# Vendor - McAfee

## Product - EPO

This source requires a TLS connection; in most cases enabling TLS and using the default port 6514 is adequate. The source is understood to require a valid certificate.

Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/5085/ |
Product Manual | https://kc.mcafee.com/corporate/index?page=content&id=KB87927 |

### Sourcetypes

sourcetype | notes |
---|---|
mcafee:epo:syslog | none |

### Source

source | notes |
---|---|
policy_auditor_vulnerability_assessment | Policy Auditor Vulnerability Assessment events |
mcafee_agent | McAfee Agent events |
mcafee_endpoint_security | McAfee Endpoint Security events |

### Index Configuration

key | index | notes |
---|---|---|
mcafee_epo | epav | none |

### Filter type

MSG Parse: This filter parses message content


### Options

Variable | default | description |
---|---|---|
SC4S_LISTEN_MCAFEE_EPO_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_MCAFEE_EPO | no | Enable archive to disk for this specific source |
SC4S_DEST_MCAFEE_EPO_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from ePO |

### Additional setup

You must create a certificate for the SC4S server to receive encrypted syslog from ePO. A self-signed certificate is fine. Generate a self-signed certificate on the SC4S host:

```bash
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /opt/sc4s/tls/server.key -out /opt/sc4s/tls/server.pem
```

Uncomment the following line in /lib/systemd/system/sc4s.service to allow the docker container to use the certificate:

```
Environment="SC4S_TLS_DIR=-v /opt/sc4s/tls:/etc/syslog-ng/tls:z"
```

### Troubleshooting

From the command line of the SC4S host, run this:

```bash
openssl s_client -connect localhost:6514
```

The message:

```
socket: Bad file descriptor
connect:errno=9
```

indicates that SC4S is not listening for encrypted syslog. Note that a netstat may show the port open, but it is not accepting encrypted traffic as configured.

It may take several minutes for the syslog option to be available in the registered servers dropdown.
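The certificate setup and the listener check above, as an added shell example that is not part of the SC4S documentation (the same check applies to the identical Troubleshooting steps under Web Gateway). It assumes the page's /opt/sc4s/tls path and port 6514 as defaults, a placeholder certificate CN, and that SC4S_SOURCE_TLS_ENABLE=yes and SC4S_LISTEN_MCAFEE_EPO_TLS_PORT are already set in the SC4S env file.

```shell
#!/bin/sh
# Added example (not from the SC4S project). Wraps the ePO TLS setup and the
# Troubleshooting check on this page. TLS_DIR/TLS_PORT default to the page's
# values; the CN is a placeholder; the SC4S TLS options are assumed to be set.
set -eu

TLS_DIR="${TLS_DIR:-/opt/sc4s/tls}"
TLS_PORT="${TLS_PORT:-6514}"

# Generate the self-signed server certificate with the page's openssl command,
# then restrict the private key to its owner.
gen_cert() {
  cn="${1:-sc4s.example.invalid}"   # placeholder subject name, assumption
  mkdir -p "$TLS_DIR"
  openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
    -subj "/CN=$cn" \
    -keyout "$TLS_DIR/server.key" -out "$TLS_DIR/server.pem"
  chmod 600 "$TLS_DIR/server.key"
}

# Classify captured `openssl s_client` output:
#   not_listening : TCP connect failed (the "connect:errno=9" case on this page)
#   tls_ok        : the listener presented a certificate, so TLS is in place
#   tcp_only      : TCP connected but no certificate came back, i.e. the port
#                   shows open in netstat yet is not accepting encrypted traffic
classify_s_client() {
  case "$1" in
    *"connect:errno="*|*"Bad file descriptor"*) echo not_listening ;;
    *"BEGIN CERTIFICATE"*)                      echo tls_ok ;;
    *"CONNECTED("*)                             echo tcp_only ;;
    *)                                          echo unknown ;;
  esac
}

# Run the page's troubleshooting command against the listener and report one
# of the categories above. Usage: check_listener [host]
check_listener() {
  host="${1:-localhost}"
  out="$(openssl s_client -connect "$host:$TLS_PORT" </dev/null 2>&1 || true)"
  classify_s_client "$out"
}
```

Run `gen_cert` once on the SC4S host before restarting the service, then `check_listener` to confirm the result is tls_ok rather than tcp_only or not_listening.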

### Verification

An active site will generate frequent events. Use the following search to check for new events, and verify that the timestamp and host values match as expected:

```
index=<asconfigured> sourcetype="mcafee:epo:syslog"
```

## Product - Web Gateway

Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/3009/ |
Product Manual | https://kc.mcafee.com/corporate/index?page=content&id=KB77988&actp=RSS |

### Sourcetypes

sourcetype | notes |
---|---|
mcafee:wg:kv | none |

### Index Configuration

key | index | notes |
---|---|---|
mcafee_wg | netproxy | none |

### Filter type

MSG Parse: This filter parses message content


### Options

Variable | default | description |
---|---|---|
SC4S_LISTEN_MCAFEE_WG_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_MCAFEE_WG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_MCAFEE_WG | no | Enable archive to disk for this specific source |
SC4S_DEST_MCAFEE_WG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
SC4S_SOURCE_TLS_ENABLE | no | This must be set to yes so that SC4S listens for encrypted syslog from McAfee Web Gateway |

### Troubleshooting

From the command line of the SC4S host, run this:

```bash
openssl s_client -connect localhost:6514
```

The message:

```
socket: Bad file descriptor
connect:errno=9
```

indicates that SC4S is not listening for encrypted syslog. Note that a netstat may show the port open, but it is not accepting encrypted traffic as configured.

It may take several minutes for the syslog option to be available in the registered servers dropdown.

### Verification

An active site will generate frequent events. Use the following search to check for new events, and verify that the timestamp and host values match as expected:

```
index=<asconfigured> sourcetype="mcafee:wg:kv"
```

## Product - Network Security Platform

Ref | Link |
---|---|
Product Manual | https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-373C1CA6-EC0E-49E1-8858-749D1AA2716A.html |

### Sourcetypes

sourcetype | notes |
---|---|
mcafee:nsp | none |

### Source

source | notes |
---|---|
mcafee:nsp:alert | Alert/Attack Events |
mcafee:nsp:audit | Audit Event or User Activity Events |
mcafee:nsp:fault | Fault Events |
mcafee:nsp:firewall | Firewall Events |

### Index Configuration

key | index | notes |
---|---|---|
mcafee_nsp | netids | none |

### Filter type

MSG Parse: This filter parses message content


### Options

Variable | default | description |
---|---|---|
SC4S_LISTEN_MCAFEE_NSP_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_MCAFEE_NSP_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_MCAFEE_NSP | no | Enable archive to disk for this specific source |
SC4S_DEST_MCAFEE_NSP_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

### Verification

An active site will generate frequent events. Use the following search to check for new events, and verify that the timestamp and host values match as expected:

```
index=netids sourcetype=mcafee:nsp
```