zakhter
Level 8

Siem Collector v11

Hi All,

Has anyone setup collection for DHCP and DNS using Collector v11 while at SIEM 9.5.2 MR9?

Collector v10 setup along with .Net, has worked without any issue but v11 has never worked.

Please share your experience if it has worked and if there is additional setup has to be done.

Regards,

Zahid

0 Kudos
11 Replies
btkarp
Level 9

Re: Siem Collector v11

@zakhter what does your log file tell you is happening? Does the agent collect for any period of time before failing? If the agent service fails almost immediately after being restarted, it is a known issue. If you contact McAfee Support they can provide you with a beta workaround copy (I believe this is just a temporary version until a final update can be released).

0 Kudos
zakhter
Level 8

Re: Siem Collector v11

Thanks for your reply.

Old install stopped after rebooting the server and McAfee support is not able to resolve it as of yet.

New install is not working - tcpdump is indicating incoming traffic but no logs are getting parsed.

0 Kudos
btkarp
Level 9

Re: Siem Collector v11

I am certainly not a McAfee Support engineer but in my experience if the logs are making it to the Event Receiver but are not parsing, it is usually because the logs are in a format that the parser is not expecting - I would start by investigating if you have the ability to adjust what fields are shown within the logs - I know for a similar issue we had for IIS logs, not all of the fields were selected which caused parser issues. I believe by default the Parsers assume the log file will contain all fields. If that still does not help and logs continue to be seen making it to the Event Receiver, I would turn on "Log Unknown Events" in the Data Source profile and see if you can get the logs to show up as "Unknown Events" in the UI.

Again, just running off the top of my head how I would begin troubleshooting - if you are working with Support already, I'm sure you are much further along in the investigation than what I have provided. Good luck!

0 Kudos
zakhter
Level 8

Re: Siem Collector v11

Thanks for all your feedback.

Not a big fan of the collector. Has anyone used another way to collect DNS and DHCP logs? Can any tweaks be done in WMI to collect these logs?

0 Kudos
hlckalana
Level 7

Re: Siem Collector v11

We installed the McAfee SIEM Collector agent v11 for getting logs from an Oracle database. We successfully installed the client, and we get connectivity up to the following step, but we can't get any logs to our SIEM. The debug file has been attached below. Any help on this issue will be appreciated.

commercial_crdit_issue.png

tcpdump is indicating incoming traffic but no logs are getting parsed.

0 Kudos
syed_rizvi
Level 10

Re: Siem Collector v11

To avoid the collector agent, you can use the 9.6 file tail function to pull DNS logs. You would need to share the logs via CIFS and ensure proper logging is enabled on the DNS server for the parser to work correctly. Here are the steps.

1. Configure DNS Server logging properties.

dns logs.jpg

2. Change the DNS Server logging location (default is system32\dns\) (optional, but recommended).

3. Share the folder where the logs are located and give the SIEM AD account read-only permissions.

4. Configure the data source and select the tail option.

dns logs2.jpg

Regards,

Syed

0 Kudos
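Steps 1 to 3 above scripted on the Windows DNS server, as an added example that is not part of Syed's post; step 4 is done in the ESM GUI. The log folder, share name and SIEM service account are assumed placeholder values.

```powershell
# Added example: script steps 1-3 of the file-tail approach on a Windows DNS server.
# Assumed values (not from the thread): log folder, share name, SIEM service account.
$LogDir   = 'D:\DnsLogs'
$Share    = 'DnsLogs'
$SiemAcct = 'CORP\svc_siem'   # the SIEM AD account that will tail the file over CIFS

# Steps 1 and 2: enable DNS debug logging (queries and answers, both transports)
# to a folder outside system32, rolling the file over at a fixed size.
# Note: despite its name, -MaxMBFileSize takes a value in bytes.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true `
    -EnableLogFileRollover $true `
    -LogFilePath (Join-Path $LogDir 'dns.log') -MaxMBFileSize 500MB

# Step 3: NTFS read+execute for the SIEM account (inherited to files), then a
# read-only SMB share. The tail only needs to read the file; the ESM test's
# "write access failed" notice reported later in this thread is expected here.
icacls $LogDir /grant "$($SiemAcct):(OI)(CI)RX" | Out-Null
New-SmbShare -Name $Share -Path $LogDir -ReadAccess $SiemAcct | Out-Null

# Verify the result: the share grants only Read, and the DNS service is logging
# to the new location.
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessRight, AccessControlType -AutoSize
Get-DnsServerDiagnostics |
    Select-Object Queries, Answers, EnableLogFileRollover, LogFilePath, MaxMBFileSize
```

Run from an elevated PowerShell session on the DNS server; confirm the share from the ERC with tcpdump on port 445 as suggested further down the thread.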
s.schreiner
Level 7

Re: Siem Collector v11

Syed,

Although this is not "my" question, I wondered if you tested the settings with "read only" permission on the share.

During my tests I get an error in ESM GUI, stating that "write access" failed, while "read access" succeeded.

If I go for SHARE: Modify and NTFS: RWX, then the Device can be successfully tested, but it delivers no data ...

Opened a service request at McAfee and they came back with "tail needs write access" - so, who is right?

(From a security perspective, I would prefer having only read access to the log files ...)

Regards,

Stefan

0 Kudos
syed_rizvi
Level 10

Re: Siem Collector v11

The error message about not having write access is expected and can be ignored. I have used this method a few times.

s.schreiner wrote:

the Device can be successfully tested, but it delivers no data ...

If you haven't already, use TCPDUMP on the ERC to validate port 445 traffic between the ERC and the DNS Server. Once confirmed, you might be running into a parsing issue. Make sure you increase the log level on the DNS server under debug properties.

0 Kudos