Showing results for 
Search instead for 
Did you mean: 
McAfee Employee LKS
McAfee Employee
Report Inappropriate Content
Message 11 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable

Jump to solution

You may need to adjust the table name from "OrionAuditLogMT" to "OrionAuditLog" in your Syslog server. The schema differs from previous version to latest. 


Re: ePO Events to Syslog to ArcSight - Messages not readable

Jump to solution

Everyone is back at work today,  and I have to refine my problem statement now that I have an ArcSight person to help me.   The messages are readable, however, they are not parsed at the ArcSight Logger.   

We do use the ArcSight syslog-ng connector and it is set up to accept TLS connections.

The epo messages appear un-parsed in the "Name" field. 

When we enable RFC 5424, the message is parsed better, however, not quite the same fields and information as the ePO DB connector.  It does not look like it was completed parsed as it would with epo_db.

Looking at a message in the logger that has been captured with RFC 5424 enabled, we see the parser selected by the logger is "arcsight:10:120"   

The RHEL systems are not using the RFC 5425, so we will add a second syslog-ng connector and a different port for the ePO, however, I am disappointed that we cannot search the data the same way.  I am not convinced the messages are parsed correctly.


More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community