Hello,
does anybody have experience in collecting Message Tracking logs to SIEM (McAfee ESM 9.3.1)?
I have two questions:
1. The user guide says to give network share read privileges to a domain user, but doesn't say how to configure the data source in the Add Data Source window on the ESM side.
2. Since we have 3 mail servers how should we collect logs from all three shared folders?
Best regards,
Hello,
you can find below the working example of Exchange Message Tracking configuration (CIFS):
If you have three email servers, you have to share folders on them and create three data sources, one for each Exchange Server.
Regards,
Artur Sadownik
Thanks Artur,
logs are collected.
I would like to ask you one more question. Although logs are collected, they are not parsed correctly. To be precise, almost all useful information from message tracking logs, such as log type (RECEIVE, STORE), message subject, and sender or receiver info, is shown in the Packet tab, where you can only see the original log message. However, this way I cannot use filters to search for those parameters. For example: to search for all messages where the sender or receiver is xx@mail.com.
By the way, I have noticed this also in logs coming from Microsoft Forefront TMG and from Oracle DB.
Any suggestions?
Message was edited by: pervan on 3/4/13 5:42:52 AM CST
Pervan,
when you are using the Exchange Server (ASP) data source, you should see the sender and receiver in the Source\Destination User fields. If you want to search messages by the addresses, you can use the Source\Destination User filters. You probably know that there is no possibility to use regex in the Filters, but you can use there something called "Normalization Strings":
Regards,
Artur Sadownik
Message was edited by: artek on 3/21/13 11:05:17 PM CET
...and if you can't see the email addresses in the Source\Destination User fields, please ask McAfee Support about the latest hotfix.
Regards,
Artur Sadownik
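As an added example (not from this thread, McAfee or Microsoft), the parser below reads the Exchange message tracking log format outside the SIEM, so a defender can check which sender, recipient and event-id values the Receiver should be extracting and search them by address the way pervan wanted. The `#Fields:` header names the columns, `recipient-address` can carry several addresses separated by `;`, and subjects are CSV-quoted; the sample log and its Exchange 2010-style field list are constructed for this example.

```python
import csv

# Constructed sample in Exchange 2010 message tracking layout (not from the thread).
# The "#Fields:" header names the columns, so the parser never hard-codes them.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2013-03-04T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2013-03-04T05:42:52.000Z,10.0.0.5,MAIL01,10.0.0.1,EX01,,Default EX01,SMTP,RECEIVE,1,<id1@example.com>,alice@example.com;bob@example.com,,2048,2,,,"Report, Q1",xx@mail.com,xx@mail.com,
2013-03-04T05:42:53.000Z,,,,EX01,,,STOREDRIVER,DELIVER,1,<id1@example.com>,alice@example.com,,2048,1,,,"Report, Q1",xx@mail.com,xx@mail.com,
2013-03-04T05:43:10.000Z,10.0.0.7,MAIL02,10.0.0.1,EX01,,Default EX01,SMTP,RECEIVE,2,<id2@example.com>,xx@mail.com,,512,1,,,Hello,carol@example.org,carol@example.org,
"""


def parse_tracking_log(text):
    """Return one dict per event, keyed by the column names from the #Fields: header."""
    fields = None
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue  # other '#' lines are file metadata, not events
        if fields is None:
            raise ValueError("data row seen before the #Fields: header")
        row = next(csv.reader([line]))  # csv handles quoted subjects containing commas
        if len(row) != len(fields):
            raise ValueError("column count %d does not match header %d" % (len(row), len(fields)))
        event = dict(zip(fields, row))
        # recipient-address lists every recipient of the event, separated by ';'
        event["recipients"] = [r.lower() for r in event["recipient-address"].split(";") if r]
        events.append(event)
    return events


def events_involving(events, address):
    """Events where address is the sender or one of the recipients (case-insensitive)."""
    address = address.lower()
    return [e for e in events
            if e["sender-address"].lower() == address or address in e["recipients"]]


if __name__ == "__main__":
    for e in events_involving(parse_tracking_log(SAMPLE_LOG), "xx@mail.com"):
        print(e["date-time"], e["event-id"], e["sender-address"], "->", ";".join(e["recipients"]))
```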
Artur,
I'm pretty new to the SIEM, and have a couple of questions about this configuration.
Thanks,
LT
Resurrecting an old post as I have a similar issue.
Trying to add a file share as a data source. The user has read and modify rights. When I do a connection test I get the error:
NotOk writeability: Permission denied, readability: Ok
What exact rights does the user require?
I usually use a packet capture to troubleshoot share issues. You could run tcpdump on the Receiver (tcpdump -nni eth0 host x.x.x.x -X) while you try to mount it. The error is usually clearly stated.