From my experience, you can only have 1 Data Source per IP Address. You have to use the "Host ID"
We are using the SIEM Collector Agent to tail the IIS Logs, so if the Agent is setup to do both WMI and IIS, the WMI Data Source would contain the IP Address of the Server, but the IIS Data Source would only contain the "HostID" as configured.
In your ePO Policy, on the first tab, make sure you have the "Generate HostID's" option checked. (Generated Host IDs will be like the pattern <hostname>-<configuration name>)
The HostID in the Data Source should be defined as the "ServerName-HostID"
I am using the older SIEM Agent (v 9.1.3) to pull my DHCP logs. So your mileage may vary here.
I create a data source like this with the IP of the machine with the agent:
Then I create a child data source under that for the DHCP server with the IP of the DHCP server and Host ID configured on the agent box:
These are the matching settings from over on the machine running the agent:
You can just keep adding child data sources for each DHCP server. Use the DHCP servers' IP for each of those and make sure the Host IDs match what you set up. Hopefully that helps. I have about 20+ DHCP servers in there now and am about to build out a new agent machine to accomadate some new DHCP servers from an acquistion we just had. I will proabably go with the newest agent then. If this doesn't work for you because I am using an older version of the agent, I might have more to offer when I do that new build.
You can probably disregard my previous post. I completely missed the part about ePO. We do not use it. The company we acquired does but we are decommisioning it. The way we leverage the agent is that I have a Windows Server 2012 machine that has the agent and acts as an aggregator for all the flat file logs we wish to feed into our SIEM. It handles all of our DHCP, DNS, and IIS logs. The way we use it might not be of much help to your situation. Sorry about that.
I am using the Host ID which is allowing me to successfully add a WMI and DNS datasource from the same IP address. I run into probelms when I add a third data source.
If you are using the SIEM collector vis ePO, this is a response I got from the McAfee tech.
"We identified this as having issues, and the issues relysomewhere in the code, this will not be fixed except through a patch or upgrade. Unfortunately at this time I have not been able to reproduce the issueeither. At this time the only immediate workaround is to manually add theconfigurations after ePO deployment, or attempt to remove one of the two filetail configurations and see if the other can still rollout successfully."
I got no response on when a new patch or upgrade will come out.
I just recently upgrade our system to version 9.3.2, and I am trying to have DNS and DHCP, logs sent to my SIEM.
I want to collect the logs from system[WMI] and applications[from DHCP, DNS] from same machine.
Can you please forward me the step to achieve the task
If you are using ePO to do this, it will not work. I am working through this issue, but if you are not I cant seem to figure out how to attach the document I got from support. maybe this will help you?
Thanks for kind reply.
I install the McAfee agent of one of the Microsoft Exchange.
Initially I plan to get the WMI(System) logs from that server. but there are no logs at all.
Is there any troubleshooting steps.
You are going to need to see if thre is a FW in the way of the system and the reciever. Because I do not have the same collector deployment, you may want to contact McAfee support. they would be able to help you more than I can. Who knows, there might be someone that reads this thread that could help you.