4 Replies Latest reply on Jul 28, 2015 1:22 AM by SIEMer SIEMer

    MFE SIEM Collector 10.03 (w/Linux Collector)

    SIEMer SIEMer

      Anyone tried

      MFE SIEM Collector 10.03 (w/Linux Collector)

      mcafee-siem-collector-10.03.62106-1417.i686.rpm??

      I tried installing it on a Red Hat Enterprise Linux Server release 6.5 (Santiago) with the configurations below, however, I still can't get any syslog events to the SIEM. Any thoughts please? Any documentation other than the following would be much appreciated: http://s-download.mcafee.com/corporate/products/protected/SIEM/SIEM_9.5.0/Receiver/SIEMCollector/SIEM_Collector_ePO_Exte…

      https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24599/en_US/SIEM_Collector_Upgra…

      http://s-download.mcafee.com/corporate/products/protected/SIEM/SIEM_9.5.0/Receiver/SIEMCollector/SIEM_Collector-Release_…


      Thanks,


      Screen Shot 2015-07-14 at 22.09.16.png

      Screen Shot 2015-07-14 at 22.12.07.png

        • 1. Re: MFE SIEM Collector 10.03 (w/Linux Collector)
          rpd85

          Still learning myself, but I'm pretty sure the Linux Collector cannot be managed via ePO; you would have to edit the local config files instead. The policy screens you posted the screenshots of would only apply to the Windows version.

          Also, there is no documentation for the 10.x version of the Linux Collector (although someone posted documentation for version 9.1 here, and hopefully it all still applies: https://community.mcafee.com/thread/74266)

          I've been experimenting with it myself without success thus far, and was actually told by a Support rep that support techs currently are not even being trained on supporting it, so it seems to not be a very common method of collecting Linux logs...

          • 2. Re: MFE SIEM Collector 10.03 (w/Linux Collector)
            SIEMer SIEMer

            Thanks for your response.

            I haven't done the local config for the SIEM yet. Problem is I have a massive number of Linux boxes and it would be way too easy to manage those via ePO.
            Scott Taschler is the expert for SIEM on here and I hope he will be able to answer this.

            • 3. Re: MFE SIEM Collector 10.03 (w/Linux Collector)
              joannab

              You have 2 methods to get logs from Linux:

              1- Use an agent - install the McAfee event collector: edit its configuration file /etc/mcafee/mcafee_event_collector.conf, change rec_IP, rec_port, and host_ID (the value entered into the corresponding field of the agent configuration using MEF data retrieval).

              Remember to restart the agent after the changes are made in the config file.

              2- configure linux system to send out syslog
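The local-config route from method 1, as an added example that is not part of this thread or McAfee's own tooling: a small POSIX sh helper that sets rec_IP, rec_port and host_ID in a key=value style config and checks all three are present before the agent is restarted. The key=value layout, the temp-file path used here in place of /etc/mcafee/mcafee_event_collector.conf, and all values are assumptions/placeholders, since the thread gives none of them.

```sh
# Added example, not McAfee code. Assumes the collector config is plain
# key=value lines; the real file format is not shown in the thread.

# set_conf_key FILE KEY VALUE: replace an existing KEY= line or append one.
# Uses a temp file instead of sed -i so it behaves the same on any sed.
set_conf_key() {
    file="$1"; key="$2"; value="$3"
    tmp="${file}.tmp"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_conf_key FILE KEY: print the last value set for KEY (empty if absent).
get_conf_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_required FILE: fail if any of the three keys the thread names is unset,
# which is the usual reason no events ever reach the receiver.
check_required() {
    for k in rec_IP rec_port host_ID; do
        if [ -z "$(get_conf_key "$1" "$k")" ]; then
            echo "missing $k in $1" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample config in a temp file (stand-in for the real path).
CONF="$(mktemp)"
cat > "$CONF" <<'EOF'
# constructed sample, not the package defaults
rec_IP=0.0.0.0
rec_port=514
EOF

set_conf_key "$CONF" rec_IP   10.0.0.5   # placeholder receiver IP
set_conf_key "$CONF" rec_port 8082       # placeholder receiver port
set_conf_key "$CONF" host_ID  12345      # placeholder host ID from ePO/MEF
check_required "$CONF" && echo "config complete: $CONF"
# After this, restart the agent with whatever init script the rpm installs
# (the thread does not name the service).
```

Run it once against a copy of the real file first and diff the result; the helper rewrites whole lines, so a key that appears twice would both be changed.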

              • 4. Re: MFE SIEM Collector 10.03 (w/Linux Collector)
                SIEMer SIEMer

                Thanks for your response joannab!

                The syslog config is within the siem collector configuration. I have already done that. I also verified that it is not a firewall issue.

                Still waiting on support to verify if the SIEM collector for Linux can be managed by ePO.