lratcliffe
McAfee Employee
Message 11 of 13

Re: Forward syslog event to another SIEM


I recommend creating your own thread - most of this thread is 5 years old so doesn't necessarily represent current behaviours in the SIEM system.

The main disadvantage of Receiver Data Archival over syslog is it will only forward events which are received via syslog over UDP. The lesser disadvantage is there is no filtering possible, so it will always send all events which are received over syslog over UDP - this can lead to greater filtering being needed on the other SIEM.

A new option is available from SIEM 11 - you can use a Data Streaming Bus appliance to present a Kafka topic of raw logs for collection by external providers.

erik_anderson
McAfee Employee
Message 12 of 13

Re: Forward syslog event to another SIEM


Hi Layer0,

Yes, McAfee event forwarding is supported. On the sending side, set up event forwarding to use SEF (Standard Event Format). On the receiving side, configure a data source to receive forwarded events: Data Source Vendor - McAfee, Data Source Mode - Enterprise Security Manager, Data Format - SEF (I think default works too), Data Retrieval - Syslog, IP Address - Address of the forwarding ESM. If you are forwarding multiple data sources, you can break them back out into individual sources. For each data source, create one identical to the one on the forwarding SIEM, but change the Data Format to SEF. You can do this with WMI also. By switching to SEF, you won't have to enter Windows login credentials.

If you need more detail, let me know.

Cheers

hanzch
Level 7
Message 13 of 13

Re: Forward syslog event to another SIEM


Hi Eric,

 

How do I apply this with two McAfee SIEMs?

Can you explain it to me in more detail?

 

Thanks
