4 Replies Latest reply on Mar 28, 2016 4:32 AM by leshe4ka

    SIEM collector for Linux 10.x  documentation?

    Regis

      Greetings,

      First, a hopefully easy one: where is the documentation on the configuration of the mcafee-siem-collector-10.x.rpm? As a hint, I'll offer that I couldn't find any under the documentation tab of the MFE SIEM Collector 10.0.2 (w/Linux Collector) download page under the product Event Receiver. Unfortunately, there I could only find release notes that speak only to the Windows version.

      Second, will the collector agent allow me to collect web server logs that are brought over to a Linux box via cron and scp periodically? E.g. Linux box A scps at intervals to several web servers remotely to bring logs to A in various directories (one directory per web server). And then the collector is configured to look for a regex of log file names in various directories, one directory per web server? Each source with a unique tag? I saw documentation for a prior version indicating that logfile tailing was the only thing supported, and what I'm trying to do really isn't logfile tailing at all; it's more "pick up new log files as they're deposited."

      These are web server logs from a Linux web server variant that doesn't have a syslog option that I'm aware of.

      Thanks for any insights on how you've managed similar logs.

        • 1. Re: SIEM collector for Linux 10.x  documentation?
          LT McGary

          I'm looking for the same information. Has anyone located the configuration documentation?

          • 2. Re: SIEM collector for Linux 10.x  documentation?
            penoffd

            Good luck with this.  I've been trying to find it for several years.  I don't think it exists anymore.

            • 3. Re: SIEM collector for Linux 10.x  documentation?
              chris_hankins

              This is a bit older, from the Linux Agent 9.1.1 days, but it's the last time I recall any specific documentation around the Linux SIEM agent. The configuration has not changed too much from what I can tell between our 10.x installs and this; hopefully it will help.

              McAfee Linux Event Collector 9.1.3 provides you with the capability to add a local agent to your system to push several types of data to the McAfee Event Receiver.

              The installer is available by calling McAfee Support at 800-937-2237.


              -------------------------

              Supported Versions

              Ubuntu 10.04  Uses mcafee-linux-event-collector_9.1.1.0-358_1004_amd64.deb
              Ubuntu 12.04  Uses mcafee-linux-event-collector_9.1.1.0-358_1204_amd64.deb
              Red Hat 5.8   Uses mcafee-linux-event-collector_9.1.1.0-358.el5.x86_64.rpm
              Red Hat 6.2   Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm
              Fedora 16     Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm
              SUSE 11       Uses mcafee-linux-event-collector_9.1.1.0-358.x86_64.rpm

              -------------------------


              Installing the Agent

              Run the installer by double-clicking the .deb or .rpm from the GUI, or from the command line using rpm -i package.rpm for rpm and dpkg -i package.deb for deb.

              The End-User License is here:

                /usr/share/doc/mcafee/EULA McAfee - Corporate-August 2010.rtf

              -------------------------


              Configuring the Agent

              To date, filetail is the only plugin "type" that is supported, but you can have as many filetail sections as you want.
              The file to be tailed must be on the local system, not a mounted file.
              The path to your conf file is below; you can change the default path of the conf file by changing the path in the init script.

                /etc/mcafee/mcafee_event_collector.conf

              bookmark_dir= Is the directory where the bookmark file is saved; it is configurable.
              debug_level= Is the level of debug output by the collector; options are error, info, warning, and debug.
              log_path= Is the directory where the log is written.
              sleep= If a file has not been modified since the agent was last shut down, on startup the agent will put the file in a watch list and check on it from time to time. If there are files in the watch list, the agent will check them every x seconds.
              inactive_sleep= If there are no files in the watch list, the agent will sleep y seconds before waking and checking for files in the watch list.

              rec_ip= Is the IP of the receiver to send events to.
              rec_port= Is the port the receiver is listening on.
              rec_encrypt= Changing this value enables or disables encryption: 0=off, 1=on.


              type= Is the plugin type. (To date, filetail is the only plugin "type" that is supported, but you can have as many filetail sections as you want.)
              subtype= Is a subtype of the plugin. (To date, big_fix is the only subtype that is supported.) BigFix logs have a date at the top of the file; with this subtype option the collector takes that date and prepends it to the beginning of each event.
              hostid= Put a value here if you would like to use a Host ID on the receiver.
              ft_dir= Directory where the plugin will look for files to tail.
              ft_filter= Filter for which file to tail, i.e. messages or log.*
              ft_delim= Delimiter for the collector to know when a new event has happened, i.e. <newline>, <space>, <tab>. Regular expressions are also supported.
              ft_delim_end_of_event= Whether the delimiter is at the beginning or the end of the event: 0=beginning, 1=end. Default is 1.
              ft_start_top= This tells us to start at the top of the file: 0=no, 1=yes.

              See the example configuration file at the bottom of this document.

              -------------------------


              Running the Agent

              Once you have completed editing the file, restart your Event Collector service with this command:

                /etc/init.d/mcafee_event_collector restart   or
                service mcafee_event_collector restart

                start and stop are also options.

                You can also run the agent manually; run /usr/bin/event_collector -h to see your options.
                To enable auto learning for the agent, run event_collector manually from the command line with the -a option.

              -------------------------


              Example configuration file with two filetail sections, one using a hostid.

              ##############
              # Collector
              ##############
              bookmark_dir=/var/lib/mcafee/bookmark
              debug_level=error
              log_path=/var/log/mcafee/event_collector.log
              sleep=5
              inactive_sleep=300

              ##############
              # Receiver
              ##############
              rec_ip=172.18.3.54
              rec_port=8081
              rec_encrypt=0

              ##############
              # Plugin
              ##############
              type=filetail
              hostid=
              ft_dir=/apps/Something/log
              ft_filter=something.log
              ft_delim=<newline>
              ft_delim_end_of_event=1
              ft_start_top=1

              # Second section; ft_delim_end_of_event is omitted, so the default (1) applies.
              type=filetail
              hostid=
              ft_dir=/apps/something/logs/
              ft_filter=someaccess.log
              ft_delim=<newline>
              ft_start_top=1

              -------------------------
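As an added example (not McAfee's code and not from anyone in this thread), here is a small Python checker that parses a conf file in the format the notes above describe and flags what I would want to see before restarting the service: keys the notes do not document (a key=value parser silently ignores a misspelled key rather than failing), rec_encrypt left at 0 so events cross the network in cleartext, an ft_delim that is not one of the three documented tokens, and an ft_dir that sits on a mount point. The embedded EXAMPLE_CONF is the example file from the post; which conditions to flag is my own choice.

```python
"""Parse and sanity-check a McAfee Linux Event Collector conf file.
Added example, not McAfee's code: key names and meanings come from the 9.1.x
notes quoted above; which conditions to flag is my own choice."""
import os
import re

# Keys the 9.1.x notes document; anything else is flagged as a probable typo.
GLOBAL_KEYS = {"bookmark_dir", "debug_level", "log_path", "sleep", "inactive_sleep",
               "rec_ip", "rec_port", "rec_encrypt"}
PLUGIN_KEYS = {"type", "subtype", "hostid", "ft_dir", "ft_filter", "ft_delim",
               "ft_delim_end_of_event", "ft_start_top"}
DELIM_TOKENS = {"<newline>", "<space>", "<tab>"}

# The example file from the post above, embedded so the check runs offline.
EXAMPLE_CONF = """\
##############
# Collector
##############
bookmark_dir=/var/lib/mcafee/bookmark
debug_level=error
log_path=/var/log/mcafee/event_collector.log
sleep=5
inactive_sleep=300

# Receiver
rec_ip=172.18.3.54
rec_port=8081
rec_encrypt=0

# Plugin
type=filetail
hostid=
ft_dir=/apps/Something/log
ft_filter=something.log
ft_delim=<newline>
ft_delim_end_of_event=1
ft_start_top=1

type=filetail
hostid=
ft_dir=/apps/something/logs/
ft_filter=someaccess.log
ft_delim=<newline>
ft_start_top=1
"""


def parse_conf(text):
    """Return (global_settings, plugin_sections); every 'type=' line opens a new section."""
    settings, sections, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, raw))
        key, value = key.strip(), value.strip()
        if key == "type":
            current = {"type": value}
            sections.append(current)
        elif current is None:
            settings[key] = value
        else:
            current[key] = value
    return settings, sections


def check_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    settings, sections = parse_conf(text)
    findings = ["unknown global key %r" % k for k in sorted(set(settings) - GLOBAL_KEYS)]
    if settings.get("rec_encrypt") != "1":
        findings.append("rec_encrypt=%s: events go to the receiver in cleartext"
                        % settings.get("rec_encrypt", "<unset>"))
    if not sections:
        findings.append("no 'type=' section, so nothing will be tailed")
    for n, sec in enumerate(sections, 1):
        findings += ["section %d: unknown key %r" % (n, k) for k in sorted(set(sec) - PLUGIN_KEYS)]
        if sec["type"] != "filetail":
            findings.append("section %d: type %r is not the documented plugin type" % (n, sec["type"]))
        if sec.get("subtype", "big_fix") != "big_fix":
            findings.append("section %d: subtype %r is not the documented subtype" % (n, sec["subtype"]))
        for key in ("ft_dir", "ft_filter", "ft_delim"):
            if not sec.get(key):
                findings.append("section %d: %s is missing or empty" % (n, key))
        delim = sec.get("ft_delim") or "<newline>"  # a missing value was flagged above
        if delim not in DELIM_TOKENS:
            try:
                re.compile(delim)
                findings.append("section %d: ft_delim %r is not <newline>/<space>/<tab>; "
                                "check that a regular expression is what you meant" % (n, delim))
            except re.error as exc:
                findings.append("section %d: ft_delim %r is neither a token nor a valid regex (%s)"
                                % (n, delim, exc))
        # The notes require a local file; only checkable where the path exists on this host.
        if os.path.isdir(sec.get("ft_dir", "")) and os.path.ismount(sec["ft_dir"]):
            findings.append("section %d: ft_dir %r is a mount point" % (n, sec["ft_dir"]))
    return findings


if __name__ == "__main__":
    print("\n".join(check_conf(EXAMPLE_CONF) or ["no findings"]))
```

Run against the post's example file it reports only the cleartext transport; feed it your own conf (for instance with `check_conf(open("/etc/mcafee/mcafee_event_collector.conf").read())`) and every misspelled key shows up by name.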

              • 4. Re: SIEM collector for Linux 10.x  documentation?
                leshe4ka

                Hi.

                I think the thread is not dead yet ))

                The other day I decided to put the SIEM Collector on Red Hat Linux, in order to collect the events generated by the auditd service, which are written to /var/log/audit/audit.log.

                But I did not get the events in the ESM.


                ##############
                # Collector
                ##############
                bookmark_dir=/var/lib/mcafee/bookmark
                debug_level=debug
                log_path=/var/log/mcafee/siem_collector.log
                sleep=5
                throttle=300

                ##############
                # Receiver
                ##############
                rec_ip=192.168.xxx.xx
                rec_port=8081
                rec_encrypt=0

                ##############
                # Plugin
                ##############
                type=filetail
                subtype=big_fix
                hostid=messages
                ft_dir=/var/log/audit
                ft_filter=audit.*
                ft_delim=[newline]
                ft_delim_end_of_event=1
                ft_start_top=1


                Ping passes, iptables is off.
                On the receiver, port 8081 is open.

                Here are the Data Source settings:

                [Image: Data Source.jpg]

                What might not be configured correctly?
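Added example, not the collector's own code and not a diagnosis of the post above: a Python reimplementation of the event-splitting rules the 9.1.x notes document (ft_delim as <newline>/<space>/<tab> or a regular expression, ft_delim_end_of_event, and subtype=big_fix prepending the first-line date to every event), so that a plugin section can be dry-run against a sample of the file before the service is restarted. Two assumptions are mine: an ft_delim that is not one of the three tokens is compiled as a regular expression, and subtype=big_fix takes the whole first line as the "date at the top of the file". The sample audit.log and application-log text are constructed, not captures.

```python
"""Split a log file into events the way the 9.1.x filetail notes describe.
Added example, not McAfee's code. Assumptions (mine): a non-token ft_delim is a
regex, and subtype=big_fix takes the whole first line as the file's date."""
import re

DELIM_TOKENS = {"<newline>": "\n", "<space>": " ", "<tab>": "\t"}

# Constructed samples, not real captures. The first imitates
# /var/log/audit/audit.log; the second is a multi-line application log.
SAMPLE_AUDIT = (
    "type=SYSCALL msg=audit(1459150000.123:4001): arch=c000003e syscall=59 success=yes exit=0\n"
    "type=EXECVE msg=audit(1459150000.123:4001): argc=2 a0=\"cat\" a1=\"/etc/shadow\"\n"
    "type=USER_LOGIN msg=audit(1459150010.456:4002): pid=2000 uid=0 res=failed\n"
)
SAMPLE_APP = (
    "2016-03-28 04:32:01 ERROR handler failed\n"
    "  Traceback (most recent call last):\n"
    "    File \"app.py\", line 12, in handle\n"
    "2016-03-28 04:32:05 INFO request ok\n"
)


def split_events(text, ft_delim="<newline>", ft_delim_end_of_event=1, subtype=None):
    """Return the events a filetail section with these settings would produce."""
    if ft_delim in DELIM_TOKENS:
        rx = re.compile(re.escape(DELIM_TOKENS[ft_delim]))
    else:
        rx = re.compile(ft_delim)  # assumption: anything else is a regular expression

    header = None
    if subtype == "big_fix":
        # Notes: the date at the top of the file is prepended to every event.
        # Assumption: the whole first line is that date, whatever it contains.
        header, _, text = text.partition("\n")

    events = []
    if int(ft_delim_end_of_event) == 1:
        # Delimiter terminates an event: an event is the text before each match.
        start = 0
        for m in rx.finditer(text):
            chunk = text[start:m.start()]
            if chunk.strip():
                events.append(chunk)
            start = m.end()
        if text[start:].strip():
            events.append(text[start:])  # unterminated tail; a tailer would wait for more
    else:
        # Delimiter begins an event: an event runs from one match to the next.
        starts = [m.start() for m in rx.finditer(text)]
        if starts and text[:starts[0]].strip():
            events.append(text[:starts[0]])  # text before the first delimiter
        for i, s in enumerate(starts):
            end = starts[i + 1] if i + 1 < len(starts) else len(text)
            events.append(text[s:end])

    if header is not None:
        events = [header + " " + e for e in events]
    return events


if __name__ == "__main__":
    runs = [
        ("audit, <newline>", SAMPLE_AUDIT, {}),
        ("audit, subtype=big_fix", SAMPLE_AUDIT, {"subtype": "big_fix"}),
        ("audit, ft_delim=[newline] read as a regex", SAMPLE_AUDIT, {"ft_delim": "[newline]"}),
        ("app log, regex delimiter starting each event", SAMPLE_APP,
         {"ft_delim": r"(?m)^\d{4}-\d{2}-\d{2}", "ft_delim_end_of_event": 0}),
    ]
    for label, sample, kwargs in runs:
        events = split_events(sample, **kwargs)
        print("%s -> %d event(s)" % (label, len(events)))
        for e in events[:3]:
            print("   ", repr(e[:70]))
```

The four runs show the two things worth checking before trusting a section: with <newline> each audit record is one event, while subtype=big_fix on a file that has no date header glues the first record onto every later one; and a delimiter that is not one of the documented tokens is only useful if it is a deliberate regex, such as the date-at-start-of-line pattern with ft_delim_end_of_event=0 that keeps a stack trace together with the line that produced it.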