I am integrating Suricata 4.0.5 with McAfee SIEM but it is not working.
I have read the supported log platforms sheet and Suricata was not mentioned in it.
However, Suricata supports syslog, and I am also attaching an image of the Data Source which is added.
Yes, it's going to work.
But first of all, quickly change the "Support Generic Syslog" field
from the chosen one to "Log Unknown Events".
After incoming events (mostly "unknown events", because there are no parser rules for that Data Source)
you will need to start writing parser rules for the different events.
Not working as in you don't get any events? I'd check two things:
- Do a tcpdump against the source IP on the ERC to make sure events are hitting the ERC.
- Check iptables to make sure your ERC is configured correctly to accept incoming events on syslog port 514.
It is integrated but getting garbage data, since we will have to write the parser.
Anyway, this is a limitation of McAfee SIEM which I would like to forward to the SIEM team so they write a parser for Suricata logs. I wish to see it in the next upgraded version of SIEM.
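The replies above note that Suricata events arrive as "unknown" until parser rules exist for them. As an added example (not from this thread, McAfee, or the Suricata project), the Python below shows a regex that splits Suricata's fast/syslog alert line into the fields a custom parser rule would need to extract, run over constructed sample syslog lines; the field names and sample lines are my own assumptions.

```python
import re

# Regex for Suricata's fast-format alert line as it appears in a syslog message
# (layout assumed from Suricata's documented fast.log output; group names are mine).
SURICATA_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src_ip>[0-9a-fA-F.:]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[0-9a-fA-F.:]+):(?P<dst_port>\d+)"
)


def parse_suricata_syslog(line):
    """Return normalized alert fields, or None if the line is not a Suricata alert."""
    m = SURICATA_ALERT_RE.search(line)
    if not m:
        return None  # leave non-matching lines as "unknown events"
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields


# Constructed sample lines (not real traffic): two Suricata alerts and one
# unrelated syslog line that a Suricata parser rule must not claim.
SAMPLE_LINES = [
    "Jun 12 10:15:01 sensor1 suricata[2231]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:41234",
    "Jun 12 10:15:03 sensor1 suricata[2231]: [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:55120 -> 192.0.2.20:1433",
    "Jun 12 10:15:04 sensor1 sshd[811]: Accepted publickey for ops from 192.0.2.30 port 50022",
]


def parse_all(lines):
    """Parse every line and keep only the ones recognized as Suricata alerts."""
    return [p for p in (parse_suricata_syslog(l) for l in lines) if p is not None]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
```

The same regex, adapted to the SIEM's parser rule syntax, is the starting point for mapping sid, classification, priority and the address tuple onto the SIEM's normalized fields.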