Are you sure you configured syslog on Linux to push logs to McAfee SIEM?
If you are sure you configured it, you can check whether syslog is pushing to McAfee SIEM with this command:
tcpdump -i eth0 src x.x.x.x and port 514
eth0 is the interface connected to the Linux host
x.x.x.x is the IP of the Linux host
Can you capture anything with that command?
1.) configure Apache to send logs to syslog
2.) configure syslog to send logs to your receiver
3.) tcpdump on the receiver to verify traffic over 514
My CentOS boxes are set up as follows:
In /etc/rsyslog.conf I have:
# ### end of the forwarding rule ###
With X.X.X.X as the IP of my receiver. If I SSH to my receiver and run tcpdump, I see the syslog coming. If you don't see it, then you need to troubleshoot that first.
Then in the ESM, I have the datasource set to Linux (ASP). I have had one person in McAfee support tell me to use "UNIX OS (Solaris, Red Hat, Linux, HP-UX, IBM AIX), Generic(ASP)" and another has said that CentOS wasn't Red Hat enough and that "Linux(ASP)" worked better. Your call there I guess.
You must use Linux (ASP) for all Unix platforms; for Apache, use Apache (ASP). All non-ASP data sources are considered legacy and are deprecated.
Don't put the port 514 in the syslog file, it doesn't need it. :-)
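The three steps above (Apache to syslog, rsyslog forwarding, tcpdump on the receiver) as one added shell example; this is not code from the thread. It assumes rsyslog's legacy "@host" forwarding syntax on the sending host and uses the constructed address 192.0.2.10 in place of the posters' X.X.X.X; the functions can be sourced and called individually, and `sh script.sh demo` runs all three steps against a constructed rsyslog.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes rsyslog's legacy "@host"
# forwarding syntax on the sending Linux host and the constructed receiver
# address 192.0.2.10 standing in for the X.X.X.X of the posts above.

# Step 1: Apache directives that hand both logs to the local syslog daemon.
apache_syslog_config() {   # $1 = syslog facility, e.g. local1
  printf 'ErrorLog "syslog:%s"\n' "$1"
  printf 'CustomLog "|/usr/bin/logger -t httpd -p %s.info" combined\n' "$1"
}

# Step 2: the rsyslog forwarding rule. One @ is UDP, @@ is TCP; both default
# to port 514, so no ":514" suffix is needed in the file.
forward_rule() {   # $1 = receiver IP, $2 = udp|tcp
  case "$2" in
    tcp) printf '*.* @@%s\n' "$1" ;;
    *)   printf '*.* @%s\n' "$1" ;;
  esac
}

# Read the receiver back out of an rsyslog.conf, ignoring commented lines
# and any explicit ":port" suffix, so the result can feed the tcpdump filter.
forward_target() {   # $1 = path to rsyslog.conf
  grep -E '^[[:space:]]*[^#[:space:]].*@@?[A-Za-z0-9]' "$1" \
    | head -n 1 \
    | sed -E -e 's/.*@@?//' -e 's/[[:space:]]*$//' -e 's/:[0-9]+$//'
}

# Succeeds (exit 0) when an active forwarding rule carries an explicit port.
has_explicit_port() {   # $1 = path to rsyslog.conf
  grep -E '^[[:space:]]*[^#[:space:]].*@@?[^[:space:]]+:[0-9]+' "$1" >/dev/null
}

# Step 3: the capture filter used on the receiver, as in the thread.
tcpdump_filter() {   # $1 = sending host's IP
  printf 'src %s and port 514' "$1"
}

# Stand-alone run: write a constructed rsyslog.conf and show all three steps.
if [ "${1:-}" = "demo" ]; then
  conf=$(mktemp)
  forward_rule 192.0.2.10 udp > "$conf"
  echo '# ### end of the forwarding rule ###' >> "$conf"
  apache_syslog_config local1
  cat "$conf"
  echo "receiver: $(forward_target "$conf")"
  echo "on the receiver run: tcpdump -i eth0 $(tcpdump_filter 192.0.2.20)"
  rm -f "$conf"
fi
```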