7 Replies Latest reply on Aug 19, 2013 11:06 AM by haroot

    SQL Event Configuration Utility


      Hi there,


      Do you have any idea how can I use 'McAfee Event Collector Manager Utility' in order to send events collected from a database's table?


      I created a database with a table, mapped some columns between table and ESM with 'Sql Event Configuration Utility', configured 'McAfee Event Collector Manager Utility'; as Data Source I selected Syslog and as data retrieval MEF.

      McAfee ESM receives events from the Collector Manager but they are not parsed.


      Thank you.



        • 1. Re: SQL Event Configuration Utility

          From my understanding you would need to create your own parsing rules for events received using the SQL Event Configuration Utility.  This is because the format would change from table to table and EMS won't know the order that the events would come in.


          I have not configure this feature yet so I not 100% certain, so take this with a grain of salt.





          • 2. Re: SQL Event Configuration Utility



            thank you. I found the way in order to collecting data. "Message" column is the name of the rule message and Data Retrieval and Format must be MEF.

            1 of 1 people found this helpful
            • 3. Re: SQL Event Configuration Utility

              Umberto - you can use MEF and then Message column as the event type or - SYSLOG and create own parsers.




              • 4. Re: SQL Event Configuration Utility



                      Better way is to create a view from the tables you want to collect data and map the field accordingly to ESM fields. To work minimum "message" field of ESM needs to be mapped, a .xml configuration file need to be created for the view and called in windows agent and it should be MEF format. We are collecting logs from custom applications using this method (Remeber McAfee ESM only supports one table at a time so if you want to collect from multiple table you need to create a view).





                • 5. Re: SQL Event Configuration Utility

                  If you want to pick up multiple tables, you can actually do this without a view as well. You just need to use another "configuration" under the same host in the McAfee Event Collector Management Utility. Basically, you would make a new .XML file with the SQL configuration tool, pointing to the same DB, but a different table, and then use that XML for the config in the new configuration under the same host in the McAfee Event Collector Management Utility. The only caveat with this is you need to use the Host ID instead of the IP address in the Configuration and for the data source that matches in ESM.



                  Also I use McAfee > McAfee Event Format as the data source type in ESM to utilize the Host ID.


                  Let me know if you need screenshots or anything.

                  • 6. Re: SQL Event Configuration Utility



                          Screenshots would be of great help!......





                    • 7. Re: SQL Event Configuration Utility



                      I am integrating SQL 2000 with Mcafee SIEM using McAfee Windows Agent using SQL utility.After the initial configuration I am  unable to receive the logs.After looking at the DEBUG Logs, I found the below error message



                      GetNextRecordData Failed to retrieve next record: The conversion of a char data type to a datetime data type resulted in an out-of-range datetime value. -    at GenericSQLGenerator.MSSQLDBAccess.ExecuteQuery(String query, DataTable& ds)

                         at GenericSQLGenerator.Configuration.ExecuteQuery(String p, DataTable& ds)

                         at MEFPluginDll.MEFPlugin.GetNextRecordData()



                      I  checked the time format on both the servers i.e. Agent as well as the Server and its same.


                      Has anyone faced similar issues.