Event ID 2401 not captured by IBM Qradar SIEM

Hi.

We have IBM QRadar SIEM integrated with McAfee ePO. When a system gets updated with the latest AMCore, client event 2401 gets generated, but the SIEM is not able to capture it, whereas event ID 1118, which is generated for the update, gets captured in the SIEM. The difference between the two event IDs is that 2401 is a client event and 1118 is triggered as a threat event. I have the questions below.

1. What is the difference between these two event IDs, and when are they captured as a client event versus a threat event if both are triggered when a system gets updated?

2. Why is 2401 triggered for a few systems and 1118 for a few others? We checked that the OS and ENS versions are the same, yet a few systems generate 2401 for the AMCore update and a few generate 1118.

3. Is there any other specific setting in ePO to send client events to a syslog server? We checked in Event Filtering, and both events are enabled to be sent to syslog.


TIA

Girish Modak.

3 Replies
cdinet (McAfee Employee)
Message 2 of 4

Re: Event ID 2401 not captured by IBM Qradar SIEM

There is a QRadar extension that you can find in Software Manager for that syslog server; is that checked in? Otherwise, check the eventparser log for any errors forwarding to syslog.


Re: Event ID 2401 not captured by IBM Qradar SIEM

Hi

Thanks for the response. In our environment, QRadar SIEM is integrated with ePO using the JDBC protocol, which does not require any extension to be checked in to ePO; as per the IBM QRadar documentation we do not even need to configure a syslog server for event forwarding. Please advise if there is anything that needs to be configured from the ePO end.

TIA

Girish Modak

cdinet (McAfee Employee)
Message 4 of 4

Re: Event ID 2401 not captured by IBM Qradar SIEM

So does that mean you are pulling data directly from the database instead of through it as a registered server? If so, what tables are you pulling from? Event ID 2401 is an agent event, whereas event 1118 is an ENS-generated event.

If you are not using your SIEM as a registered syslog server, then the settings to forward to syslog mean nothing. They are only applicable to registered syslog servers, for the eventparser to forward the events. If your SIEM is pulling directly from the database, then ePO itself is out of the picture. That would then depend on what the agent sends in. So you can compare what you see in the SIEM by running threat and client event reports in ePO to see if they match up or not.

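The reply above boils down to one check: a JDBC log source only ever returns rows from the table it polls, so an event that ePO stores in a different table will never reach the SIEM no matter what the syslog forwarding settings say. The T-SQL below is an added example, not from the thread or from IBM or McAfee; it shows how to confirm on the ePO database which table holds 1118 and which holds 2401. It assumes ePO runs on Microsoft SQL Server, that threat events are in dbo.EPOEvents (the table a QRadar JDBC ePO log source is normally pointed at), and that client/agent events are in dbo.EPOProductEvents; the second table name in particular is an assumption, which is why the third query lists every table carrying an event-ID column so the names can be verified on your own build.

```sql
-- Added example (not the thread's or the vendor's code).
-- Assumptions: ePO on Microsoft SQL Server; threat events in dbo.EPOEvents
-- (column ThreatEventID, poll key AutoID); client/agent events in
-- dbo.EPOProductEvents (column EventID). Confirm both with query 3 first.

-- 1. Threat-event table: what a JDBC poll of EPOEvents can return at all.
--    1118 (ENS update event) is expected here; 2401 is not.
SELECT ThreatEventID,
       COUNT(*)        AS EventCount,
       MAX(ReceivedUTC) AS LastSeenUTC
FROM dbo.EPOEvents
WHERE ReceivedUTC >= DATEADD(hour, -24, GETUTCDATE())
  AND ThreatEventID IN (1118, 2401)
GROUP BY ThreatEventID;

-- 2. Client-event table: where the agent's 2401 update event is expected.
--    If 2401 shows up here and not in query 1, the SIEM's JDBC log source
--    simply is not reading this table.
SELECT EventID,
       COUNT(*)        AS EventCount,
       MAX(ReceivedUTC) AS LastSeenUTC
FROM dbo.EPOProductEvents
WHERE ReceivedUTC >= DATEADD(hour, -24, GETUTCDATE())
  AND EventID IN (1118, 2401)
GROUP BY EventID;

-- 3. Verify the assumed table names: list every table that has an
--    event-ID column, so the names used above can be checked on this
--    ePO version instead of trusted.
SELECT t.name AS TableName, c.name AS ColumnName
FROM sys.columns c
JOIN sys.tables t ON t.object_id = c.object_id
WHERE c.name IN ('ThreatEventID', 'EventID')
ORDER BY t.name, c.name;
```

Run the queries with the same read-only database account the SIEM uses, so the result reflects what that account can actually see; a missing SELECT grant on the client-event table produces the same symptom as polling the wrong table.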
