cancel
Showing results for 
Search instead for 
Did you mean: 
aleksa
Level 7
Report Inappropriate Content
Message 1 of 9

MEF fields

Hi all,

is there any way to extend default field list that is suggested when You do field mapping with your custom table (view)? I need more string fields .

I successfully connected Oracle database with receiver and map fields from my view to fields that are exists in client (example: i have field SY_ACTION and I mapped it with suggested field Action etc.).

Thank You in advance,

Alex

8 Replies
xded
Level 12
Report Inappropriate Content
Message 2 of 9

Re: MEF fields

You can add custom Types  and after you adding this custom type you can these new custom type to your field mapping.

aleksa
Level 7
Report Inappropriate Content
Message 3 of 9

Re: MEF fields

Hi xded,

thank You for answer. Is there any way if You can describe me that procedure or point to literature? Where I can add custom type field?

Thank You in advance.

Best regards,

Alex.

xded
Level 12
Report Inappropriate Content
Message 4 of 9

Re: MEF fields

Sure i can =).

1. Go to the System Properties of the ESM

2. On the leftside of the new windows there is a menupoint called "Custom Types" click on it

3. Now you have two options. First there is a Custom Types for your need or ther is no one.

4. If is the last point correct than you can creat your own Custom Type with the add button.  In the porductguid of version 10 on the site 335

5. After that you should add this new custom type in the parser rule under field mapping or you can it via the + button

McAfee Employee andy777
McAfee Employee
Report Inappropriate Content
Message 5 of 9

Re: MEF fields

To expand on xded's well stated steps, you can have 10 custom fields per rule but they do overload other fields so if you're missing a field that you expect, go to System Properties | Custom Types and sort by Event Field. Note that you can only use one of any given field that shares an Event Field ID.

aleksa
Level 7
Report Inappropriate Content
Message 6 of 9

Re: MEF fields

Hi xded,

thank You for Your help. Now, I'm not using parser, I'm using MEF. Is it possible to have custom fields mapping on event collector?

Thank You in advance,

Alex.

Highlighted
xded
Level 12
Report Inappropriate Content
Message 7 of 9

Re: MEF fields

Hi Alex,

all logs must be parsed it make no matters that the receiver get this logs via MEF or Syslog. But you can't change the orig. Windows Parser.

aleksa
Level 7
Report Inappropriate Content
Message 8 of 9

Re: MEF fields

Thanks in prompt answer,

but I have field mapping in collector. Can I leave field mapping to <none>?

Best regards

McAfee Employee klance
McAfee Employee
Report Inappropriate Content
Message 9 of 9

Re: MEF fields

It might be simpler to change from MEF field mappings to syslog transmission and then generate custom rules.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community