To add Palo Alto to the McAfee SIEM:
Configure Palo Alto Syslog Server Setup
Select the Device tab and add the Syslog server profile
Add the profile to log settings for informational level
Apply log forwarding to utilize new profile Enable the Security policy to forward logs using the new Syslog profile
After selecting the Receiver, select the Add Data Source icon.
Data Source Vendor – Palo Alto
Data Source Model – Palo Alto firewall ASP
Data Format – Default.
Data Retrieval – Default.
Under the device tab, click log settings > system
Select the following
syslog: under each severity level, enable syslog
Define the syslog server
Under the device tab, click log destinations > syslog to open the syslog settings.
Add name (case sensitive and unique)
server - ip address of the syslog server (SIEM receiver)
port -default is 514
Facility - choose a level from the drop down list
Click ok and activate
Enable send traffic log at session end:
under policies, click security to open security rules
Select a zone from source or destination zone and click filter by zone
ensure send traffic log at session end is enabled .
ensure send traffic log at session start is set to deny
Select the log forwarding profile from the drop down menu.
Profile should contain IP of the receiver.
Websense can do a SQL pull - You will need the database name, IP, and port ( usually 1433)
Your McAfee SIEM user account's database permissions are not sufficient to query all instances of a Websense database. In this scenario, the Receiver is unable to collect data from all instances of the database. For example, you have a Websense database called wslogdb70. As it grows the database will create instances of the database name, such as wslogdb70_1, wslogdb70_2, and so on, where it stores the current data.
While the DB user account might have permissions to successfully query the primary database, it might not have permissions to query the additional instances.
In the preceding example, the user account being utilized by the McAfee SIEM Receiver will require sysadmin rights to wslogdb70.
This inherently gives the user rights to all instances of that database that are created, eliminating the chance that the Receiver stops collecting data when a new instance is created.
Means we need to add log forwarding profile in all the palo alto security policy rule????
Please be informed that Palo Alto Next Generation firewall is already supported by McAfee as data source so it is easy to find the data source guide at the McAfee Website, regarding the Websense DLP is not supported and you can add it as a generic data source. please use this doc to parse the logs correctly.
Check this document to know more how to parse correctly:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 24000/PD24926/en_US/How%20to%20write%20a%20McAfee%20ESM%20Custom%20Parser%20and % 20troubleshoot%20a%20data%20source.pdf