
ePO Server Log Location/ Log Forwarding


Hello,

I am running on McAfee ePO 4.6.4. I am trying to forward all of my logs to QRadar, which is serving as my event manager. Per the QRadar instruction I have set up a JDBC pull of the ePO logs as well as an SNMP push by McAfee ePO. I am seeing logs from my agents; for example: "Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder".

The issue I am having is that I don't seem to be receiving the logs contained in the ePO Audit Log. So I am not seeing user logins, admin logins, failed logins etc. I see these events in the ePO Audit Log (found by navigating to Menu | User Management | Audit Log).

Are these logs being stored in another place? Is there a way to forward them through ePO itself?

If not, I can forward them using a product like Adaptive Log Exporter (ALE), but I would need to have a file location with a log file to forward.

1 Solution

Accepted Solutions
djjava9
Level 11
Message 2 of 4

Re: ePO Server Log Location/ Log Forwarding


These logs are indeed stored in the MS SQL DB used by ePO, but your data will only be as good as what QRadar CHOOSES to grab from the SQL DB. They are not grabbing the audit data that you are looking for because it lives in a different table. Most SIEM vendors grab the data from the most obvious table in ePO, which is the 'threat events' table, which is what you are seeing. If you want to see audit entries you will have to ask QRadar to improve their parser and pull that data as well. Alternatively you could use a different SIEM like McAfee's ESM, which does have an accurate parser to grab that audit log data ;-)

[Attachment: Capture.PNG]
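The answer above explains that the audit entries live in a separate table of the ePO SQL database, so a SIEM only sees them if its pull actually queries that table. The following is an added example (not code from the thread, QRadar or McAfee) of what such a pull looks like: an incremental query keyed on an auto-increment ID so each audit row is forwarded exactly once, the rows rendered as flat key=value lines that a file-based forwarder such as the ALE mentioned by the original poster could read, and a simple failed-logon count over the pulled rows. The table name OrionAuditLog, its column names and the command name `core.logon` are assumptions modelled on ePO's audit table and must be checked against the real schema; the database is an in-memory SQLite copy with constructed rows, so it runs offline.

```python
"""
Incremental pull of ePO-style audit-log rows into a flat log file.

Added example, not from the original thread or from McAfee/QRadar.
Table and column names are ASSUMPTIONS modelled on ePO's OrionAuditLog;
verify them against the real ePO database before use.
"""
import sqlite3

# Assumed table layout (column names are assumptions for this example).
SCHEMA = """
CREATE TABLE OrionAuditLog (
    AutoID    INTEGER PRIMARY KEY,
    UserName  TEXT,
    Priority  INTEGER,
    CmdName   TEXT,
    Message   TEXT,
    Success   INTEGER,
    StartTime TEXT
)
"""

# Constructed sample rows, not real ePO data. "core.logon" is an assumed command name.
SAMPLE_ROWS = [
    (1, "admin",  1, "core.logon",  "Logged on",            1, "2013-01-10 08:00:01"),
    (2, "jsmith", 2, "core.logon",  "Failed logon attempt", 0, "2013-01-10 08:05:17"),
    (3, "jsmith", 2, "core.logon",  "Failed logon attempt", 0, "2013-01-10 08:05:42"),
    (4, "admin",  1, "core.logoff", "Logged off",           1, "2013-01-10 09:30:00"),
]


def build_sample_db():
    """Create an in-memory SQLite stand-in for the ePO audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO OrionAuditLog VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_new_audit_rows(conn, last_id, batch=500):
    """Return rows with AutoID greater than the stored watermark, oldest first."""
    cur = conn.execute(
        "SELECT AutoID, UserName, Priority, CmdName, Message, Success, StartTime "
        "FROM OrionAuditLog WHERE AutoID > ? ORDER BY AutoID LIMIT ?",
        (last_id, batch),
    )
    return cur.fetchall()


def format_event(row):
    """Render one audit row as a single key=value log line for a file forwarder."""
    auto_id, user, prio, cmd, msg, success, start = row
    outcome = "success" if success else "failure"
    # The free-text message is quoted so spaces do not break a key=value parser.
    return (f"ts={start} src=ePO_AuditLog id={auto_id} user={user} "
            f"cmd={cmd} outcome={outcome} priority={prio} msg=\"{msg}\"")


def poll_once(conn, last_id):
    """One polling cycle: return (formatted lines, new watermark)."""
    rows = fetch_new_audit_rows(conn, last_id)
    lines = [format_event(r) for r in rows]
    new_last_id = rows[-1][0] if rows else last_id
    return lines, new_last_id


def failed_logon_counts(rows):
    """Count failed logon rows per user (Success == 0 and CmdName == 'core.logon')."""
    counts = {}
    for _, user, _, cmd, _, success, _ in rows:
        if cmd == "core.logon" and not success:
            counts[user] = counts.get(user, 0) + 1
    return counts


def append_to_file(path, lines):
    """Append forwarded lines to the file a log forwarder watches."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")


if __name__ == "__main__":
    db = build_sample_db()
    out, watermark = poll_once(db, 0)       # first poll: everything
    print("\n".join(out))
    print("watermark:", watermark)
    print("failed logons:", failed_logon_counts(fetch_new_audit_rows(db, 0)))
    again, watermark = poll_once(db, watermark)  # second poll: nothing new
    print("second poll returned", len(again), "rows")
```

In a real deployment the watermark would be persisted between runs (a small state file is enough) so a restart of the collector neither re-sends nor skips audit rows, and the query would run against the ePO SQL Server instance over JDBC or ODBC rather than SQLite.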

3 Replies

Re: ePO Server Log Location/ Log Forwarding


So that clears up why the JDBC pull is not working. Is there a way to push this information, similar to creating an automatic response resulting in an SNMP trap being sent? Or is this functionality not available?

Thanks

djjava9
Level 11
Message 4 of 4

Re: ePO Server Log Location/ Log Forwarding


Off the top of my head, I don't think we expose the audit log via SNMP.