
McAfee IPS integration problem

I have integrated McAfee IPS (Network Security Manager) with my McAfee ESM. But it does not display events with different categories. ESM displays all the logs in one row with one category name. Please let me know, is there any integration problem with ESM? How can I integrate properly with ESM?

I really appreciate your support, gentlemen.

5 Replies

Re: McAfee IPS integration problem

There was an old version of the NSM parser that worked this way, but it should no longer be the case with the current parser.  You should verify the following:

  • Ensure you are using the proper parser. 
    • If you are pulling events via syslog, the parser is "Network Security Manager (ASP)". 
    • If you are using the SQL Pull method of retrieving events from NSP, you should have your NSP defined as a "device", not a "data source" (select ESM, then click the button for "Add Device" and select "McAfee Network Security Manager").

  • Ensure you have the latest rules downloaded and rolled out to your Receivers.

Scott

Re: McAfee IPS integration problem

hi Scott,

thank you for your reply.

I have updated the rules and rolled them out to the devices, but I am still receiving the same. I am getting only one category, as shown in the screenshot I attached below. I have also attached the IPS settings for your information. Please let me know what I have to do to parse McAfee IPS logs properly.

Thank you,

Chandimal.k

McAfee-IPS-02.png

McAfee-IPS-01.png

Re: McAfee IPS integration problem

It's not entirely clear what the problem is here.  The events you are seeing here do not look at all like events that would come from NSP.  Since you have configured the NSP parser to receive via syslog, have you configured your NSM to send events to the ESM via syslog?  You might have best results contacting McAfee Support for assistance.

Scott

Re: McAfee IPS integration problem

I have integrated McAfee IPS with ESM with the help of the McAfee SIEM Technical Support team. If anyone wants to integrate McAfee IPS, add this as a device, not as a data source. You have to follow the steps below to get the max.

  1. First upgrade the ESM to a supported version (either 9.2.2 or 9.3.1).
  2. Make sure McAfee NSM is on a supported version (7.1.3 or later).
  3. You must run the NSM Configuration Utility on the server running the NSM MySQL. For your reference, please find the link to the same below.

     http://kc.mcafee.com/agent/index?page=content&id=KB77091
  4. Add McAfee NSM as a device on ESM, and test the SQL root user connectivity and NSM admin connectivity.

This will enable automatically adding the child sensors which are configured with NSM.

All the Best,

bperez

Re: McAfee IPS integration problem

To configure the NSM in the SIEM, you must prepare the MySQL database to accept connections from the Receiver IP address. Here are the commands:

Assuming that scenario:

SIEM Receiver IP: 192.168.100.1

NSM Manager IP: 192.168.100.2

User to access the NSM database from SIEM: siem pass: siempass (you must change without special characters)

A) Access the Windows system on the NSM Manager and run the following commands:

  • C:\Program Files (x86)\McAfee\Network Security Manager\MySQL\bin>mysql --user=root mysql -p (asks for the root password)
  • Add a MySQL user to read the lf database from the SIEM IP address: create user 'siem'@'192.168.100.1' identified by 'siempass';
  • Grant permissions on the lf table to the siem user: grant select on lf.* to 'siem'@'192.168.100.1';

B) Create a new device in NSM:

Capture.JPG

Capture2.JPG

Capture3.JPG

Capture4.JPG

Now you are getting connected with NSM and SIEM.
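
The account setup from step A, followed by checks that the SIEM account ended up read-only and bound to the Receiver address. This is an added example, not part of the original posts; it reuses the thread's sample values (192.168.100.1, siem, siempass, the lf database), and the verification queries assume the standard MySQL grant tables mysql.user and mysql.db.

```sql
-- Run in the mysql client on the NSM Manager, logged in as root.
-- Sample values from the thread's scenario; use your own Receiver IP and password.
CREATE USER 'siem'@'192.168.100.1' IDENTIFIED BY 'siempass';
GRANT SELECT ON lf.* TO 'siem'@'192.168.100.1';

-- Check 1: the effective grants.
-- Expect only USAGE on *.* and SELECT on `lf`.*; anything else is excess privilege.
SHOW GRANTS FOR 'siem'@'192.168.100.1';

-- Check 2: the account exists for the Receiver address only.
-- A row with Host = '%' (or any other host) means the same user name
-- can log in from somewhere other than the Receiver.
SELECT User, Host
FROM mysql.user
WHERE User = 'siem';

-- Check 3: no global privileges. Every column should be 'N'.
SELECT User, Host,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Grant_priv, Super_priv, File_priv
FROM mysql.user
WHERE User = 'siem';

-- Check 4: database-level privileges.
-- Expect a single row for Db = 'lf' with Select_priv = 'Y' and the rest 'N'.
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE User = 'siem';
```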