cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 1 of 16
‎09-28-2021 07:36 AM

log forwarding

Jump to solution
I have a requirement to send logs to our SIEM (RSA NetWitness). . After setting up a REGISTERED SYSLOG server, I am currently seeing the following on my SIEM: . Windows Security Logs Windows Event Logs . We are not seeing other McAfee-related events. . I followed the steps in the guide, but there is one section that seems unclear to me . I will upload a screen cap - for your review . the documentation states the following: . After you register the syslog server, (which has been completed successfully) you can set McAfee ePO to send events to your syslog server (what are the steps to set McAfee ePO to send events?) . Please advise on next steps
0 Kudos
Reply
1 Solution

Accepted Solutions
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 16 of 16
‎10-05-2021 01:37 PM

Re: log forwarding

Jump to solution

Ok, can you stop apache and eventparser on epo, rename the eventparser and server log, then start them up.  Give everything a few min to ensure events are coming in, then upload the new logs to the SR.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

0 Kudos
Reply
15 Replies
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 16
‎09-28-2021 12:42 PM

Re: log forwarding

Jump to solution

In event filtering under server settings, you have to choose the event ID's you want sent to the syslog server - choose send to syslog and database so that if syslog fails for any reason, you still have them in epo.  You also need to ensure the syslog meets all the tls requirements.  See KB91194.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 3 of 16
‎10-01-2021 06:27 AM

Re: log forwarding

Jump to solution

no - same situation

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 16
‎10-04-2021 06:05 AM

Re: log forwarding

Jump to solution

To see the windows event logs, you must be using the siem collector on the clients.  EPO never receives windows events from clients, only what the point products and agents generate.

When you registered the syslog server in epo, does the test connection succeed, fail, or show 3 dots?

Have you enabled the events to be forwarded to syslog in the server settings, event filtering?

What does eventparser log show in relation to the syslog - any errors sending events to syslog?  That is located in epo install directory under db\logs.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 5 of 16
‎10-04-2021 02:13 PM

Re: log forwarding

Jump to solution

registering the syslog server in epo, does the test connection succeed, fail, or show 3 dots? - SUCCEEDS

.

Have you enabled the events to be forwarded to syslog in the server settings, event filtering?

-when setting up the Registered Syslog Server, the checkbox for ENABLE EVENT FORWARDING is checked - yes

What does eventparser log show in relation to the syslog - any errors sending events to syslog?  That is located in epo install directory under db\logs.

-Event Parser (EVNTPRSR) shows the following:
reload syslog forwarder event received

Syslog received new syslog list signal

Loading syslog receiver list

Found 10.x.x.x:6514

Loaded 1 receivers

Succeeded <UpdateEvents>, C:\PROGRA~\McAfee\EPOLIC~1\DB\Events\NNNN-NNNN-NNNN-NNNN-mc-20211104xxxx.txml

0 Kudos
Reply
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 6 of 16
‎10-04-2021 02:14 PM

Re: log forwarding

Jump to solution

There is also the following entries:

Succeeded <EPOEvent>, C:\PROGRA, etc, etc, etc

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 16
‎10-04-2021 02:16 PM

Re: log forwarding

Jump to solution

So there are no errors in eventparser regarding the syslog server?  

In server settings, event filtering, do you have the event id's checked that you want to see events for for send to both?  

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 8 of 16
‎10-04-2021 02:37 PM

Re: log forwarding

Jump to solution
So there are no errors in eventparser regarding the syslog server? - CORRECT - no errors

In server settings, event filtering, do you have the event id's checked that you want to see events for for send to both? - YES we have dozens of events checked - and it is set to "STORE IN BOTH"
.
FYI - we have the same exact EVENTS selected - for both the US (existing) and EU (newly setup) SIEM
.
according to my colleagues - they say we are getting "everything" on the US SIEM, but only windows events and windows logs - from the EU
.
they are asking us to troubleshoot why there are no ePO events, etc showing up.
0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 16
‎10-04-2021 02:42 PM

Re: log forwarding

Jump to solution

Please open a ticket then with McAfee.  If you run a query in epo for threat events in last day or 2, are there any?

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
jaklsdjfalsdfj
Level 7
Report Inappropriate Content
Message 10 of 16
‎10-04-2021 02:49 PM

Re: log forwarding

Jump to solution
In the Threat Event Log - I see the following entries - from today
.
Event ID - 1119
event description - The update failed, see event log (lots of these)
.
Event ID - 1095
event description - Access Protection rule violation detected (a couple of these)
.
1464 items total
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC