7 Replies Latest reply on Feb 18, 2015 12:54 PM by vagner.silva

    CEF - Log File - Data Source

    vagner.silva

      Hello guys,

       

      The company I am supporting is creating an application and they asked what would be the best way to provide us a log file that could be added as a Data Source in McAfee SIEM.
      We were thinking about something like a CEF format:

      CEF: 0|Logxyz|Company|Log ID|Kind of operation|User ID|Date|Time|Origin|IP|MAC Address

      I was trying to make some tests using the McAfee SIEM Collector Management Utility, but I am not having any success with that. Do you have any idea how it should be added?

      Thanks a lot.

        • 1. Re: CEF - Log File - Data Source
          ryan.fitzpatrick

          Depending on how you want the receiver to grab the data, you can do a generic file grab, you can use the collector to watch the log, etc.

          Once you determine how you want to grab the log for the application, the data source will be configured as such.

          Device Type: Generic
          Device Model: Syslog
          Retrieval Method: undetermined

          Then you can create a pipe-delimited parser to grab the data into the specific fields.

          ([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)

          (This parser will grab the literal data between each pipe, and each group can be mapped to the appropriate field when setting up the parser.)

          If you copy your example format into regexr.com/v1 and then copy the parser, you will see how the data is parsed into each group.

          Thank you.
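To show what the eleven-group parser above actually does with the proposed record layout, here is an added Python example (not part of the original thread or of any McAfee tool). It applies the same regex, maps each capture group onto the field names from the first post, and reports lines that do not carry exactly eleven pipe-separated fields, which is the kind of record a parser like this would silently drop; the sample log lines are constructed.

```python
import re

# The eleven-group pipe-delimited parser from reply 1, compiled once.
# Each group captures the literal text between two pipes.
PIPE_PARSER = re.compile(
    r"([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|"
    r"([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)\|([^\|]*)"
)

# Field names follow the layout proposed in the original post.
FIELD_NAMES = [
    "header", "application", "company", "log_id", "operation",
    "user_id", "date", "time", "origin", "ip", "mac_address",
]


def parse_line(line):
    """Map one pipe-delimited record to the proposed field names.

    Returns None when the line does not consist of exactly eleven
    pipe-separated fields (fullmatch requires exactly ten pipes).
    """
    m = PIPE_PARSER.fullmatch(line.strip())
    if m is None:
        return None
    return dict(zip(FIELD_NAMES, (g.strip() for g in m.groups())))


def parse_file(text):
    """Parse a whole log file; return (records, rejected (lineno, raw))."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            rejected.append((lineno, raw))
        else:
            records.append(rec)
    return records, rejected


# Constructed sample: the template line from the post, one well-formed
# event, and one event with a missing field that the regex rejects.
SAMPLE_LOG = """\
CEF: 0|Logxyz|Company|Log ID|Kind of operation|User ID|Date|Time|Origin|IP|MAC Address
CEF: 0|Logxyz|Company|1001|login|jdoe|2015-02-18|12:54:00|workstation-7|192.0.2.10|00:11:22:33:44:55
CEF: 0|Logxyz|Company|1002|logout|jdoe|2015-02-18|13:02:11|workstation-7|192.0.2.10
"""

if __name__ == "__main__":
    recs, bad = parse_file(SAMPLE_LOG)
    for r in recs:
        print(r["log_id"], r["operation"], r["user_id"], r["ip"])
    for lineno, raw in bad:
        print(f"line {lineno} rejected (field count != 11): {raw}")
```

Note that this layout is a custom pipe-delimited record rather than the standard CEF header order, so a SIEM's built-in CEF parser would not be expected to understand it; a custom parser like the one above is what maps it.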

          • 2. Re: CEF - Log File - Data Source
            vagner.silva

            I was talking to the application team about whether they are going to provide the log file over CIFS, but the problem is that when I try to use the Windows McAfee EventCollector it keeps telling me the log path is incorrect. I am also opening a ticket with McAfee support about that.

            It would be great if they provided it through syslog, but it seems they want us to read a log file from a shared path, and my tests with the Windows McAfee EventCollector are not working.

            • 3. Re: CEF - Log File - Data Source
              ryan.fitzpatrick

              Vagner,

              Are you able to provide a screenshot of the Windows Event Collector and the path the file is located at, in a \\server-name\path\file.txt format? Feel free to obfuscate any personal information.

              • 4. Re: CEF - Log File - Data Source
                vagner.silva

                There is no chance the application team will provide it through Syslog, so I have the following:

                a server running Windows 2k8 R2 and a shared path called \\TEST_SERVER\SHARED_FOLDER\LOGS

                and I am trying something like below:

                [screenshot: CIFS.JPG]

                • 5. Re: CEF - Log File - Data Source
                  vagner.silva

                  Sorry, I am using Microsoft as the data source, the source model will be CEF and the data retrieval will be CIFS:
                  [screenshot: CIFS2.JPG]

                  • 6. Re: CEF - Log File - Data Source
                    vagner.silva

                    I just did more tests here and it seems it worked using C$.

                    [screenshot: CIFS3.JPG]

                    Now I am creating some CEF files to test getting the events.

                    • 7. Re: CEF - Log File - Data Source
                      vagner.silva

                      Even after creating many .log files, the data is not being added to the SIEM.

                      I created some files like: [screenshot: log1.JPG]

                      and the content of the file is:

                      CEF: 0|Logxyz|Company|Log ID|Kind of operation|User ID|Date|Time|Origin|IP|MAC Address