rob_v
Level 7
Message 1 of 5

EPO and Syslog

Hello, I am interested in setting up log forwarding for ePO to syslog. I've looked at various online articles regarding setup and that seems relatively straightforward; however, I can't find anything that answers my particular query. Rather than forward any/all logs to one particular syslog server, we have a need to be able to send selected logs to particular syslog servers. I am hoping this is possible in conjunction with Automatic Responses, i.e. malware detected and detecting product hostname contains 'string A' send to syslog server A, or malware detected and detecting product hostname contains 'string B' send to syslog server B. If anyone has any experience of this, please let me know if this is possible (ePO env 5.9.1). Thanks, Rob
1 Solution

Accepted Solutions
cdinet
McAfee Employee
Message 5 of 5

Re: EPO and Syslog


The server task may be a way to go, but the only action applicable would be to run a registered executable. So you would have to somehow script that out.

Have you considered using an SNMP server? That might be a little less resource intensive, but I'm not sure.

What I would recommend, however, is to increase the resources on your ePO server. 2 CPUs and 8 GB RAM is actually below spec. The 8 GB RAM minimum suggestion is for available RAM, not installed. For 11k systems, adding the load of running frequent queries or automatic responses can severely impact your performance. I would highly recommend increasing CPUs and RAM. If you increase RAM, you also have to increase the JvmMx value to half the RAM for ePO to use. That is located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV590\Parameters\Java

You would configure it as such, with an example of 24 GB RAM installed:

12 x 1024 - 1 = 12287

If you are selective in the events you are forwarding, you can possibly test the automatic response method, but you might want to throttle them and spread them out some. You can send them in batches rather than trigger on every event. You can get an idea of how many events would trigger a response from how many events you receive per hour, for example, in your query outputs.

It is attainable, but with monitoring and configuration to tweak it for performance balance.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
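The sizing rule in this reply (JvmMx = half the installed RAM, in MB, minus 1, so 24 GB gives 12 x 1024 - 1 = 12287) as a check against the registry key named above. This is an added example, not McAfee tooling or code from the thread; it assumes the Procrun value name is JvmMx, stored as a DWORD of megabytes under the MCAFEETOMCATSRV590 key exactly as quoted, and that the ePO Application Server service is restarted after any change.

```powershell
# Added example: compare the current Procrun heap cap with the rule from the reply.
# Assumptions: key path as quoted in the thread (ePO 5.9.x service name), value name
# JvmMx (Procrun's standard parameter), stored as REG_DWORD in megabytes.
$ProcrunJavaKey = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV590\Parameters\Java'

function Get-RecommendedJvmMx {
    param([Parameter(Mandatory)][int]$InstalledRamGb)
    # Half of installed RAM expressed in MB, minus one: 24 GB -> 12 x 1024 - 1 = 12287
    return ([math]::Floor($InstalledRamGb / 2) * 1024) - 1
}

function Get-InstalledRamGb {
    # CIM reports bytes; round to whole GB because firmware reserves a little memory
    $bytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    return [int][math]::Round($bytes / 1GB)
}

function Test-EpoJvmMx {
    param(
        [int]$InstalledRamGb = (Get-InstalledRamGb),
        [switch]$Apply          # without -Apply the function only reports
    )
    $recommended = Get-RecommendedJvmMx -InstalledRamGb $InstalledRamGb
    $current = (Get-ItemProperty -Path $ProcrunJavaKey -Name JvmMx -ErrorAction SilentlyContinue).JvmMx

    [pscustomobject]@{
        InstalledRamGb   = $InstalledRamGb
        CurrentJvmMxMb   = $current
        RecommendedMxMb  = $recommended
        NeedsChange      = ($current -ne $recommended)
    }

    if ($Apply -and $current -ne $recommended) {
        # Requires an elevated session; takes effect after the ePO Tomcat service restarts
        Set-ItemProperty -Path $ProcrunJavaKey -Name JvmMx -Value $recommended -Type DWord
    }
}

# Report only; add -Apply to write the value
Test-EpoJvmMx
```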


4 Replies
cdinet
McAfee Employee
Message 2 of 5

Re: EPO and Syslog


We do not recommend at all using automatic responses to send data to syslog servers.  That will only cause a lot of problems, as automatic responses aren't designed for that kind of load on the server with that many responses.  So to answer your question, I know of no supported way to do what you want.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

marko125
Level 9
Message 3 of 5

Re: EPO and Syslog


One client is doing exactly the same thing and they are complaining about ePO performance. They are sending quite a big amount of events in this way. I don't have proof that this is causing performance issues, but I wouldn't consider that option unless there will be a really small number of events to send. I recall that from time to time they are complaining about missing events in syslog as well. Other options to consider: you can have rewriters or relays at the syslog level and there you can filter out the needed events from the whole event stream coming from ePO, if you use the ePO built-in syslog option. Instead of that I would consider reading the needed events directly from the database, as SIEM solutions do. There are solutions reading info from SQL and sending it over syslog. One note: in ePO, threat events are in two tables, a normalized one with some common information and then a product-specific events table, where all the advanced information is located. Syslog is using that normalized threat database. But if you read directly from the database, you can use the other table and have much more information available in events. At least this is how I understand that topic.

rob_v
Level 7
Message 4 of 5

Re: EPO and Syslog


Marko125/Cdinet - thanks both for getting back to me. I must admit I am concerned about performance and scalability, although I hoped that as I was only intending to forward malware detection events rather than all events, that would mitigate the performance issue to a large degree. To give some background, our ePO environment has about 11,000 active registered clients from hundreds of different customers. Our requirement is to be able to send selected messages to different syslog servers (so one customer doesn't see another's data). At present we use automatic responses in conjunction with a registered executable (compiled PowerShell script based on write-event) to create Windows Application log events on the ePO server. Our monitoring systems then use these events to create tickets for investigation. This doesn't place much of a load on the server (2 CPU, 8 GB) and it just ticks along. I found a PowerShell script (https://tinyurl.com/yadau4hf) written to send syslog messages. I was thinking of adapting it to suit, compiling it and then taking a similar approach, as it seems using syslog 'registered servers' in conjunction with automatic responses may be unsupported and, secondly, if we ignored the supportability issue, we may be scuppered by load/performance problems. Thank you for the suggestions regarding database options - as we are in a multi-tenant environment they may be problematic from a security point of view. I did consider scripting (scheduled task) grabbing threat events and then sending the relevant events to the different syslog servers. May still be the way to go - lab testing load is just about impossible though. Cheers for your input and suggestions. Any more always welcome.
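The routing rule from the original question (detecting hostname contains 'string A' goes to syslog server A, 'string B' to server B), written as the kind of per-event registered-executable script rob_v describes. This is an added example and not code from the thread, from McAfee or from the linked script; the parameter names, the route map, the collector hostnames and the message fields are assumptions, and unmatched hosts are deliberately dropped rather than sent to a default collector so one tenant's events never reach another's server.

```powershell
# Added example: tenant-aware syslog forwarder for an ePO Automatic Response
# (registered executable, one invocation per detection). Parameter names, route
# map and collector hostnames are assumptions / constructed placeholders.
param(
    [Parameter(Mandatory)][string]$DetectingHostname,   # the "detecting product hostname"
    [Parameter(Mandatory)][string]$ThreatName,
    [string]$ThreatTarget  = '-',
    [int]$SyslogSeverity   = 4                          # RFC 5424 severity: 4 = warning
)

# Question's rule: hostname contains 'string A' -> server A. First match wins;
# keys are matched case-insensitively as substrings of the hostname.
$TenantRoutes = [ordered]@{
    'string-a' = @{ Host = 'syslog-a.example.invalid'; Port = 514 }
    'string-b' = @{ Host = 'syslog-b.example.invalid'; Port = 514 }
}

function Resolve-TenantCollector {
    param([string]$Hostname, $Routes)
    foreach ($needle in $Routes.Keys) {
        if ($Hostname.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $Routes[$needle]
        }
    }
    return $null   # unrouted: drop, never fall through to another tenant's collector
}

function New-SyslogLine {
    param([string]$Hostname, [string]$Threat, [string]$Target, [int]$Severity)
    $facility = 4                                  # security/authorization messages
    $pri = ($facility * 8) + $Severity             # PRI = facility * 8 + severity
    $ts  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    # RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    return "<$pri>1 $ts $Hostname ePO-AutoResponse - ThreatEvent - threat=`"$Threat`" target=`"$Target`""
}

function Send-SyslogUdp {
    param([string]$Server, [int]$Port, [string]$Line)
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Line)
    $client = [System.Net.Sockets.UdpClient]::new()
    try     { [void]$client.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $client.Dispose() }
}

$route = Resolve-TenantCollector -Hostname $DetectingHostname -Routes $TenantRoutes
if (-not $route) { Write-Error "No tenant route for host '$DetectingHostname'"; exit 2 }
$line = New-SyslogLine -Hostname $DetectingHostname -Threat $ThreatName -Target $ThreatTarget -Severity $SyslogSeverity
Send-SyslogUdp -Server $route.Host -Port $route.Port -Line $line
```

UDP/514 is cleartext and unauthenticated, so in a multi-tenant setup the collector link should be TLS (RFC 5425) or a trusted network, and the per-event invocation is exactly the load cdinet warns about, so measure the hourly detection rate before relying on it.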
