1 2 Previous Next 10 Replies Latest reply on Jun 12, 2014 8:33 AM by Regis

    DHCP and DNS logging

    docdriza

      I am on version 9.3.2, and I am trying to have DNS and DHCP logs sent to my SIEM. I currently use the SIEM Collector agent 10 and have it distributed through ePO. Currently I have the WMI logs being sent to the SIEM. Now I would like to add DHCP and DNS. I was under the impression that I would have to essentially have three data sources added. One for WMI, DHCP, and DNS. I was able to add the DNS and WMI data sources fine. When I add the DHCP data source I get the following error.

       

      2014-03-04 14_52_27-https___ssdsrv126_Application.html.jpg

       

      I can tell you with 100% certainty that I do not have another DHCP Data source with this IP address and Host ID.

       

      On the ePO side below is a screenshot of how i have the policy configured.

       

      2014-03-04 14_52_27-https___ssdsrv126_Application.htmls.jpg

       

       

       

      Is there something I am missing?

        • 1. Re: DHCP and DNS logging
          rth67

          From my experience, you can only have 1 Data Source per IP Address. You have to use the "Host ID"

          We are using the SIEM Collector Agent to tail the IIS Logs, so if the Agent is setup to do both WMI and IIS, the WMI Data Source would contain the IP Address of the Server, but the IIS Data Source would only contain the "HostID" as configured.

          In your ePO Policy, on the first tab, make sure you have the "Generate HostID's" option checked. (Generated Host IDs will be like the pattern <hostname>-<configuration name>)

          The HostID in the Data Source should be defined as the "ServerName-HostID"

          • 2. Re: DHCP and DNS logging
            esher72

            I am using the older SIEM Agent (v 9.1.3) to pull my DHCP logs. So your mileage may vary here.

             

            I create a data source like this with the IP of the machine with the agent:

            siem_1.PNG

             

            Then I create a child data source under that for the DHCP server with the IP of the DHCP server and Host ID configured on the agent box:

            siem_2.PNG

             

            These are the matching settings from over on the machine running the agent:

            SIEM3.PNG

            You can just keep adding child data sources for each DHCP server. Use the DHCP servers' IP for each of those and make sure the Host IDs match what you set up. Hopefully that helps. I have about 20+ DHCP servers in there now and am about to build out a new agent machine to accomadate some new DHCP servers from an acquistion we just had. I will proabably go with the newest agent then. If this doesn't work for you because I am using an older version of the agent, I might have more to offer when I do that new build.

            • 3. Re: DHCP and DNS logging
              esher72

              You can probably disregard my previous post. I completely missed the part about ePO. We do not use it. The company we acquired does but we are decommisioning it. The way we leverage the agent is that I have a Windows Server 2012 machine that has the agent and acts as an aggregator for all the flat file logs we wish to feed into our SIEM. It handles all of our DHCP, DNS, and IIS logs. The way we use it might not be of much help to your situation. Sorry about that.

              • 4. Re: DHCP and DNS logging
                docdriza

                I am using the Host ID which is allowing me to successfully add a WMI and DNS datasource from the same IP address. I run into probelms when I add a third data source.

                • 5. Re: DHCP and DNS logging
                  docdriza

                  If you are using the SIEM collector vis ePO, this is a response I got from the McAfee tech.

                   

                  "We identified this as having issues, and the issues relysomewhere in the code, this will not be fixed except through a patch or upgrade. Unfortunately at this time I have not been able to reproduce the issueeither. At this time the only immediate workaround is to manually add theconfigurations after ePO deployment, or attempt to remove one of the two filetail configurations and see if the other can still rollout successfully."

                   

                  I got no response on when a new patch or upgrade will come out.

                  • 6. Re: DHCP and DNS logging
                    rashid47010

                    Hi

                     

                    I just recently upgrade our system to version 9.3.2, and I am trying to have DNS and DHCP, logs sent to my SIEM.

                    I want to collect the logs from system[WMI] and applications[from DHCP, DNS] from same machine.

                     

                    Can you please forward me the step to achieve the task

                    • 7. Re: DHCP and DNS logging
                      docdriza

                      If you are using ePO to do this, it will not work. I am working through this issue, but if you are not I cant seem to figure out how to attach the document I got from support. maybe this will help you?

                       

                      https://community.mcafee.com/thread/58734

                      https://kc.mcafee.com/corporate/index?page=content&id=KB74849&actp=search&viewlo cale=en_US&searchid=1377163705967

                      • 8. Re: DHCP and DNS logging
                        rashid47010

                        Thanks for kind reply.

                         

                        I install the McAfee agent of one of the Microsoft Exchange.

                         

                        Initially I plan to get the WMI(System) logs from that server. but there are no logs at all.

                         

                        Is there any troubleshooting steps.

                        • 9. Re: DHCP and DNS logging
                          docdriza

                          You are going to need to see if thre is a FW in the way of the system and the reciever. Because I do not have the same collector deployment, you may want to contact McAfee support. they would be able to help you more than I can. Who knows, there might be someone that reads this thread that could help you.

                          1 2 Previous Next