paul.k (Level 10)
Message 1 of 3

Reading EVTX files with SIEM collector (Need Help)

Ladies and Gents,

I have been trying to get the McAfee SIEM Collector to read an EVTX file that is an aggregate of all of my endpoint logs being collected on a Windows 2012 server.

The agent sees the file, makes one pull and then stops, with the DEBUG file saying there are no new events to be written.

I monitored the plugins folder and I see the file being copied over and compared.

I can also force a log pull just by deleting the bookmark file.

I opened a support case, only to be told that the agent only looks at the file name to determine whether there is new data in the file.

I HAVE TO CALL BS on that one!!!

Sample config

Specs:

ESM 9.6.1

Agent: 11, latest build

Has anyone gotten around this glitch?

If you used a 3rd-party agent, which one did you use? I don't mind using a CEF converter, or even SNARE.

Thank You and Regards

Accepted Solution
klance (McAfee Employee)
Message 2 of 3

Re: Reading EVTX files with SIEM collector (Need Help)

Instead of generating an .evtx file, could you just set up Windows Event Forwarding to your 2012 server? If you did, you could set the SIEM Collector to read the ForwardedEvents log with the WEF events checkbox set so that it will split out your events by hostname.

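The Windows Event Forwarding setup klance describes, written out as an added example; this is not code from the thread, from McAfee, or from the SIEM Collector product. The collector FQDN (`siem-wef.example.com`), the subscription name `EndpointSecurity`, and the event IDs selected (4624, 4625, 4688) are assumptions chosen for illustration; substitute your own. The first part runs on the 2012 server, the middle part on each endpoint (or is delivered by the "Configure target Subscription Manager" Group Policy setting), and the last part verifies on the server that forwarded events keep the source hostname, which is what the "WEF events" checkbox relies on to split them.

```powershell
# Added example, not code from the thread or from McAfee. Sets up a
# source-initiated WEF subscription so endpoints push events into the
# 2012 server's ForwardedEvents log, which the SIEM Collector then reads.
# Assumptions: $collector (server FQDN), subscription name EndpointSecurity,
# and the sample event IDs in the query.

$collector = 'siem-wef.example.com'   # assumption: your 2012 server's FQDN

# --- On the collector (2012 server): enable the Windows Event Collector service.
wecutil qc /q

# Subscription definition. The SDDL in AllowedSourceDomainComputers grants
# the Domain Computers group (alias DC) permission to forward.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>EndpointSecurity</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Endpoint Security events for the SIEM Collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'EndpointSecurity.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath

# --- On each endpoint. The registry value below is exactly what the GPO
# "Configure target Subscription Manager" writes; use the GPO at scale.
winrm quickconfig -q
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' `
    -Value "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# The forwarder runs as NETWORK SERVICE, which needs rights to read the Security log.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
Restart-Service WinRM

# --- Back on the collector: confirm sources have checked in, and that each
# forwarded record still carries the originating host in MachineName.
wecutil gr EndpointSecurity
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName
```

Once `wecutil gr` lists the endpoints as Active and `Get-WinEvent` shows events with distinct `MachineName` values, point the SIEM Collector at the ForwardedEvents log with the WEF events checkbox set; there is no .evtx file, bookmark, or file-name check involved, because the collector reads the live channel rather than a static export.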
2 Replies
sssyyy (Reliable Contributor)
Message 3 of 3

Re: Reading EVTX files with SIEM collector (Need Help)

Agree. Also, what version of 11 are you using? Hopefully the agent is able to access the .evtx while another process locks it to write to it.
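The file-locking concern sssyyy raises comes down to Windows share modes: a reader can only open a file another process holds for writing if the reader's own FileShare mode tolerates that writer's access. The following added example (not code from the thread) reproduces both outcomes against a scratch file under %TEMP%, which is an assumption; it is a generic Win32/.NET sharing demonstration, not a statement about how the SIEM Collector or the Event Log service open files.

```powershell
# Added example, not code from the thread. A writer keeps a file open with
# Write access; two readers then try to open it with different share modes.
# Scratch file path and placeholder bytes are constructed for the demo.
$path = Join-Path $env:TEMP 'locktest.evtx'
[System.IO.File]::WriteAllBytes($path, [byte[]](1..16))   # constructed placeholder content

function Test-SharedOpen {
    param([string]$Label, [System.IO.FileShare]$Share)
    try {
        $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, $Share)
        $fs.Dispose()
        "${Label}: opened (share=$Share)"
    } catch {
        # A sharing violation surfaces as an IOException from File.Open
        "${Label}: failed (share=$Share): $($_.Exception.GetBaseException().Message)"
    }
}

# Writer: ReadWrite access, and it permits other handles to read only.
$writer = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read)
try {
    # Reader 1 shares only Read, so it refuses to coexist with the writer's
    # Write access and fails with a sharing violation.
    Test-SharedOpen -Label 'reader 1' -Share Read
    # Reader 2 shares ReadWrite, tolerates the live writer, and succeeds.
    # A log collector that tails files a service is still writing needs this mode.
    Test-SharedOpen -Label 'reader 2' -Share ReadWrite
} finally {
    $writer.Dispose()
    Remove-Item $path -ErrorAction SilentlyContinue
}
```

Run it in a normal PowerShell session; reader 1 reports a failure and reader 2 reports success. If an agent's debug log shows it cannot open a file that another process is writing, this is the first thing to check, and it is independent of whether the file's name or bookmark has changed.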
