I do not have the exact answer to your question, but I will try to give some ideas in order to help you.
First, if the customer has ePO, you can deploy the McAfee SIEM Agent automatically to each workstation.
I currently do not know if it is possible to configure the agent's hostid parameter to reflect the workstation name through ePO.
Then you can use the autolearning feature with an automatic rule to add each of the datasources to your SIEM. For example, you can use such variables as HOST, IP, MODEL inside the name to reflect the same name you put in ePO.
Let me know if this helps.
ksudki, thank you for the response. Unfortunately, the customer does not use ePO. I wish they did though. However, I believe that the agent can be pushed to each host via other endpoint protection; it would just be a custom package that I would have to build.
Could you expand on your idea for using an automatic rule to add data sources? From my understanding, auto-learn capabilities were based on IP. Since this is a DHCP environment, I'm not sure we could rely on this option, but I'd still like to hear your thoughts - maybe I am missing something.
Thanks again for the response.
We have looked into WEF - however, this requires us to create a data source for each host we want to collect from (which is something the customer is unwilling/unable to provide).
I have not investigated ACS or SCOM - I will start researching now. Thanks for the suggestions.
Regarding WEF: not if you configure it like this, right?
1. Configure the Event Source systems to forward events to the WEF Event Collector.
2. Install the Agent on the WEF Event Collector.
3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
4. Create a Configuration. Select Windows Event Log and name the configuration.
5. Select Forward Event in the Windows Event area.
   NOTE: WEF can forward to logs other than Forwarded Events. Forwarded Events is the default.
6. At this point, you have two choices:
   - Select WEF - if you require the granularity of a data source per Event Source, check the WEF box.
   - Do not select WEF - if you have many Event Sources (for instance, Event Forwarding can be configured as part of a Domain group policy, and doing so can make it less obvious how many Event Sources are actually forwarding events), then having a data source for each Event Source might prove difficult. In this case, leave WEF deselected. This way, all events are collated under the Agent data source.
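Added example, not part of the thread above: the collector-side and client-side pieces behind step 1 of that procedure, shown as a source-initiated WEF subscription created with `wecutil` on the collector plus the Subscription Manager setting the workstations receive by GPO. The collector FQDN, subscription name and the event IDs selected are placeholders chosen for illustration. Source-initiated mode matters for the DHCP concern raised earlier in the thread: the collector holds one subscription for the whole domain rather than a per-host list, and every forwarded record keeps the originating workstation's name in its `<Computer>` element regardless of the client's current IP address. Nothing here describes the McAfee agent's own configuration; that part stays as the poster laid it out.

```powershell
# Added example (not from the thread): minimal source-initiated WEF setup.
# Run on the collector as Administrator. Host names and the subscription
# name are placeholders.

$CollectorFqdn    = "wec01.corp.example"          # placeholder collector FQDN
$SubscriptionName = "Workstation-Security"        # placeholder subscription name
$SubscriptionFile = Join-Path $env:TEMP "$SubscriptionName.xml"

# 1. Enable the Windows Event Collector service (auto-start, plus the WinRM
#    listener it depends on). /q suppresses the confirmation prompt.
wecutil qc /q

# 2. Define the subscription. SourceInitiated means clients push to the
#    collector, so the collector never needs a per-host list. Events land in
#    the ForwardedEvents log with the source host kept in <Computer>.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon and process-creation events from domain workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <!-- Security log, event IDs 4624/4625 (logon success/failure) and 4688
       (process creation): a small, high-value subset chosen for the example -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL granting the Domain Computers group (DC) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $SubscriptionFile -Value $SubscriptionXml -Encoding UTF8

# 3. Create the subscription (replacing any earlier copy) and show its
#    runtime status, which lists each source that has checked in.
if (wecutil es | Select-String -SimpleMatch $SubscriptionName) {
    wecutil ds $SubscriptionName
}
wecutil cs $SubscriptionFile
wecutil gr $SubscriptionName

# 4. Client side. In practice this is delivered by GPO:
#    Computer Configuration > Policies > Administrative Templates >
#    Windows Components > Event Forwarding > Configure target Subscription Manager
#    The registry equivalent on each workstation is
#    HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
#    REG_SZ "1" = the value printed below. Clients also need WinRM enabled
#    (winrm quickconfig) and NETWORK SERVICE in the local "Event Log Readers"
#    group so the forwarder can read the Security log.
$SubscriptionManager = "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
Write-Host "Client-side SubscriptionManager value:`n  $SubscriptionManager"
```

The `Refresh=60` in the Subscription Manager value is how often (in seconds) clients re-read the subscription list from the collector, so a query change made with `wecutil` on the collector reaches the fleet without touching the workstations again. Whether the SIEM then splits those records per source host or keeps them under the collector's data source is exactly the WEF checkbox decision in step 6 above.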
Now you got me cooking with fire. I have opened a ticket with Support to further discuss this option. My previous support ticket into this type of log collection did not detail this type of collection. This might be the perfect option.
Thank you for the response! I will update this thread with further details in case future engineers run into this dilemma! Cheers!
WEF is probably your best bet if you must collect from workstations or very large Windows server environments. It's how Microsoft is doing Windows log collection.
So there's that...
However, workstation logs typically provide very little useful information beyond local login attempts. What is the customer trying to achieve?
Will the customer allow you to connect to AD from ESM? You could use the asset import function to get a list of all domain-registered computer names, then use that for your event sources.