ccastbr
Level 9
Message 1 of 12

ePO Events to Syslog to ArcSight - Messages not readable


We have ePO 5.10.0. We have used the ArcSight SmartConnector to ArcSight Logger on previous servers; however, we are now investigating publishing events to syslog. The syslog server forwards events to the ArcSight Logger.

Our syslog server has been registered and the connection test is successful. Messages from the ePO are seen in the ArcSight Logger; however, they are not parsed. They do not appear the same way as the events that were sent to a receiver by the SmartConnector.

Is there anything additional that is needed? What about certificates from the syslog system, or ePO certs on the syslog system? Is there a way to specify CEF format at the ePO?

11 Replies
cdinet McAfee Employee
Message 2 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


No, we don't support CEF format at this time. The syslog server must support TLS 1.2 in order to get the events properly. KB87927 describes how to set up a sample syslog server; you might want to review it to see if something is not set right.


ccastbr
Level 9
Message 3 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


The KB you reference does not mention ePO 5.10.0; however, I read that as 5.9 or higher. The ePO side of this setup is straightforward, with very little to adjust. I have a successful connection when I hit the Test button on the ePO setup. On the ArcSight Logger we see a message that the connection was tested. I suspect that our logs are not decrypted.

Our syslog server is set up to receive logs from all Linux computers, and I was attempting to also send our ePO logs to it. I do not want to disrupt the collection of the Linux system logs. Next week I can try to set up a second syslog server just for the ePO.

The main reason I am trying the syslog route is that we were told that the ePO SmartConnector for ArcSight is no longer supported. We have used that connector in the past to go directly to the ArcSight Logger. We are not required to roll up to another server, although in the future we may need to.

If syslog reporting will work, it saves the complication of adding the SmartConnector to our database, but I can't disrupt what is already running on our syslog server.

Is the ArcSight SmartConnector still usable and up to date with all of the McAfee products?

x-aga McAfee Employee
Message 4 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


Can you share a sample of the unreadable events received in ArcSight, please?

ccastbr
Level 9
Message 5 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


I do not have access to the logger.  I will try to get a sample.

cdinet McAfee Employee
Message 6 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


Non-readable data typically means the SSL connection is not working properly. You can check the eventparser logs for any errors related to the syslog server.

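The diagnosis in the reply above (unreadable data usually means the TLS session is not being set up) can be checked from the stored data itself. What follows is an added example for this thread, not code from McAfee, ePO or ArcSight. It assumes that a plaintext syslog listener stores whatever bytes arrive on its port, so a TLS handshake sent by ePO to a non-TLS port is written out as a "message" of garbage, and that rsyslog rewrites control bytes as `#` plus three octal digits (its default EscapeControlCharactersOnReceive behaviour). The ClientHello bytes and the syslog line are constructed samples; the host name `epo01` and the event body are made up.

```python
"""Triage for "unreadable" syslog messages: did TLS bytes land on a plaintext listener?

Added example for the McAfee Community thread, not ePO/ArcSight code.
Assumes a plaintext listener stores raw received bytes and that rsyslog escapes
control bytes as '#ooo' (octal). All sample payloads are constructed.
"""
import re
import string

# TLS record-layer content types (RFC 5246 s6.2.1, RFC 8446 s5.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# Version fields. A TLS 1.2 ClientHello normally carries record version
# 0x0301 and client_version 0x0303, so both are reported separately.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}

# RFC 3164/5424 priority field, optionally preceded by an RFC 6587 octet count.
SYSLOG_RE = re.compile(rb"^(?:(?P<octets>\d{1,5}) )?<(?P<pri>\d{1,3})>(?P<v>1 )?")
RSYSLOG_ESCAPE_RE = re.compile(r"#([0-7]{3})")
PRINTABLE = set(string.printable.encode())


def unescape_rsyslog(line: str) -> bytes:
    """Turn an rsyslog-escaped line (e.g. '#026#003#001...') back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in RSYSLOG_ESCAPE_RE.finditer(line):
        out += line[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += line[pos:].encode("latin-1")
    return bytes(out)


def parse_tls_record(data: bytes):
    """Describe a TLS record header at the start of data, or return None."""
    if len(data) < 5:
        return None
    ctype = data[0]
    version = int.from_bytes(data[1:3], "big")
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    info = {"kind": "tls", "content_type": TLS_CONTENT_TYPES[ctype],
            "record_version": TLS_VERSIONS[version],
            "length": int.from_bytes(data[3:5], "big")}
    if ctype == 0x16 and len(data) >= 11:
        # Handshake header: msg_type(1) length(3), then the Hello's version(2).
        info["handshake"] = HANDSHAKE_TYPES.get(data[5], "type %d" % data[5])
        info["hello_version"] = TLS_VERSIONS.get(
            int.from_bytes(data[9:11], "big"), "unknown")
    return info


def classify(data: bytes) -> dict:
    """Classify one received payload as TLS record, syslog message, text or binary."""
    tls = parse_tls_record(data)
    if tls:
        return tls
    m = SYSLOG_RE.match(data)
    if m:
        pri = int(m.group("pri"))
        return {"kind": "syslog", "facility": pri >> 3, "severity": pri & 7,
                "format": "rfc5424" if m.group("v") else "rfc3164",
                "framing": "octet-counting" if m.group("octets") else "non-transparent"}
    printable = sum(1 for b in data if b in PRINTABLE) / max(len(data), 1)
    return {"kind": "text" if printable > 0.9 else "binary"}


def diagnose(escaped_line: str) -> str:
    """One-line verdict for a message copied out of the syslog file or the logger."""
    verdict = classify(unescape_rsyslog(escaped_line))
    if verdict["kind"] == "tls":
        return ("TLS %s (%s) received on a plaintext listener: the sender is speaking "
                "TLS but this port is not; it needs a TLS listener, not a parser"
                % (verdict.get("handshake", verdict["content_type"]),
                   verdict.get("hello_version", verdict["record_version"])))
    if verdict["kind"] == "syslog":
        return ("plain %s syslog, facility %d severity %d: transport is fine, the "
                "remaining work is the parser on the ArcSight side"
                % (verdict["format"], verdict["facility"], verdict["severity"]))
    return "neither TLS nor syslog framing (%s)" % verdict["kind"]


# Constructed sample 1: first bytes of a TLS 1.2 ClientHello as rsyslog would store
# them after #ooo escaping (0x16 = #026 handshake, 0x0301 = record version TLS 1.0,
# then a ClientHello carrying client_version 0x0303).
ESCAPED_CLIENTHELLO = "#026#003#001#000#245#001#000#000#241#003#003Xy"
# Constructed sample 2: an RFC 5424 message; host name and body are made up.
SAMPLE_SYSLOG = b"<14>1 2019-11-21T10:52:06Z epo01 EPOEvents - - - constructed event body"

if __name__ == "__main__":
    for sample in (ESCAPED_CLIENTHELLO, SAMPLE_SYSLOG.decode()):
        print(diagnose(sample))
```

If the stored "message" decodes to a TLS record, the port ePO was pointed at is a plaintext listener and no ArcSight parser will ever make sense of it; if it decodes to a normal `<PRI>` syslog line, the transport is working and only the parsing on the ArcSight side remains. `openssl s_client -connect <syslog host>:6514` from any machine tells you the same thing from the outside: either the port completes a TLS handshake or it does not.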

ccastbr
Level 9
Message 7 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


Thank you. I suspected that encryption was not working; however, it is unclear how to establish the SSL connection with the syslog server. Registering the server is very easy. The Test Connection shows success.

What is cloudy is what certificates are required. Where are they installed? How does the syslog server trust the ePO, or vice versa? This is likely a problem on the syslog server side, and the owner of the syslog server may need to help me, or I may need to help him help me.

Our syslog server accepts logs from all RHEL systems and then forwards them through an ArcSight connector to the ArcSight Logger. I was hoping to join on to that same server, if possible.

 

ccastbr
Level 9
Message 8 of 12

Re: ePO Events to Syslog to ArcSight - Messages not readable


After some inspection of our syslog server, I believe it is not syslog-ng. Without disturbing the current connection of RHEL systems, I think I need to direct my questions to a RHEL forum. I am curious whether I can add an additional receiver on the RHEL syslog server for port 6514 using SSL.

cdinet McAfee Employee
Message 9 of 12 (accepted solution)

Re: ePO Events to Syslog to ArcSight - Messages not readable


That may just be the way to go. Let us know how it comes out.

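For the receiver that message 8 asks about (a second listener on the existing RHEL syslog server, port 6514 with TLS, without touching what the RHEL hosts already send), the following rsyslog drop-in is an added example for this thread; it is not from McAfee, from KB87927, or from the original poster. It assumes the RHEL box runs rsyslog with the rsyslog-gnutls package installed, that the certificate paths under /etc/pki/rsyslog and the file name 10-epo-tls.conf are placeholders you will replace, and that the existing plaintext RHEL collection arrives over imudp or imptcp rather than imtcp (see the caveat after the block). Whether ePO validates the syslog server's certificate is not covered in this thread; the server-side TLS settings below are what the server needs regardless.

```conf
# /etc/rsyslog.d/10-epo-tls.conf   (hypothetical file name; added example)
# TLS listener on 6514 for ePO events, with its own ruleset so the rules
# for the RHEL hosts are never touched.

# Certificate material for the GnuTLS stream driver. The paths are
# assumptions: the CA that issued the server certificate, and the server's
# own certificate and private key (the key must be readable only by rsyslog).
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/syslog-server.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/syslog-server.key"
)

# imtcp with TLS. streamDriver.mode="1" means TLS only: a plaintext client
# on this listener is rejected rather than silently accepted, which is the
# mirror image of the failure in this thread (TLS bytes on a plaintext port).
# authMode="anon" makes the server present its certificate without demanding
# one from ePO. These module-level settings apply to every imtcp listener
# in this rsyslogd, so load imtcp only here.
module(load="imtcp"
       streamDriver.name="gtls"
       streamDriver.mode="1"
       streamDriver.authMode="anon")

# Dedicated ruleset: ePO events go to their own file for the ArcSight
# connector to pick up, and "stop" keeps them out of the default rules.
ruleset(name="epo_tls") {
  action(type="omfile" file="/var/log/epo/events.log")
  stop
}

input(type="imtcp" port="6514" ruleset="epo_tls")
```

Validate the merged configuration with `rsyslogd -N1` before restarting, then confirm from another host with `openssl s_client -connect <syslog host>:6514` that the port completes a TLS handshake; only then point the ePO registered syslog server at it and re-run the ePO Test Connection. The caveat: if the RHEL hosts already deliver to an imtcp listener on 514, the module-level TLS settings above would apply to that listener as well. Either move that plaintext input to imptcp, or, on rsyslog versions whose imtcp input() accepts per-listener streamDriver.* parameters, set the TLS parameters on the 6514 input() instead of on the module.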

Re: ePO Events to Syslog to ArcSight - Messages not readable


We have a help ticket in with ArcSight to get an acceptable parser for ePO events from syslog.

We also have a help ticket in with ArcSight because the ePO SmartConnector is throwing errors:

Getting invalid object OrionAuditLogMT

[2019-11-21 10:52:06,520][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][processQuery()]
com.microsoft.sqlserver.jdbc.SQLServerException: Invalid object name 'OrionAuditLogMT'.

So messages are successfully sent via syslog. The alternative was to use the SmartConnector (7.13.0.8178.0); however, we are still having issues with both paths.
