5 Replies Latest reply on Nov 12, 2015 3:41 AM by mariajohn14

    lancope integration

    mariajohn14

Has anyone successfully collected the logs from Lancope? We are unable to collect the logs from the Lancope device, and we created a service request for the same, but we got the response below from support. Yet the Lancope device is listed under the supported device list.


      I checked this in my lab, and I am observing the same behavior.

      It seems that the rules for the said data source are not updated and we will have to contact the rules team, for the same.


      At this point, I would request you to reach out to the Sales Engineer for raising a PER to add the rules, or contact professional services for the modification of the rule.


      You can submit a Product Enhancement Request (PER) by logging in at: https://mcafee.acceptondemand.com/.

      To register as a new user, click Register to submit Product Enhancement Requests to McAfee at the top of the page. For additional information, see KB60021.


      Feel free to write to me in case you have any concerns.


      I shall follow up with you on 14th October, to have a status update, in case I do not receive a response from your side.

        • 1. Re: lancope integration
          andy777

          Hi - There is a troubleshooting process you can go through to understand exactly why the data source isn't showing up in your GUI. It may be related to rule parsing or a number of other things. There are various documents (starting page 47) that describe steps that you can try, but in the end, if you have your data source, enable Unknown Events and see the message count growing you might want to post a log sample to see if the community can assist with rules or suggestions.


          This isn't a formal support channel so if you want to open a ticket or file a PER you'll need to reach out to support. Thanks.

          • 2. Re: lancope integration
            mariajohn14

The logs are coming to the receiver, but they are not being parsed properly. As mentioned earlier, I already created the support ticket and they said to contact the paid professional service.

Note: The same thing happened for FortiGate version 5 as well. I opened the ticket 7 months ago and it still has not been resolved.

            • 3. Re: lancope integration
              andy777

              Hi -  As I mentioned, if you decide to post a sample log we can take a look at it. Thanks.

              • 4. Re: lancope integration
                mariajohn14

This is the sample log for the High Total Traffic event:


                High Total Traffic


<131>Oct 11 23:56:01 GDRFA-SW-SMC01 StealthWatch[1990]: Lancope|StealthWatch|Notification:16|High Total Traffic|4| msg=The total traffic inbound + outbound exceeds the acceptable total traffic values.:Observed 1.18G bytes. Expected 5.05G bytes, tolerance of 75 allows up to 1.16G bytes. dst=0.0.0.0 src=10.x.xx.xxx start=2015-10-11T23:55:00Z end= cat={alarm_category_name} Alarm_ID=5M-1B50-EVDI-T69N-M Source_HG=T1 Target_HG=Unknown Source_HostSnapshot=https://10.0.x.xx/smc/getHostSnapshot?domainid=123&hostip=10.2.xx.xxx&date=2015-10-11T23:55:00Z Target_HostSnapshot=https://10.0.x.xx/smc/getHostSnapshot?domainid=123&hostip=0.0.0.0&date=2015-10-11T23:55:00Z dtp= protp= FC_Name=GDRFA-SW-FC01 FC_IP=10.0.x.xx Domain=123


                • 5. Re: lancope integration
                  mariajohn14

We used the syslog format below on the Lancope device, and then the McAfee SIEM started parsing the events as we expected.


Syslog format:

                  alarm_id: {alarm_id} start_active_time: {start_active_time} alarm_type_name: {alarm_type_name} source_ip: {source_ip}target_ip: {target_ip} target_hostname: {target_hostname} target_zone_id: {target_zone_id} target_zone_name: {target_zone_name} port: {port} protocol: {protocol} domain_name: {domain_name} details: {details} alarm_severity_name: {alarm_severity_name}
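For anyone who needs to check what the StealthWatch default format actually carries before changing the template, here is an added example parser (not from this thread, McAfee or Lancope) that decodes the syslog PRI, the pipe-delimited header and the key=value extension of the sample event above, then renders it in the flat key: value layout from the last post. The sample line is constructed after the posted event with placeholder RFC 1918 addresses, and the mapping of fields to the flat layout is my assumption.

```python
import re

# Constructed sample modelled on the event posted above (addresses replaced with placeholders).
SAMPLE = (
    "<131>Oct 11 23:56:01 GDRFA-SW-SMC01 StealthWatch[1990]: "
    "Lancope|StealthWatch|Notification:16|High Total Traffic|4| "
    "msg=The total traffic inbound + outbound exceeds the acceptable total traffic values."
    ":Observed 1.18G bytes. Expected 5.05G bytes, tolerance of 75 allows up to 1.16G bytes. "
    "dst=0.0.0.0 src=10.1.2.3 start=2015-10-11T23:55:00Z end= cat={alarm_category_name} "
    "Alarm_ID=5M-1B50-EVDI-T69N-M Source_HG=T1 Target_HG=Unknown "
    "Source_HostSnapshot=https://10.0.0.1/smc/getHostSnapshot?domainid=123&hostip=10.1.2.3"
    "&date=2015-10-11T23:55:00Z dtp= protp= FC_Name=GDRFA-SW-FC01 FC_IP=10.0.0.1 Domain=123"
)

# RFC 3164 style prefix: <PRI>timestamp host app[pid]: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$")
# key=value pairs: a value runs until the next " key=" token or end of line, so
# free text with spaces and colons (msg=) and empty values (end=, dtp=) both survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_stealthwatch(line):
    """Return a dict of header fields, alarm header fields and key=value extension fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a StealthWatch syslog line")
    ev = {k: m.group(k) for k in ("ts", "host", "app", "pid")}
    pri = int(m.group("pri"))
    ev["facility"], ev["severity"] = pri >> 3, pri & 7   # PRI = facility*8 + severity
    # Pipe header "vendor|product|type:version|alarm name|alarm severity|" precedes the extension.
    header, _, ext = m.group("body").partition("| ")
    vendor, product, kind, alarm, sev = header.split("|")[:5]
    ev.update(vendor=vendor, product=product, notification=kind,
              alarm_type_name=alarm, alarm_severity=sev)
    ev.update(KV_RE.findall(ext))
    return ev

# Assumed mapping of default-format fields onto the flat layout the poster switched to.
FLAT_FIELDS = [("alarm_id", "Alarm_ID"), ("start_active_time", "start"),
               ("alarm_type_name", "alarm_type_name"), ("source_ip", "src"),
               ("target_ip", "dst"), ("domain_name", "Domain"), ("details", "msg")]

def to_flat_format(ev):
    """Render the parsed event as 'name: value' pairs in the order used by the last post."""
    return " ".join(f"{name}: {ev.get(key, '')}" for name, key in FLAT_FIELDS)

if __name__ == "__main__":
    print(to_flat_format(parse_stealthwatch(SAMPLE)))
```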