topic Re: Mcafee syslog-ng connection in Getting Data In

Mcafee syslog-ng connection

junier16 — Tue, 01 Dec 2020 18:53:47 GMT

Good afternoon, I will like to set up Mcafee Epo to send data to syslog-ng. I have the Mcafee portion setup on to send data to the syslog server on port 6514. The problem that i'm having is that i not sure what needs to be done on the server (centos 7) side to establish the connection.

* The firewall is configured for the port used

Re: Mcafee syslog-ng connection

richgalloway — Tue, 01 Dec 2020 20:32:00 GMT

I'll presume the syslog server is independent of both the McAfee and Splunk servers. The usual flow is EPO -> syslog -> Splunk. Any or all three of those could be CentOS servers so at which point are you having the problem?

Re: Mcafee syslog-ng connection

junier16 — Mon, 07 Dec 2020 19:55:52 GMT

when i click on test connection after adding the registered server the connection failed, so im not able to connect syslog server with ePO ( i think is because tls required) . I also see that the Splunk Add on required syslog to work. Is there another way to get data from ePo to Splunk ?

Re: Mcafee syslog-ng connection

richgalloway — Mon, 07 Dec 2020 21:12:04 GMT

I've been successful using Splunk DB Connect to pull information from the EPO database, but that was a while ago and things could have changed since then.

But let's back up a little. Where are you when you click on "test connection"? Have you checked your firewalls to make sure none are blocking the connections? Which Splunk add-on are you talking about?

Re: Mcafee syslog-ng connection

tlay — Wed, 23 Dec 2020 18:08:39 GMT

I have been fighting this battle for a while now off and on.

ePO has different places to configure logging depending on the product and it's still not totally clear to me. But from what I have found standard McAfee syslog (registered syslog server) and App Control (registered SolidCore syslog appear) to be CEF TLS Syslog. The "default" port is 6514 as you mention. That means that you need to have a certificate on your syslog server on 6514TCP. For further information check out some light reading of standards IETF 5424 + 5425. DLP is different, but looks like it may work with the same setup. That's because it can be UDP (which can be without TLS) or TCP.

Then you need to have some form to monitor the syslog collection to get it to your Splunk server. The easiest way to do that is to have the forwarder monitor on the system and send it over. If that's the case you probably want to add the Splunk Add-on for McAfee ePO Syslog on to your forwarder along with the sourcetype to ease the burden on your indexer.

We use a product called NXLog for now, and with the app McAfee ePO Syslog app, we are able to collect and parse with the sourcetype mcafee:epo:syslog. It looks kind of ugly in the raw event, but the fields seem to be parsed perfectly, which is the important thing.

For DLP we are going to see what's best DBConnect or syslog. If you use DBConnect you have to basically reverse engineer the fields using querys provided by ePO as the fields change from version to version. Hopefully they will standardize that in the coming releases because seems to be awfully tedious.

-Tony

Re: Mcafee syslog-ng connection

junier16 — Thu, 21 Jan 2021 14:48:05 GMT

Can you share you conf file statement that you used ? Im using the below statement with the the cert, but syslog is not listening to the port.

source source_6514_tls {
tcp(port(6514)
tls(
key-file("/etc/syslog-ng/cert.d/server.key")
cert-file("/etc/syslog-ng/cert.d/server.crt")
peer-verify(optional-untrusted)
)
flags(no-multi-line)
);
};

destination dest_6514_local { file("/var/log/syslog/logs"); };

log {source(source_6514_tls); destination(dest_6514_local); };

Re: Mcafee syslog-ng connection

leejones1964 — Wed, 02 Jun 2021 14:20:24 GMT

Did you ever get the config correct? I need the same thing and am not having any success with the right configuration.

Re: Mcafee syslog-ng connection

junier16 — Thu, 03 Jun 2021 20:05:35 GMT

no i never did. I used DBconnect to ingest the events

Re: Mcafee syslog-ng connection

Tomas_K — Fri, 13 Aug 2021 07:47:28 GMT

Hi,

We had the same problem with rsyslog yesterday and found out that *.key file had no read access.

So from:

-rw-------

To:

-rw-r--r--

/Tomas

Re: Mcafee syslog-ng connection

junier16 — Fri, 13 Aug 2021 12:55:58 GMT

Did changing the permission for .key solved the issue ?

Re: Mcafee syslog-ng connection

Tomas_K — Fri, 13 Aug 2021 14:13:51 GMT

Hi,

Yes it did! We are up and running. At least Test connection and Eicar test event.

/Tomas