Solved: McAfee Support Community - Re: Forward syslog event to another SIEM

layer0 · ‎01-30-2015

Hello

I want to know if it is possible to forward syslog event that i receive in the McAfee SIEM to another SIEM or syslog Server?

Thanks

robert_dearbyte · ‎01-30-2015

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

robert_dearbyte · ‎01-30-2015

Yes that's possible.

Two options:

1 is to forward the original syslog from the receiver to an other IP address. This sends the raw unparsed packets but will also parse the events locally. The option can be found on the receiver properties -> REceiver Management -> Data Archival and then the bottom option.

2 is forwarding from the ESM. This applies to parsed and aggregated events. Benefits are that you can select what data is send to another SIEM of syslog server. Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM. This feature can be foun in the ESM properties ->Event forwarding

layer0 · ‎01-30-2015

Thank you Robert, one question, with the second option can you pick what data source do you want to forward events?

robert_dearbyte · ‎01-30-2015

Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source.destiantion IP. Also ESM formwarding has the option to obfuscate data to mask sensitive data.

aygitci · ‎07-08-2015

Hi,

What's about the SIEM ESM/ERC... itselfs 'system' logs ? How send them ?

Thanks

layer0 · ‎03-04-2015

Hello Again Robert

Do you know how i have to add the data source in the last siem that receives the data from the other siem?

Thanks

robert_dearbyte · ‎03-06-2015

Hi Layer0,

I don't really get your question. Waht is the last SIEM in your case? And what is the other siem?

If you have multiple mcafee ESMs a better way is to add the ESM as a device in your "primary" ESM. This way you get a distributed ESM model and you can drill down on all data sources, devices and data.

If you have an other brand SIEM: The way you add data sources in that siem, well... wrong forum to ask i guess

If you mean that you have a syslog/siem sending data to your McAfee ESM, it really depends on how this data is forwarded and by what syslog/siem server. Splunk and syslog-NG are supported as proxies out of the box. Other syslog servers will probably require some reconfiguration. Kiwi, for example, modifies the syslog when you forward it to ESM. You need to spoof the network packet via winpcap so that the original syslog message is forwarded.

layer0 · ‎03-06-2015

Hello

I mean the last situation, i see that splunk and syslog-ng are supported but not McAfee SIEM, is that right?

Thanks

erik_anderson · ‎03-18-2015

Hi Layer0,

Yes, McAfee event forwarding is supported. On the sending side, setup event forwarding to use SEF (Standard Event Format). On the receiving side, configure a data soure to receive forwarded events: Data Source Vendor - McAfee, Data Source Mode - Enterprise Security Manager, Data Format - SEF (I think default works too), Data Retrieval - Syslog, IP Address - Address of the forwarding ESM. If you are forwarding multiple data sources, you can break them back out into individual sources. For each data source, create one identical to the one on forwarding SIEM, but change the Data Format to SEF. You can do this with WMI also. By switching to SEF, you won't have to enter Windows login credentials.

If you need more detail, let me know.

Cheers