
Mcafee syslog-ng connection

junier16
Explorer

Good afternoon, I would like to set up McAfee ePO to send data to syslog-ng. I have the McAfee portion set up to send data to the syslog server on port 6514. The problem I'm having is that I'm not sure what needs to be done on the server (CentOS 7) side to establish the connection.

 

* The firewall is configured for the port used


richgalloway
SplunkTrust

I'll presume the syslog server is independent of both the McAfee and Splunk servers.  The usual flow is EPO -> syslog -> Splunk.  Any or all three of those could be CentOS servers so at which point are you having the problem?

---
If this reply helps you, an upvote would be appreciated.

junier16
Explorer

When I click on Test Connection after adding the registered server, the connection fails, so I'm not able to connect the syslog server with ePO (I think it is because TLS is required). I also see that the Splunk add-on requires syslog to work. Is there another way to get data from ePO to Splunk?


Tomas_K
Explorer

Hi,

We had the same problem with rsyslog yesterday and found out that the *.key file had no read access.

So from:

-rw-------

To:

-rw-r--r--

/Tomas


junier16
Explorer

Did changing the permissions on the .key file solve the issue?


Tomas_K
Explorer

Hi,

Yes, it did! We are up and running, at least Test Connection and an EICAR test event.

/Tomas

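The permission fix above works because the daemon drops privileges and then opens the key as an unprivileged account, which a 0600 root-owned file rejects. Making the key world-readable (0644) also lets every local account read the TLS private key. The following is an added example (not code from the thread, rsyslog or syslog-ng) that models the POSIX read check the daemon hits and proposes the narrower fix: hand the key to the daemon's group and use 0640. The account name "syslog-ng" with uid/gid 1001, the key path and the mode values are constructed for the self-test; `assess_path()` runs the same logic against a real file and account on the host.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentity:
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int
    groups: frozenset  # supplementary group ids


def can_read(f: FileIdentity, p: Principal) -> bool:
    """Apply the POSIX access check the kernel applies when the daemon open()s the key.

    Exactly one class is consulted: owner if the uid matches, else group if any of
    the principal's groups match, else other. Root bypasses the check.
    """
    if p.uid == 0:
        return True
    if p.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if p.gid == f.owner_gid or f.owner_gid in p.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def assess(f: FileIdentity, p: Principal, daemon_group: str, path: str):
    """Return (verdict, shell commands) for a private key the daemon must read.

    'ok'             : daemon can read it and 'other' has no access
    'unreadable'     : the failure mode reported in the thread
    'world-readable' : the 0644 fix from the thread works, but exposes the key
    The suggested fix grants read access through the group and keeps 'other' at 0.
    """
    readable = can_read(f, p)
    world = bool(f.mode & stat.S_IROTH)
    fix = [f"chgrp {daemon_group} {path}", f"chmod 0640 {path}"]
    if readable and not world:
        return "ok", []
    if world:
        return "world-readable", fix
    return "unreadable", fix


def assess_path(path: str, daemon_user: str, daemon_group: str = ""):
    """Inspect a real file on this host for a real account (not used by the self-test)."""
    st = os.stat(path)
    pw = pwd.getpwnam(daemon_user)
    groups = frozenset(os.getgrouplist(daemon_user, pw.pw_gid))
    f = FileIdentity(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    p = Principal(pw.pw_uid, pw.pw_gid, groups)
    group = daemon_group or grp.getgrgid(pw.pw_gid).gr_name
    return assess(f, p, group, path)


# Constructed identities for the self-test: root owns the key, the daemon runs as
# uid/gid 1001 ("syslog-ng" is an assumed account name; distribution packages differ).
KEY = "/etc/syslog-ng/cert.d/server.key"
DAEMON = Principal(uid=1001, gid=1001, groups=frozenset({1001}))


def demo():
    before = FileIdentity(owner_uid=0, owner_gid=0, mode=0o600)         # -rw-------  root:root
    thread_fix = FileIdentity(owner_uid=0, owner_gid=0, mode=0o644)     # -rw-r--r--  root:root
    better_fix = FileIdentity(owner_uid=0, owner_gid=1001, mode=0o640)  # -rw-r-----  root:syslog-ng
    return {
        "before": assess(before, DAEMON, "syslog-ng", KEY),
        "thread_fix": assess(thread_fix, DAEMON, "syslog-ng", KEY),
        "better_fix": assess(better_fix, DAEMON, "syslog-ng", KEY),
    }


if __name__ == "__main__":
    for name, (verdict, cmds) in demo().items():
        print(f"{name}: {verdict}", *cmds, sep="\n  ")
```

On a live host, `assess_path("/etc/syslog-ng/cert.d/server.key", "syslog-ng")` reports which of the three states the key is in; the account to pass is whatever the daemon actually switches to, which you can confirm from `ps -o user= -C syslog-ng` (or the rsyslog equivalent).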

tlay
Explorer

I have been fighting this battle for a while now off and on.

ePO has different places to configure logging depending on the product, and it's still not totally clear to me. But from what I have found, standard McAfee syslog (registered syslog server) and App Control (registered SolidCore syslog) appear to be CEF TLS syslog. The "default" port is 6514, as you mention. That means you need to have a certificate on your syslog server on 6514/TCP. For further information, check out some light reading of the IETF standards RFC 5424 and RFC 5425. DLP is different, but it looks like it may work with the same setup. That's because it can be UDP (which can be without TLS) or TCP.

Then you need some way to monitor the syslog collection to get it to your Splunk server. The easiest way to do that is to have a forwarder monitor on the system and send it over. If that's the case, you probably want to add the Splunk Add-on for McAfee ePO Syslog to your forwarder along with the sourcetype to ease the burden on your indexer.

We use a product called NXLog for now, and with the McAfee ePO Syslog app we are able to collect and parse with the sourcetype mcafee:epo:syslog. It looks kind of ugly in the raw event, but the fields seem to be parsed perfectly, which is the important thing.

For DLP we are going to see what's best, DB Connect or syslog. If you use DB Connect you basically have to reverse engineer the fields using queries provided by ePO, as the fields change from version to version. Hopefully they will standardize that in the coming releases, because it seems awfully tedious.

-Tony
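To make the RFC 5424 + RFC 5425 reference above concrete, here is an added example (not ePO's code and not from the thread) of what travels over the 6514/TCP connection: an RFC 5424 header wrapping a CEF payload, framed with RFC 5425 octet counting, plus the receiver-side unframing and a TLS sender that verifies the server. The CEF event text, the hostname `epo01` and the app-name `McAfee_ePO` are constructed for illustration, not copied from a real ePO event; `send_tls()` is the only part that touches the network and is not exercised by the self-test.

```python
import socket
import ssl
from datetime import datetime, timezone


def build_rfc5424(pri, hostname, app, msg, ts=None):
    """<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG (RFC 5424 section 6).

    PROCID, MSGID and STRUCTURED-DATA are sent as the NILVALUE '-' here.
    """
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {stamp} {hostname} {app} - - - {msg}"


def frame(msg: str) -> bytes:
    """RFC 5425 section 4.3 octet counting: MSG-LEN SP SYSLOG-MSG.

    MSG-LEN counts octets of the encoded message, not characters, so non-ASCII
    in event text (user names, file paths) does not desynchronise the stream.
    """
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def unframe(buf: bytes):
    """Receiver side: pull complete messages off a TLS stream buffer.

    Returns (messages, leftover). Raises ValueError on framing the RFC forbids
    (non-digit or leading-zero MSG-LEN); a receiver should close the connection
    rather than try to resynchronise by guessing.
    """
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp < 0:
            return msgs, buf          # incomplete length field, wait for more
        length = buf[:sp]
        if not length.isdigit() or length.startswith(b"0"):
            raise ValueError(f"bad MSG-LEN {length!r}")
        end = sp + 1 + int(length)
        if len(buf) < end:
            return msgs, buf          # partial message, wait for more
        msgs.append(buf[sp + 1:end].decode("utf-8"))
        buf = buf[end:]


def framing_rejected(buf: bytes) -> bool:
    """True when unframe() refuses the buffer as malformed."""
    try:
        unframe(buf)
        return False
    except ValueError:
        return True


def send_tls(host, port, ca_file, messages, client_cert=None, timeout=10):
    """Deliver framed messages over TLS 1.2+, verifying the server against ca_file.

    This is the client-side trust check; peer-verify() on the syslog-ng side only
    governs whether the server checks the client. Not run by the self-test.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:                      # (cert_path, key_path) if the server requires client auth
        ctx.load_cert_chain(*client_cert)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for m in messages:
                tls.sendall(frame(m))
            return tls.version()


# Constructed sample: a CEF:0 event of the general shape a threat event takes.
# Vendor/product/version and the extension fields are illustrative only.
SAMPLE_CEF = ("CEF:0|McAfee|ePO|5.10|ThreatEvent|Malware detected|8|"
              "dvchost=ws001 suser=alice fname=eicar.com act=Deleted")
SAMPLE_TS = datetime(2021, 10, 5, 14, 3, 7, tzinfo=timezone.utc)


def demo_roundtrip():
    """Two messages in one TLS record plus a partial third, as a receiver would see them."""
    m1 = build_rfc5424(14, "epo01", "McAfee_ePO", SAMPLE_CEF, SAMPLE_TS)
    m2 = build_rfc5424(14, "epo01", "McAfee_ePO", SAMPLE_CEF.replace("alice", "bób"), SAMPLE_TS)
    stream = frame(m1) + frame(m2) + b"42 <14>1 2021-10-05T14:03:08.000Z epo01 tru"
    msgs, leftover = unframe(stream)
    return msgs == [m1, m2], leftover


if __name__ == "__main__":
    print(frame(build_rfc5424(14, "epo01", "McAfee_ePO", SAMPLE_CEF, SAMPLE_TS)))
    print(demo_roundtrip())
```

Feeding the output of `frame()` into the syslog-ng listener from the thread (with `send_tls("syslog.example", 6514, "ca.crt", [...])`, hostnames assumed) and watching the destination file is a quick way to separate "ePO cannot reach or trust the server" from "the server accepts TLS but drops the event".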

junier16
Explorer

Can you share the conf file statement that you used? I'm using the statement below with the cert, but syslog-ng is not listening on the port.

 

# TLS listener for ePO's CEF syslog (RFC 5425 transport on 6514/TCP).
# tcp() is the legacy driver; network(transport("tls")) is the current equivalent.
source source_6514_tls {
    tcp(
        port(6514)
        tls(
            key-file("/etc/syslog-ng/cert.d/server.key")    # must be readable by the user syslog-ng runs as
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            peer-verify(optional-untrusted)                 # clients may connect with or without a certificate; no client-cert checking
        )
        flags(no-multi-line)
    );
};

destination dest_6514_local { file("/var/log/syslog/logs"); };

log { source(source_6514_tls); destination(dest_6514_local); };
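"Not listening on the port" can mean several different things from ePO's point of view: nothing bound on 6514, a TCP listener that never answers the TLS handshake, or a handshake that fails. The following is an added example, not from the thread or from syslog-ng, that probes a listener the way a sender would and maps each outcome to the next check on the server. The host and port are parameters; the self-test reproduces two of the failure modes on 127.0.0.1 without any syslog daemon, and the `NEXT_CHECK` hints assume syslog-ng runs as a systemd unit named `syslog-ng`.

```python
import socket
import ssl


def probe_tls_listener(host, port, ca_file=None, timeout=3.0):
    """One-shot check of a TLS syslog listener from the client side.

    Returns one of:
      'refused'   nothing bound to host:port (daemon down, wrong port, bound to another address)
      'timeout'   TCP connects but no ServerHello arrives (plain-TCP listener, or a drop in between)
      'tls-error' handshake failed (untrusted cert when ca_file is given, protocol/cipher mismatch)
      'ok <ver>'  handshake completed with the given TLS version
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        # Diagnostic only: this tests reachability, not trust. Never configure a real sender this way.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok {tls.version()}"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ssl.SSLError:
        return "tls-error"


# Where to look next on the server for each verdict (assumes a systemd unit named syslog-ng).
NEXT_CHECK = {
    "refused": "ss -ltnp | grep 6514 ; syslog-ng -s (syntax check) ; journalctl -u syslog-ng",
    "timeout": "firewall on the path, or a tcp() source without a tls() block",
    "tls-error": "openssl s_client -connect HOST:6514 -CAfile ca.crt to read the handshake error",
}


def diagnose(host, port, ca_file=None, timeout=3.0):
    verdict = probe_tls_listener(host, port, ca_file, timeout)
    return verdict, NEXT_CHECK.get(verdict, "send a test frame and check the destination file")


def _closed_local_port() -> int:
    """Reserve then release an ephemeral port so nothing is listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_test():
    """Reproduce the 'refused' and 'timeout' outcomes locally."""
    refused = probe_tls_listener("127.0.0.1", _closed_local_port(), timeout=2)
    with socket.socket() as plain:           # TCP listener that never speaks TLS
        plain.bind(("127.0.0.1", 0))
        plain.listen(1)
        no_tls = probe_tls_listener("127.0.0.1", plain.getsockname()[1], timeout=1)
    return refused, no_tls


if __name__ == "__main__":
    print(self_test())
    print(diagnose("127.0.0.1", 6514))
```

Run `diagnose("<syslog host>", 6514, "ca.crt")` from the ePO server itself (or any box on the same path) rather than from the syslog host, so that host firewalls and intermediate filtering are exercised as well as the listener.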

leejones1964
New Member

Did you ever get the config correct?  I need the same thing and am not having any success with the right configuration.


junier16
Explorer

No, I never did. I used DB Connect to ingest the events.


richgalloway
SplunkTrust

I've been successful using Splunk DB Connect to pull information from the EPO database, but that was a while ago and things could have changed since then.

But let's back up a little.  Where are you when you click on "test connection"?  Have you checked your firewalls to make sure none are blocking the connections?  Which Splunk add-on are you talking about?

---
If this reply helps you, an upvote would be appreciated.