8 Replies Latest reply on Jul 8, 2015 12:27 PM by aygitci

    Forward syslog event to another SIEM

    layer0

      Hello


      I want to know if it is possible to forward syslog events that I receive in the McAfee SIEM to another SIEM or syslog server?


      Thanks

        • 1. Re: Forward syslog event to another SIEM
          robert_dearbytes

          Yes that's possible.


          Two options:

          1 is to forward the original syslog from the receiver to another IP address. This sends the raw unparsed packets but will also parse the events locally. The option can be found on the receiver properties -> Receiver Management -> Data Archival and then the bottom option.

          2 is forwarding from the ESM. This applies to parsed and aggregated events. Benefits are that you can select what data is sent to another SIEM or syslog server. Disadvantage is that the format will be different from the original event and may require additional parsing on your other SIEM. This feature can be found in the ESM properties -> Event forwarding

          • 2. Re: Forward syslog event to another SIEM
            layer0

             Thank you Robert, one question: with the second option, can you pick which data sources you want to forward events from?

            • 3. Re: Forward syslog event to another SIEM
              robert_dearbytes

               Yes, you have multiple event filter options. One of them is device/data source. Other types are normalized ID, severity, source/destination IP. Also ESM forwarding has the option to obfuscate data to mask sensitive data.
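The two forwarding modes from replies 1 and 3 (raw pass-through from the receiver versus filtered, re-formatted, optionally obfuscated forwarding from the ESM) can be illustrated with a small relay. This is an added example, not McAfee code and not part of the thread; the sample log lines, the `Filter` fields and the re-emitted message layout are constructed here to mirror the filter types named above (data source, severity, source/destination IP) and the obfuscation option, and the exact ESM output format is not reproduced.

```python
"""Toy syslog relay showing raw pass-through versus filtered/obfuscated forwarding.

Added example, not McAfee ESM code. The sample events, filter rules and the
re-emitted message layout are constructed for illustration.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# Constructed RFC 3164-style sample lines (not taken from the original post).
SAMPLE_EVENTS = [
    "<34>Jun 30 10:15:01 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<13>Jun 30 10:15:02 web01 sshd[2201]: Failed password for root from 10.1.1.5 port 51234 ssh2",
    "<86>Jun 30 10:15:03 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 50000 ssh2",
]

# <PRI>TIMESTAMP HOST MESSAGE ; PRI = facility*8 + severity (0 = emergency, 7 = debug)
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Event:
    facility: int
    severity: int
    host: str      # the data source, as the sending device named itself
    message: str
    raw: str       # untouched original line, used by raw pass-through


def parse(line: str) -> Optional[Event]:
    """Parse a BSD syslog line; return None for anything that is not syslog."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # max facility 23 * 8 + severity 7
        return None
    return Event(pri // 8, pri % 8, m.group(3), m.group(4), line)


def mask_ip(text: str) -> str:
    """Obfuscate addresses by keeping the first two octets: 10.1.1.5 -> 10.1.x.x."""
    return IP_RE.sub(lambda m: ".".join(m.group(0).split(".")[:2] + ["x", "x"]), text)


@dataclass
class Filter:
    hosts: Optional[Set[str]] = None     # include only these data sources
    max_severity: Optional[int] = None   # include this severity or more severe (lower number)
    ip: Optional[str] = None             # include only events mentioning this src/dst address

    def matches(self, ev: Event) -> bool:
        if self.hosts is not None and ev.host not in self.hosts:
            return False
        if self.max_severity is not None and ev.severity > self.max_severity:
            return False
        if self.ip is not None and self.ip not in IP_RE.findall(ev.message):
            return False
        return True


def relay(lines: Iterable[str], mode: str, flt: Optional[Filter] = None,
          obfuscate: bool = False, send: Optional[Callable[[str], None]] = None) -> List[str]:
    """Return the messages that would be forwarded; call `send` on each if given.

    mode "raw"    : every parseable line is passed on byte-for-byte (receiver option 1).
    mode "parsed" : lines are filtered, optionally masked and re-emitted in a new
                    layout, so the downstream SIEM needs its own parser (ESM option 2).
    """
    out: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                                  # not syslog, nothing to forward
        if mode == "raw":
            msg = ev.raw
        elif mode == "parsed":
            if flt is not None and not flt.matches(ev):
                continue
            body = mask_ip(ev.message) if obfuscate else ev.message
            msg = f"<{ev.facility * 8 + ev.severity}>relay host={ev.host} sev={ev.severity} msg={body}"
        else:
            raise ValueError(f"unknown mode {mode!r}")
        out.append(msg)
        if send is not None:
            send(msg)
    return out


def udp_sender(host: str, port: int = 514) -> Callable[[str], None]:
    """Plain UDP syslog transport. The downstream SIEM sees this relay's IP as the
    packet source, not the original device's; that is the mismatch reply 5 describes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for m in relay(SAMPLE_EVENTS, "raw"):
        print("raw    ", m)
    only_web = Filter(hosts={"web01"}, max_severity=5)
    for m in relay(SAMPLE_EVENTS, "parsed", only_web, obfuscate=True):
        print("parsed ", m)
```

Run it as-is to see both outputs side by side; to actually forward, pass `send=udp_sender("203.0.113.10")` (a placeholder address) to `relay`. The `udp_sender` docstring states the caveat a practitioner hits with any relay that is not transparent: the receiving SIEM keys its data source on the packet's source IP, so a re-sending relay attributes everything to itself unless it preserves that source address.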

              • 4. Re: Forward syslog event to another SIEM
                layer0

                Hello Again Robert


                Do you know how I have to add the data source in the last SIEM that receives the data from the other SIEM?


                Thanks

                • 5. Re: Forward syslog event to another SIEM
                  robert_dearbytes

                  Hi Layer0,


                  I don't really get your question. What is the last SIEM in your case? And what is the other SIEM?

                  If you have multiple McAfee ESMs, a better way is to add the ESM as a device in your "primary" ESM. This way you get a distributed ESM model and you can drill down on all data sources, devices and data.


                  If you have another brand of SIEM: the way you add data sources in that SIEM, well... wrong forum to ask, I guess.

                  If you mean that you have a syslog/SIEM server sending data to your McAfee ESM, it really depends on how this data is forwarded and by what syslog/SIEM server. Splunk and syslog-ng are supported as proxies out of the box. Other syslog servers will probably require some reconfiguration. Kiwi, for example, modifies the syslog when you forward it to ESM. You need to spoof the network packet via WinPcap so that the original syslog message is forwarded.

                  • 6. Re: Forward syslog event to another SIEM
                    layer0

                    Hello


                    I mean the last situation. I see that Splunk and syslog-ng are supported but not McAfee SIEM, is that right?


                    Thanks

                    • 7. Re: Forward syslog event to another SIEM
                      erik_anderson

                      Hi Layer0,


                      Yes, McAfee event forwarding is supported. On the sending side, set up event forwarding to use SEF (Standard Event Format). On the receiving side, configure a data source to receive forwarded events: Data Source Vendor - McAfee, Data Source Model - Enterprise Security Manager, Data Format - SEF (I think default works too), Data Retrieval - Syslog, IP Address - address of the forwarding ESM. If you are forwarding multiple data sources, you can break them back out into individual sources. For each data source, create one identical to the one on the forwarding SIEM, but change the Data Format to SEF. You can do this with WMI also. By switching to SEF, you won't have to enter Windows login credentials.


                      If you need more detail, let me know.


                      Cheers

                      • 8. Re: Forward syslog event to another SIEM
                        aygitci

                        Hi,


                        What about the 'system' logs of the SIEM ESM/ERC... itself? How do I send them?


                        Thanks