How to add as data source in the ESM; System Center Endpoint Protection 2016 also known as ForeFront Endpoint?
I tried ForeFront guide; the link is below but this is pulling sql DB and configured as supposed to be but did not work even after Firewall change and everything.
If I am not wrong, can we use ESM SIEM collector agent using "Generic Log Tail" to collect the ForeFront Endpoint logs.
If so, please show me the steps to configure or any knowledge base article to help me out. Please advise!
We've configured ESM to pull via SQL DB, you have to make sure the correct DB instance is selected.
What firewall rule should be open - TCP port 1433 and UDP port 1434? or anything else!
Do you have any sample image to show the configuration? Any help will be much appreciated.
our EP sits within SCCM, so we just connect to the DB table that has EP data.
I have the same configuration but still having the issue pulling data. I even enabled Firewall rule allow for UDP port 1434 outbound from reciever to mssql db and also TCP port 1433 default outbound from the receiver to mssql db.
Called mcafee support engineer and told me that it might not support forefront Endpoint 2016, which I doubt now because your endpoint 2016 is working. Not sure what I am missing here.
What kind of issue are you having? Unable to connect or connection OK, but can't pull back any data? I think TCP1433 is sufficient as the SQL server listen on 1433. Do a telnet from your ERC to the DB to make sure the FW is not blocking you.
Test connection is successful and account has read permission to db. Not sure what I am missing here.
Getting this error below.
receiver ip 220.127.116.11.
Endpoint ip 10.10.10.1
McAfee-ERC-1260 ~ # tcpdump -nni eth0 host 10.10.10.1 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:25:29.863295 IP (tos 0x0, ttl 126, id 2838, offset 0, flags [DF], proto TCP (6), length 41)
10.10.10.1.1433 > 18.104.22.168.43110: Flags [.], cksum 0xaea5 (correct), seq 948722877:948722878, ack 2577839236, win 256, length 1
16:25:29.863314 IP (tos 0x0, ttl 64, id 30973, offset 0, flags [DF], proto TCP (6), length 40)
172.26.1.3.43110 > 22.214.171.124..1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:25:59.864328 IP (tos 0x0, ttl 126, id 2839, offset 0, flags [DF], proto TCP (6), length 41)
10.10.10.1.1433 > 126.96.36.199..43110: Flags [.], cksum 0xaea5 (correct), seq 0:1, ack 1, win 256, length 1
16:25:59.864337 IP (tos 0x0, ttl 64, id 30974, offset 0, flags [DF], proto TCP (6), length 40)
188.8.131.52..43110 > 10.10.10.1.1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:26:29.864155 IP (tos 0x0, ttl 126, id 2840, offset 0, flags [DF], proto TCP (6), length 41)
We are using 2012, but i doubt 2016 won't work unless the underlying SQL DB table structure has changed.
The user account that you specified in data source configuration, does it have both db_datareader and public rights? Connect successful only means that the credential is valid on SQL, and privilege may not be sufficient to pull back data. Also make sure you roll out policy at the default level.