DavA
Level 9
Message 1 of 9

Why install a Collector / Agent?

Hi dear community.

Does anyone know when and for what purpose I need to install a collector / agent?

Why is the data source configuration on the receiver not enough?

Does it have to do with the quality of the logs?

Or maybe when, in the SIEM architecture, the ESM and the data sources are in a different geolocation or network?

I would truly appreciate your help! Thank you.

8 Replies
rlourenc McAfee Employee
Message 2 of 9

Re: Why install a Collector / Agent?

Hi DavA,

So there can be multiple use cases for this. I will mention them below:

  1. You want to encrypt logs between the data source and the receiver.
  2. You have to collect multiple log types from one data source, for example Active Directory and DNS on the same server. You can't add a data source with the same IP address twice on one receiver, so you can then use the SIEM Collector to collect both or one of the log types, as it uses a host ID and not the IP.
  3. It also has some options with databases to query certain tables.

Mostly you can collect everything else directly with the receiver.

Regards, Rob

DavA
Level 9
Message 3 of 9

Re: Why install a Collector / Agent?

Hi rlourenc,

Thank you very much for your answer! It's a big help!

Regards, Dav.

Re: Why install a Collector / Agent?

How about Exchange logs? Is there a way for Exchange 2008 to send logs directly, or can we use the agent collector?

rlourenc McAfee Employee
Message 5 of 9

Re: Why install a Collector / Agent?

Hi,

Exchange can be a bit of a pain, as not everything is logged the same way.

So this really depends on what you are trying to achieve.

For normal Exchange you might get it in some event logs. For OWA type logs it's in the IIS logs.

For Exchange admin logs you need to run a script to pull the events from the Exchange Admin Center (EAC) and export them to a .csv, and then use a custom parser.

What is your use case?

David1111 Reliable Contributor
Message 6 of 9

Re: Why install a Collector / Agent?

WOW, I didn't know it's so complicated....

What should I do if I want to get all of the logs you mentioned,

and without writing endless parsers & regex?!

Thank you!

David.

rlourenc McAfee Employee
Message 7 of 9

Re: Why install a Collector / Agent?

Hi David,

Yeah, unfortunately Microsoft doesn't have a standard way of logging, so things are in different places.

With OWA you should just be able to add the IIS logs from the Exchange. I have found in some environments, though, that it doesn't give the source address, so something like an F5 load balancer needs to use XFF forwarding to send the source to log it in the IIS OWA logs.

For the EAC logs, which track what admins are doing on Exchange accounts, you can use the attached parser. I will need to look for the script for you that pulls out the EAC logs and puts them into a .CSV that you can pull. This happens using a scheduled task every 5 minutes. But I have searched and can't find the script.
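Added example, not the thread's own code nor the parser attached above: a small Python parser for IIS W3C OWA logs that takes the source address from the X-Forwarded-For field when a load balancer sits in front (so c-ip is only the balancer) and counts failed OWA logons per real source. The log lines are constructed, and logging the header under the field name X-Forwarded-For is an assumption.

```python
import ipaddress

# Constructed sample (not from the thread): IIS W3C log for an OWA site behind a
# load balancer; X-Forwarded-For as a custom field is an assumed field name.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status X-Forwarded-For
2015-06-01 08:15:02 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.1 Mozilla/5.0 302 198.51.100.23
2015-06-01 08:15:09 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.1 Mozilla/5.0 200 198.51.100.23
2015-06-01 08:16:40 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.1 curl/7.40 401 -
2015-06-01 08:17:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 10.0.0.1 Mozilla/5.0 200 203.0.113.9,10.0.0.1
"""


def parse_iis_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # header may recur mid-file
            continue  # other directives (#Software, #Date, ...) carry no entries
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed entry: skip rather than misalign
        yield dict(zip(fields, values))


def client_ip(entry):
    """Real source: leftmost valid X-Forwarded-For address, else c-ip."""
    xff = entry.get("X-Forwarded-For", "-")
    if xff != "-":  # XFF may be '-', a comma chain (client first), or junk
        first = xff.split(",")[0].strip()
        try:
            ipaddress.ip_address(first)
            return first
        except ValueError:
            pass  # unparseable XFF: fall back to what IIS saw
    return entry.get("c-ip", "-")


def owa_auth_failures_by_source(text):
    """Count failed OWA logons (HTTP 401 on /owa/auth.owa) per resolved source."""
    counts = {}
    for entry in parse_iis_w3c(text):
        if entry.get("cs-uri-stem", "").lower() == "/owa/auth.owa" and entry.get("sc-status") == "401":
            counts[client_ip(entry)] = counts.get(client_ip(entry), 0) + 1
    return counts
```

In the sample, the one failed logon carries no XFF value, so it is attributed to the balancer's 10.0.0.1, which is exactly the blind spot the post describes.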

David1111 Reliable Contributor
Message 8 of 9

Re: Why install a Collector / Agent?

Wow!

I wish I was an expert like you!

Thanks for the details and parser.

If you find the script by any chance, I would like you to share it here.

Best regards,

David

Re: Why install a Collector / Agent?

I was thinking of fetching attachment names + source domain names to identify the riskiest users.

Hope this makes sense.
