@zakhter what does your log file tell you is happening? Does the agent collect for any period of time before failing? If the agent service fails almost immediately after being restarted, it is a known issue. If you contact McAfee Support they can provide you with a beta workaround copy (I believe this is just a temporary version until a final update can be released).
Thanks for your reply.
Old install stopped after rebooting the server and McAfee support is not able to resolve it as of yet.
New install is not working - tcpdump is indicating incoming traffic but no logs are getting parsed.
I am certainly not a McAfee Support engineer, but in my experience if the logs are making it to the Event Receiver but are not parsing, it is usually because the logs are in a format that the parser is not expecting. I would start by investigating if you have the ability to adjust what fields are shown within the logs. I know for a similar issue we had with IIS logs, not all of the fields were selected, which caused parser issues. I believe by default the Parsers assume the log file will contain all fields. If that still does not help and logs continue to be seen making it to the Event Receiver, I would turn on "Log Unknown Events" in the Data Source profile and see if you can get the logs to show up as "Unknown Events" in the UI.
Again, just running off the top of my head how I would begin troubleshooting. If you are working with Support already, I'm sure you are much further along in the investigation than what I have provided. Good luck!
Thanks for all your feedback.
Not a big fan of collector. Has anyone used other way to collect DNS, DHCP logs? Any tweaks can be done in WMI to collect these logs?
We have it up and running on a Windows Server 2008R2 Server with McAfee Windows Event Collector 11.00.4150.1575 and DNS / DHCP data sources on different servers throughout the network as Generic log tail Client.
On the ESM side we are up to 9.6.0, but this was also running on 9.5.0 MR2 and 9.5.2.
We tried the DHCP (ASP) and DNS (ASP) data source as device directly in ESM, but returned to SIEM Collector due to better logging / debugging options.
If you need advice, drop me a note.
zakhter, to avoid the collector agent, you can use the 9.6 file tail function to pull DNS logs. You would need to share the logs via CIFS and ensure proper logging is enabled on the DNS server for the parser to work correctly. Here are the steps.
1. Configure DNS Server logging properties.
2. Change the DNS Server logging location (default is system32\dns\) (optional, but recommended).
3. Share the folder where the logs are located and give the SIEM AD account read-only permissions.
4. Configure the data source and select the tail option.
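The four steps above as a PowerShell script, added here as an example and not taken from the thread or from McAfee documentation. It assumes the DNS server runs Windows Server 2012 or later (for the DnsServer module; on 2008R2 the same settings are made with dnscmd or the DNS Manager GUI), that it is run elevated on the DNS server, and that the account name, log path and share name are placeholders to replace with your own.

```powershell
# Added example: Windows DNS debug logging plus a read-only share for the SIEM file tail.
# Assumptions: Windows Server 2012+ (DnsServer module), run as administrator on the DNS
# server. Account, path and share name below are placeholders, not values from the thread.

$SiemAccount = 'CORP\svc-siem-tail'   # placeholder: the SIEM AD account (step 3)
$LogDir      = 'D:\DnsLogs'           # placeholder: log location off the system drive (step 2)
$ShareName   = 'DnsLogs$'             # placeholder: hidden share name for the collector
$LogFile     = Join-Path $LogDir 'dns.log'

# Step 1 + 2: enable file logging with queries, answers and send/receive packets over
# UDP and TCP (the bare defaults leave the parser with too few fields), and write the
# log outside %SystemRoot%\System32\dns so the share never exposes the zone files.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $LogFile `
    -Queries $true -Answers $true -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true -EnableLogFileRollover $true -MaxMBFileSize 100

# Step 3a: NTFS permissions. Break inheritance, keep SYSTEM (which writes the log) and
# Administrators at Full Control, and give the SIEM account read-only access.
$acl = Get-Acl -Path $LogDir
$acl.SetAccessRuleProtection($true, $false)   # protected, do not copy inherited rules
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $SiemAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $LogDir -AclObject $acl

# Step 3b: SMB share with read-only access for the SIEM account (no Everyone entry).
New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess $SiemAccount `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# Check before step 4 (the ESM data source): confirm share and NTFS rights are read-only
# for the collector account, so the only writer to the log remains the DNS service.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $LogDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $SiemAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The ESM data source is then pointed at \\<dns-server>\DnsLogs$\dns.log with the tail option; the "write access failed" result in the device test is the expected outcome of these read-only rights.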
Although this is not "my" question, I wondered if you tested the settings with having "read only" permission on the share.
During my tests I get an error in ESM GUI, stating that "write access" failed, while "read access" succeeded.
If I go for SHARE: Modify and NTFS: RWX, then the Device can be successfully tested, but it delivers no data ...
Opened a service request at McAfee and they came back with "tail needs write access" - so, who is right?
(From a security perspective, I would prefer having only read access to the log files ...)
- The error message about not having write access is expected and can be ignored. I have used this method a few times.
the Device can be successfully tested, but it delivers no data ...
If you haven't already, use TCPDUMP on the ERC to validate port 445 traffic between the ERC and the DNS Server. Once confirmed, you might be running into a parsing issue. Make sure you increase the log level on the DNS server under debug properties.