EPO forwarding to Syslog

Good morning,

I'm trying to get a better understanding of the flow of how we can forward events from ePO to a customer's enterprise syslog. I have the syslog registered in the ePO, which resides in the customer DMZ, and am able to successfully test the connection to it. The customer is able to see those test connections hitting their firewall. However, with "event forwarding" enabled on the registered server page, the only traffic the customer sees is coming from the agent handlers, which are standalone, over port 6514.

We originally designed this to only allow syslog traffic from the ePO console, so the firewall rules are dropping the agent handler traffic.

But I get the impression that I am misunderstanding how ePO->syslog works. Is it correct that all the events are forwarded from the agent handlers, not specifically from the ePO console? So we would need the firewall rules written to allow traffic from the agent handlers and the ePO console itself?

5 Replies
McAfee Employee
Message 2 of 6

Re: EPO forwarding to Syslog

Each agent handler and ePO server has its own eventparser. The eventparser handles the forwarding of events to the database and to the syslog server. So to receive events from ePO and each agent handler, the firewall ports would need to allow that traffic from each server.

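The practical consequence of the reply above is that the firewall in front of the syslog collector has to admit every node that runs an eventparser, not just the ePO console. The script below is an added example (not from this thread, and not McAfee code) that audits a firewall log against an inventory of ePO and Agent Handler addresses: it reports which forwarders are being dropped on the syslog port, which forwarders never appear at all (forwarding disabled, or traffic not reaching the firewall), which sources are hitting the port without being in the inventory, and prints the allow rules still missing. All hostnames, IP addresses and the "action=... src=... dst=... dport=..." log format are constructed for the example.

```python
"""
Audit firewall logs for ePO/Agent Handler -> syslog (TCP 6514) flows.

Every ePO server and every Agent Handler runs its own eventparser, so each
one is a distinct source of syslog traffic that the firewall must allow.
Inventory, IPs and log lines here are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

SYSLOG_PORT = 6514  # TLS syslog port the eventparser uses (from the thread)

# Constructed inventory: every node that runs an eventparser must be listed.
FORWARDERS = {
    "10.0.5.10": "epo01 (ePO server, DMZ)",
    "10.20.1.15": "ah01 (Agent Handler, internal)",
    "10.20.1.16": "ah02 (Agent Handler, internal)",
    "10.20.1.17": "ah03 (Agent Handler, internal)",
}
SYSLOG_SERVER = "10.0.5.50"  # constructed address of the customer's collector

# Constructed firewall log lines in a generic key=value form.
SAMPLE_FW_LOG = """\
action=ACCEPT src=10.0.5.10 dst=10.0.5.50 proto=tcp sport=51234 dport=6514
action=DROP src=10.20.1.15 dst=10.0.5.50 proto=tcp sport=49152 dport=6514
action=DROP src=10.20.1.16 dst=10.0.5.50 proto=tcp sport=49153 dport=6514
action=DROP src=10.20.1.15 dst=10.0.5.50 proto=tcp sport=49154 dport=6514
action=ACCEPT src=10.20.1.15 dst=10.0.5.10 proto=tcp sport=49155 dport=8443
action=DROP src=10.99.9.9 dst=10.0.5.50 proto=tcp sport=40000 dport=6514
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


@dataclass
class Audit:
    allowed: set = field(default_factory=set)  # inventory hosts that got through
    dropped: set = field(default_factory=set)  # inventory hosts being blocked
    unknown: set = field(default_factory=set)  # non-inventory hosts hitting the port
    silent: set = field(default_factory=set)   # inventory hosts never seen at all


def audit(events, forwarders, syslog_server, port=SYSLOG_PORT):
    """Classify every forwarder by what the firewall did with its syslog flows."""
    a = Audit()
    for e in events:
        # Only flows to the collector on the syslog port matter here.
        if e["dst"] != syslog_server or e["dport"] != port or e["proto"] != "tcp":
            continue
        if e["src"] not in forwarders:
            a.unknown.add(e["src"])
        elif e["action"] == "ACCEPT":
            a.allowed.add(e["src"])
        else:
            a.dropped.add(e["src"])
    # A forwarder with no flow at all is worth checking: event forwarding may be
    # off on that node, or its traffic never reaches this firewall.
    a.silent = set(forwarders) - a.allowed - a.dropped
    return a


def missing_rules(a, forwarders, syslog_server, port=SYSLOG_PORT):
    """Allow rules (pseudo-syntax) for every inventory host currently dropped."""
    return [
        f"allow tcp from {src} ({forwarders[src]}) to {syslog_server} port {port}"
        for src in sorted(a.dropped)
    ]


if __name__ == "__main__":
    result = audit(parse_log(SAMPLE_FW_LOG), FORWARDERS, SYSLOG_SERVER)
    print("allowed:", sorted(result.allowed))
    print("dropped:", sorted(result.dropped))
    print("silent: ", sorted(result.silent))
    print("unknown:", sorted(result.unknown))
    for rule in missing_rules(result, FORWARDERS, SYSLOG_SERVER):
        print("missing:", rule)
```

Run against a real export, the "unknown" set is the one to read carefully: a source sending to the syslog port that is not an ePO server or registered Agent Handler is either an inventory gap or something that should stay blocked. The "silent" set is the cross-check in the other direction, since with event forwarding enabled every eventparser should be attempting to reach the collector.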

Re: EPO forwarding to Syslog

We currently have the firewalls configured to only accept 6514 traffic from the ePO, but the issue is that the firewall logs only see traffic coming from the agent handlers. When I uncheck "enable event forwarding" in the registered server settings for the syslog forwarder, the agent handlers stop attempting to send traffic to the syslog, but the ePO still does not send events itself. Is it not possible to only receive events from the ePO?

McAfee Employee
Message 4 of 6 (Accepted Solution)

Re: EPO forwarding to Syslog

It is all or nothing, since each agent handler is basically a virtual extension of ePO. If you are only able to receive events from one AH or the ePO server itself and not all of them, you will only see events in syslog that that AH or ePO processed, but not other events that other AHs or ePO processed.


Re: EPO forwarding to Syslog

OK, I am getting a better understanding of this now. So with our setup, where we have the ePO server in the DMZ and an agent handler on a lower-level network, we would have to allow traffic from the agent handler through the firewall as well in order for the enterprise syslog to receive those events. If we set the event filter to "store in SIEM" or "store in both", that would tell the agent handler to reach out to the syslog directly, but if we filter to "store in ePO", those agent handler events will go to the ePO but the ePO won't send them to syslog?

McAfee Employee
Message 6 of 6

Re: EPO forwarding to Syslog

Correct, only the AH won't send events to ePO per se; it will send them directly to the database instead of syslog.
