This should explain everything you need to know: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26553/en_US/SIEM-Collector-Produ…
Thanks for the speedy reply, that looks perfect. Just one more question though - I have a number of Windows data sources that are already having their logs taken via WMI. If I then wanted to harvest SQL/IIS logs from these same boxes using the agent, could you recommend best practice to achieve this? I have tried to add the agent as a child data source, but it won't allow me to change from WMI to syslog.
That is correct. You can't make many changes if you're using child data sources, not to mention client data sources.
If you want to keep the WMI, the receiver will not allow you to have two data sources sharing the same IP address. There are some workarounds to use hostname for one and IP address for another, but in your case, for the ones from which you want to collect SQL/IIS, I would recommend collecting only using the SIEM Collector. The SIEM Collector can collect all the events you're already collecting via WMI and also encrypt this traffic.
Many thanks and best regards.