2 Replies Latest reply on May 16, 2017 4:52 PM by sssyyy

    Reading EVTX files with SIEM collector (Need Help)


      Ladies and Gents,


      I have been trying to get McAfee SIEM collector to read an EVTX file that is an aggregate of all of my end point logs being collected on a Win 2012 server.


      The agent sees the file, makes one pull and then stops, with the DEBUG file saying there are no new events to be written.

      I monitored the plugins folder and I see the file being copied over and compared.

      I also can force a log pull by just deleting the bookmark file.


      I opened a support case to be told that the agent only looks at the file name to determine if there is new data in the file.

      I HAVE TO CALL BS on that one!!!


      Sample config



      ESM 9.6.1

      Agent: 11 latest build


      Has anyone gotten around this glitch?


      If you used a 3rd party agent, which one did you use? I don't mind using CEF converter, or even SNARE.


      Thank You and Regards
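The behaviour the poster expects from the collector is an incremental pull driven by the file's contents, not its name. The following is an added illustration (not McAfee's collector code, and not an EVTX parser) of how a bookmark-based reader decides whether a file has new data: it records inode and byte offset in a bookmark file, reads only the tail on the next pass, and rewinds when the file is replaced or truncated. The log lines and the `demo()` walk-through are constructed for this example.

```python
"""Offset-based bookmark for incremental log collection (illustrative, not McAfee code)."""
import json
import os
import tempfile


def load_bookmark(bookmark_path):
    """Read {inode, offset} from the bookmark; an absent or corrupt bookmark means 'start over'.

    This is also why deleting the bookmark file forces a full re-pull.
    """
    try:
        with open(bookmark_path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
        return int(data["inode"]), int(data["offset"])
    except (OSError, ValueError, KeyError, TypeError):
        return None, 0


def save_bookmark(bookmark_path, inode, offset):
    """Persist the position atomically so a crash mid-write cannot leave a half-written bookmark."""
    tmp = bookmark_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({"inode": inode, "offset": offset}, fh)
    os.replace(tmp, bookmark_path)


def read_new_records(log_path, bookmark_path):
    """Return the complete lines appended since the last call.

    New data is detected from the file's inode and size, never from its name:
    - same inode and size > bookmarked offset  -> read only the tail
    - different inode (rotated/replaced) or size < offset (truncated) -> rewind to 0
    - size equal to the bookmarked offset -> nothing to do
    """
    st = os.stat(log_path)
    saved_inode, offset = load_bookmark(bookmark_path)
    if saved_inode != st.st_ino or st.st_size < offset:
        offset = 0  # new file or truncated file: start from the beginning
    if st.st_size == offset:
        return []
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    # Only consume whole lines; a partial trailing line is left for the next pass.
    last_nl = chunk.rfind(b"\n")
    if last_nl < 0:
        return []
    consumed = chunk[: last_nl + 1]
    save_bookmark(bookmark_path, st.st_ino, offset + len(consumed))
    return [line.decode("utf-8", "replace") for line in consumed.splitlines()]


def demo():
    """Constructed walk-through on a temp file; returns the records seen on each pass."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "events.log")
    bm = os.path.join(d, "events.bookmark")
    results = []
    with open(log, "w", encoding="utf-8") as fh:
        fh.write("4624 logon\n4625 failed logon\n")   # constructed sample records
    results.append(read_new_records(log, bm))          # first pull: both records
    results.append(read_new_records(log, bm))          # same name, same size: nothing new
    with open(log, "a", encoding="utf-8") as fh:
        fh.write("4688 process created\n")
    results.append(read_new_records(log, bm))          # only the appended record
    with open(log, "w", encoding="utf-8") as fh:
        fh.write("restart\n")                          # file truncated and rewritten
    results.append(read_new_records(log, bm))          # bookmark rewinds to offset 0
    return results


if __name__ == "__main__":
    for i, batch in enumerate(demo(), 1):
        print(f"pass {i}: {batch}")
```

A real EVTX reader would bookmark by event record identifier inside the file's chunks rather than by byte offset, but the decision logic is the same: compare the file's current state with the saved position, and never assume an unchanged file name means unchanged content.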