Are you asking about the SIEM Collector Agent?
There are several reasons to use the SIEM Collector Agent over setting up a Data Source to poll for data via WMI or to collect via Syslog.
1. WMI and Syslog are not going to be encrypted; SIEM Collector Agent communication will be (I believe this to be true - still looking).
2. If someone clears a log locally, you may lose several minutes of log data; with a local SIEM Collector Agent this is not the case.
3. If you need to tail a log file (IIS, DNS, etc.), you can only do so with a SIEM Collector Agent.
4. Access: your Domain Admins may not want you to have an account that can poll all servers, including DCs, for logs, so a local agent may be used.
5. DMZ/Workgroup Servers: your System Admins may not want to use a standard account on non-domain servers, so use an Agent.
6. SIEM Collector Agent 10.0 can be managed/configured and deployed via ePO (requires .NET 3.5 to be installed on the systems you deploy to).
The SIEM Collector Agent sends data to the ERC.
OK, thanks a lot. I have a little question: if I want to get logs from SQL, do I need to use the agent, or can I just pull the log file with the Receiver? Because I think that I can only send logs from SQL to the Receiver via the agent.
There are several options under the Microsoft Data Sources for SQL, although if you want more than basic information from SQL, you probably need a DEM (Database Event Monitor) appliance.
Data Source Types for SQL:
"ACS - SQL Pull (ASP)" allows for Database Name & Instance (specify port #); not sure what events will be pulled.
"MSSQL Error Log (ASP)": syslog from SQL Server.
"MSSQL Server C2 Audit" - not sure what this is.
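The "MSSQL Server C2 Audit" data source named in the answer above refers to SQL Server's own C2 audit mode, a server-side setting that writes every security-relevant event to trace files. The T-SQL below is an added example, not code from the thread or from the SIEM vendor; it shows how that mode is enabled and verified on an instance so that there is something for such a data source to collect. It assumes you run it as a member of the sysadmin role.

```sql
-- Added example (not from the thread): enabling and verifying SQL Server's
-- C2 audit mode, the feature a "MSSQL Server C2 Audit" data source reads.
-- Assumes the caller is in the sysadmin role.

-- 'c2 audit mode' is an advanced option, so expose advanced options first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Turn on C2 auditing. The setting is stored immediately but only takes
-- effect after the SQL Server service is restarted.
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;

-- Verify: 'value' is what is configured, 'value_in_use' is what the running
-- instance is actually doing. The two differ until the restart happens.
SELECT name, value, value_in_use, description
FROM sys.configurations
WHERE name IN ('c2 audit mode', 'show advanced options');

-- After the restart, the C2 trace writes audittrace*.trc files into the
-- instance's default data directory. Find the running trace and its file;
-- is_shutdown = 1 confirms the instance will stop if the file cannot be written.
SELECT id, path, max_size, status, is_shutdown
FROM sys.traces
WHERE is_default = 0 AND path LIKE '%audittrace%';
```

Two caveats before turning this on in production: C2 audit mode deliberately shuts the instance down if the audit file cannot be written (for example, when the data volume fills), so the trace directory needs monitoring and a collector that drains it; and Microsoft has deprecated C2 audit mode in favour of Common Criteria compliance and SQL Server Audit, so check which of those your SIEM's data source types actually parse before committing to it.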
You mean I don't need to use the collector agent, am I right? Can I summarize that we will use the agent only when we can't access the device using the Receiver, such as for port or user problems? If I'm right, can I customize the agent to support more devices than it does by default?