2 Replies Latest reply on May 16, 2017 4:52 PM by sssyyy

    Reading EVTX files with SIEM collector (Need Help)

    paul.k

      Ladies and Gents,

      I have been trying to get McAfee SIEM collector to read an EVTX file that is an aggregate of all of my endpoint logs being collected on a Win 2012 server.

      The agent sees the file, makes one pull and then stops, with the DEBUG file saying there are no new events to be written.

      I monitored the plugins folder and I see the file being copied over and compared.

      I also can force a log pull by just deleting the bookmark file.

       

      I opened a support case to be told that the agent only looks at the file name to determine if there is new data in the file.

      I HAVE TO CALL BS on that one!!!

       

      Sample config

       

      Specs:

      ESM 9.6.1

      Agent: 11 latest build

       

      Has anyone gotten around this glitch?

       

      If you used a third-party agent, which one did you use? I don't mind using a CEF converter, or even SNARE.

       

      Thank you and regards