The MEF / NPP is an encrypted TCP/IP connection which is made to the McAfee Agent. We have agents for Linux and also for Windows. The Agent collects events and then they are transmitted to the collector using that protocol. We do provide information for customers to utilize the protocol so an external program can insert events into the Receiver's database. One example is an output plug-in for Barnyard using Snort's unified (fast) output.
If you check the online help for “McAfee Event Format” and “NPP Example Code” you will see some detailed information that will enable you to understand the API in detail.
According to the information you gave, MEF or NPP in this context refers only to the protocol used. They didn't tell us what agent or piece of software is required. I understand that we do have Windows & Linux agents. But that doesn't cover all data sources in the data sheet. For a mainframe, for example, we may need to use a 3rd party agent or develop one ourselves. The document just told us the MEF (NPP) protocol can be used here. In my opinion, these are not "out of the box support" data sources because there is nothing we can use right away.
Am I correct? Am I missing something? Or is there any piece of software provided to support those data sources out of the box, such as the "z/OS, z/vm" I gave above as an example?
Anyway, I'll take a look at example code and API. Thank you very much.
I have updated my previous post with a correction. My apologies for the previous incorrect information.
We do support IBM and other mainframes but that requires third-party agent software. My understanding is that the MEAS agent is a more mature product. Some more information is listed below:
DG Technology MEAS
Authorized Load Libraries
RMF Performance Data
Batch Job and Started Tasks
Top Secret, Type 80
5.x, 6.x ASP - Syslog
Cross Platform Audit
All Enforcive Agent
Anyway, MEF or NPP in that document still refers only to the protocol part. IMHO, it would cause confusion.
Especially when someone wants to sell Nitro but finds later that those aren't supported out-of-the-box and need 3rd party software agents.
Should we have a clearer document where we can mention the appropriate 3rd party software agents if those are needed?
Is there any other data source for which we also need a 3rd party software agent?
As far as I know, Mainframe is the one and only one for which we need a 3rd party. Not sure though about those SCADA ones. If you know about others, could you share with the rest of us?
One more thing, do we have a plan to produce or release an official solution solely provided by McAfee?
Customers may think about who should buy that software and who should maintain it. Without a local support team it might make things a bit (or A LOT !?) harder. Especially for banking customers who got their mainframe running.
You are correct that the document could be clearer. I have asked PM if they can update that external facing document with some better information so 3rd party agents are clearly stated.
I am not aware of any official solution that McAfee would be providing to replace the integrations with those 3rd party agents but I will also check with PM and let you know if they have some plans for that.