sanba06c
Level 10
Message 1 of 11

How to forward logs from ePO to IBM Qradar SIEM


Hello everyone,

I attempted to integrate "McAfee ePolicy Orchestrator" (antivirus appliance) to QRadar. However, there were some errors, which made it unsuccessful. Is there any "step-by-step demonstration process" for this integration (or is there any simpler way to forward logs from McAfee ePolicy Orchestrator to QRadar)? Although there is a guide from IBM, it still seems a little bit complicated for me. 

Any response would be highly appreciated.


10 Replies
rgc
McAfee Employee
Message 2 of 11

Can you share screenshots of the errors, showing where it is failing?

Is that while adding the data source on the IBM QRadar device?


Raghavendra GC
McAfee Technical Support – APAC
Customer Success Group
www.mcafee.com
sanba06c
Level 10
Message 3 of 11

@rgc Unfortunately, I don't find any error, but the log source does not work. Can you advise me which is the easiest way to integrate ePO with QRadar: the syslog server from McAfee's guide, or the DSM from IBM's guide?

sanba06c
Level 10
Message 4 of 11

It does not show any error. By the way, can you tell me which is the simpler way to integrate ePO with QRadar: syslog as recommended by McAfee, or the DSM as proposed by IBM?

Former Member
Message 5 of 11

Hello,

Thanks for your post.

Please check the KB article below:

How to set up an example syslog server for use with ePolicy Orchestrator 


cdinet
McAfee Employee
Message 6 of 11 (Accepted Solution)

The preferred method is using syslog, but that syslog server must support TLS 1.2. Connecting directly to the database with a SIEM, or using Automatic Responses to forward events to an SNMP server, can cause performance issues, some more severe than others, depending on the number of events sent. With the syslog server, you have a little more control over which events get sent to syslog, under Server Settings, Event Filtering.


sanba06c
Level 10
Message 7 of 11

Thank you for your useful reply, which really solves the puzzle.

cdinet
McAfee Employee
Message 8 of 11

Glad to assist!


sanba06c
Level 10
Message 9 of 11

Hi @cdinet, I find that our company is using the IBM QRadar SIEM appliance v7.3 as a syslog server, which is supposed to support TLS 1.2. However, when I configured it on the McAfee ePO and clicked "Test connection", it said "Syslog connection failed". Do I need to set up the syslog server as described in KB87927, with the Bitnami ELK Stack and OpenSSL?

LKS
McAfee Employee
Message 10 of 11

Hi sanba06c,

You have to consider two things when you integrate a syslog server with ePO.

1. TLS 1.2

2. The receiver should be configured as a TLS receiver following RFC 5424 and RFC 5425 (generally known as syslog-ng).

If the connection is failing, check the Orion log to find the error.

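The two requirements above (TLS 1.2, and a receiver that speaks RFC 5424 messages with RFC 5425 octet-counting framing) are easy to get wrong silently, which is what a bare "Syslog connection failed" looks like from the sender side. The following is an added example, not code from McAfee, IBM or anyone in this thread: it builds an RFC 5424 message, frames it per RFC 5425, parses such frames back out of a TCP byte stream (including partial reads), and can open a TLS 1.2-only connection to a receiver to confirm the handshake works before blaming ePO. The host name, port 6514, CA file name and the sample event text are assumptions for illustration; the offline checks exercise only the message building, framing and parsing.

```python
"""
Added example for this thread (not code from McAfee, IBM or any poster):
what an RFC 5424 message framed per RFC 5425 looks like on the wire, a
parser that pulls such frames back out of a TCP/TLS byte stream, and a
probe that checks whether a receiver negotiates TLS 1.2. Host names, ports
and the sample event text are constructed for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed fixed timestamp so the sample output is reproducible.
SAMPLE_TS = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def rfc5424_message(app, msg, hostname="epo-server", facility=1, severity=6,
                    msgid="-", ts=None):
    """Build one RFC 5424 syslog message (no transport framing).

    PRI = facility * 8 + severity, VERSION is always 1, NILVALUE is '-'.
    Defaults: facility 1 (user), severity 6 (informational)."""
    ts = ts or datetime.now(timezone.utc)
    timestamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    pri = facility * 8 + severity
    # HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
    header = f"<{pri}>1 {timestamp} {hostname} {app} - {msgid}"
    # STRUCTURED-DATA is NILVALUE here; MSG follows after a space.
    return f"{header} - {msg}".encode("utf-8")


def frame_rfc5425(message):
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG.

    MSG-LEN is the byte length of the message in decimal with no leading
    zeros. A listener that expects newline-delimited syslog will not split
    these frames correctly, which can make a sender's connection test fail
    even though the TCP and TLS layers came up fine."""
    return str(len(message)).encode("ascii") + b" " + message


def parse_rfc5425(stream):
    """Split a byte stream into complete RFC 5425 frames.

    Returns (messages, leftover): leftover is an incomplete trailing frame
    the caller should prepend to the next read. Raises ValueError on a
    malformed length prefix so garbage on the socket is not silently eaten."""
    messages = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break  # MSG-LEN not complete yet
        length_field = stream[pos:sp]
        if not length_field.isdigit() or length_field.startswith(b"0"):
            raise ValueError(f"bad MSG-LEN at offset {pos}: {length_field!r}")
        length = int(length_field)
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            break  # SYSLOG-MSG not fully received yet
        messages.append(stream[start:end])
        pos = end
    return messages, stream[pos:]


def send_tls12_syslog(host, port, message, cafile=None, timeout=5.0):
    """Open a TLS 1.2-only connection to a syslog receiver, send one
    RFC 5425 frame and return the negotiated protocol version string.

    The context is pinned to TLS 1.2 on both ends, so a receiver that only
    offers TLS 1.0/1.1 fails the handshake here instead of quietly
    negotiating down. Pass the receiver's CA bundle as cafile; with
    cafile=None the system trust store is used. Needs network access, so it
    is not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_rfc5425(message))
            return tls.version()


if __name__ == "__main__":
    # Constructed sample event; a real ePO event carries its own payload.
    event = rfc5424_message("ePO", "Threat event forwarded from ePO (sample)",
                            ts=SAMPLE_TS)
    print(frame_rfc5425(event))
    # Uncomment against a real receiver (hypothetical host, port and CA file):
    # print(send_tls12_syslog("qradar.example.com", 6514, event,
    #                         cafile="qradar-ca.pem"))
```

If `send_tls12_syslog` raises an `ssl.SSLError` during the handshake, the receiver is not offering TLS 1.2 (or its certificate does not chain to the CA you passed), which is the first of LKS's two points; if the handshake succeeds but the receiver logs nothing usable, compare what it parses against the octet-counted frame printed above, which is the second.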
