I recommend creating your own thread - most of this thread is 5 years old so doesn't necessarily represent current behaviours in the SIEM system.
The main disadvantage of Receiver Data Archival over syslog is it will only forward events which are received via syslog over UDP. The lesser disadvantage is there is no filtering possible, so it will always send all events which are received over syslog over UDP - this can lead to greater filtering being needed on the other SIEM.
A new option is available from SIEM 11 - you can use a Data Streaming Bus appliance to present a kafka topic of raw logs for collection by external providers.
Yes, McAfee event forwarding is supported. On the sending side, set up event forwarding to use SEF (Standard Event Format). On the receiving side, configure a data source to receive forwarded events: Data Source Vendor - McAfee, Data Source Mode - Enterprise Security Manager, Data Format - SEF (I think default works too), Data Retrieval - Syslog, IP Address - Address of the forwarding ESM. If you are forwarding multiple data sources, you can break them back out into individual sources. For each data source, create one identical to the one on the forwarding SIEM, but change the Data Format to SEF. You can do this with WMI also. By switching to SEF, you won't have to enter Windows login credentials.