Integration Suricata with McAfee SIEM

Greetings!

Dear Concern,

I am integrating Suricata 4.0.5 with McAfee SIEM but it is not working. 

I have read the supported log platforms sheet and Suricata was not mentioned in it.

https://www.mcafee.com/enterprise/en-us/assets/data-sheets/ds-siem-supported-devices.pdf

However, Suricata supports Syslog, and I am also attaching an image of the Data Source which is added.


Suricata - Data Source Configuration.PNG


Thank You!

Yours Sincerely,
Syed Irfan Naseer
3 Replies
Reliable Contributor David1111
Reliable Contributor
Message 2 of 4

Re: Integration Suricata with McAfee SIEM

Hi,

Yes, it's going to work.

But first of all, quickly change the "Support Generic Syslog" field

from the chosen one to "Log Unknown Events".


After incoming events (mostly "unknown events", because there are no parser rules for that Data Source),

you will need to start writing parser rules for the different events.


Best regards.


Reliable Contributor sssyyy
Reliable Contributor
Message 3 of 4

Re: Integration Suricata with McAfee SIEM

Not working like you don't get any events? I'd check two things:

- Do a tcpdump against the source IP on the ERC to make sure events are hitting the ERC.

- Check iptables to make sure your ERC is configured correctly to accept incoming events on syslog port 514.
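The two replies above describe the two halves of the pipeline: events must first reach the receiver on the syslog port, and then, because the SIEM ships no parser for this data source, every line lands as an "unknown event" until a parser rule maps its fields. The added example below is not from the thread or from McAfee's or Suricata's own code; it frames a constructed Suricata alert line in RFC 3164 syslog the way Suricata's alert-syslog output does (local5/info are assumed to be the stock suricata.yaml values), delivers it over a UDP loopback socket standing in for the ERC listener (an ephemeral port is used instead of 514 so it runs without root), and then extracts the fields a parser rule would need: signature id, classification, priority, protocol and the address/port tuple. The sample log line, host name and tag are constructed.

```python
import re
import socket

# Constructed sample of Suricata's syslog/fast alert line format. Not an event from the post.
SAMPLE_ALERT = (
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.5:80 -> 198.51.100.7:51234"
)

# RFC 3164 envelope: <PRI>Mmm dd hh:mm:ss host tag: message (day is space-padded, e.g. "Jun  1").
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[^:\s]+):\s"
    r"(?P<msg>.*)$"
)

# Suricata alert body: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s+(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src_ip>[0-9a-fA-F.:]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[0-9a-fA-F.:]+):(?P<dst_port>\d+)$"
)


def build_syslog(hostname, message, facility=21, severity=6, tag="suricata"):
    """Frame an alert as a BSD syslog line. PRI = facility*8 + severity;
    facility 21 (local5) and severity 6 (info) are assumed to match suricata.yaml defaults."""
    pri = facility * 8 + severity
    ts = "Jun  1 12:34:56"  # constructed, fixed so the output is deterministic
    return f"<{pri}>{ts} {hostname} {tag}: {message}"


def parse_syslog(raw):
    """Strip the syslog envelope; this is the generic part the SIEM already understands."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"not a BSD syslog line: {raw!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def parse_alert(msg):
    """The device-specific part a parser rule has to supply. Returns None for lines
    that are not alerts, which is exactly what the SIEM logs as an 'unknown event'."""
    m = ALERT_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields


def loopback_roundtrip(raw, timeout=2.0):
    """Send raw over UDP to a listener on 127.0.0.1 (standing in for the ERC's 514/udp
    listener) and return what arrived. If nothing arrives within the timeout, the
    delivery path, not the parser, is the problem."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port: no root needed
        rx.settimeout(timeout)
        tx.sendto(raw.encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return data.decode()


def ingest(raw):
    """Per-line data source work: envelope first, then the Suricata parser."""
    envelope = parse_syslog(raw)
    return envelope, parse_alert(envelope["msg"])


if __name__ == "__main__":
    line = build_syslog("sensor01", SAMPLE_ALERT)
    envelope, fields = ingest(loopback_roundtrip(line))
    print(envelope)
    print(fields)
    # A non-alert line reaches the SIEM fine but yields no fields: an "unknown event".
    print(ingest(build_syslog("sensor01", "engine started"))[1])
```

Running the block with real traffic instead of the loopback is what the tcpdump check in the reply above confirms; the parser half is what still has to be written as rules inside the SIEM, and the dictionary `parse_alert` returns lists the fields those rules need to capture.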

Re: Integration Suricata with McAfee SIEM

Hi,

It is integrated, but we are getting garbage data since we will have to write the parser.

Suricata-01.PNG


Anyway, this is a limitation of McAfee SIEM which I would like to forward to the SIEM team so that they write a parser for Suricata logs. I wish to see it in the next upgraded version of SIEM.

Thank You!

Yours Sincerely,
Syed Irfan Naseer