ccastbr, Level 9 (Message 1 of 10)

ePO Events to Syslog to ArcSight - Messages not readable

We have ePO 5.10.0. We have used the ArcSight SmartConnector to ArcSight Logger on previous servers; however, we are now investigating publishing events to syslog. The syslog server forwards events to the ArcSight Logger.

Our syslog server has been registered and the connection test is successful. Messages from the ePO are seen in the ArcSight Logger; however, they are not parsed. They do not appear the same way we would see the events that had been sent to a receiver by the SmartConnector.

Is there anything additional that is needed? What about certificates from the syslog system or ePO certs on the syslog system? Is there a way to specify CEF format at the ePO?

9 Replies
cdinet, McAfee Employee (Message 2 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

No, we don't support CEF format at this time. The syslog server must support TLS 1.2 in order to get the events properly. KB87927 describes how to set up a sample syslog server; you might want to review it to see if there is something not set right.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

ccastbr, Level 9 (Message 3 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

The KB you reference does not mention ePO 5.10.0; however, I read that as 5.9 or higher. The ePO side of this setup is straightforward, with very little to adjust. I have a successful connection when I hit the test button on the ePO setup. On the ArcSight Logger we see a message that the connection was tested. I suspect that our logs are not decrypted.

Our syslog server is set up to receive logs from all Linux computers, and I was attempting to also send our ePO logs to it. I do not want to disrupt the collection of the Linux system logs. Next week I can try to set up a second syslog server just for the ePO.

The main reason I am trying the syslog route is that we were told that the ePO SmartConnector for ArcSight is no longer supported. We have used that connector in the past to go directly to the ArcSight Logger. We are not required to roll up to another server, although in the future we may need to.

If syslog reporting will work, it saves the complication of adding the SmartConnector to our database, but I can't disrupt what is already running on our syslog server.

Is the ArcSight SmartConnector still usable and up to date with all of the McAfee products?

x-aga, McAfee Employee (Message 4 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

Can you share the sample of events not readable received in ArcSight, please?

ccastbr, Level 9 (Message 5 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

I do not have access to the logger.  I will try to get a sample.

cdinet, McAfee Employee (Message 6 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

Non-readable data typically means the SSL connection is not working properly. You can check the eventparser logs for any errors related to the syslog server.

ccastbr, Level 9 (Message 7 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

Thank you. I suspected that encryption was not working; however, it is unclear how to establish the SSL connection with the syslog server. Registering the server is very easy. The Test Connection shows success.

What is cloudy is what certificates are required. Where are they installed? How does the syslog server trust the ePO, or vice versa? This is likely a problem on the syslog server side, and the owner of the syslog server may need to help me, or I may need to help him help me.

Our syslog server accepts logs from all RHEL systems and then forwards them through an ArcSight connector to the ArcSight Logger. I was hoping to join on to that same server, if possible.

ccastbr, Level 9 (Message 8 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

After some inspection of our syslog server, I believe it is not syslog-ng. Without disturbing the current connection of RHEL systems, I think I need to be directing my questions to a RHEL forum. I am curious if I can add an additional receiver on the RHEL syslog server for port 6514 using SSL.
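The additional receiver the post above asks about, as an added example for this thread (not McAfee KB content, and not the asker's configuration): a TLS-only rsyslog listener on 6514 kept apart from whatever the RHEL hosts already use. It assumes rsyslog 8 with the rsyslog-gnutls package; the file name, certificate paths, host names and log path are assumptions.

```conf
# /etc/rsyslog.d/60-epo-tls.conf   (file name, paths and host names are assumptions)
# A separate TLS-only listener on 6514 for ePO. Needs the rsyslog-gnutls package.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/syslog01.example.com.crt"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/syslog01.example.com.key"
)

# StreamDriver.Mode="1" means TLS only; plaintext on this port is refused.
# AuthMode="anon" encrypts but does not authenticate the sender. To pin ePO,
# use StreamDriver.AuthMode="x509/name" with PermittedPeer="epo01.example.com".
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="anon")
input(type="imtcp" port="6514" ruleset="epo")

# Keep the ePO feed in its own file, written in RFC 5424 form, so the ArcSight
# connector can read it separately from the RHEL host logs.
ruleset(name="epo") {
  action(type="omfile" file="/var/log/epo/events.log"
         template="RSYSLOG_SyslogProtocol23Format")
}
```

Check the syntax with `rsyslogd -N1` before restarting, then confirm the handshake from any client with `openssl s_client -connect syslog01.example.com:6514 -tls1_2` before pressing Test Connection in ePO. Two caveats: the StreamDriver settings on `module(load="imtcp")` apply to every imtcp input in that rsyslog instance, so if the RHEL hosts already arrive over plain TCP through imtcp, move that plaintext listener to imptcp (which is plaintext-only) or run the ePO listener in a second rsyslog instance; and with `anon` the server accepts any TLS client on 6514, so restrict the port at the firewall to the ePO server until certificate authentication is in place.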

cdinet, McAfee Employee (Message 9 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

That may just be the way to go. Let us know how it comes out.

ccastbr, Level 9 (Message 10 of 10)

Re: ePO Events to Syslog to ArcSight - Messages not readable

Everyone is back at work today, and I have to refine my problem statement now that I have an ArcSight person to help me. The messages are readable; however, they are not parsed at the ArcSight Logger.

We do use the ArcSight syslog-ng connector, and it is set up to accept TLS connections.

The ePO messages appear un-parsed in the "Name" field.

When we enable RFC 5424, the message is parsed better; however, not quite the same fields and information as with the ePO DB connector. It does not look like it was completely parsed as it would be with epo_db.

Looking at a message in the Logger that has been captured with RFC 5424 enabled, we see the parser selected by the Logger is "arcsight:10:120".

The RHEL systems are not using RFC 5425, so we will add a second syslog-ng connector and a different port for the ePO; however, I am disappointed that we cannot search the data the same way. I am not convinced the messages are parsed correctly.
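The behaviour described in the last post, a record that lands whole in one field until the receiver is switched to RFC 5424, can be reproduced offline. The following is an added example for this thread (not McAfee, ArcSight or rsyslog code): a small RFC 5424 parser that honours the structured-data escapes, the same record through a BSD-only (RFC 3164) parse, and the octet-counting frame split that RFC 5425 requires over TLS. The sample records, host names and the ePO XML body are constructed; ePO's real payload schema is not shown on this page, and 32473 is the RFC 5612 documentation enterprise number.

```python
"""RFC 5424 parsing versus a BSD (RFC 3164) parse of the same forwarded record.
Added example for this thread, not McAfee, ArcSight or rsyslog code. The samples
are constructed; the ePO payload is an illustrative XML body, not the real schema."""
import re
from typing import Dict, List, Tuple

# RFC 5424: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
                       r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
# RFC 3164: PRI "Mmm dd hh:mm:ss" SP HOSTNAME SP then a free-form MSG
BSD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<hostname>\S+) (?P<message>.*)$", re.DOTALL)

def parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], int]:
    """Parse STRUCTURED-DATA at the start of text -> (elements, chars consumed).
    Honours the RFC 5424 escapes \\" \\] \\\\ inside PARAM-VALUE."""
    if text.startswith("-"):                         # NILVALUE: no structured data
        return {}, 1
    elements: Dict[str, Dict[str, str]] = {}
    i, n = 0, len(text)
    while i < n and text[i] == "[":
        j = i + 1
        while j < n and text[j] not in " ]":
            j += 1
        sd_id, params, i = text[i + 1:j], {}, j
        while i < n and text[i] == " ":              # zero or more SD-PARAMs
            eq = text.index("=", i)
            if text[eq + 1:eq + 2] != '"':
                raise ValueError("PARAM-VALUE must be quoted")
            name, i, buf = text[i + 1:eq], eq + 2, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n and text[i + 1] in '"\\]':
                    i += 1                           # drop the escape character
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated PARAM-VALUE")
            params[name], i = "".join(buf), i + 1    # step over the closing quote
        if i >= n or text[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        elements[sd_id], i = params, i + 1
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or SD-ELEMENTs")
    return elements, i

def parse_rfc5424(line: str) -> Dict[str, object]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 record")
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}  # "-" = NILVALUE
    rest = line[m.end():]
    rec["sd"], used = parse_structured_data(rest)
    rec["message"] = rest[used + 1:] if rest[used:used + 1] == " " else rest[used:]
    rec["facility"], rec["severity"] = int(m["pri"]) >> 3, int(m["pri"]) & 7
    return rec

def parse_bsd(line: str) -> Dict[str, object]:
    """A receiver that only knows RFC 3164: when the BSD header does not match,
    everything after PRI lands in the message (the un-parsed "Name" field)."""
    m = BSD_RE.match(line) or re.match(r"^<(?P<pri>\d{1,3})>(?P<message>.*)$", line, re.DOTALL)
    if not m:
        raise ValueError("no PRI")
    rec: Dict[str, object] = dict(m.groupdict())
    rec["facility"], rec["severity"] = int(m["pri"]) >> 3, int(m["pri"]) & 7
    return rec

def split_frames(data: bytes) -> List[str]:
    """Split a TCP/TLS stream into records: octet counting ("LEN SP MSG", RFC 6587,
    which RFC 5425 requires for syslog over TLS) per frame, else newline-delimited."""
    frames, i = [], 0
    while i < len(data):
        m = re.match(rb"(\d+) ", data[i:i + 12])
        if m:                                        # octet-counted frame
            start = i + m.end()
            end = i = start + int(m.group(1))
        else:                                        # newline-delimited frame
            start, end = i, data.find(b"\n", i)
            end = len(data) if end < 0 else end
            i = end + 1
        if end > start:                              # skip empty lines between frames
            frames.append(data[start:end].decode("utf-8"))
    return frames

# Constructed samples: an ePO-style RFC 5424 record (illustrative XML body) and a
# BSD record from a RHEL host; STREAM carries the first octet-counted, as over a
# 6514 TLS listener, followed by the second newline-delimited.
EPO_EVENT = ('<14>1 2020-04-20T15:04:05.123Z epo01.example.com EPOEvents - EventFwd '
             '[epo@32473 tenant="1" note="quoted \\"x\\""] '
             '<EPOEvent machine="WKS-1234" product="Endpoint Security">'
             '<Event id="1027" severity="3"/></EPOEvent>')
RHEL_EVENT = "<86>Apr 20 15:04:05 rhel01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2"
STREAM = f"{len(EPO_EVENT.encode())} {EPO_EVENT}\n{RHEL_EVENT}\n".encode()

def demo() -> Dict[str, object]:
    parsed, unparsed = parse_rfc5424(EPO_EVENT), parse_bsd(EPO_EVENT)
    return {"frames": split_frames(STREAM),
            "rfc5424_host": parsed["hostname"], "rfc5424_sd": parsed["sd"],
            "rfc5424_msg": parsed["message"],
            "bsd_host": unparsed.get("hostname"),    # None: BSD header did not match
            "bsd_msg": unparsed["message"]}          # the whole record, un-parsed
```

Running `demo()` shows the two outcomes side by side: the BSD parse has no hostname and carries `1 2020-04-20T...` through to the XML body as one opaque message, while the RFC 5424 parse yields hostname, app-name, msgid, the `epo@32473` structured-data element (with `note` unescaped to `quoted "x"`) and the XML body on its own. What a SIEM parser does beyond that, such as pulling fields out of the XML body, is product-specific, which is why switching the connector to RFC 5424 gives better but not epo_db-equivalent fields.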
