socgt
Level 8
Message 1 of 7

Reports in Mcafee ESM

Hello ,

I am trying to configure a number of reports on the McAfee ESM and need suggestions on it.

1) Expected Host/Log Source Not Reporting

    All systems / devices whose source is not sending events

2) Log volume trend over days

    Trend of all logs of all systems

Can anybody please suggest what queries should be configured?

Thanks

6 Replies
paul.k
Level 10
Message 2 of 7

Re: Reports in Mcafee ESM

Socgt,

1) For your first one there is a built-in report at the ESM level that will give you a list of all devices sorted by the last time they sent an event.

ESM Properties--> System Information-->View Reports-->Event time-->Export to CSV

2) The second is a bit tougher; it will depend on the granularity.

     I would use a distribution stacked by device type, with baseline enabled. It will give you a very good feel for the volume in your environment.

     There are also just dials with baseline that will tell you your total volume for the time period.

Good luck

socgt
Level 8
Message 3 of 7

Re: Reports in Mcafee ESM

Hello

Thanks for the suggestion.

Could you please tell me how to implement 'distribution stacked by device type, with baseline enabled'.

Thanks

paul.k
Level 10
Message 4 of 7

Re: Reports in Mcafee ESM

See my other reply.

Re: Reports in Mcafee ESM

Hi Socgt,

I am also trying to implement a distribution stacked by device type, with baseline enabled.

Kindly let me know how I can implement it.

socgt
Level 8
Message 6 of 7

Re: Reports in Mcafee ESM

Hello,

I am also trying to make a report with a 'Bar Chart' that can display top 20 data sources that have generated a particular event.

Any suggestions?

Thanks

paul.k
Level 10
Message 7 of 7

Re: Reports in Mcafee ESM

Gents,

For the distributions, just create a new view, drop in a distribution element, select distribution, click next, click stacking and type in device type id.

Done.

Just set the time period.

This is best I can do here.

Now for socgt: you want to know if a data source did something, which is a bit tough. The only bar chart I know of that lists device id is collection rate. If that works for you, then you can just filter that down for the event id that you need.

Now, depending on the data source, you may be capturing a field that is a unique identifier for that data source (hostname, ext_device, etc.). You can just create a bar chart for that field and filter it by that sig id.

Regards,
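The three reports asked for in this thread (silent log sources, daily log volume trend, and top-N data sources for one signature id) are simple aggregations once the event data is exported. The following is an added example, not code from the original thread or from McAfee; it runs over a constructed CSV (columns `device`, `timestamp`, `sig_id` are assumptions, as are the device names and the `sig-...` identifiers) of the kind the "Event time --> Export to CSV" report above might produce. It also takes an expected-device list so that a source that has never sent anything, and therefore never appears in the export, is still flagged.

```python
"""Silent-source check, daily volume trend and top-N sources per signature,
computed from a constructed ESM-style CSV export (added example)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export; column names, hosts and sig ids are assumptions.
SAMPLE_CSV = """\
device,timestamp,sig_id
fw-edge-01,2023-05-01T08:00:00,sig-1001
fw-edge-01,2023-05-02T09:30:00,sig-1001
dc-01,2023-05-01T10:00:00,sig-2002
dc-01,2023-05-02T11:00:00,sig-2002
dc-01,2023-05-03T07:15:00,sig-2002
proxy-01,2023-04-20T12:00:00,sig-1001
web-01,2023-05-03T06:00:00,sig-1001
web-01,2023-05-03T06:05:00,sig-1001
"""

# Devices the SOC expects to hear from; vpn-01 sends nothing in the sample.
EXPECTED_DEVICES = ["fw-edge-01", "dc-01", "proxy-01", "web-01", "vpn-01"]


def parse_export(text):
    """Turn the CSV text into a list of dicts with a parsed timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": rec["device"],
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "sig_id": rec["sig_id"],
        })
    return rows


def silent_sources(rows, expected, now, max_silence):
    """Report 1: expected devices whose last event is older than max_silence,
    plus expected devices with no event at all."""
    last_seen = {}
    for r in rows:
        if r["device"] not in last_seen or r["ts"] > last_seen[r["device"]]:
            last_seen[r["device"]] = r["ts"]
    silent = []
    for dev in expected:
        last = last_seen.get(dev)
        if last is None or now - last > max_silence:
            silent.append(dev)
    return sorted(silent)


def daily_volume(rows):
    """Report 2: event count per calendar day, oldest day first."""
    counts = Counter(r["ts"].date().isoformat() for r in rows)
    return dict(sorted(counts.items()))


def top_sources_for_sig(rows, sig_id, n=20):
    """Report 3: the n data sources that generated sig_id most often."""
    counts = Counter(r["device"] for r in rows if r["sig_id"] == sig_id)
    return counts.most_common(n)


def run_checks(now=datetime(2023, 5, 3, 12, 0, 0), max_silence=timedelta(hours=24)):
    """Run all three reports over the sample export and return the results."""
    rows = parse_export(SAMPLE_CSV)
    return {
        "silent": silent_sources(rows, EXPECTED_DEVICES, now, max_silence),
        "daily": daily_volume(rows),
        "top_sig_1001": top_sources_for_sig(rows, "sig-1001", n=20),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The silence threshold should be set per device class rather than globally: a firewall that goes quiet for an hour is a different problem from a quarterly-patched appliance that is quiet for a day, which is why the function takes the threshold as a parameter instead of hard-coding one.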
