9 Replies Latest reply on Nov 18, 2013 10:00 AM by jeremyfernandes

    Local Receiver - Data Source

    arfelix

      Good afternoon,

       

      I have a problem, in the Local Receiver, Data Source, does not generate any event, I configured Devices Data Source according to the information of the devices. Do not know what else to configure.

       

      Show picture.

       

              1) Sending a picture where I show how I configured the Data Source. If there are any mistakes please tell me.

              2) In the following image, I show all my devices configured in Local Receiver. None generates events.

       


       

      Message was edited by: arfelix on 6/08/13 15:56:35 CDT
        • 1. Re: Local Receiver - Data Source
          cllapole

          Sorry for the basic question, but did you actually configure the Cisco device itself to send the logs?  For any type of syslog data source, you actually have to go to that product itself and configure a push from that device to your receiver.  What model Cisco device is it exactly?  Maybe something along the lines of the instructions found here...

          http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b83d04.shtml

           

          Chris

          1 of 1 people found this helpful
          • 2. Re: Local Receiver - Data Source
            jeremyfernandes

            "arfelix" after you check with "Chris LaPole's" suggestion you can check whether the logs are coming via the tcpdump command.

             

            Log into ESM via SSH.

             

            Run the below command

             

            tcpdump -nni eth0 src 10.5.0.240

             

            If you have multiple interfaces, change the interface (eth0, eth1, etc.)

             

            Thanks,

             

            Jeremy.

            1 of 1 people found this helpful
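The tcpdump check suggested above separates two failure cases: the device is not sending syslog at all, or the packets reach the receiver but no data source picks them up. The following is an added example, not part of the original posts, that tallies senders from `tcpdump -nn` output against the IPs you configured as data sources. The function names, the receiver address 10.5.0.10, the sender addresses other than 10.5.0.240, and the sample capture lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Reads `tcpdump -nn` text on stdin and
# compares the senders of traffic to port 514 with the IPs given as arguments.
# Live use on the receiver (interface name is an assumption):
#   tcpdump -nn -c 200 -i eth0 port 514 | check_syslog_senders 10.5.0.240

check_syslog_senders() {
  awk -v expected="$*" '
    BEGIN {
      n = split(expected, e, " ")
      for (i = 1; i <= n; i++) want[e[i]] = 1
    }
    # tcpdump -nn prints: <time> IP <src>.<sport> > <dst>.<dport>: ...
    $2 == "IP" && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)
      if (dst !~ /\.514$/) next            # keep only traffic to the syslog port
      src = $3; sub(/\.[0-9]+$/, "", src)  # strip the source port
      seen[src]++
    }
    END {
      for (ip in want) {
        if (ip in seen) { printf "ARRIVING %s %d\n", ip, seen[ip] }
        else            { printf "SILENT %s\n", ip }
      }
      for (ip in seen) {
        if (!(ip in want)) { printf "UNCONFIGURED %s %d\n", ip, seen[ip] }
      }
    }' | sort
}

# Constructed capture lines; 10.5.0.10 stands in for the receiver address.
sample_capture() {
  cat <<'EOF'
15:56:35.100001 IP 10.5.0.240.51514 > 10.5.0.10.514: SYSLOG local4.info, length: 118
15:56:35.200002 IP 10.5.0.240.51514 > 10.5.0.10.514: SYSLOG local4.warning, length: 96
15:56:36.300003 IP 10.5.0.241.40001 > 10.5.0.10.514: SYSLOG user.notice, length: 140
15:56:36.400004 IP 10.5.0.240.22 > 10.5.0.10.50022: Flags [P.], seq 1:37, ack 1, win 229, length 36
15:56:37.500005 ARP, Request who-has 10.5.0.10 tell 10.5.0.1, length 46
EOF
}

# Configured data sources in this constructed run: 10.5.0.240 and 10.5.0.242.
sample_capture | check_syslog_senders 10.5.0.240 10.5.0.242
```

ARRIVING with no events in the console points at the receiver-side data source definition; SILENT points back at the device's own logging configuration.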
            • 3. Re: Local Receiver - Data Source
              arfelix

              Hi, Jeremy.

               

               

              Thanks for the reply,

              But I do not understand where the command console is. I work with virtual machines, and I cannot access Alt + F2. I have by default the root user and password w3e4r5t6, and it tells me "username or password incorrect" and I cannot access it.

               

               

              And the ESM interface McAfee, Properties> ESM Management> Maintenance> Terminal. Tcpdump command does not work.

               

              P.S. I have not tested the response of Chris Lapole. I need support staff networks.

              • 4. Re: Local Receiver - Data Source
                jeremyfernandes

                Hello Arfelix,

                 

                The root password should be the same as the NGCP user password.

                 

                The defaults usually are

                - security.4u

                - w3e4r5t6

                 

                Thanks,

                 

                Jeremy

                • 5. Re: Local Receiver - Data Source
                  arfelix

                  Hi Jeremy

                   

                  Of course, the root user, in ESM Interface (web) is NGCP, I can open this. But I can't open in the VM with the root user.

                   

                  I show you.

                   

                  Root_VM.jpg

                  Just here, in the VM I can't access.

                   

                  But, in the Interface Web I can access.

                  Interface_web.png

                  And in the  web interface, the command console tells me this.

                   

                  Command.jpg

                   

                  Thanks, for your quick replies.

                   

                  Arfelix.

                   

                  Message was edited by: arfelix on 5/09/13 9:15:01 CDT
                  • 6. Re: Local Receiver - Data Source
                    jeremyfernandes

                    Hi Arfelix,

                     

                    Try this,

                     

                    - Open the web interface

                    - Go to ESM Properties -> Users and Groups -> NGCP -> "Edit"

                    - Change the password.

                    - Putty into ESM and try the same password as above with the root user.

                     

                    The root password is set with the NGCP user's password. I just tried the same on my system and it worked.

                     

                    Thanks,

                     

                    Jeremy.

                    • 7. Re: Local Receiver - Data Source
                      arfelix

                      Hi Chris and Jeremy

                       

                      I was checking the device configuration. In Cisco devices send logs to enable IP address McAfee ESM. As Chris Lapole said.

                       

                      I log into ESM via SSH. Run the command

                       

                      tcpdump -nni eth0 src 10.5.0.240 (Other IP address) and, I can see how ESM receives syslog registered devices eg. Cisco, ESXi.

                       

                      The problem is that in the ESM interface, I do not see any events or flow of any device, can help me?

                       

                      See tcpdump information.

                      tcpdump.jpg

                      Now, see ESM interface.

                      ESM.jpg

                       

                      Rgds,

                      • 8. Re: Local Receiver - Data Source
                        uzanatta

                        Hi,

                         

                        the Mask must be 32 and not 24.

                         

                        Rgds,

                        • 9. Re: Local Receiver - Data Source
                          jeremyfernandes

                          Hi Arfelix,

                           

                          Sorry for the delay. If you're still not able to see the logs, just delete all the "Syslog" data sources you have created.

                           

                          • Then go to Receiver Properties
                          • Navigate to "Data Source"
                          • Click the "Auto-Learn" button
                          • In the window that opens, click the first "Enable" button
                          • Wait for a few minutes and then click the same button; it should say "Disable" now
                          • McAfee should be able to tell you what logs are coming into the system and whether it can identify any of them.
                          • If it is able to get logs and recognize the device you can create the datasource right there.

                           

                          Thanks,

                           

                          Jeremy.

                          1 of 1 people found this helpful