We have IBM Qradar SIEM integrated with McAfee ePo. When system gets updated with latest AMcore, Client event 2401 gets generated, but SIEM is not able to capture it. where as, event ID 1118 which is getting generated for update, getting captured in SIEM. Difference in both EVENT ID is, 2401 is client event & 1118 is triggered as Threat event. I have below Questions.
1. What is difference between these 2 Event ID's & when these are getting captured in client event and threat event if both are getting trigged when system gets updated?
2. Why for few systems 2401 getting triggered and for few systems 1118 getting triggered? We check OS and ENS versions are same, still few systems generating 2401 for amcore update & few 1118?
3. Any other specific setting in ePo to send client events to syslog server? We checked in Event filtering, both the events are enabled to send it to syslog.?
Thanks for the response, In our environment, Qradar SIEM integrated with ePo using JDBC protocol, which do not required any extension to be checked in ePo, not even we need to configure the syslog server for event forwarding as per IBM Qradar Documentation. Please advise if there is anything that need to be configured from ePo end.
So is that to mean you are pulling data directly from the database instead of it as a registered server? If so, what tables are you pulling from? Event ID 2401 is an agent event, where event 1118 is an ens generated event.
If you are not using your siem as a registered syslog server, then the settings to forward to syslog mean nothing. They are only applicable for registered syslog servers for the eventparser to forward the events. If your siem is pulling directly from the database, then epo itself is out of the picture. That would then depend on what the agent send in. So you can compare what you see in siem by running threat and client event reports in epo to see if they match up or not.
Was my reply helpful? If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.