11 Replies Latest reply on Sep 26, 2016 12:06 AM by hlckalana

    Siem Collector v11

    zakhter

      Hi All,

      Has anyone set up collection for DHCP and DNS using Collector v11 while at SIEM 9.5.2 MR9?

      Collector v10, set up along with .Net, has worked without any issue, but v11 has never worked.

      Please share your experience if it has worked and if there is additional setup that has to be done.

       

      Regards,

      Zahid

        • 1. Re: Siem Collector v11
          btkarp

          @zakhter what does your log file tell you is happening? Does the agent collect for any period of time before failing? If the agent service fails almost immediately after being restarted, it is a known issue. If you contact McAfee Support they can provide you with a beta workaround copy (I believe this is just a temporary version until a final update can be released).

          • 2. Re: Siem Collector v11
            zakhter

            Thanks for your reply.

            Old install stopped after rebooting the server and McAfee support is not able to resolve it as of yet.

            New install is not working - tcpdump is indicating incoming traffic but no logs are getting parsed.

            • 3. Re: Siem Collector v11
              btkarp

              I am certainly not a McAfee Support engineer but in my experience if the logs are making it to the Event Receiver but are not parsing, it is usually because the logs are in a format that the parser is not expecting - I would start by investigating if you have the ability to adjust what fields are shown within the logs - I know for a similar issue we had for IIS logs, not all of the fields were selected which caused parser issues. I believe by default the Parsers assume the log file will contain all fields. If that still does not help and logs continue to be seen making it to the Event Receiver, I would turn on "Log Unknown Events" in the Data Source profile and see if you can get the logs to show up as "Unknown Events" in the UI.

              Again, just running off the top of my head how I would begin troubleshooting - if you are working with Support already, I'm sure you are much further along in the investigation than what I have provided. Good luck!

              • 4. Re: Siem Collector v11
                zakhter

                Thanks for all your feedback.

                Not a big fan of the collector. Has anyone used another way to collect DNS, DHCP logs? Can any tweaks be done in WMI to collect these logs?

                • 5. Re: Siem Collector v11
                  zakhter

                  Not a big fan of the collector. Has anyone used another way to collect DNS, DHCP logs? Can any tweaks be done in WMI to collect these logs?

                  • 6. Re: Siem Collector v11
                    s.schreiner

                    We have it up and running on a Windows Server 2008R2 Server with McAfee Windows Event Collector 11.00.4150.1575 and DNS / DHCP data sources on different servers throughout the network as Generic log tail Client.

                    On the ESM side we are up to 9.6.0, but this was also running on 9.5.0 MR2 and 9.5.2.

                     

                    We tried the DHCP (ASP) and DNS (ASP) data source as device directly in ESM, but returned to SIEM Collector due to better logging / debugging options.

                     

                    If you need advice, drop me a note.

                    • 7. Re: Siem Collector v11
                      syed_rizvi

                      zakhter, to avoid the collector agent, you can use the 9.6 file tail function to pull DNS logs. You would need to share the logs via CIFS and ensure proper logging is enabled on the DNS server for the parser to work correctly. Here are the steps.

                      1. Configure DNS Server logging properties.

                      [screenshot: dns logs.jpg]

                      2. Change DNS Server logging location (default is system32\dns\) (optional, but recommended)

                      3. Share the folder where the logs are located and give SIEM AD account read only permissions.

                      4. Configure data source and select tail option.

                      [screenshot: dns logs2.jpg]

                      Regards,

                      Syed
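                      The steps Syed lists, scripted in PowerShell on the DNS server as an added example (not from the original post or from McAfee). The log path, share name and SIEM service account are placeholders, and the script assumes the DnsServer and SmbShare modules (Windows Server 2012 or later); which debug-logging options the ESM parser actually requires is not stated in the thread.

```powershell
# Added example: steps 1-3 of the file-tail approach, run on the DNS server itself.
# Assumes the DnsServer and SmbShare modules (Windows Server 2012 or later).
# Placeholders: adjust $LogDir, $ShareName and $SiemAccount to your environment.
$LogDir      = 'D:\DnsLogs'        # step 2: move logs off %SystemRoot%\System32\dns
$ShareName   = 'DnsLogs'           # SMB share the ESM file tail will read from
$SiemAccount = 'CONTOSO\svc_siem'  # AD account configured on the ESM data source

# Step 2: create the new log directory before pointing the DNS server at it.
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null

# Step 1: enable DNS debug logging to a file. The thread does not say which packet
# classes the McAfee parser needs; this enables queries and answers in both directions
# over UDP and TCP, matching the "Debug Logging" tab in the DNS console.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
    -LogFilePath (Join-Path $LogDir 'dns.log') `
    -MaxMBFileSize 500 `
    -Queries $true -QuestionTransactions $true -Answers $true `
    -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true

# Step 3a: grant the SIEM account read-only NTFS rights on the log directory
# (ReadAndExecute, inherited by files and subfolders; no write or modify).
$ruleArgs = $SiemAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $LogDir
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# Step 3b: share the directory with read permission only for the SIEM account.
New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess $SiemAccount | Out-Null

# Verify what the DNS server now logs and print the UNC path for step 4 (the tail data source).
Get-DnsServerDiagnostics |
    Select-Object EnableLoggingToFile, LogFilePath, Queries, Answers, UdpPackets, TcpPackets
"Tail path for the ESM data source: \\$env:COMPUTERNAME\$ShareName\dns.log"
```

With only read access granted, the "write access failed" result on the ESM device test that Stefan describes later in the thread is what you should expect to see.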

                      • 8. Re: Siem Collector v11
                        s.schreiner

                        Syed,

                         

                        Although this is not "my" question, I wondered if you tested the settings with having "read only" permission on the share.

                        During my tests I get an error in ESM GUI, stating that "write access" failed, while "read access" succeeded.

                         

                        If I go for SHARE: Modify and NTFS: RWX, then the Device can be successfully tested, but it delivers no data ...

                         

                        Opened a service request at McAfee and they came back with "tail needs write access" - so, who is right?

                        (From a security perspective, I would prefer having only read access to the log files ...)

                         

                         

                        Regards


                        Stefan

                        • 9. Re: Siem Collector v11
                          syed_rizvi

                          - The error message about not having write access is expected and can be ignored. I have used this method a few times.

                           

                          s.schreiner wrote:

                          the Device can be successfully tested, but it delivers no data ...

                           

                          If you haven't already, use TCPDUMP on the ERC to validate port 445 traffic between the ERC and the DNS Server. Once confirmed, you might be running into a parsing issue. Make sure you increase the log level on the DNS server under debug properties.
