layer0

Parsing WMI Events

Hello

I would like to know if it is possible to customize the parsing of WMI events in SIEM?

Thanks

Accepted Solution

Re: Parsing WMI Events

I have not tried it yet, but if you want to use a custom parser with a WMI log source then you must use McAfee SIEM Collector management instead of a WMI data source. So you can add Windows Event Log - CEF (ASP) with support for generic syslog and Data Retrieval MEF. As far as I know, the McAfee SIEM Collector Agent supports all Windows log types such as: application, security, system, Microsoft-Windows-???

4 Replies

Re: Parsing WMI Events

Yes, it is possible and quite easy to create. All you need to know is regular expressions. Then change the type of your data source to generic syslog instead of the default parsing.

Re: Parsing WMI Events

Hi,

For now we can only create parsers for syslog; WMI parsers are code-based parsers, so you need to raise a PER ticket with McAfee along with your log sample, and then in the next SIEM upgrade they will include your parsers.

Regards,

Vinaya

Re: Parsing WMI Events

Hi Streamer,

Yes, we can use Windows Event Log - CEF (ASP) to collect Windows events via syslog, but as Windows by default doesn't generate syslog events you need to use a tool such as Snare to forward your Windows events via syslog. In my experience most customers opt not to use Snare as it's an open source tool. You can give it a try though.

Regards,

Vinaya
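The regex-based custom parsing discussed in this thread (a generic syslog data source receiving Windows events in CEF form) as an added example written for this page; it is not code from the thread, from McAfee's ASP parser or from Snare. It applies the CEF header and key=value extension rules to a constructed sample line; the sample event, vendor/product strings and extension keys are assumed for illustration.

```python
import re
# Constructed sample: one Windows failed-logon event as it might arrive over
# syslog in CEF form. Vendor, product and extension names are illustrative.
SAMPLE = ("<13>Jan 10 12:00:01 winhost CEF:0|Microsoft|Windows|6.3|4625|"
          "An account failed to log on|5|suser=jdoe shost=WS-01 "
          "src=10.0.0.5 msg=Bad password\\=tried\\|twice outcome=Failure")

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
CEF_START = re.compile(r"CEF:(?P<cef_version>\d+)\|")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")   # start of an unescaped key=value pair

def _split_header(rest):
    """Return the six pipe-delimited header fields and the remaining extension.
    A backslash escapes the next character, so '\\|' inside a field is a literal pipe."""
    fields, buf, i = [], [], 0
    while i < len(rest) and len(fields) < 6:
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):
            buf.append(rest[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, rest[i:]

def _unescape(value):
    # CEF escapes '=' and '\' in extension values; \n and \r denote line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    """Split 'k1=v1 k2=v two' into a dict; a value runs until the next unescaped key."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[k.group(1)] = _unescape(ext[k.end():end]).strip()
    return out

def parse_cef(line):
    """Parse a syslog line carrying a CEF record; return None if it is not valid CEF."""
    m = CEF_START.search(line)
    if not m:
        return None
    header, ext = _split_header(line[m.end():])
    if len(header) != 6:
        return None                      # malformed header: do not guess field positions
    event = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = m.group("cef_version")
    event["ext"] = _parse_extension(ext)
    return event
```

A line that is not CEF (or has a short header) returns None rather than a partially filled event, so a SIEM rule built on `signature_id` never fires on mis-parsed fields.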
