4 Replies Latest reply on Jan 5, 2015 3:09 AM by vinaya_k

    Parsing WMI Events

    layer0

      Hello


      I would like to know if it is possible to customize the parsing of WMI events in SIEM?


      Thanks

        • 1. Re: Parsing WMI Events
          streamer

          Yes, it is possible and quite easy to create. All you need to know is regular expressions. Then change the type of your data source to generic syslog instead of the default parsing.

          • 2. Re: Parsing WMI Events
            vinaya_k

            Hi,


            For now we can only create parsers for syslog. WMI parsers are code-based parsers, so you need to raise a PER ticket with McAfee along with your log sample, and then in the next SIEM upgrade they will include your parsers.


            Regards,


            Vinaya

            • 3. Re: Parsing WMI Events
              streamer

              I have not tried it yet, but if you want to use a custom parser with a WMI log source then you must use McAfee SIEM Collector management instead of a WMI data source. So you can add Windows Event Log - CEF (ASP) with support for generic syslog and Data Retrieval MEF. As far as I know, the McAfee SIEM Collector Agent supports all Windows log types such as: Application, Security, System, Microsoft-Windows-???

              • 4. Re: Parsing WMI Events
                vinaya_k

                Hi Streamer,


                Yes, we can use Windows Event Log - CEF (ASP) to collect Windows events via syslog, but as Windows by default doesn't generate syslog events, you need to use a tool such as Snare to forward your Windows events via syslog. In my experience most customers opt not to use Snare as it's an open source tool. You can give it a try though.

                Regards,


                Vinaya
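
Worked example added to this thread (not from any of the posters or from McAfee): a Python regex parser of the kind the "generic syslog plus regular expression" approach in reply 1 relies on, run over constructed Windows Security events as a Snare-style forwarder might emit them over syslog. The tab-delimited field order, the host names and the sample lines are assumptions for illustration only, not Snare's or McAfee's documented schema.

```python
import re
from typing import Optional

# Constructed sample input (not real logs): two Windows Security events in an
# assumed Snare-style tab-delimited layout behind a syslog header, plus one
# unrelated syslog line that a parser must reject rather than mis-parse.
SAMPLE_LINES = [
    "<13>Jan 05 03:09:01 WIN-DC01 MSWinEventLog\t1\tSecurity\t1042\t"
    "Mon Jan 05 03:09:01 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\alice\tUser\tSuccess Audit\tWIN-DC01.corp.example\tLogon\t"
    "An account was successfully logged on.  Logon Type: 3\t512",
    "<13>Jan 05 03:09:07 WIN-DC01 MSWinEventLog\t1\tSecurity\t1043\t"
    "Mon Jan 05 03:09:07 2015\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\bob\tUser\tFailure Audit\tWIN-DC01.corp.example\tLogon\t"
    "An account failed to log on.  Logon Type: 10\t513",
    "<13>Jan 05 03:09:09 WIN-DC01 sshd[123]: not a windows event",
]

# One anchored regex: syslog PRI + timestamp + host, then the assumed Snare
# fields split on tabs. Named groups become the SIEM's custom fields.
SNARE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MSWinEventLog\t(?P<crit>\d+)\t(?P<log>[^\t]+)\t(?P<counter>\d+)\t"
    r"(?P<evt_time>[^\t]+)\t(?P<event_id>\d+)\t(?P<source>[^\t]+)\t"
    r"(?P<user>[^\t]*)\t(?P<sid_type>[^\t]*)\t(?P<type>[^\t]+)\t"
    r"(?P<computer>[^\t]+)\t(?P<category>[^\t]*)\t(?P<message>.*?)\t"
    r"(?P<tail>\d+)$"
)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def parse_snare_event(line: str) -> Optional[dict]:
    """Return the named fields as a dict, or None if the line is not a
    Snare-style Windows event (so unrelated syslog is never half-parsed)."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    lt = LOGON_TYPE_RE.search(fields["message"])  # secondary parse of the text
    fields["logon_type"] = int(lt.group(1)) if lt else None
    return fields


def failed_logons(lines):
    """Security event 4625 (failed logon), the field a SIEM rule would key on."""
    return [e for e in map(parse_snare_event, lines)
            if e and e["log"] == "Security" and e["event_id"] == 4625]
```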