Former Member
Message 1 of 9

syslog-ng receiver script and configuration

Hi, I'm not that experienced with syslog. I'm looking for a script that can work with syslog-ng to start collecting logs from McAfee ePO on port 514. I already looked at https://kc.mcafee.com/corporate/index?page=content&id=KB87927.

8 Replies
cdinet
McAfee Employee
Message 2 of 9

Re: syslog-ng receiver script and configuration

I am not sure what you mean by script, as a script should not be necessary.  You register the syslog server with epo, make sure it communicates successfully and enable event forwarding for desired events to syslog in server settings, event filtering.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

cdinet
McAfee Employee
Message 3 of 9

Re: syslog-ng receiver script and configuration

ePO then sends just the raw event data to the syslog server.


Former Member
Message 4 of 9

Re: syslog-ng receiver script and configuration

Thank you for the response. I'm looking for instructions to set up syslog on CentOS 7 to receive logs, similar to what's on https://kc.mcafee.com/corporate/index?page=content&id=KB87927 in section C.
cdinet
McAfee Employee
Message 5 of 9

Re: syslog-ng receiver script and configuration

We don't provide specific syslog setup instructions, only the example kb and https://kc.mcafee.com/agent/index?page=content&id=KB91194 for syslog encryption requirements.


Former Member
Message 6 of 9

Re: syslog-ng receiver script and configuration

Okay, thank you. I'm completely stuck here, as the instructions on the link are not complete. Right now this is what I have in the conf file. I tried establishing the connection and it failed.

    # Logstash TCP input acting as the TLS syslog receiver for ePO on port 6514.
    # The tcp block has to sit inside an input section; the cert and key point
    # at the files created for the receiver (KB87927, step B).
    input {
      tcp {
        mode => "server"
        host => "0.0.0.0"
        port => 6514
        ssl_enable => true
        ssl_verify => false
        ssl_cert => "/opt/bitnami/logstash/ssl/mykey-remote.crt"
        ssl_key => "/opt/bitnami/logstash/ssl/mykey-remote.key"
      }
    }
cdinet
McAfee Employee
Message 7 of 9

Re: syslog-ng receiver script and configuration

I am not sure what you are seeing as incomplete - this has complete instructions for a sample syslog.  You may need to refer to your specific syslog server documentation.

https://kc.mcafee.com/corporate/index?page=content&id=KB87927


Former Member
Message 8 of 9

Re: syslog-ng receiver script and configuration

Which certification is needed and where can I get it?
cdinet
McAfee Employee
Message 9 of 9

Re: syslog-ng receiver script and configuration

Certification meaning certificate? Per the KB:

B) Create a self-signed certificate:

To use a syslog receiver with ePO, it is required to use TCP and TLS. For this article, we create and use a self-signed certificate.

  1. Run the following commands:

    sudo mkdir /opt/bitnami/logstash/ssl
    cd /opt/bitnami/logstash/ssl
    sudo openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout logstash-remote.key -out logstash-remote.crt
  2. When prompted, enter the details for the certificate. Set the common name to the fully qualified domain name (FQDN) of the VM.
  3. To change the permissions on the key file and allow logstash to read it, type the following command:

    sudo chmod 644 logstash-remote.key

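As an added example (shell script; not from the KB and not written by anyone in this thread): the script below performs the KB's step B non-interactively, setting the common name from an argument instead of the prompt, and then checks the result before ePO is pointed at the receiver. The output directory, the FQDN syslog.example.test and the presence of the openssl CLI are assumptions; probe_listener is meant to be run from another host once the receiver is up.

```shell
#!/bin/sh
# Added example, not taken from the KB or this thread. Assumes the openssl CLI
# is installed. DIR and FQDN are hypothetical values supplied by the caller.

# make_selfsigned_cert DIR FQDN
# Same "openssl req -x509" step as the KB, but the common name (and a matching
# subjectAltName) come from the argument instead of an interactive prompt.
make_selfsigned_cert() {
  dir=$1
  fqdn=$2
  mkdir -p "$dir"
  openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$dir/logstash-remote.key" -out "$dir/logstash-remote.crt" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
  # The KB uses 644; 640 plus group ownership by the receiver's service account
  # keeps the private key readable by logstash only, not by every local user.
  chmod 640 "$dir/logstash-remote.key"
}

# check_cert DIR FQDN
# Returns 0 when the certificate is fit for an ePO syslog receiver: CN equals
# the FQDN ePO will connect to, not expired, the private key matches the
# certificate, and the key file grants no access to "other".
check_cert() {
  dir=$1
  fqdn=$2
  crt="$dir/logstash-remote.crt"
  key="$dir/logstash-remote.key"

  openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
    | grep -q "CN=$fqdn\$" || { echo "CN does not match $fqdn"; return 1; }

  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }

  # Compare the public key embedded in the cert with the one derived from the key.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | cksum)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | cksum)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }

  # Last octal digit is the "other" permission set; anything but 0 is too open.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case $mode in
    *0) ;;
    *) echo "private key mode $mode is accessible to other users"; return 1 ;;
  esac
  return 0
}

# probe_listener HOST PORT
# After the receiver is started, confirm the TLS handshake from another host
# the way ePO will see it, and print the subject and validity it presents.
probe_listener() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Typical use on the receiver host:
#   make_selfsigned_cert /opt/bitnami/logstash/ssl syslog.example.test
#   check_cert /opt/bitnami/logstash/ssl syslog.example.test
```

The CN check mirrors step 2 of the KB (common name set to the VM's FQDN); the permission check is deliberately stricter than the KB's chmod 644 and will flag a world-readable key, so either keep the key at 640 with the logstash group owning it or relax that test if you follow the KB literally.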
