropriate Content
Message 6 of 13
‎03-04-2015 05:27 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hello Again Robert

Do you know how i have to add the data source in the last siem that receives the data from the other siem?

Thanks

0 Kudos
Reply
robert_dearbyte
Level 10
Report Inappropriate Content
Message 7 of 13
‎03-06-2015 02:00 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Layer0,

I don't really get your question. Waht is the last SIEM in your case? And what is the other siem?

If you have multiple mcafee ESMs a better way is to add the ESM as a device in your "primary" ESM. This way you get a distributed ESM model and you can drill down on all data sources, devices and data.

If you have an other brand SIEM: The way you add data sources in that siem, well... wrong forum to ask i guess

If you mean that you have a syslog/siem sending data to your McAfee ESM, it really depends on how this data is forwarded and by what syslog/siem server. Splunk and syslog-NG are supported as proxies out of the box. Other syslog servers will probably require some reconfiguration. Kiwi, for example, modifies the syslog when you forward it to ESM. You need to spoof the network packet via winpcap so that the original syslog message is forwarded.

0 Kudos
Reply
layer0
Level 8
Report Inappropriate Content
Message 8 of 13
‎03-06-2015 11:16 AM

Re: Forward syslog event to another SIEM

Jump to solution

Hello

I mean the last situation, i see that splunk and syslog-ng are supported but not McAfee SIEM, is that right?

Thanks

0 Kudos
Reply
nss88
Level 7
Report Inappropriate Content
Message 9 of 13
‎06-23-2020 06:54 PM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Robert, we have performed option 2 for our McAfee ESM --> Splunk integration. And, the "Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM" as you mentioned is very much observed with the events being received in Splunk.

We are looking at changing to Option 1. Would you be able to give more details on how this can be done ie can we point it directly to the Splunk Indexer or does it need to be to syslog server first? What are advantages and disadvantages for us to consider on going to this direction?

0 Kudos
Reply
nss88
Level 7
Report Inappropriate Content
Message 10 of 13
‎06-23-2020 07:02 PM

Re: Forward syslog event to another SIEM

Jump to solution

Hi Robert, we went on option 2 and you are right regarding the "Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM."

So, we are looking at going to option 1 instead, can you advise whether we can point it directly to the Splunk Indexer or do we need to have a syslog server to set as the receiver? Also, can you give us more details regarding the advantages and disadvantages for us to consider on going to this option?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC