smacklay
Level 7

Insufficient Log Info from ePO to SIEM


Hi,

We have integrated ePO with SIEM (QRadar). The logs are being forwarded successfully but we don't get all required fields such as OS version, OS Type, System Tree Sorting etc.

Is there a way to choose the required fields which need to be forwarded?

The log forwarding is done through SQL.


Accepted Solutions
tao
Level 13

Re: Insufficient Log Info from ePO to SIEM


Old post; may still be relevant:

"These logs are indeed stored in the MS SQL DB used by ePO, but your data will only be as good as what QRadar CHOOSES to grab from the SQL DB. They are not grabbing the audit data that you are looking for because it lives in a different table. Most SIEM vendors grab the data from the most obvious table in ePO, which is the 'threat events' table, which is what you are seeing. If you want to see audit entries you will have to ask QRadar to improve their parser and pull that data as well..."

You may also consider taking a look at the syslog feature within ePO version 5.3.2 and higher: McAfee Corporate KB - How to set up an example Syslog server for use with ePolicy Orchestrator KB879...
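
As an added illustration of the point above (this is example code written for this page, not something posted in the thread, and not QRadar's or McAfee's own poller query): the fields the original poster is missing are not in the threat-events table at all. OS type and version are computer properties, and the System Tree position is a branch-node hierarchy, so a SQL-based collector has to join those tables itself. The query below shows one way to do that in T-SQL. The table and column names (dbo.EPOEvents, dbo.EPOLeafNode, dbo.EPOComputerProperties, dbo.EPOBranchNode, dbo.EPOAuditLog and their columns) are the ePO schema as this editor understands it and are an assumption here; confirm them against your own ePO database (for example with sys.columns) before deploying. The @LastPolledUTC high-water mark and the siem_reader login are placeholders.

```sql
-- Added example for this page; table and column names are assumed and must be
-- verified against the live ePO database before use.

-- Placeholder: the SIEM keeps the timestamp of the last event it pulled and
-- passes it in on the next poll so rows are not re-read.
DECLARE @LastPolledUTC datetime2 = '2000-01-01T00:00:00';

-- Least privilege for the collector: a dedicated login that can only read the
-- tables it needs, never the whole ePO database. Run once as an admin.
-- CREATE LOGIN siem_reader WITH PASSWORD = '<strong password>';
-- CREATE USER  siem_reader FOR LOGIN siem_reader;
-- GRANT SELECT ON dbo.EPOEvents             TO siem_reader;
-- GRANT SELECT ON dbo.EPOLeafNode           TO siem_reader;
-- GRANT SELECT ON dbo.EPOComputerProperties TO siem_reader;
-- GRANT SELECT ON dbo.EPOBranchNode         TO siem_reader;
-- GRANT SELECT ON dbo.EPOAuditLog           TO siem_reader;

-- 1. Threat events enriched with OS properties and the System Tree path.
WITH tree AS (
    -- Anchor: branch nodes whose parent does not exist are the root(s).
    SELECT b.AutoID, b.ParentID,
           CAST(b.NodeName AS nvarchar(1024)) AS TreePath
    FROM dbo.EPOBranchNode b
    WHERE NOT EXISTS (SELECT 1 FROM dbo.EPOBranchNode p WHERE p.AutoID = b.ParentID)
    UNION ALL
    -- Recursive step: append each child group to its parent's path.
    SELECT b.AutoID, b.ParentID,
           CAST(t.TreePath + N'\' + b.NodeName AS nvarchar(1024))
    FROM dbo.EPOBranchNode b
    JOIN tree t ON b.ParentID = t.AutoID
)
SELECT
    e.ThreatEventID,
    e.ReceivedUTC,
    e.DetectedUTC,
    e.AgentGUID,
    e.TargetHostName,
    e.TargetIPV4,
    e.ThreatName,
    e.ThreatSeverity,
    e.ThreatCategory,
    ln.NodeName                   AS SystemName,
    cp.OSType,                               -- e.g. Windows, Linux (assumed column)
    cp.OSVersion,                            -- e.g. 10.0 (assumed column)
    cp.OSServicePackVer,
    t.TreePath                    AS SystemTreePath   -- "My Organization\Site\Group"
FROM dbo.EPOEvents e
LEFT JOIN dbo.EPOLeafNode ln
       ON ln.AgentGUID = e.AgentGUID        -- event -> managed system
LEFT JOIN dbo.EPOComputerProperties cp
       ON cp.ParentID = ln.AutoID           -- system -> its properties
LEFT JOIN tree t
       ON t.AutoID = ln.ParentID            -- system -> its System Tree group
WHERE e.ReceivedUTC > @LastPolledUTC
ORDER BY e.ReceivedUTC
OPTION (MAXRECURSION 100);                  -- System Tree depth is small

-- 2. Audit entries live in their own table, so they need a second poll;
--    a collector that reads only EPOEvents will never see them.
SELECT
    a.AutoID,
    a.StartTime,
    a.EndTime,
    a.UserName,
    a.CmdName,        -- the console action that was audited
    a.Success,
    a.Message
FROM dbo.EPOAuditLog a
WHERE a.StartTime > @LastPolledUTC
ORDER BY a.StartTime;
```

Two practical notes. The LEFT JOINs are deliberate: an event from an agent that has since been deleted from the System Tree still has to reach the SIEM, just with NULL property fields, rather than silently disappearing. And if the SIEM vendor's connector cannot be pointed at a custom query, the same result can usually be reached by creating a view in the ePO database from the first SELECT and having the connector read the view; either way, the syslog route mentioned above avoids the direct database dependency altogether.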

4 Replies
catdaddy
Level 20

Re: Insufficient Log Info from ePO to SIEM


Successfully moved from Support Forums to ePolicy Orchestrator (ePO) > Discussions

For better assistance and better exposure.

Cliff
McAfee Volunteer
smacklay
Level 7

Re: Insufficient Log Info from ePO to SIEM


Thank you

catdaddy
Level 20

Re: Insufficient Log Info from ePO to SIEM


You are quite welcome. Hopefully you will hear feedback soon.

Cliff
McAfee Volunteer