Regis

SIEM collector for Linux 10.x documentation?

Greetings,

First, a hopefully easy one: where is the documentation on the configuration of the mcafee-siem-collector-10.x.rpm? As a hint I'll offer that I couldn't find any under the documentation tab of the MFE SIEM Collector 10.0.2 (w/Linux Collector) download page under the product Event Receiver. Unfortunately, there I could only find release notes that speak only to the Windows version.

Second, will the collector agent allow me to collect web server logs that are brought over to a Linux box via cron and scp periodically? E.g. Linux box A scp's at intervals to several web servers remotely to bring logs to A in various directories (one directory per web server), and then the collector is configured to look for a regex of log file names in various directories, one directory per web server? Each source with a unique tag? I saw documentation of a prior version indicating that logfile tailing was the only thing supported, and what I'm trying to do really isn't logfile tailing at all; it's more "pick up new log files as they're deposited."

These are web server logs from a linux web server variant that doesn't have a syslog option that I'm aware of.

Thanks for any insights on how you've managed similar logs.

4 Replies

Re: SIEM collector for Linux 10.x documentation?

I'm looking for the same information. Has anyone located the configuration documentation?

penoffd

Re: SIEM collector for Linux 10.x documentation?

Good luck with this.  I've been trying to find it for several years.  I don't think it exists anymore.

Re: SIEM collector for Linux 10.x documentation?

This is a bit older, from the Linux Agent 9.1.1 days, but it's the last time I recall any specific documentation around the Linux SIEM agent. The configuration has not changed too much from what I can tell between our 10.x installs and this; hopefully it will help.

McAfee Linux Event Collector 9.1.3 provides you with the capability to add a local agent to your system to push several types of data to the McAfee Event Receiver.

The installer is available by calling McAfee Support at 800-937-2237.

-------------------------

Supported Versions

Ubuntu 10.04 Uses mcafee-linux-event-collector_9.1.1.0-358_1004_amd64.deb

Ubuntu 12.04 Uses mcafee-linux-event-collector_9.1.1.0-358_1204_amd64.deb

Redhat 5.8  Uses mcafee-linux-event-collector_9.1.1.0-358.el5.x86_64.rpm

Redhat 6.2  Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm 

Fedora 16   Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm

Suse 11   Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm

------------------------- 

Installing the Agent

Run the installer by double-clicking the .deb or .rpm from the GUI, or from the command line using rpm -i package.rpm for rpm and dpkg -i package.deb for deb.

End-User License is here:

  /usr/share/doc/mcafee/EULA McAfee - Corporate-August 2010.rtf

-------------------------

Configuring the Agent

To date filetail is the only plugin "type" that is supported, but you can have as many filetail sections as you want.

The file to be tailed must be on the local system not a mounted file.

The path to your conf file is below; you can change the default path of the conf file by changing the path in the init script.

  /etc/mcafee/mcafee_event_collector.conf

bookmark_dir= The directory where the bookmark file is saved; it is configurable.

debug_level= The level of debug output by the collector; options are error, info, warning, and debug.

log_path= The directory where the log is written.

sleep= If a file has not been modified since the agent was last shut down, on startup the agent will put the file in a watch list and check on it from time to time. If there are files in the watch list, the agent will check them every x seconds.

inactive_sleep= If there are no files in the watch list, the agent will sleep y seconds before waking and checking for files in the watch list.

rec_ip= The IP of the receiver to send events to.

rec_port= The port the receiver is listening on.

rec_encrypt= Changing this value enables or disables encryption: 0=off, 1=on.

type= The plugin type. (To date filetail is the only plugin "type" that is supported, but you can have as many filetail sections as you want.)

subtype = A subtype of the plugin. (To date big_fix is the only subtype that is supported.) big_fix logs have a date at the top of the file; with this subtype option, the agent takes that date and adds it to the beginning of each event.

hostid = Put a value here if you would like to use a Host ID on the receiver.

ft_dir = Directory where the plugin will look for files to tail.

ft_filter = Filter for which file to tail, e.g. messages or log.*

ft_delim = Delimiter for the collector to know when a new event has happened, e.g. <newline>, <space>, <tab>. Regular expressions are also supported.

ft_delim_end_of_event = Whether the delimiter is at the beginning or the end of the event: 0=beginning, 1=end. Default is 1.

ft_start_top = This tells the agent to start at the top of the file: 0=no, 1=yes.

See the example configuration file at the bottom of this document.

-------------------------

Running the Agent

Once you have completed editing the file, restart your Event Collector service with this command:

  /etc/init.d/mcafee_event_collector restart or

  service mcafee_event_collector restart

  start and stop are also options.

  You can also run the agent manually; run /usr/bin/event_collector -h to see your options.

  To enable auto learning for the agent, run event_collector manually from the command line with the -a option.

-------------------------

Example Configuration File with two filetail sections with one using a hostid. 

##############
# Collector
##############
bookmark_dir=/var/lib/mcafee/bookmark
debug_level=error
log_path=/var/log/mcafee/event_collector.log
sleep=5
inactive_sleep=300

##############
#       Receiver
##############
rec_ip=172.18.3.54
rec_port=8081
rec_encrypt=0

##############
#       Plugin
##############
type=filetail
hostid=
ft_dir=/apps/Something/log
ft_filter=something.log
ft_delim=<newline>
ft_delim_end_of_event=1
ft_start_top=1

type=filetail
hostid=
ft_dir=/apps/something/logs/
ft_filter=someaccess.log
ft_delim=<newline>
ft_start_top=1

-------------------------

Re: SIEM collector for Linux 10.x documentation?

Hi.

I think the branch is not dead yet ))

I decided the other day to put SIEM Collector on the Linux OS RedHat, in order to collect the events generated by the auditd service, which are written to /var/log/audit/audit.log.

But I did not get the events in the ESM.

##############
# Collector
##############
bookmark_dir=/var/lib/mcafee/bookmark
debug_level=debug
log_path=/var/log/mcafee/siem_collector.log
sleep=5
throttle=300

##############
#       Receiver
##############
rec_ip=192.168.xxx.xx
rec_port=8081
rec_encrypt=0

##############
#       Plugin
##############
type=filetail
subtype=big_fix
hostid=messages
ft_dir=/var/log/audit
ft_filter=audit.*
ft_delim=[newline]
ft_delim_end_of_event=1
ft_start_top=1

Ping passes, iptables is off.

Port 8081 is open on the receiver.

Here are the Data Source settings (attachment: Data Source.jpg).

What might be configured incorrectly?
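A small checker for this flat key=value format, written for this thread and not part of McAfee's collector or its documentation: it reads the file the way the 9.1.x notes above describe it (global settings, then one plugin section per type= line) and flags keys outside the documented list, a missing receiver address or port, a non-absolute ft_dir, and an ft_delim that is neither one of the named tokens nor a valid regular expression; a bracketed token such as [newline] gets its own finding because every common regex engine reads it as a character class rather than as a line delimiter. Key names and tokens are taken from the quoted notes; the sample config is constructed and does not come from the thread.

```python
import re

# Keys and delimiter tokens as documented in the 9.1.x notes quoted in this thread.
GLOBAL_KEYS = {"bookmark_dir", "debug_level", "log_path", "sleep", "inactive_sleep",
               "rec_ip", "rec_port", "rec_encrypt"}
PLUGIN_KEYS = {"type", "subtype", "hostid", "ft_dir", "ft_filter", "ft_delim",
               "ft_delim_end_of_event", "ft_start_top"}
NAMED_DELIMS = {"<newline>", "<space>", "<tab>"}  # anything else is read as a regex

# Constructed sample (not from the thread): one filetail plugin with a bracketed delimiter.
SAMPLE = "rec_ip=192.0.2.10\nrec_port=8081\ntype=filetail\nft_dir=/var/log/audit\nft_filter=audit.*\nft_delim=[newline]\n"

def parse_collector_conf(text):
    """Flat key=value file: globals first, then one plugin section per 'type=' line."""
    settings, plugins = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "type":
            plugins.append({"type": value})
        elif plugins and key in PLUGIN_KEYS:
            plugins[-1][key] = value
        else:
            settings[key] = value
    return settings, plugins

def check_collector_conf(text):
    """Return findings against the documented shape; an empty list means nothing looks off."""
    settings, plugins = parse_collector_conf(text)
    findings = [f"unknown global key {k!r}" for k in settings if k not in GLOBAL_KEYS]
    findings += [f"missing receiver key {k!r}" for k in ("rec_ip", "rec_port") if k not in settings]
    for n, p in enumerate(plugins, 1):
        if p["type"] != "filetail":
            findings.append(f"plugin {n}: type {p['type']!r} is not the supported 'filetail'")
        if not p.get("ft_dir", "").startswith("/"):
            findings.append(f"plugin {n}: ft_dir must be an absolute local path")
        delim = p.get("ft_delim")
        if delim is None:
            findings.append(f"plugin {n}: ft_delim is missing")
        elif delim not in NAMED_DELIMS:
            try:
                re.compile(delim)
            except re.error:
                findings.append(f"plugin {n}: ft_delim {delim!r} is neither a named token nor a valid regex")
            else:
                if re.fullmatch(r"\[\w+\]", delim):
                    findings.append(f"plugin {n}: ft_delim {delim!r} is a regex character class, not a named token")
    return findings
```

Run check_collector_conf on the text of /etc/mcafee/mcafee_event_collector.conf before restarting the service; an empty list only means the file matches the documented shape, not that the receiver is reachable.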