Log forwarding configuration from ePO

Hi, I could not find any related article so I am wondering:
* How can I change the log format forwarded to the SYSLOG server? Currently I have configured log forwarding to the QRadar SYSLOG server via TLS. However, logs are being sent in XML format. Is there any way to change them to JSON or CEF format?
* How can I choose which events/logs to send to the SYSLOG server?
Thank you in advance.
7 Replies
McAfee Employee

Re: Log forwarding configuration from ePO


Yes, they will be sent in xml format and I don't believe that can be changed at this time.  You can follow KB60021 to request that feature.

As far as what events are sent, you can go to event filtering and enable syslog forwarding for specific events.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Log forwarding configuration from ePO

Hi cdinet,

Thank you for your response.

What is the difference between "Store in ePO" and "Store in SIEM"? Currently I have "Store in both" selected and all "ticked" events are forwarded to IBM QRadar that I have set as SYSLOG server on ePO.

I have also tried to switch to "Store in ePO" only and I still receive alerts on QRadar. Is this an expected behaviour? Shouldn't it treat QRadar as SIEM? Or does it treat McAfee SIEM as SIEM only? 🙂

McAfee Employee

Re: Log forwarding configuration from ePO

Those settings only apply if you have a registered syslog server in epo that is forwarding events.  It does not apply if you are pulling the data directly from the database.  That last option, by the way, is not recommended, as it can introduce deadlocks and performance issues.

How exactly is your QRadar set up?


Re: Log forwarding configuration from ePO

This is exactly what I have done.

Previously I was pulling data directly from the databases, which wasn't a very convenient way. Now I have the possibility to push data directly to QRadar from ePO. I have configured the SYSLOG server through Registered Servers via port 6514.

I played a bit more switching between "Store in ePO", "Store in SIEM" and both, and it seems it is working more or less. The only strange behaviour I observe is that if I switch to "Store in ePO" only, events continue to be sent to QRadar for another hour. Then they stop.

When I switch back to "Store in both" and try to generate some of the events, I can see that some events are missing in QRadar; however, I can see those events in the ePO DB. I will play a bit more with this and try to identify any pattern of issues.

Your comments and recommendations will be really appreciated.

McAfee Employee

Re: Log forwarding configuration from ePO

Per the product guide for epo, this is what those options mean:

To store the selected events in individually selected servers:
• Click Store in ePO — Store event in the McAfee ePO database.
• Click Store in SIEM — Store event in SIEM database.
• Click Store in both — Store event in McAfee ePO and SIEM databases.

The events that are missing from QRadar, are they event IDs that are selected to be stored in SIEM? Are they specific events/products/types that are missing? Does the eventparser log show any errors sending to the syslog server? Does the QRadar or syslog server show any errors?

Re: Log forwarding configuration from ePO

Hi,

Apologies for the delayed response.

Yes, event IDs are "ticked" and set to be sent to both the database and SIEM. I have been testing with an EICAR text file where McAfee detects an infection on the endpoint, ePO gets an event and writes it to the database. However, QRadar doesn't receive it.

Regarding the eventparser logs: yes, some errors are being logged, like:

20191024085220 E #04864 POBLLEXT EPOBllExt.cpp(480): COM Error 0x80040E31, source=Microsoft SQL Server Native Client 11.0, desc=Query timeout expired, msg=IDispatch error #3121

And then an "Event" file is created in the Event folder, but after a moment it disappears and in the eventparser log I can see a Success record. There are no "stuck" event files in the Event folder, so I assume those are getting processed.

Also, there are many more events missing in QRadar than I can see errors in the eventparser log.

Anyway, thank you for your help. I have raised a ticket with support and uploaded a MER to get it investigated further.
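The check cdinet asked for (does the eventparser log show errors sending to the syslog server?) can be scripted against the log shown above. The following is an added example, not McAfee code: it assumes only the record layout visible in the one quoted line (timestamp, single-letter level, #thread, component, message); the other sample lines, the error buckets and the substrings used to sort records into them are constructed for the example.

```python
"""Triage an ePO eventparser log for forwarding failures.

Added example (not McAfee code). The record layout is inferred from the one
line quoted in the thread:
    <YYYYMMDDHHMMSS> <level> #<thread> <component> <message>
Everything else here, including the sample lines, is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. Line 2 is the record quoted in the thread; the rest
# are made up to show the surrounding records a practitioner would look for.
SAMPLE_LOG = """\
20191024085210 I #04864 POBLLEXT Processing event file
20191024085220 E #04864 POBLLEXT EPOBllExt.cpp(480): COM Error 0x80040E31, source=Microsoft SQL Server Native Client 11.0, desc=Query timeout expired, msg=IDispatch error #3121
20191024085221 I #04864 POBLLEXT Event processed: Success
20191024085230 E #04870 POBLLEXT Failed to send event to syslog server 10.0.0.5:6514: connection timed out
20191024085231 I #04870 POBLLEXT Event processed: Success
20191024085240 E #04875 POBLLEXT EPOBllExt.cpp(480): COM Error 0x80040E31, source=Microsoft SQL Server Native Client 11.0, desc=Query timeout expired, msg=IDispatch error #3121
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Split one eventparser record into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y%m%d%H%M%S")
    return rec


def classify(rec):
    """Bucket a record. The substrings are heuristics chosen for this example."""
    if rec["level"] != "E":
        return "ok"
    msg = rec["msg"]
    if "0x80040E31" in msg or "Query timeout expired" in msg:
        return "sql-timeout"      # the DB-side error quoted in the thread
    if "syslog" in msg.lower():
        return "syslog-send"      # a forwarding-side error, the kind cdinet asked about
    return "other-error"


def triage(text):
    """Return (counts, pending).

    counts  - records per bucket, plus "recovered": errors that were followed
              by a Success record on the same thread (what the poster observed).
    pending - thread id -> last error record with no Success after it; these
              are the events most likely to be missing downstream.
    """
    counts = Counter()
    pending = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        bucket = classify(rec)
        counts[bucket] += 1
        if bucket != "ok":
            pending[rec["thread"]] = rec
        elif "Success" in rec["msg"] and rec["thread"] in pending:
            counts["recovered"] += 1
            del pending[rec["thread"]]
    return counts, pending


if __name__ == "__main__":
    counts, pending = triage(SAMPLE_LOG)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:12} {n}")
    for thread, rec in pending.items():
        print(f"thread {thread}: unrecovered error at {rec['ts']:%H:%M:%S}: {rec['msg'][:60]}")
```

Run it against the real eventparser log instead of SAMPLE_LOG. A large "sql-timeout" count with "recovered" close behind matches what the poster saw (error, then Success); "syslog-send" errors, or a "pending" list that is not empty, point at the forwarding path rather than the database, and a clean log with events still missing in QRadar is the situation the thread eventually traced to the network.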

 

Accepted Solution

Re: Log forwarding configuration from ePO

Hi,

Sorry for not updating or closing this discussion.

I was able to solve the problem. We are running on a microsegmented network with zero tolerance, so a number of firewalls were missing from Agent Handlers to QRadar.

As we have a number of isolated environments, McAfee AH, ePO and endpoints are spread between all of them. So if you are configuring event forwarding to a SIEM (like QRadar), make sure you have all firewalls opened between ePO, AH and SIEM 🙂

Good luck and thank you for all your suggestions

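The root cause above, a firewall gap between some Agent Handlers and the SIEM, is easy to confirm before raising a ticket: every ePO server and Agent Handler that forwards events must be able to complete a TLS handshake with the registered syslog server. The script below is an added example, not McAfee or IBM code. It assumes TCP port 6514 as used in the thread and a TLS listener on the SIEM side; the hostname is a placeholder, and the status names and their ordering are choices made for this example.

```python
"""Check the forwarding path from an ePO server or Agent Handler to the SIEM's
TLS syslog listener. Added example, not McAfee or IBM code. Assumes TCP/6514
as in the thread; the hostname is a placeholder. Run it on every ePO server
and Agent Handler, since each one forwards events itself."""
import socket
import ssl

SIEM_HOST = "qradar.example.net"   # placeholder: the registered syslog server
SIEM_PORT = 6514                   # port used in the thread


def classify_failure(exc):
    """Translate a connection error into the answer a firewall change needs."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-cert"        # TCP open, TLS answered, certificate not trusted here
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"   # TCP open but not a TLS listener, or protocol mismatch
    if isinstance(exc, ConnectionRefusedError):
        return "refused"         # host reached; port closed or a firewall REJECT rule
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"         # silent drop: the missing firewall rule from the thread
    if isinstance(exc, socket.gaierror):
        return "dns"             # name does not resolve from this segment
    return "error"


def probe(host, port=SIEM_PORT, timeout=5.0, cafile=None):
    """TCP connect plus TLS handshake; no syslog data is sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"host": host, "port": port, "status": "ok", "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                result["detail"] = f"{tls.version()} peer CN={subject.get('commonName', '?')}"
    except Exception as exc:   # classify rather than raise: one bad path must not stop the sweep
        result["status"] = classify_failure(exc)
        result["detail"] = str(exc)
    return result


def blocked_paths(results):
    """Return the probes a firewall or PKI change has to fix, worst first."""
    severity = {"timeout": 0, "dns": 1, "refused": 2, "tls-handshake": 3, "tls-cert": 4, "error": 5}
    bad = [r for r in results if r["status"] != "ok"]
    return sorted(bad, key=lambda r: severity.get(r["status"], 9))


if __name__ == "__main__":
    import platform
    result = probe(SIEM_HOST)
    print(f"{platform.node()} -> {SIEM_HOST}:{SIEM_PORT}: {result['status']} {result['detail']}")
```

A "timeout" from one handler and "ok" from another is exactly the pattern in this thread: events from endpoints served by the blocked handler never reach the SIEM while ePO still stores them. "refused" means the packet arrived and was rejected (closed port or a REJECT rule), and the two TLS statuses mean the network path is fine and the problem is the listener or certificate trust on the ePO side.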