2 Replies Latest reply on Dec 23, 2014 11:00 PM by syvtit

    Stonesoft Log Server in DMZ and SIEM in internal network

    professor_is

      Hello everybody.

      I have one Next Generation SMC + Log Server, which is located in the DMZ, and a McAfee SIEM (Combo = ESM + local Receiver) located in the internal network.

      Task: to integrate SMC as log data source into McAfee SIEM system.

      What have been done:

      1. According to the ESM_DataSource_Config_for_NGFW.pdf document, I configured log forwarding in the Log Server (DMZ):

      [attached screenshot: SMC.png]

      2. According to the same document, I configured the data source in the SIEM (internal network):

      [attached screenshot: SIEM_Data_Source.png]


      3. The McAfee SIEM has two network interfaces, one for internal data sources and a second for the DMZ:

      [attached screenshot: 10.12.png]

      [attached screenshot: 10.11.png]

      The problem is that no data is available in the McAfee SIEM.

      After I uploaded some log data manually, I noticed that the data started to appear in the dashboards, so it can be concluded that the syslog parser works perfectly. I therefore suspect the issue is in the network part of the log data forwarding.

      The question: do I need an extra Receiver located in the DMZ to push my log data from the SMC to the SIEM?

        • 1. Re: Stonesoft Log Server in DMZ and SIEM in internal network
          thyvarin

          Hey,


          I would start by capturing traffic on both the SMC and the SIEM server to see if the SMC is sending any UDP 2055 traffic to the SIEM IP and if the SIEM is seeing that traffic come in. If you don't see any UDP 2055 traffic leaving the SMC server, something on the SMC side seems to be causing this. The first thing I would check is that, if there is FW software running (e.g. iptables on a Linux server), it is allowing the traffic, and that the SMC server has a valid route to reach the SIEM server. The Log Server trace files in the <smc_home>/tmp folder should also tell more, but if those need to be analyzed, it would be best to open a Service Request to the NGFW support team.


          Similarly, if traffic leaves the SMC and reaches the SIEM server but you don't see the logs in the SIEM, check that the SIEM server doesn't have local FW software dropping the packets. If that's not the case, you might want to open an SR for the SIEM support team.


          And for your question about an additional Receiver: I doubt that this is needed as long as there is UDP 2055 connectivity from the SMC to the SIEM. Though I'm not a SIEM expert, so I can't say for sure.


          BR,

          Tero
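The checks Tero lists (route from the Log Server, local iptables on each host, a packet capture on the forwarding port on both ends) can be scripted so they are run the same way on both sides. The script below is an added example and is not from the thread, from Stonesoft/Forcepoint or from McAfee; it assumes Linux hosts with `ip`, `iptables` and `tcpdump` available, uses hypothetical placeholder addresses, and takes the port number from Tero's reply. The `sample_capture` lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original thread: a checklist script for the
# troubleshooting steps in the reply above (route, local firewall, packet
# capture on UDP 2055). Assumes Linux hosts with ip, iptables and tcpdump.
# The addresses below are hypothetical placeholders; adjust to your setup.
SMC_IP="192.0.2.10"      # hypothetical Log Server address in the DMZ
SIEM_IP="198.51.100.20"  # hypothetical SIEM/Receiver address on the internal network
PORT=2055                # forwarding port named in the reply above

# Log Server side: does a route to the SIEM exist, and via which interface/source?
check_route() {
    ip route get "$SIEM_IP"
}

# Either side: list iptables rules that name the port explicitly.
# $1 is the chain: OUTPUT on the Log Server, INPUT on the SIEM. Empty output
# means no rule mentions the port; the chain's default policy then decides.
check_iptables() {
    iptables -S "$1" | grep -E "udp.*dports? .*\b$PORT\b" || true
}

# Both sides: capture UDP $PORT between the two hosts. Run on the Log Server
# to confirm datagrams leave, then on the SIEM to confirm they arrive.
# -nn suppresses name lookups, -c 10 stops after ten packets.
capture_forwarding() {
    tcpdump -nn -i any -c 10 "udp and host $SMC_IP and host $SIEM_IP and port $PORT"
}

# Offline helper: count datagrams from the Log Server to the SIEM on $PORT in
# tcpdump -nn text output read from stdin. Prints 0 when nothing matches.
count_forwarded() {
    grep -c "IP $SMC_IP\.[0-9]* > $SIEM_IP\.$PORT: UDP" || true
}

# Constructed sample of tcpdump -nn output (not a real capture), so the
# offline helper can be exercised without root or network access. The third
# line uses the wrong port and the fourth the wrong direction; neither counts.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.48321 > 198.51.100.20.2055: UDP, length 312
12:00:01.000500 IP 192.0.2.10.48321 > 198.51.100.20.2055: UDP, length 298
12:00:02.000001 IP 192.0.2.10.48321 > 198.51.100.20.514: UDP, length 250
12:00:02.000800 IP 198.51.100.20.40000 > 192.0.2.10.2055: UDP, length 60
EOF
}

# Stand-alone run: exercise the offline helper on the constructed sample.
echo "forwarded datagrams in sample: $(sample_capture | count_forwarded)"
```

On the Log Server, source the file and run `check_route`, `check_iptables OUTPUT` and `capture_forwarding` (as root) while the Log Server is forwarding; on the SIEM host run `check_iptables INPUT` and `capture_forwarding`. A capture saved with `tcpdump -nn ... > out.txt` can be summarised afterwards with `count_forwarded < out.txt`. If the count is non-zero on the Log Server but zero on the SIEM, the drop is somewhere on the path between the DMZ and the internal network (the NGFW policy, or the local firewall on the SIEM host) rather than in the Log Server configuration.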

          • 2. Re: Stonesoft Log Server in DMZ and SIEM in internal network
            syvtit

            Dear,

            You can try this attachment. I tried it and succeeded this way.


            BR,

            Sy Vu