I am trying to configure SQL 2005/2008 with McAfee Receiver as a Data Source. I went through the steps as mentioned under Help Contents, but unfortunately the configuration steps are outdated and not relevant either to 2005 or to 2008.
My main requirement here is to configure the SQL DBs with SIEM (Receiver), and to start with I am looking only at the authentication and the admin activity events from both SQL 2005 & 2008. With respect to SQL 2008 I was able to find the configuration on the Microsoft site, and after enabling the auditing on SQL 2008 (in this case the SQL events are getting logged under Windows Application Logs and the Data Source on the Receiver has been configured as Windows --> WMI Event Log) I started receiving the failed login events, but I am unable to receive the Login Success events from the database even though I can see these events being logged under Windows Application Event Logs. The DB guy also tried to create and delete a table to generate certain events, but unfortunately even these aren't being shown on the Event Summary Dashboard, although I can see the event log being generated under Windows Application Log. I couldn't find anything helpful for SQL 2005, as I have worked only occasionally on the database side.
Has anyone integrated/configured SQL with McAfee Receiver? Kindly share the steps.
I am struggling with this as well. I have a ticket open with support. Seems they are saying to have SQL push the events into the application log. I am looking at the Windows agent now to see if that will be the solution for SQL and IIS logs.
The procedure that you have mentioned works well with SQL 2008, where it's easy to push the SQL logs, but the same procedure doesn't work for SQL 2005. With regards to IIS you can use the Windows agent, or you can configure it using FTP as the data retrieval option.
Please keep me posted on the ticket progress as that might be helpful for my scenario as well.
Not having much luck with the McAfee Windows event collector. The agent is set up and sending (packet capture shows the Receiver is getting them), but nothing shows up in ESM. I have tried several variations of data source properties, but nada. Not sure if Vendor should be MS or McAfee. I have a ticket open, but they only respond about every other day.
Have you installed the Windows agent on the same machine as your SQL database? If not, then you can try one more combination: try to create two data sources, one for the Windows Agent and another one for SQL.
In my opinion the vendor should be Microsoft in both cases.
The steps below will help you.
I have tried this with Microsoft Threat Management Gateway (TMG) as a data source.
Find the steps below to enable the same, so that we can get the logs from Microsoft TMG to McAfee ESM - SIEM.
Accessing Microsoft Forefront TMG's Log Files (SQL Express)
If you need to analyse and report on Microsoft Forefront Threat Management Gateway log files, the most common stumbling block is enabling access to the default SQL Express databases that contain the firewall and web proxy log files. The log databases are stored in an SQL Express instance named MSFW.
Enable TCP access to the MSFW instance
Enabling TCP/IP on the MSFW instance
Set the listening port on the MSFW instance
Once TCP/IP is enabled on the MSFW instance, you need to set it to listen on port 1433.
Setting the port on the MSFW instance
Change the listening port on the ISARS instance
The ISARS SQL instance also listens on port 1433, and this can cause connection issues. Change this instance to use port 1434:
Changing the port on the ISARS instance
For the above changes to take effect, you need to restart the SQL Server (ISARS) and then the SQL Server (MSFW) services, in that order.
Test the connection from the McAfee ESM - SIEM machine
You should now be able to connect to the MSFW databases from a remote computer. To test the connection, we recommend that you telnet to port 1433 (or whatever port you assigned) from the McAfee ESM - SIEM SSH session, preferably via PuTTY. As long as you are logged into Windows with a user account that is a local administrator on the TMG server, you should be able to connect without issue.
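The port changes and service restarts described in the steps above, as an added PowerShell example that is not part of the original post. It assumes it is run elevated on the TMG host, that the instances are named MSFW and ISARS as in the post, and that the standard SQL Server registry layout (SuperSocketNetLib\Tcp\IPAll) is present.

```powershell
# Added example (not from the original post): give the MSFW and ISARS SQL Express
# instances fixed TCP ports, restart them in the order the post gives (ISARS first,
# then MSFW), and verify the MSFW listener.
# Assumptions: run elevated on the TMG host; instance names MSFW and ISARS.

$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Set-SqlInstanceTcpPort {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][int]$Port
    )
    # "Instance Names\SQL" maps the instance name to its registry instance ID
    # (for example MSSQL10.MSFW); all per-instance settings live under that ID.
    $instanceId = (Get-ItemProperty "$root\Instance Names\SQL").$Instance
    if (-not $instanceId) { throw "SQL instance '$Instance' not found" }

    $tcp = "$root\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    # Enable the TCP/IP protocol for this instance
    Set-ItemProperty -Path $tcp -Name Enabled -Value 1 -Type DWord
    # Static port on all addresses; clearing TcpDynamicPorts stops dynamic assignment
    Set-ItemProperty -Path "$tcp\IPAll" -Name TcpPort -Value "$Port" -Type String
    Set-ItemProperty -Path "$tcp\IPAll" -Name TcpDynamicPorts -Value '' -Type String
}

# ISARS moves off 1433 so it no longer collides with MSFW
Set-SqlInstanceTcpPort -Instance 'ISARS' -Port 1434
Set-SqlInstanceTcpPort -Instance 'MSFW'  -Port 1433

# Restart order from the post: SQL Server (ISARS) first, then SQL Server (MSFW)
foreach ($svc in 'MSSQL$ISARS', 'MSSQL$MSFW') {
    Restart-Service -Name $svc -Force
}

# Confirm MSFW now answers on 1433 (same check as the telnet test in the post)
Test-NetConnection -ComputerName localhost -Port 1433 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Test-NetConnection needs Windows 8 / Server 2012 or later; on older TMG hosts use the telnet check from the post instead.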
Were you able to add a SQL server as a data source? I've placed several security logs into a SQL database and want to pull them now as a single data source. Unfortunately, there is no generic SQL parser setup. I do not want to use the agent. Since some of the out-of-the-box parsers do a SQL pull, shouldn't it be possible to leverage one and tweak the rules accordingly?