paul.k
Level 10

Reading EVTX files with SIEM collector (Need Help)


Ladies and Gents,

I have been trying to get McAfee SIEM Collector to read an EVTX file that is an aggregate of all of my endpoint logs being collected on a Win 2012 server.

The agent sees the file, makes one pull and then stops, with the DEBUG file saying there are no new events to be written.

I monitored the plugins folder and I see the file being copied over and compared.

I also can force a log pull by just deleting the bookmark file.

I opened a support case to be told that the agent only looks at the file name to determine if there is new data in the file.

I HAVE TO CALL BS on that one!!!

Sample config

Specs:

ESM 9.6.1

Agent: 11 latest build

Has anyone gotten around this glitch?

If you used a 3rd party agent, which one did you use? I don't mind using a CEF converter, or even SNARE.

Thank You and Regards

1 Solution

Accepted Solutions
klance
Level 8

Re: Reading EVTX files with SIEM collector (Need Help)


Instead of generating an .evtx file, could you just set up Windows Event Forwarding to your 2012 server? If you did, you could set the SIEM Collector to read the ForwardedEvents log with the WEF events checkbox set so that it will split out your events by hostname.

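The accepted answer suggests forwarding endpoint events to the 2012 server with Windows Event Forwarding and pointing the SIEM Collector at the ForwardedEvents log instead of a hand-built .evtx file. The following is an added example, not code from the thread or from McAfee, showing the collector-side setup on Windows Server 2012 with the built-in winrm and wecutil tools, and a check that ForwardedEvents is filling and that each event still carries its source hostname (the field the "WEF events" option relies on to split the stream). The subscription name, description and event ID selection are assumptions; the clients themselves still need the "Configure target Subscription Manager" group policy pointed at this host.

```powershell
# Added example: collector-side WEF setup for the approach in the accepted answer.
# Assumed values: subscription name, description and the Security event IDs selected.

# 1. Enable WinRM and the Windows Event Collector service (both ship with Windows).
winrm quickconfig -q
wecutil qc /q

# 2. Source-initiated subscription: domain members opt in through the
#    "Configure target Subscription Manager" policy, so no per-host credentials
#    are stored on the collector.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>SIEM-Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events from domain endpoints for the SIEM Collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$path = Join-Path $env:TEMP 'siem-security-logons.xml'
Set-Content -Path $path -Value $subscription -Encoding ASCII

# 3. Register the subscription and confirm the collector accepted it.
wecutil cs $path
wecutil gs SIEM-Security-Logons      # configuration as stored
wecutil gr SIEM-Security-Logons      # runtime status: which sources have checked in

# 4. Verify ForwardedEvents is receiving data and that the originating hostname
#    survives forwarding, one count per source machine.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents' } -MaxEvents 500 |
    Group-Object MachineName |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

ContentFormat is set to RenderedText so the forwarded record includes the rendered message text rather than only the raw XML, which is what a parser expecting normal event-log output will look for. The SDDL in AllowedSourceDomainComputers grants the Domain Computers and Domain Controllers groups permission to forward; tighten it to a dedicated group if only a subset of hosts should report. Because WEF writes directly into a live channel on the collector, the SIEM Collector reads it like any other local event log, so the one-pull-then-stop behaviour described for the exported .evtx file does not come into play.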
2 Replies
sssyyy
Level 12

Re: Reading EVTX files with SIEM collector (Need Help)


Agree. Also, what version of 11 are you using? Hopefully the agent is able to access the .evtx while another process locks it to write to it.
