
Parent-Client datasources via SIEM Collector 11

Hi all,

I was wondering if Parent-Client datasources can be used for SIEM collector 11 datasources?

Under my receiver I would create a parent datasource called WINDOWS_COLLECTOR_EVENTLOG with the following settings:

1.png

The design would be to add all servers under WINDOWS_COLLECTOR_EVENTLOG, and if the server has multiple roles it will also be added to, for example, parent data source WINDOWS_COLLECTOR_DHCP, this to catch if there are multiple types of datasources from 1 host. Our SIEM consultant told us that we could use non-routable IP addresses for parent data sources, so that's how we're currently setting things up.

Then at the clients tab I would like to add multiple servers, but to test I started with 1 data source:

2.png

For reference, the config on the server itself for the collector:

3.png

When it is added like this it's not working. When I work without the fictional IP on the parent (so just add it as a plain data source) it does work. What am I doing wrong to add collector sources as a client data source?

I tried leaving the host blank in the parent source but that also doesn't seem to help. Can I work only with parent client if this server does all the event collection for all servers?

Thanks,

Nicolas

btkarp

Re: Parent-Client datasources via SIEM Collector 11

I think you want the Parent / Client relationship instead of the Parent / Child. The Parent / Child setup still counts against your overall allowed number of data sources on the Event Receiver, while the Parent / Client does not.

The way I have set up my environments is as such:

Parent: Logcollection-wmi (using the WMI / MEF parent data source profile)

Clients: All of my wmi logs from all of my hosts report here. Example below.

Hostname: SERVERA-WMI

IP: Server A IP Address

Host ID: ServerA-wmi

--------------------------------------------------------------------------

Parent: Logcollection-iis (using the IIS / MEF parent data source profile)

Clients: All IIS related logs report to this parent. Example below.

Hostname: SERVERA-IIS

IP: ServerA IP Address

Host ID: ServerA-iis

So, Server-A has two separate SIEM data source profiles it sends logs to - IIS and WMI. Hope this makes sense or helps you figure out your issue.
