
McAfee SIEM Collector Agent - EVT file read

Hi,

I found this configuration option in the agent menu, but I can't make it work fine. In theory this is reading logs directly from the .evt file, not from the Windows eventing API. But I get this message in debug mode:

<131>1 febr. 18 14:43:43 10.35.176.155 McAfeeEventCollector: ERROR 1 GetData Failed to load bookmark: Could not find a part of the path 'C:\Windows\System32\winevt\Logs'.

   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

   at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption)

   at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption)

   at McAfee.EventCollector.WindowsEVTPlugin.Plugin.GetData(Nullable`1& eventData)

I'm using domain admin credentials.

winevt.png

Thank you,

Peter

3 Replies

Re: McAfee SIEM Collector Agent - EVT file read

Peter,

What type of data source are you trying to configure? Also, verify you have the correct directory where the server stores its logs.

Re: McAfee SIEM Collector Agent - EVT file read

McGary,

What do you mean? It's a Windows data source. The problem is, I need to monitor a specific RDP session event that is logged to this specific .evt file. This message is not included in the Security, System or Application logs.

zlob

Re: McAfee SIEM Collector Agent - EVT file read

I tried local admin, same error. For a test I copied the events file to another directory - all works fine.

Event files are locked by the process.

You can copy them, then take the logs (((
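The last reply's workaround (read a copy of the log file rather than the live one held open by the Event Log service) can be scripted. The following PowerShell is an added example, not code from the thread or from McAfee: it first checks that the log directory is visible to the running process, then exports the channel with wevtutil instead of copying the locked file, and reads the export with Get-WinEvent the way a file-based collector would. The channel name (TerminalServices-LocalSessionManager Operational), the event ID 21 for a session logon, and the staging directory are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): check the event log directory, export the
# channel the collector cannot read, and read the exported copy.
# Assumptions: RDP session events are in the TerminalServices-LocalSessionManager
# Operational channel, event ID 21 is "session logon succeeded", and the staging
# directory below is writable by the account running this script.
param(
    [string]$LogDir   = 'C:\Windows\System32\winevt\Logs',
    [string]$Channel  = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    [string]$Staging  = 'C:\ProgramData\evt-staging',   # assumed staging directory
    [int[]] $EventIds = @(21)                            # assumed: 21 = session logon succeeded
)

# 1. Is the directory visible from this process? On 64-bit Windows a 32-bit process
#    sees System32 redirected to SysWOW64 (WOW64 file system redirection), so report
#    the bitness before attributing a path-not-found error to permissions.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    Write-Warning "32-bit process on 64-bit Windows: '$LogDir' is subject to file system redirection"
}
if (-not (Test-Path -LiteralPath $LogDir)) {
    throw "Log directory not found: $LogDir"
}
Write-Host ("Log files in {0}: {1}" -f $LogDir, (Get-ChildItem -LiteralPath $LogDir -Filter *.evtx).Count)

# 2. The live .evtx files are held open by the Event Log service, so instead of
#    copying the file directly, export the channel into the staging directory.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
$exportName = ($Channel -replace '[\\/]', '-') + '.evtx'
$exportPath = Join-Path $Staging $exportName
if (Test-Path -LiteralPath $exportPath) { Remove-Item -LiteralPath $exportPath -Force }
& wevtutil.exe epl $Channel $exportPath
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# 3. Read the exported file the way a file-based collector would, keeping only the
#    session events of interest.
Get-WinEvent -Path $exportPath -ErrorAction Stop |
    Where-Object { $EventIds -contains $_.Id } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated session (reading operational channels needs at least Event Log Readers rights). `wevtutil epl` produces a consistent snapshot of the channel, which is safer than copying a file the service is still writing to; the export can then be pointed at by the collector's file path setting or re-run on a schedule.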