Rafaqat
Level 7
Message 1 of 6

McAfee ePO integration with Kiwi Syslog Server

Hi everyone!

I am trying to forward events from the ePO Server to a Kiwi Syslog server. I have registered a syslog server on the ePO side and have enabled TCP TLS 1.2 on the Syslog server side. I even created a self-signed certificate on the syslog server using IIS.

While testing the connection on ePO, I only see .... on ePO and receive random characters on the Syslog server.

Let me know if I am missing anything on either side.

Thanks and regards,

5 Replies
aguevara
McAfee Employee
Message 2 of 6

Re: McAfee ePO integration with Kiwi Syslog Server

It sounds like RFC 5424 and RFC 5425 (also known as syslog-ng) are not enabled on the syslog server if the characters received are not readable.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

 

cdinet
McAfee Employee
Message 3 of 6

Re: McAfee ePO integration with Kiwi Syslog Server

Check KB91194 - 3 dots indicate the handshake isn't completing at all. That KB lists TLS requirements, including ciphers that may need to be enabled. You can also run nmap against the syslog server to see what protocols/ciphers it is able to negotiate (KB91115).

Otherwise you can get a Wireshark capture that will show the connection attempt.

If the syslog server is also configured to require mutual authentication, then that is not supported.


Rafaqat
Level 7
Message 4 of 6

Re: McAfee ePO integration with Kiwi Syslog Server

Hi cdinet,

 

Thank you for your response.

How do I enable the ciphers mentioned in the article?

Secondly, where do I get the self-signed certificate? Do I need to export it from McAfee ePO itself, or can I use the IIS server to create a self-signed certificate on the Syslog server?

 

Regards,

Rafaqat
Level 7
Message 5 of 6

Re: McAfee ePO integration with Kiwi Syslog Server

Hi Aguevara,

 

Thank you for your response.

I've enabled RFC 5425 on the Kiwi Syslog server. Attached is the syslog configuration (RFC 5425.PNG).

aguevara
McAfee Employee
Message 6 of 6

Re: McAfee ePO integration with Kiwi Syslog Server

Question: How do I enable the ciphers mentioned in the article?

Answer: They are enabled from ePO; you need to see how to enable this on the syslog with your syslog vendor. Also, "You do not need to import the certificate used by the syslog receiver into ePO. As long as the certificate is valid, ePO accepts it. Self-signed certificates are supported and are commonly used for this purpose." (from the article KB91194)

On your last screenshot I don't see RFC 5424, and that is also needed. I'm not sure how to configure that on this particular syslog.

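Added example, not part of the thread and not McAfee or Kiwi code: a small Python classifier for the first bytes a syslog listener received on a TCP connection, to tell a raw TLS record (what "random characters" usually are when the port reads TLS as plaintext) from an RFC 5425 octet-counted frame carrying an RFC 5424 message. The names `classify` and `frame`, the host `epo.example.test` and both sample inputs are constructed for illustration.

```python
import re

# TLS record content types (first byte of every TLS record).
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
FRAME_RE = re.compile(rb"([1-9][0-9]*) ")    # RFC 5425 framing: MSG-LEN SP SYSLOG-MSG
RFC5424_RE = re.compile(rb"<\d{1,3}>1 ")     # RFC 5424 header: <PRI> followed by VERSION 1


def frame(msg: bytes) -> bytes:
    """Apply RFC 5425 octet-counting to one syslog message."""
    return str(len(msg)).encode("ascii") + b" " + msg


def classify(data: bytes) -> dict:
    """Classify the first bytes a syslog listener read from a TCP connection."""
    # TLS record header: type (1 byte), version (2 bytes, major is 3), length (2 bytes).
    if len(data) >= 5 and data[0] in TLS_CONTENT and data[1] == 3 and data[2] <= 4:
        out = {"kind": "tls-record", "content_type": TLS_CONTENT[data[0]],
               # Record-layer version only; not the version the peers negotiate.
               "record_version": f"{data[1]}.{data[2]}",
               "length": int.from_bytes(data[3:5], "big")}
        if data[0] == 22 and len(data) > 5 and data[5] == 1:
            out["handshake_type"] = "client_hello"
        return out
    m = FRAME_RE.match(data)
    if m:
        declared = int(m.group(1))
        body = data[m.end():m.end() + declared]
        return {"kind": "rfc5425-frame", "declared": declared,
                "complete": len(body) == declared,
                "rfc5424": bool(RFC5424_RE.match(body))}
    if RFC5424_RE.match(data):
        return {"kind": "rfc5424-unframed"}
    return {"kind": "unknown"}


# Constructed sample inputs (not captured from any real ePO or Kiwi system).
SAMPLE_TLS = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03") + bytes(32)
SAMPLE_MSG = b"<14>1 2024-01-01T00:00:00Z epo.example.test EPOEvents - - - constructed test event"

if __name__ == "__main__":
    for name, raw in [("tls", SAMPLE_TLS), ("framed", frame(SAMPLE_MSG)), ("unframed", SAMPLE_MSG)]:
        print(name, classify(raw))
```

A `tls-record` result on bytes the receiver displayed as message text means the listener treated the connection as plaintext; an `rfc5425-frame` result with `rfc5424` set is what a correctly terminated TLS syslog session should hand to the parser.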

 
