3 Replies Latest reply on Jul 15, 2014 7:20 AM by rcavey

    Integration of new log source


      Im new to the Mcafee ESM and was just looking for guidance on how to integrate Symantec Altiris as a new log source. Can anyone talk me through it, including which options i need to configure when going through the add new device set up menu in the ESM?


      Many thanks

        • 1. Re: Integration of new log source




          I used the search function in the top right corner of this site "data source list" which leads to this post --> https://community.mcafee.com/message/269166#269166 which references this --> http://www.mcafee.com/us/resources/data-sheets/ds-siem-supported-devices.pdf


          First check the supported devices document to see if Altiris is supported... Have you read the Product guide yet?  It is a very highly recommended read,  helpful for most basic things.  Instructions are in the product guide on adding a data source.


          I pasted this from the 9.3 Product guide.


          Add a data source

          Configure the settings for the data sources you need to add to the Receiver to collect data.



          For option definitions, click ? in the interface.

          1 On the system navigation tree, select the Receiver you want to add the data source to, then click

          the Properties icon  .

          2 On Receiver Properties, click Data Sources | Add.

          3 Select the vendor and the model.

          The fields you fill out depend on your selections.

          4 Fill in the information requested, then click OK.

          The data source is added to the list of data sources on the Receiver, as well as to the system

          navigation tree under the Receiver you selected.




          I hope the works because if not you'll need to submit a PER for a new parser and that is a painful and long process ( sometimes no response for weeks to months on the status )




          • 2. Re: Integration of new log source

            Hi rcavey


            I have integrated Altiris as a new asset source. I have tested the connection and the test is successful. However when I click on 'Retrieve' I get an error message back saying 'Unable to retrieve data VAER1 HTTP ERROR 500'. Any ideas why this may be?


            I am using ESM 9.3

            • 3. Re: Integration of new log source

              Never used Altiris before....  HTTP 500 is an internal server error which I would look at the Altiris logs.


              Nitro might use a very simple index/status page for the test connection and a cgi/script based URL for the real data hence why you could be getting the error.


              With that said, I would try google "Altiris 500 error" and also try and find out what URL is being called, run tcpdump on either side might help with that, and then try the URL in another browser/wget/curl.


              Also, get Symantec on the horn if you can't get to the Altiris web server/system logs.