Former Member
Message 1 of 15

EPO Tables - Syslog Forwarding

Hi Team 

We will need to upgrade to 5.10 soon as 5.09 is approaching EOD. We currently have a SIEM that pulls events from database tables via a complex query that grabs info and joins it from multiple EPO tables. 

We are considering switching to syslog when we move to 5.10.

Is there a way to configure event forwarding for multiple EPO tables? From what I could find, the only information forwarded is from the EPOEvents table, and it is limited in contextual/additional information, such as hashes.

Also, if we upgrade to 5.10, does the database table structure change in that version (field names and such)? Will we still be able to use the existing method of pulling logs without any data/detail loss, or will it require a complete redo?

Assistance is appreciated!

14 Replies
cdinet
McAfee Employee
Message 2 of 15

Re: EPO Tables - Syslog Forwarding

Only events are sent via syslog, and yes, queries would change some in 5.10. You can also get the database schema for 5.10 here:

https://kc.mcafee.com/agent/index?page=content&id=KB91051

Additionally, you can create a query in ePO for the data you want to pull, save it, then view the query SQL to get the actual query ePO is running and modify yours accordingly.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Former Member
Message 3 of 15

Re: EPO Tables - Syslog Forwarding

Thanks for the response. 

I have the 5.10 schema, but it doesn't list any changes of schema/queries compared to 5.09. Is there an article that goes over the major differences?

Also, is there a way to send DLP events via syslog too? Are incident-related database tables also undergoing changes in 5.10?


cdinet
McAfee Employee
Message 4 of 15

Re: EPO Tables - Syslog Forwarding

You will need to ask the DLP team about those, as those come in differently. As for any documented queries for SIEM, no, we don't have anything, as each customer has different requirements.


Former Member
Message 5 of 15

Re: EPO Tables - Syslog Forwarding

I'm not worried about changes to the queries, but to the existing schema/fields per table, specifically the Events table, which is the only one used for syslog forwarding.

cdinet
McAfee Employee
Message 6 of 15

Re: EPO Tables - Syslog Forwarding

The schema should show any differences between 5.9 and 5.10, as you can get both schemas. However, the easiest way to find columns/tables is to look at existing queries in ePO for the data you want to pull.


cdinet
McAfee Employee
Message 7 of 15

Re: EPO Tables - Syslog Forwarding

If you don't have a 5.10 server yet, let me know what you want and I can create a query and get the syntax for you.


Former Member
Message 8 of 15

Re: EPO Tables - Syslog Forwarding

That actually would be very helpful and appreciated! We don't have a 5.10 server yet. 

cdinet
McAfee Employee
Message 9 of 15

Re: EPO Tables - Syslog Forwarding

OK, what exact data are you looking for?


Former Member
Message 10 of 15

Re: EPO Tables - Syslog Forwarding

Not sure what sort of input I need to provide, but ideally I want to enrich data coming from the EPOEvents table with information from the EPOComputerProperties, EPOLeafNode, EPOEventFilterDesc and EPExtendedEvent tables.
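As an added example (not from this thread and not McAfee's own query), the following shows the shape of the enrichment pull the last message asks for: EPOEvents joined to EPExtendedEvent, EPOLeafNode, EPOComputerProperties and EPOEventFilterDesc on an ePO 5.x SQL Server database, with a read-only login for the SIEM collector and an AutoID watermark so the collector never re-reads rows. Table and column names are written from memory of the ePO 5.x schema and must be checked against the KB91051 schema document before use; the EPExtendedEvent column names, the EPOEventFilterDesc language value, the login name `siem_reader` and the database name `ePO_SERVER` are assumptions, and the easiest way to confirm any of them is the "view query SQL" step described earlier in the thread.

```sql
-- Added example, not from the thread or McAfee: SIEM enrichment pull for
-- ePO 5.x on SQL Server. Verify every name against the KB91051 schema.

-- 1. Least privilege for the collector: SELECT on exactly the tables the
--    pull reads, nothing else (no db_datareader, no db_owner).
--    Login name, password and database name are placeholders.
CREATE LOGIN siem_reader WITH PASSWORD = '<strong unique password>';
GO
USE ePO_SERVER;          -- ASSUMED: database name varies per install
GO
CREATE USER siem_reader FOR LOGIN siem_reader;
GRANT SELECT ON dbo.EPOEvents             TO siem_reader;
GRANT SELECT ON dbo.EPExtendedEvent       TO siem_reader;
GRANT SELECT ON dbo.EPOLeafNode           TO siem_reader;
GRANT SELECT ON dbo.EPOComputerProperties TO siem_reader;
GRANT SELECT ON dbo.EPOEventFilterDesc    TO siem_reader;
GO

-- 2. Incremental pull keyed on EPOEvents.AutoID (an identity column that only
--    grows), so the collector stores the last AutoID it ingested rather than
--    a timestamp; events that arrive late but carry an old DetectedUTC are
--    still picked up. @LastAutoID is the collector's stored watermark.
DECLARE @LastAutoID INT = 0;

SELECT TOP (5000)
       e.AutoID,
       e.ReceivedUTC,
       e.DetectedUTC,
       e.ThreatEventID,
       d.ShortDesc                 AS EventDescription,
       e.ThreatName,
       e.ThreatType,
       e.ThreatCategory,
       e.ThreatSeverity,
       e.ThreatActionTaken,
       e.ThreatHandled,
       e.SourceHostName,
       e.SourceIPV4,               -- stored as a signed int; ePO's own
       e.SourceUserName,           -- "view query SQL" shows the expression
       e.SourceProcessName,        -- it uses to render dotted-quad text
       e.TargetHostName,
       e.TargetIPV4,
       e.TargetUserName,
       e.TargetProcessName,
       e.TargetFileName,
       x.TargetHash,               -- ASSUMED column name (EPExtendedEvent)
       x.TargetPath,               -- ASSUMED column name (EPExtendedEvent)
       x.SourceProcessHash,        -- ASSUMED column name (EPExtendedEvent)
       ln.NodeName                 AS ManagedHostName,
       ln.AgentVersion,
       cp.IPAddress                AS HostIPAddress,
       cp.OSType,
       cp.OSVersion,
       cp.DomainName,
       cp.UserName                 AS LastLoggedOnUser
FROM dbo.EPOEvents AS e
-- Extended detail (hashes, paths) is one row per event, keyed by the
-- event's AutoID; LEFT JOIN because not every product writes it.
LEFT JOIN dbo.EPExtendedEvent AS x
       ON x.EventAutoID = e.AutoID
-- Agent GUID ties the event to the managed node in the System Tree...
LEFT JOIN dbo.EPOLeafNode AS ln
       ON ln.AgentGUID = e.AgentGUID
-- ...and the node's AutoID is the ParentID of its property row.
LEFT JOIN dbo.EPOComputerProperties AS cp
       ON cp.ParentID = ln.AutoID
-- Human-readable event description for the numeric ThreatEventID.
LEFT JOIN dbo.EPOEventFilterDesc AS d
       ON d.EventId  = e.ThreatEventID
      AND d.Language = '0409'     -- ASSUMED locale value; copy the one your
                                  -- ePO's generated query SQL uses
WHERE e.AutoID > @LastAutoID
ORDER BY e.AutoID;                -- collector stores MAX(AutoID) it received
```

Two practical notes: the LEFT JOINs matter because a row from EPOEvents with no matching EPExtendedEvent or property row must still reach the SIEM, otherwise the events with the least context (often the most interesting) silently disappear; and the watermark should be the highest AutoID the collector has durably written, not the highest it has read, so a crash between read and write causes a re-delivery rather than a gap.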
