Mcafee Enterprise Security Manager Data Source Configuration Reference Guide 10-8-2019
Troubleshooting
General troubleshooting tips
Check data source health
Data source not sending events
Received data is not parsed
Parsed data not displayed on dashboard
Settings and policies not implemented
| Vendor | Product Name | Device Type | Versions Supported | Parser | Method of Collection | ESM Version | Notes |
|---|---|---|---|---|---|---|---|
| A10 Networks | Load Balancer | Load Balancer | All | ASP | Syslog | 10.0 and later | AX Series |
| Accellion | Secure File Transfer | Application | All | ASP | Syslog | 10.0 and later | |
| Access Layers | Portnox | NAC | 2.x | ASP | Syslog | 10.0 and later | |
| Alcatel-Lucent | NGN Switch | Switch | All | ASP | Syslog | 10.0 and later | |
| Alcatel-Lucent | VitalQIP | Applications / Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| Apache Software Foundation | Apache HTTP Server | Applications / Host / Server / Operating Systems / Web Content / Filtering / Proxies | 1.x, 2.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| Apache Web Server | Apache Web Server | Applications / Host / Server / Operating Systems / Web Content / Filtering / Proxies | 1.x, 2.x | ASP | Syslog | 10.0 and later | |
| Apple Inc. | Mac OS X | Applications / Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| Arbor Networks | Peakflow SP | Network Switches and Routers | 2.x and later | ASP | Syslog | 10.0 and later | |
| ArcSight | Common Event Format | Event Format | All | ASP | Syslog | 10.0 and later | |
| Aruba | Aruba OS | Wireless Access Point | N/A | Code Based | Syslog | 10.0 and later | |
| Attivo Networks | BOTsink | Generic | 3.3 and later | ASP | Syslog | 10.0 and later | |
| Avecto | Privilege Guard (ePO) | IAM / IDM | 3.x | ASP | ePO - SQL | 10.0 and later | |
| Barracuda Networks | Spam Firewall | Security Appliances / UTMs | 3.x, 4.x | ASP | Syslog | 10.0 and later | |
| BeyondTrust | BeyondInsight | Auditing | 6.0 and later | ASP | Syslog | 10.0 and later | |
| Bit9 | Bit9 Security Platform / Parity Suite - CEF | Application | All | ASP | Syslog | 10.0 and later | |
| Bit9 | Carbon Black | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| Blue Coat | Director | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| Blue Coat | ProxySG | Web Content / Filtering / Proxies | 4.x-6.x | ASP | Syslog | 10.0 and later | Access Log |
| Blue Coat | Reporter | Application | 9.5.1 | ASP | Syslog | 10.0 and later | Cloud Access Log |
| Blue Lance, Inc. | LT Auditor+ for Novell NetWare | Application | 9.x | Code Based | SQL | 9.1 to 9.3.2 | |
| Blue Ridge Networks | BorderGuard | Firewall | 5000, 6000 | ASP | Syslog | 10.0 and later | |
| BlueCat Networks | BlueCat DNS/DHCP Server | Application | All | ASP | Syslog | 10.0 and later | |
| Bradford Networks | Campus Manager | NAC / Network Switches and Routers | All | ASP | Syslog | 10.0 and later | |
| Bro Network Security Monitor | Bro Network Security Monitor | Network Security | All | ASP | Syslog | 10.0 and later | |
| Brocade | BigIron, FastIron and NetIron | Network Switches and Routers | 7.5 and later | ASP | Syslog | 10.0 and later | |
| CA Technologies | DataMinder - CEF | DLP | All | ASP | Syslog | 10.0 and later | CEF Format |
| Cerner | Cerner P2 Sentinel | Healthcare Auditing | All | Code Based | McAfee Event Format | 10.0 and later | |
| Check Point | Check Point | Firewall | All | ASP | OPSEC | 10.0 and later | Firewall 1, Edge, Enterprise, Express, NG, NGX, SmartEvent, and VPN |
| Check Point | Check Point via Splunk | Firewall | All | ASP | Syslog | 10.0 and later | Using Splunk app |
| Cimcor | CimTrak Management Console | Configuration Management | All | Code Based | McAfee Event Format | 10.0 and later | |
| Cisco | ASA NSEL | Firewall / Flow | All | Netflow | Netflow | 10.0 and later | |
| Cisco | CATOS v7xxx | Host / Server / Operating Systems / Network Switches and Routers | 6.x, 7.x | ASP | Syslog | 10.0 and later | |
| Cisco | Firepower Management Center | IDS / IPS | 5.3.x, 5.4.x, 6.x | ASP | Syslog | 10.0 and later | |
| Cisco | Firepower Management Center - Syslog | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| Cisco | IDS (4.x+ RDEP protocol) | IDS / IPS | 4.x and later | SDEE | | 10.0 and later | |
| Cisco | IOS | IDS / IPS / Network Switches and Routers | 12.x and later | ASP | Syslog | 10.0 and later | ACL, IOS FW, IOS IDS and DSP |
| Cisco | IOS EAP | IDS / IPS / Network Switches and Routers | 12.x and later | | | | Use Cisco IOS data source. |
| Cisco | IOS IDS | IDS / IPS / Network Switches and Routers | 12.x and later | | | | Use Cisco IOS data source. |
| Cisco | IOS IPS (SDEE protocol) | Application | All | SDEE | HTTP Protocol | 10.0 and later | |
| Cisco | IronPort Email Security | Email Security | 6.x, 7.x | ASP | Syslog | 10.0 and later | |
| Cisco | IronPort Web Security Appliance | Web Content / Filtering / Proxies | 6.x, 7.x | ASP | Syslog | 10.0 and later | |
| Cisco | NAC Appliance | NAC / Network Switches and Routers | All | ASP | Syslog | 10.0 and later | Formerly Clean Access |
| Cisco | NX-OS | IDS / IPS / Network Switches and Routers | 4.x, 5.x | ASP | Syslog | 10.0 and later | |
| Cisco | PIX/ASA/FWSM | Firewall / IDS / IPS | 5.x and later | ASP | Syslog | 10.0 and later | |
| Cisco | Secure ACS | IDS / IPS | 3.x, 4.x | ASP | Syslog | 10.0 and later | |
| Cisco | VSM/VPN Concentrator | Virtual Private Network | 2.x - 4.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| | NetScaler | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | Secure Gateway and NetScaler Web also supported |
| Cluster Labs | Pacemaker | Application | 1.x | ASP | Syslog | 10.0 and later | |
| Code Green | Data Loss Prevention | DLP | 8.x | ASP | Syslog | 10.0 and later | |
| Cofense | Cofense Intelligence | Correlation | | ASP | Syslog | 10.0 and later | CEF format is supported. |
| Cofense | Cofense Triage | Email Security | 2.0 and later | ASP | Syslog | 10.0 and later | CEF format is supported. |
| Cooper Power Systems | Cybectec RTU | Network Switches and Routers | 5.x, 6.x | ASP | Syslog | 10.0 and later | |
| Corero | Corero IPS | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| Corvil | Security Analytics | Security Management | 10.0 and later | ASP | Syslog | 10.0 and later | |
| Critical Watch | Critical Watch FusionVM | Vulnerability Systems | All | N/A | N/A | 10.0 and later | |
| | Privileged Threat Analytics | UEBA | 3.1 | ASP | Syslog | 10.0 and later | CEF format is supported. |
| CyberGuard | CyberGuard | Firewall | 5.x | Code Based | Syslog | 9.1 to 9.3.2 | Includes FS, SG, SL |
| Cyberoam | Cyberoam UTM and NGFW | UTM / Firewall | 10.0 and later | ASP | Syslog | 10.0 and later | |
| Cylance | CylancePROTECT | Antivirus | 1.4.2 and later | ASP | Syslog | 10.0 and later | |
| Cyrus | Cyrus IMAP and SASL | Messaging | 2.x | ASP | Syslog | 10.0 and later | |
| Dell | SonicWALL Aventail | Virtual Private Network | 10.x | ASP | Syslog | 10.0 and later | |
| DenyAll | rWeb | Firewall / DoS | rweb 4.1, 4.1.1.1, 4.1.3.2 | ASP | Syslog | 10.0 and later | |
| Econet | Sentinel IPS | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| EdgeWave | iPrism Web Security | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| Enforcive | System z SMF DB2 | MainFrame | All | ASP | Syslog | 10.0 and later | Formerly Bsafe, AS/400, DB2/IMS/Datacom/IDMS, FTP, RACF/Top Secret/ACF2, Telnet, VSAM/BDAM/PDS |
| Enterasys Networks | Dragon IPS | IDS / IPS | 1.x-7.x | ASP | Syslog | 10.0 and later | |
| Enterasys Networks | Dragon Sensor | IDS / IPS | 1.x-7.x | Code Based | SQL | 9.1 to 9.3.2 | |
| Epic | Clarity - CEF | Healthcare Application | 2015 and later | ASP | Syslog | 10.0 and later | Specific auditing events |
| Epic | Clarity - SQL Pull | Healthcare Application | 2010, 2012, 2014 | ASP | SQL | 10.0 and later | |
| Ergon | Airlock WAF | Firewall | 6.0 and later | ASP | Syslog | 10.0 and later | |
| Exabeam | Exabeam UEBA | UEBA | 2.8 and later | ASP | Syslog | 10.0 and later | |
| Extreme Networks | ExtremeWare XOS | Network Switches and Routers | 7.x, 8.x | ASP | Syslog | 10.0 and later | Alpine, BlackDiamond and Summit |
| F5 Networks | BIG-IP Access Policy Manager | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | |
| F5 Networks | Firepass SSL VPN | Virtual Private Network | All | ASP | Syslog | 10.0 and later | |
| F5 Networks | Local Traffic Manager - LTM | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| FairWarning | Patient Privacy Monitoring | Application Security | 2.9.x | Code Based | McAfee Event Format | 10.0 and later | |
| Fidelis Security | Fidelis XPS Appliance | Network | All | ASP | Syslog | 10.0 and later | |
| FireEye | FireEye Malware Protection System - CEF | Antivirus/Malware | 5.x and later | ASP | Syslog | 10.0 and later | |
| ForeScout | CounterACT | Network Switches and Routers | 5.x and 6.x | ASP | Syslog | 10.0 and later | |
| ForeScout | CounterACT CEF | Network Switches and Routers | 7.x and later | ASP | Syslog | 10.0 and later | |
| Fortinet | FortiAuthenticator | Authentication | 3.x | ASP | Syslog | 10.0 and later | |
| Fortinet | FortiGate IDS | IDS / IPS | All | Code Based | Syslog | 9.1 to 9.3.2 | |
| Fortinet | FortiMail | | | | | | |
| Fortscale | Fortscale UEBA | UEBA | 2.7 and later | ASP | Syslog | 10.0 and later | |
| Fujitsu | IPCOM | Firewall / IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| | CIFS/SMB File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| | FTP/FTPS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| | HTTP/HTTPS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| | McAfee Event Format | Other | N/A | Code Based | McAfee Event Format | 10.0 and later | |
| | NFS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| | SCP File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| | SFTP File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only |
| GFI | GFI LanGuard | VA Scanner | All | Code Based | File pull | 10.0 and later | |
| Gigamon | GigaVUE | Switches and Routers | All | ASP | Syslog | 10.0 and later | |
| GitHub | GitHub Enterprise | Application | 2.13.0 and later | ASP | Syslog | 10.0 and later | |
| Global Technology Associates | GNAT Box | Firewall | 5.3.x | ASP | Syslog | 10.0 and later | |
| Globalscape | Globalscape EFT | File Transfer | 7.x | ASP | McAfee Event Format | 10.0 and later | |
| Good Technology | Good Mobile Control | Application | All | ASP | Syslog | 10.0 and later | |
| Gurucul | Gurucul Risk Analytics | UEBA | 6.2 and later | ASP | Syslog | 10.0 and later | |
| HBGary | Active Defense | UTM | All | ASP | Syslog | 10.0 and later | |
| Hewlett-Packard | 3Com Switches | Switches and Routers | All | ASP | Syslog | 10.0 and later | |
| Hewlett-Packard | OpenVMS | Operating Systems | SYSLOG Client for OpenVMS 1.x | ASP | Syslog | 10.0 and later | Supported through "SYSLOG Client for OpenVMS", by Framework Solutions LLC |
| HyTrust | HyTrust CloudControl | NAC | 3.x, 4.x | ASP | Syslog | 10.0 and later | |
| IBM | DB2 LUW 10.0 and later, DB2 for Z/OS with CorreLog, DB2 for iSeries (AS/400) with Raz-Lee | Database | 8.x, 9.x, 10.x | | | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases |
| IBM | ISS Real Secure Server Sensor | Host / Server / Operating Systems | 5.5 - 7.x | Code Based | SQL | 9.1 to 9.3.2 | |
| IBM | Tivoli Endpoint Manager - BigFix | Host / Server / Operating Systems / Other | All | ASP | Syslog | 10.0 and later | Linux Agent Required |
| IBM | Tivoli Identity Manager - SQL Pull | IAM / IDM | All | ASP | SQL | 10.0 and later | |
| IBM | WebSphere Application Server | Application | 7.0 and later | ASP | File pull | 10.0 and later | |
| InfoExpress | CyberGatekeeper LAN | Network Switches and Routers | All | Code Based | Syslog | 9.1 to 9.3.1 | |
| InterSect Alliance | Snare for AIX | Other | All | ASP | Syslog | 10.0 and later | |
| InterSect Alliance | Snare for Solaris | Other | All | ASP | Syslog | 10.0 and later | |
| Invincea | Enterprise - CEF | Host / Server / Operating Systems / Other | All | ASP | Syslog | 10.0 and later | |
| IPFIX | IPFIX | Network Flow Collection | All | IPFix | IPFix | 10.0 and later | |
| iScan Online | iScan Online | Vulnerability Systems | All | N/A | N/A | 10.0 and later | |
| Itron | Itron Enterprise Edition | Smart Grid Application | All | ASP | Syslog | 10.0 and later | |
| Juniper Networks | Juniper Secure Access/MAG | VPN | All | ASP | Syslog | 10.0 and later | |
| Juniper Networks | NetScreen Firewall | Firewall | 4.x, 5.x, 6.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| Juniper Networks | NetScreen IDP | IDS / IPS | 3.x, 4.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| Juniper Networks | Steel Belted Radius | Radius Server | 5.x and later | ASP | Syslog | 10.0 and later | |
| KEMP Technologies | LoadMaster | Network Switches and Routers | 4.x, 5.x | ASP | Syslog | 10.0 and later | |
| Kerio Technologies | Kerio Control | Firewall | All | ASP | Syslog | 10.0 and later | |
| Lancope | StealthWatch | IDS / IPS / Network Switches and Routers | 4.x-5.6 | Code Based | Syslog | 9.1 to 9.3.2 | |
| Lancope | StealthWatch | IDS / IPS / Network Switches and Routers | 6.x and later | ASP | Syslog | 10.0 and later | |
| Lastline | Lastline Enterprise | UTM | 7.3 and later | ASP | Syslog | 10.0 and later | CEF syslog format is covered by the data source. |
| Legacy | Event Center | Other | All | ASP | Syslog | 10.0 and later | |
| Lieberman | Enterprise Random Password Manager | Application | All | ASP | Syslog | 10.0 and later | XML |
| LOGbinder | LOGbinder for SharePoint (SP) | Application | 4.0, 5.0, 5.1 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source. |
| LOGbinder | LOGbinder for Exchange (EX) | Application | 2.0, 2.5, 3.0, 3.1 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source. |
| LOGbinder | LOGbinder for SQL Server (SQL) | Application | 1.5, 2.0, 2.1, 2.5 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source. |
| | Bouncer - CEF | Application | 5.x and later | ASP | Syslog | 10.0 and later | |
| Malwarebytes | Breach Remediation | Antivirus / Anti-Malware | 2.6.2 | ASP | Syslog | 10.0 and later | CEF syslog format is covered by the data source. |
| Malwarebytes | Management Console | Antivirus / Anti-Malware | 1.7 | ASP | Syslog | 10.0 and later | Management Console, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. ESM supports CEF formatted syslog. |
| McAfee | Advanced Threat Defense | Antimalware | 3.2.2.4x and later | ASP | Syslog / DXL | 10.0 and later | |
| McAfee | Application and Change Control (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Email Gateway - CEF | Web Content / Filtering / Proxies | 6.x and later | ASP | Syslog | 10.0 and later | |
| McAfee | Endpoint Protection for Mac (ePO) | Antivirus | 2.0 and later | ASP | Syslog | 10.0 and later | |
| McAfee | Endpoint Security Firewall (ePO) | Firewall | 10.2 and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Endpoint Security Platform (ePO) | Auditing | 10.2 and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Endpoint Security Threat | Application | 10.2 and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Endpoint Security Web Control (ePO) | Application | 10.2 and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | ePO Audit Log (ePO) | Other | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | ePolicy Orchestrator Agent (ePO) | Applications / Security Management / Host / Server / Operating Systems | 3.x and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Host Data Loss Prevention (ePO) | DLP | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | Host Intrusion Prevention (ePO) | IDS / IPS | 6.x and later | ASP | ePO - SQL | 10.0 and later | |
| McAfee | McAfee Enterprise Log Manager | | | | | | |
| McAfee | McAfee Enterprise | | | | | | |
| McAfee | McAfee Event Receiver | | | | | | |
| McAfee | McAfee Event Receiver/ELM | | | | | | |
| McAfee | McAfee Security for Domino Windows (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | McAfee Security for Microsoft Exchange (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | McAfee Network Security Manager - SQL Pull | IDS / IPS | 6.x and later | ASP | SQL | 10.0 and later | |
| McAfee | McAfee Network Security Manager | IDS / IPS | 6.x and later | ASP | Syslog | 10.0 and later | |
| McAfee | Network Threat Response | IDS / IPS | 4.0.0.5, 4.1 | ASP | Code-Based API | 10.0 and later | |
| McAfee | McAfee Next Generation Firewall - Stonesoft | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| McAfee | Nitro IPS | IDS / IPS | All | ASP | Syslog | 10.0 and later | |
| McAfee | McAfee Policy Auditor (ePO) | Policy Server | All | ASP | ePO - SQL | 10.0 and later | |
| McAfee | SaaS Email Protection | Email Security | All | ASP | File Pull | 10.0 and later | |
| McAfee | SaaS Web Protection | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| McAfee | Web Gateway | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| Microsoft | ACS - SQL Pull | Applications / Host / Server / Operating Systems | All | ASP | SQL | 10.0 and later | |
| Microsoft | Exchange | Applications / Host / Server / Operating Systems | 2007, 2010, 2013 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | Message Tracking Logs |
| Microsoft | Forefront EndPoint Protection | HIPS | 2010 | ASP | SQL | 10.0 and later | See System Center 2012 Endpoint Protection. |
| Microsoft | Internet Authentication Service - Database Compatible Format | Web Content / Filtering / Proxies | 2008, 2008 R2, 2012 | ASP | File Pull | 10.0 and later | Database-Compatible Format |
| Microsoft | Internet Authentication Service - Formatted | Web Content / Filtering / Proxies | 2000, 2003, 2008 | ASP | File Pull | 10.0 and later | IAS Legacy Format |
| Microsoft | Internet Authentication Service - XML | Web Content / Filtering / Proxies | 2008 R2, 2012 | ASP | File Pull | 10.0 and later | DTS Compliant Format |
| Microsoft | Internet Information Services - FTP | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Microsoft | Internet Information Services - SMTP | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Microsoft | Internet Information Services | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Microsoft | MSSQL Server C2 Audit | Database | 2000, 2005, 2008 | Code Based | MEF - McAfee SIEM Agent | 10.0 and later | |
| Microsoft | SharePoint | Host / Server / File Management | 2007, 2010 | ASP | Syslog | 10.0 and later | |
| Microsoft | System Center Operations Manager | Security Management | 2007 | Code Based | MEF - McAfee SIEM Agent | 10.0 and later | |
| Microsoft | Windows DHCP | Debug DHCP Logs | 2003, 2008 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Microsoft | Windows DNS | Debug DNS Logs | 2003, 2008 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Microsoft | Windows Event Log - WMI | Applications / Host / Server / Operating Systems | XP, Windows 7, Windows 8, Windows 10, Server 2003, Server 2008, Server 2012, Server 2016 | WMI | WMI | 10.0 and later | Windows 8 is supported in ESM version 10.0 and later. |
| Mirage Networks | CounterPoint | NAC / Network Switches and Routers | 2.3.1 | Code Based | Syslog | 9.1 to 9.3.2 | |
| NetApp | Data ONTAP | Storage | 7.x | ASP | Syslog | 10.0 and later | |
| NetWitness | Informer - CEF | Application | All | ASP | Syslog | 10.0 and later | |
| NGS | NGS SQuirreL | Vulnerability Systems | All | N/A | N/A | 10.0 and later | |
| Niara | Niara | UEBA | 1.5 and later | ASP | Syslog | 10.0 and later | |
| Nortel Networks | Contivity VPN | Network Switches and Routers | 7.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| Nortel Networks | VPN Gateway 3050 | Virtual Private Network | 8.x | ASP | Syslog | 10.0 and later | |
| | Identity and Access Management - IAM | IAM / IDM | All | ASP | Syslog | 10.0 and later | |
| nPulse | CPX Packet Capture | Flow and Packet Capture | All | N/A | N/A | 10.0 and later | URL Integration |
| ObserveIT | ObserveIT | UBA | 7.5 and later | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| OpenVPN | OpenVPN | VPN | 2.1 and later | ASP | Syslog | 10.0 and later | |
| Oracle | Directory Server | Authentication | 11 | ASP | Syslog | 10.0 and later | Also covers: Sun ONE Server and Sun Java |
| Oracle | Oracle Audit - SQL Pull | Database | 9i, 10g, 11g, 12c | ASP | SQL | 10.0 and later | Supports standard and fine grain audits as well as Unified Audits introduced in 12c. |
| Oracle | Oracle Audit - XML File Pull | Database | 10g, 11g, 12c | ASP | SQL | 10.0 and later | |
| Oracle | Oracle Audit | Database | 9i, 10g, 11g, 12c | ASP | Syslog | 10.0 and later | |
| Oracle | Real Application | Database | 11g | ASP | File Pull | 10.0 and later | Parses the Event |
| Oracle | Solaris Basic Security Module - BSM | Host / Server / Operating Systems | 9.x, 10.x | ASP | Syslog | 10.0 and later | |
| Osiris | Host Integrity Monitor | Host / Server / Operating Systems / IDS / IPS | | ASP | Syslog | 10.0 and later | ISAKMP, RADIUS, SECURITY, Accounting, RIP, VR messages only |
| Palo Alto Networks | Palo Alto Firewalls | Firewall | All | ASP | Syslog | 10.0 and later | |
| PostgreSQL | PostgreSQL running on Linux | Database | 10.0 and later | | | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases |
| PowerTech | Interact - CEF | Host | All | ASP | Syslog | 10.0 and later | |
| Prevoty | Prevoty Security | Application | 3.2.1 | ASP | Syslog | 10.0 and later | Requires Log4j on Prevoty |
| Proofpoint | Messaging Security Gateway | Application | 7.2 and below | ASP | Syslog | 10.0 and later | |
| | DefensePro | IDS / IPS | 2.4.3 and later | Code Based | Syslog | 9.1 to 9.3.2 | |
| | DefensePro | IDS / IPS | 2.4.3 and later | ASP | Syslog | 10.0 and later | |
| Rapid7 | Rapid7 Metasploit Pro | Vulnerability Systems | 3.x and later | N/A | N/A | 10.0 and later | |
| Raz-Lee Security | iSecurity Suite | Application | All | ASP | Syslog | 10.0 and later | |
| Red Hat | JBoss / WildFly v8 Server | Application | Jboss 7.x, WildFly v8.x | ASP | Syslog | 10.0 and later | |
| Reversing Labs | N1000 Network Security Appliance | IDS / IPS | 3.2.1.2 | ASP | Syslog | 10.0 and later | |
| RioRey | DDoS Protection | Firewall / DoS | RIOS 5.0, 5.1, 5.2 | ASP | Syslog | 10.0 and later | |
| SAP | SAP Version 5 | Applications / Security Management / Host / Server / Operating Systems | 5.x and 6.x | ABAP Module and ASP | Syslog | 10.0 and later | |
| Savant Protection | Savant - CEF | Anti-Malware | 3.x | ASP | Syslog | 10.0 and later | |
| SecureAuth | IEP - Single Sign On | Authentication | 5.x | ASP | Syslog | 10.0 and later | |
| Securonix | Risk and Threat Intelligence | UEBA | | Code Based | McAfee Event Format | 10.0 and later | |
| sFlow | Generic sFlow | Network Flow Collection | All | sFlow | sFlow | 10.0 and later | |
| Silver Spring Networks | Network Infrastructure | Smart Grid | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Skyhigh Networks | Cloud Security Platform | DLP | 2.2 and later | ASP | Syslog | 10.0 and later | CEF format is supported. |
| Software Product Research | DB2 Access Recording Services DBARS | Database | All | ASP | Syslog | 10.0 and later | |
| SonicWall | IPS | IDS / IPS | All | Code Based | Syslog | 9.1 to 9.3.2 | |
| Sophos | Email Security and Data Protection | Email Security | All | ASP | Syslog | 10.0 and later | |
| Sophos | UTM and Next-Gen Firewall | UTM / Firewall | 9.1 | ASP | Syslog | 10.0 and later | |
| Sophos | Web Security and Control | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
| | FireSIGHT Management Console - eStreamer | IDS / IPS | 5.x, 6.x | Code Based | eStreamer | 10.0 and later | Use Cisco Firepower Management Center - estreamer |
| SourceFire | NS/RNA | IDS / IPS | All | ASP | Syslog | 10.0 and later | Includes Snort IDS |
| Squid | Squid | Web Content / Filtering / Proxies | 1.x | Code Based | Syslog | 9.1 to 9.3.2 | |
| SS8 | BreachDetect | Correlation | 3.7 and later | ASP | File pull | 10.0 and later | |
| STEALTHbits | StealthINTERCEPT | HIDS | 3.1.262.1 | ASP | Syslog | 10.0 and later | CEF format is supported. |
| StillSecure | Strata Guard | Firewall / Security Management | 5.x, 6.x | ASP | Syslog | 10.0 and later | |
| Sun | iPlanet | Web Server | All | Code Based | Syslog | 9.1 to 9.3.2 | |
| Symantec | Antivirus Corporate Edition Server | Antivirus | 8.x, 9.x | Code Based | SQL | 10.0 and later | |
| Symantec | Messaging Gateway | Messaging | 2.x and later | ASP | Syslog | 10.0 and later | |
| Tenable | Tenable Nessus | Vulnerability Systems | 3.x, 4.x, 5.x, 6.x | N/A | N/A | 10.0 and later | |
| Teradata | Teradata | Database | 12, 13, 13.10, 14, 15, and 15.1 on Linux | | | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases |
| ThreatConnect | Threat Intelligence Platform | UEBA | 3.x and later | ASP | Syslog | 10.0 and later | |
| TippingPoint | SMS | Security Management | 2.x and later | ASP | Syslog | 10.0 and later | |
| TITUS | Message Classification | Application | All | WMI | WMI | 10.0 and later | Supported through Microsoft Windows Event Log |
| Tofino Security | Tofino Firewall LSM | Firewall | All | ASP | Syslog | 10.0 and later | |
| Townsend Security | AS/400 - CEF | Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | |
| Trapezoid | Trust Control Suite | Application | All | ASP | Syslog | 10.0 and later | |
| TrapX Security | DeceptionGrid | Generic | 5.x and later | ASP | Syslog | 10.0 and later | |
| Trend Micro | Control Manager | Antivirus / Vulnerability Systems | 3.x, 5.x, 6.x | Code Based | SQL | 9.1 to 9.3.2 | |
| Trend Micro | Deep Security - CEF | HIDS | 6.x and later | ASP | Syslog | 10.0 and later | |
| Trend Micro | Deep Security Manager - CEF | HIDS | 6.x and later | ASP | Syslog | 10.0 and later | |
| Trend Micro | OSSEC | FIM / HIDS | 1.x, 2.x | ASP | Syslog | 10.0 and later | |
| Trustwave | Data Loss Prevention | DLP | 8.x | ASP | Syslog | 10.0 and later | |
| Type80 Security Software | SMA_RT | Host / Server / Operating Systems | All | Code Based | Syslog | 9.1 to 9.3.2 | |
| UNIX | Linux | Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | |
| UNIX | OS | Host / Server / Operating Systems | Solaris, Red Hat Linux, HP-UX, IBM AIX and SUSE | Code Based | Syslog | 9.1 to 9.3.2 | |
| VanDyke Software | VShell | Application | 2.x, 3.x | ASP | Syslog | 10.0 and later | |
| Vericept | Content 360 | DLP | 8.x | ASP | Syslog | 10.0 and later | Supported through Trustwave DLP |
| VMware | AirWatch | Mobile Device Management | 7.3, 8.0 | ASP | Syslog | 10.0 and later | |
| Vormetric | Data Security | Application | 4.x | ASP | Syslog | 10.0 and later | |
| WatchGuard Technologies | Firebox and X Series | Firewall | 8.x-11.x | ASP | Syslog | 10.0 and later | |
| Websense | Cloud Web Security | HIDS | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | |
| Websense | Websense - CEF, Key Value Pair | Web Content / Filtering / Proxies | 7.7 and later | ASP | Syslog | 10.0 and later | |
| Websense | Websense Enterprise - SQL Pull | Web Content / Filtering / Proxies | 6.x, 7.x | ASP | SQL | 10.0 and later | |
| Xirrus | 802.11abgn Wi-Fi Arrays | Switches and Routers | All | ASP | Syslog | 10.0 and later | |
| Zenprise | Secure Mobile Gateway | Security Mobile Gateway | 5.x and later | ASP | Syslog | 10.0 and later | |
| Zscaler | Nanolog Streaming Service (NSS) | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | |
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
5. Configure the data source using the configuration instructions.
6. (Optional) Click Advanced and configure the settings.
Task
1. Click the Get Events and Flows icon on the actions toolbar to pull events or flows.
2. From the McAfee ESM dashboard, click and select Configuration.
3. On the system navigation tree, select the receiver, then click the Properties icon.
4. On the Receiver Properties page, click Data Sources → Auto Learn.
5. On the Auto Learn page, click Configure.
6. On the Auto Add Rule Editor page, select Enable auto creation of data sources.
7. Click Add, then select the auto add rules you want the receiver to use to create data sources automatically.
8. To apply selected rules to the existing auto learned data, click Run Now.
Task
1. From the McAfee ESM dashboard, click and select Configuration.
2. On the system navigation tree, select the receiver, then click the Properties icon.
3. On the Receiver Properties page, click Data Sources → Auto Learn → Configure.
4. Select Enable to turn on auto creation of data sources.
5. If you want to create or change a rule, click Add or select a rule and click Edit.
a. On the Configure auto add rule page, configure the settings.
| Section | Option | Definition |
|---|---|---|
| Auto Learn Matching Criteria | IP/CIDR and Host Name | The network location and host name from which traffic must originate to trigger the rule. |
| Data Source/Client Creation Parameters | Name | The name for the data source. This field supports variables to represent IP address, model, and host name. For example, you can type Data source - {MODEL}_{HOST}_{IP}. |
b. Click OK.
6. On the Auto Add Rule Editor page, use the arrows to arrange the rules in the order you want.
7. Click Run Now to apply the rules to the current auto learn results.
Results
Auto creation happens when alerts are pulled from the Receiver, either manually or automatically by McAfee ESM.
Task
1. On the system navigation tree, select Receiver Properties, then click Data Sources.
2. On the data sources table, select the primary data source to which you want to add a data source.
3. Click Add Child, then fill out the fields as you would for a parent data source.
4. Click OK.
Task
1. From the McAfee ESM dashboard, click and select Configuration.
2. On the system navigation tree, select the receiver, then click the Properties icon .
3. Click Data Sources.
4. Select the data source that you want to add the client to, then click Clients.
5. Configure the data source.
a. Enter a name for the client.
b. Set the time zone where the client is located.
c. Select a Date Order.
d. Enter an IP address or host name. Clients can have duplicate IP addresses because the port differentiates them.
e. Select Require syslog TLS to apply Transport Layer Security (TLS) encryption for syslog.
f. Set the port.
g. Select Match by type to match clients by type, then select the vendor and model of this client.
Results
Events go to the data source (parent or client) that is more specific. For example, you have two client data sources, one with an IP address of 1.1.1.1 and the second with an IP address of 1.1.1.0/24, which covers a range. Both are the same type. If an event matches 1.1.1.1, it goes to the first client because it is more specific.
Task
1. On the system navigation tree, click a Receiver, then click the Add Data Source icon.
2. Select Generic in the Data Source Vendor field, then Advanced Syslog Parser in the Data Source Model field.
3. Enter the information requested, and select the correct encoding in the Encoding field.
Task
1. On the system navigation tree, select a Receiver, then click the Add data source icon.
2. Click Advanced, then make a selection in the Date Order field:
◦ Default - Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day - The month goes before the day (04/23/2014).
◦ Day before month - The day goes before the month (23/04/2014).
3. Click OK.
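The two rules above, most-specific client wins and a client's Default date order inherits from its parent, are easy to get wrong when many clients share a subnet, so here is an added model of them (my code, not McAfee's; ESM's internal implementation is not published in this guide). Assumptions beyond the text: a client matches when the vendor/model type, the port and the IP/CIDR all match; among matches the longest prefix wins; Default on a parent means month before day.

```python
"""Model of the client-routing and Date Order rules described in this guide.

Added example, not McAfee code. Assumptions not stated in the guide: a client
matches an event when the vendor/model type matches, the port matches and the
source IP lies within the client's IP/CIDR; among matching clients the longest
prefix wins; a parent whose Date Order is Default uses month before day.
"""
from dataclasses import dataclass, field
from datetime import date
import ipaddress
from typing import List, Optional

DEFAULT, MDY, DMY = "Default", "Month before day", "Day before month"


@dataclass
class DataSource:
    name: str
    network: ipaddress.IPv4Network      # IP address or CIDR (1.1.1.1 or 1.1.1.0/24)
    kind: str                           # vendor/model used by "Match by type"
    port: int = 514
    date_order: str = DEFAULT
    parent: Optional["DataSource"] = None
    clients: List["DataSource"] = field(default_factory=list)

    def add_client(self, name, cidr, kind, port=514, date_order=DEFAULT):
        """Add a client data source; clients may share an IP if ports differ."""
        client = DataSource(name, ipaddress.ip_network(cidr, strict=False),
                            kind, port, date_order, parent=self)
        self.clients.append(client)
        return client

    def effective_date_order(self) -> str:
        """Default on a client inherits the parent's order; on a parent it means MDY."""
        if self.date_order != DEFAULT:
            return self.date_order
        if self.parent is not None:
            return self.parent.effective_date_order()
        return MDY


def route_event(parent, src_ip, kind, port):
    """Return the most specific matching client, or the parent if none matches."""
    ip = ipaddress.ip_address(src_ip)
    matches = [c for c in parent.clients
               if c.kind == kind and c.port == port and ip in c.network]
    if not matches:
        return parent
    # Longest prefix is most specific: a /32 beats a /24 covering the same host.
    return max(matches, key=lambda c: c.network.prefixlen)


def parse_event_date(text, date_order):
    """Parse a dd/mm/yyyy or mm/dd/yyyy stamp according to the Date Order."""
    first, second, year = (int(p) for p in text.split("/"))
    day, month = (first, second) if date_order == DMY else (second, first)
    return date(year, month, day)


def build_example():
    """Constructed set-up mirroring the guide's 1.1.1.1 vs 1.1.1.0/24 example."""
    parent = DataSource("parent", ipaddress.ip_network("1.1.1.0/24"),
                        "Generic ASP", date_order=DMY)
    parent.add_client("client-host", "1.1.1.1", "Generic ASP")       # inherits DMY
    parent.add_client("client-subnet", "1.1.1.0/24", "Generic ASP")  # inherits DMY
    parent.add_client("client-host-tls", "1.1.1.1", "Generic ASP",
                      port=6514, date_order=MDY)                      # same IP, other port
    return parent


def ingest(parent, src_ip, kind, port, stamp):
    """Route one event and parse its date with the chosen source's Date Order."""
    target = route_event(parent, src_ip, kind, port)
    return target.name, parse_event_date(stamp, target.effective_date_order()).isoformat()


if __name__ == "__main__":
    p = build_example()
    print(ingest(p, "1.1.1.1", "Generic ASP", 514, "23/04/2014"))   # ('client-host', '2014-04-23')
    print(ingest(p, "1.1.1.50", "Generic ASP", 514, "23/04/2014"))  # ('client-subnet', '2014-04-23')
    print(ingest(p, "1.1.1.1", "Generic ASP", 6514, "04/23/2014"))  # ('client-host-tls', '2014-04-23')
    print(ingest(p, "1.1.1.1", "Other", 514, "23/04/2014"))         # ('parent', '2014-04-23')
```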
Task
1. From the McAfee ESM dashboard, click and select Configuration.
2. On the system navigation tree, select the receiver, then click the Properties icon.
Task
1. From the McAfee ESM dashboard, click and select Configuration.
2. On the system navigation tree, select the receiver, then click the Properties icon.
3. Click Data Sources → Clients.
4. In the Search field, enter the information you want to search for, then click Search.
Task
1. From the McAfee ESM dashboard, click and select Configuration.
2. On the system navigation tree, select the receiver, then click the Properties icon.
3. Click Data Sources.
4. Select the data sources to be migrated, then click Migrate.
5. Select the new Receiver in the Destination Receiver field, then click OK.
Task
1. On the system navigation tree, select Receiver Properties.
2. To select the data sources and remote location, do the following:
a. Select the data source, then click Edit.
b. Click Advanced, then select Export in NitroFile.
Note: The data is exported to a remote location that is configured using a remote share profile. The system now copies raw data generated by this data source to the remote share location.
3. To create the raw data file, do the following:
a. Access the remote share location where the raw data is saved.
b. Save the raw data that has been generated in a location that allows you to move the file to the second Receiver (such as a jump drive that you can carry to the unsecured location).
4. To create a file that describes data sources, do the following:
a. Select the data source, then click Import.
b. Locate the file of data sources you moved and click Upload.
c. On the Remote share profile list, select the location where you saved the raw data files. If the profile isn't listed, click Remote share profile and add the profile.
Note: The data sources are added to the second Receiver and access the raw data through the remote share profile.
5. To import raw data and data source files, do the following:
a. On the second Receiver system navigation tree, access Data Sources, then click Import.
b. Locate the file of data sources you moved and click Upload.
c. On the Remote share profile list, select the location where you saved the raw data files. If the profile is not listed, click Remote share profile and add the profile.
6. Click OK.
Task
1. Export a list of data sources currently on the Receiver.
a. On the system navigation tree, select Receiver Properties, then click Data Sources.
b. Click Export, then click Yes to confirm the download.
c. Select the location for the download, change the file name if needed, then click Save.
d. Access and open this file.
2. Add, edit, or remove data sources on the list.
a. In column A, specify whether to add, edit, or remove the data source.
b. If adding or editing data sources, enter the information in the spreadsheet columns.
Note: You can't edit the policy or the name of the data source.
c. Save the changes made to the spreadsheet.
Note: You can't edit a data source to change it into a client data source, or a client data source into a data source.
3. Import the list to the Receiver.
a. On the system navigation tree, select Receiver Properties, then click Data Sources.
b. Click Import, then select the file and click Upload.
Note: You can't change the policy or the name of the data source.
c. To import the changes, click OK.
d. If there are errors in the formatting of the changes, a Message Log describes the errors.
e. Click Download Entire File, then click Yes.
f. Select the location for the download to be saved, change the name of the file if needed, then click Save.
g. Open the file that downloaded.
h. Correct the errors, then save and close the file.
i. Close Message Log and Import Data Sources, then click Import and select the file that you saved.
j. Click OK.
Task
1. Log on to Advanced Threat Defense.
2. Click the Manage icon and select Syslog Setting from the left menu.
Option Definition
Port 514
Transport TCP
Task
1. From McAfee ESM, select a receiver and click the Add Data Source icon.
Option Definition
Mask 32
Time Zone The time zone where the Advanced Threat Defense device is located.
2. Click OK and click Yes when prompted to add Advanced Threat Defense as a cyber threat feed source.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Time Order Tolerance The maximum time that events can be logged out of chronological order.
Use Local Data Not available if the receiver is connected to a Data Streaming Bus.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. In the navigation pane, expand Application Security, point to Options, then click Logging Profiles.
2. Above the Logging Profiles area, click Create.
3. For Configuration, select Advanced.
4. For Profile Name, type a unique name for the logging profile.
5. Select Remote Storage, then select Reporting Server for the Type.
6. If you do not want data to be logged locally while it is being logged remotely, deselect Local Storage.
7. For Protocol, select UDP.
8. For Server IP, type the IP address of the McAfee Event Receiver.
9. For Server Port, type 514 (the default port used for Syslog).
10. (Optional) To ensure that system logging takes place, even when the logging utility is competing for system resources, select Guarantee Logging.
11. (Optional) To log details about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select Report Detected Anomalies. Examples of log details can include start and end time, number of dropped requests, and attacking IP addresses.
12. Click Create.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
<13>RTS: CEF:0|McAfee|iGuard|9.2|CNN wget|CNN wget|Medium|cs1=Policy for prevenct cs1Label=policies cn1=2 cn1Label=MatchC
Field mapping
request URL
cs2 Subject
cs1 Object
fname Filename
cs3 Object_Type
cn1 Message_Text
Name Message
duser Destination_Username
shost Hostname
proto Protocol
src
app Application
Task
1. Log on to McAfee® Database Security console.
2. Select System → Interfaces → Syslog.
3. Select Use syslog.
4. Configure the correct syslog host/port (IP address and port of the McAfee Event Receiver).
5. Select transport protocol.
6. Set syslog format to CEF.
7. Click Save.
Task
1. Log on to the McAfee ePO server.
2. Click Menu → Server Settings → Database Activity Monitoring → Syslog → Edit.
3. Configure the Syslog parameters.
Option Value
Format CEF
Option Value
Enabled Parsing
Mask 0
Port 514
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTP
Field mapping
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. Open and log on to the Appliance Management Console.
2. Select System → Logging → Alerting and SNMP → System Log Settings.
3. Click Enable system log events.
4. To enable CEF format, select the Logging format ArcSight.
5. Select Off-box system log and click Add Server.
6. Add the McAfee Event Receiver IP address and port (default is 514).
Task
1. Open and log on to the Appliance Management Console.
2. Select System → Logging → Alerting and SNMP → System Log Settings.
3. Click Enable system log events.
4. To enable standard non-formatted syslog messages, select the Logging format Syslog.
5. Select Off-box system log and click Add Server.
6. Add the McAfee Event Receiver IP address and port (default is 514).
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Source Model For Syslog, select EWS v5 / Email Gateway Original Format - Legacy (ASP).
For CEF, select Email Gateway - CEF (ASP).
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Map McAfee Email and Web Security 6.x.x fields to McAfee ESM fields
Signature ID Sid
Name Message
Severity Severity
deviceDirection Direction
suser From
duser To
app Application
dst Destination IP
src Source IP
dhost Hostname
msg Reason
Map McAfee Email and Web Security 5.x.x events to McAfee ESM fields
Application Application
Event Message
status Reason
from From
to To
source Source IP
relay Destination IP
subject Subject
Task
1. Log on to the McAfee ePO database server.
2. Start SQL Server Management Studio → Enterprise Manager.
3. Expand the Console Root node several times to view the items under the Security folder.
4. Right-click the Logins icon, then select New Login.
5. On the General page, do the following:
a. In Login name, enter a user name (such as epo) that the McAfee Event Receiver uses to connect to the McAfee ePO database.
b. Select SQL Server Authentication, then enter and confirm a password.
c. From the Default database drop-down list, select the McAfee ePO database.
Caution: If you leave the Default database as master, the McAfee Event Receiver fails to pull events.
6. Select the User Mapping page.
a. Select the database where the user’s logon is mapped.
b. For Database role membership, select db_datareader.
7. Click OK to save.
8. Log off from the SQL Server Management Studio/Enterprise Manager.
Task
1. Log on to the McAfee ePO console using an account with the appropriate rights.
2. Select Menu → Permission Sets → User Management.
3. Click Actions → New.
4. Name the group McAfee SIEM.
5. Add rights so that the McAfee ESM account works properly. With the new group selected, scroll down to Systems, then select Edit.
6. In Systems, select these options, then click Save.
a. For Actions, select Wake up agents, view Agent Activity Log.
b. For Tag use, select Apply, exclude, and clear tags.
7. To assign users to the group, in the User Management section, select Menu → Users.
8. Select New User and define these options:
a. Enter the New User name.
b. Set the Logon status to Enabled.
c. Set the Authentication type to ePO authentication and enter the password.
d. Set the Manually assigned permission sets to Selected permission sets and McAfee SIEM, then click Save.
McAfee ePO listed in the ESM device tree as a device
McAfee ePO listed in the ESM device tree as a data source
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. From the device tree, select Physical Display, then click the Add Device icon from the Action toolbar.
2. In the Add Device Wizard, select McAfee ePolicy Orchestrator (v4.6 or newer), then click Next.
3. Enter a name for the McAfee ePO device, then click Next.
a. Select the McAfee Event Receiver that connects to the McAfee ePO device.
b. Enter the application IP address of the McAfee ePO Application Server.
c. Enter the application port (default is 8443).
d. Enter the application user name for the McAfee ePO web interface.
e. Enter the application password for the McAfee ePO web interface.
f. When McAfee ePO is added on the ESM, the ESM can check for the presence of a Threat Intelligence Exchange (TIE) server. If one is present, the ESM begins listening and retrieving events from the Data Exchange Layer (DXL). To use this feature, select Enable DXL.
4. Test the McAfee Event Receiver's ability to connect to McAfee ePO by clicking Connect. When the connection is successful, click Next.
If the connection fails, verify the user credentials and that no firewall policies are blocking the connection between the McAfee Event Receiver and McAfee ePO.
Caution: Select Require user authentication only if each McAfee ePO user has a separate account for each device.
a. Enter the database IP address of the McAfee ePO database server.
b. Enter the database port (default is 1433).
c. Enter the database user name.
d. Enter the database password.
e. Enter the database name.
f. If using database instances, enter the database instance name.
Task
1. From ESM System Properties, select ESM Management.
2. Click Local Network.
3. Enter the IP addresses and optional subnets that make up the Local Network, then click OK.
McAfee ESM now allows the user to start McAfee ePO and view details specific to a managed endpoint.
Start ePolicy Orchestrator from McAfee ESM to view details about Managed Assets
Task
1. Select an event from the McAfee ESM views that contain source or destination IP addresses associated with a managed asset in McAfee ePO.
2. In the upper left of the component window, click the menu icon.
3. Select Actions → View in ePO from the expanded menu.
4. Select a McAfee ePO device (if applicable), then click OK.
◦ If only one McAfee ePO device or data source appears on the system, the McAfee ePO interface starts.
◦ If more than one McAfee ePO device or data source appears on the system, select the one you want to access. The McAfee ePO interface starts for that device.
◦ If an event or flow is selected from a table component in McAfee ESM, with both a source IP address and destination IP address from the local network, the user must also select which IP address is used in the lookup. Once the IP address is identified, the McAfee ePO interface starts.
5. When prompted for authentication with McAfee ePO, enter the appropriate McAfee ePO credentials to log on.
Once authenticated, the asset information window for McAfee ePO displays details related to the endpoint that you selected from the event in McAfee ESM.
Task
1. Select an event from the ESM views that contain source or destination IP addresses associated with a managed asset in ESM.
2. In the upper left of the component window, click the menu icon.
3. From the expanded menu, select Actions → ePO Tagging.
4. Select a policy tag from the list, then click Assign.
1. Verify that Require user authentication is selected when adding the McAfee ePO device on the ESM, or when configuring its connection settings.
2. Enter the credentials on the ESM options page.
a. On the system navigation bar of the ESM console, click options, then click ePO Credentials.
b. Select a McAfee ePO device and click Edit.
c. Provide the user name and password for the selected device, then click Test Connection.
d. Click OK when the test passes.
Task
1. From the McAfee Firewall Enterprise Admin Console, select Monitor → Audit Management, then click the Firewall Reporter/Syslog tab.
2. In the Export audit to syslog servers section, click New on the toolbar.
3. Enter the IP address of the McAfee Event Receiver where the logs are sent.
4. From the Remote Facility drop-down list, select a syslog facility to help identify the audit export.
5. (Optional) Click in the Description cell and type a description of the audit export entry.
6. Verify these settings from the advanced options, then press OK.
◦ Port: 514
◦ Format: SEF
7. Save the changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask Default
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a McAfee Firewall Enterprise device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. From the Enterprise Connector interface, go to Enterprise Integration → SIEM Integration.
2. Change the value of SIEM Server to ON.
3. Select Common Event Format (CEF).
4. Set the Syslog Protocol value to UDP.
5. For the Syslog Server value, enter the IP address of the McAfee Event Receiver.
6. For the Syslog Port value, type 514.
7. Change the value for Send Shadow service Anomalies to SIEM to All Anomalies.
8. Change the value for Send Sanctioned service Incidents to SIEM to All Incidents.
9. Click SAVE.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<PRIORITY>DATE TIME HOSTNAME CEF:0|DEVICE VENDOR|DEVICE PRODUCT|DEVICE VERSION|SIGNATURE ID|NAME|SEVERITY|KEY=VALUE KEY=
Log sample
This is a sample log from MVISION Cloud:
<14>Feb 14 14:18:36 MHLABAP50 CEF:0|McAfee MVISION Cloud|Anomalies|4.1.0.1|CloudAccess|Alert.Policy|10|start=2001-01-01
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity Severity
Direction Direction
serviceName Service_Name
response Subtype
riscValue Reputation_Score
DeviceValue Operating_System
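A parser for the CEF-over-syslog lines shown in this guide's log samples (the iGuard sample earlier on this page and the MVISION Cloud sample in this section), which then applies the two field mapping tables to produce McAfee ESM field names. This is example code added here; it is not the ESM's ASP parser or McAfee code, and the function names and the third, escape-exercising sample line are constructed for the example.

```python
"""Parse CEF-over-syslog lines like the log samples in this guide and apply
the guide's field mapping tables to produce McAfee ESM field names.
Example code added to this page; not the ESM's ASP parser."""
import re
from typing import Dict, List, Tuple

_PRI_RE = re.compile(r"^<(\d{1,3})>")             # RFC 3164 <PRI> prefix
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value; a value runs until the next " key="
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")

# Mappings copied from the field mapping tables on this page. "name" is the CEF
# header Name field; iGuard's "src" row lists no ESM target, so it is omitted.
IGUARD_ESM_MAP = {
    "request": "URL", "cs2": "Subject", "cs1": "Object", "fname": "Filename",
    "cs3": "Object_Type", "cn1": "Message_Text", "name": "Message",
    "duser": "Destination_Username", "shost": "Hostname", "proto": "Protocol",
    "app": "Application",
}
MVISION_ESM_MAP = {
    "severity": "Severity", "Direction": "Direction", "serviceName": "Service_Name",
    "response": "Subtype", "riscValue": "Reputation_Score", "DeviceValue": "Operating_System",
}

# Samples quoted from this guide (both are truncated in the source) and one
# constructed line exercising the CEF escapes (\| in the header, \= in extensions).
IGUARD_SAMPLE = ("<13>RTS: CEF:0|McAfee|iGuard|9.2|CNN wget|CNN wget|Medium|"
                 "cs1=Policy for prevenct cs1Label=policies cn1=2 cn1Label=MatchC")
MVISION_SAMPLE = ("<14>Feb 14 14:18:36 MHLABAP50 CEF:0|McAfee MVISION Cloud|Anomalies|"
                  "4.1.0.1|CloudAccess|Alert.Policy|10|start=2001-01-01")
ESCAPED_SAMPLE = r"CEF:0|Vendor\|Co|Prod|1.0|100|Pipe \| in name|5|msg=a\=b act=blocked"


def _split_header(text: str, count: int = 7) -> Tuple[List[str], str]:
    """Split the first `count` pipe-delimited header fields, honouring backslash
    escapes, and return them together with the untouched extension remainder."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(parts) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # \| or \\ -> the literal character
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts, text[i:]


def _unescape(value: str) -> str:
    # Undo the CEF extension escapes: backslash-equals, backslash-backslash, \n, \r.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict:
    """Parse one syslog line carrying a CEF message. Raises ValueError on malformed input."""
    syslog: Dict[str, int] = {}
    pri = _PRI_RE.match(line)
    if pri:
        value = int(pri.group(1))
        syslog = {"facility": value >> 3, "severity": value & 7}
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    # Whatever sits between <PRI> and CEF: (timestamp, host, or a tag such as "RTS:") is kept verbatim.
    syslog_header = line[pri.end() if pri else 0:start].strip()
    parts, ext_raw = _split_header(line[start + len("CEF:"):])
    if len(parts) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    extensions = {k: _unescape(v) for k, v in _EXT_RE.findall(ext_raw.strip())}
    return {"syslog": syslog, "syslog_header": syslog_header,
            "header": dict(zip(_HEADER_FIELDS, parts)), "extensions": extensions}


def resolve_labels(extensions: Dict[str, str]) -> Dict[str, str]:
    """Pair csN/cnN values with their csNLabel/cnNLabel names, e.g. {"policies": "..."}."""
    return {label: extensions[key[:-5]] for key, label in extensions.items()
            if key.endswith("Label") and key[:-5] in extensions}


def map_to_esm(parsed: Dict, mapping: Dict[str, str]) -> Dict[str, str]:
    """Rename header and extension fields to ESM field names using a mapping table."""
    fields = {**parsed["extensions"], **parsed["header"]}
    return {esm: fields[cef] for cef, esm in mapping.items() if cef in fields}


if __name__ == "__main__":
    for sample, mapping in ((IGUARD_SAMPLE, IGUARD_ESM_MAP), (MVISION_SAMPLE, MVISION_ESM_MAP)):
        parsed = parse_cef(sample)
        print(parsed["header"]["device_product"], map_to_esm(parsed, mapping),
              resolve_labels(parsed["extensions"]))
```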
Task
1. Configure the data source according to the instructions on the Knowledge Center.
2. Select a receiver.
3. Click the Properties icon.
4. From the Receiver Properties window, select Data Sources.
5. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address Automatically populated when you enter the Hostname and click Look up.
Hostname arevents.mvision.mcafee.com
Field 1 epo.evt.r
Proxy Username and Proxy Password Credentials for logging on to the proxy server
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list. See
Configure zones in the ESM Product Guide.
External data source link Automatically selected when you import events from another receiver. You
can deselect the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for the log is:
{"detectedutc":{"name":"","type":"","value":""},"analyzermac":{"name":"","type":"","value":""},"sourceprocessname":{"nam
Log sample
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
Configure the data source according to the instructions on the Knowledge Center.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Format
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address Automatically populated when you enter the Hostname and click Look up.
Hostname console.mcafee-mvision-mobile.com
Use proxy Proxy, if required by installation. Enter the IP, port, and credentials for the
proxy server.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can deselect the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from McAfee MVISION Mobile:
<14>1 07 22 2018 15:37:56 UTC zconsole {"system_token":"system_token-Value","severity":3,"event_id":"event_id-Value","mit
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. Log on to the management interface as an administrator.
2. Click the Configure icon on the dashboard.
3. In the resource tree, click the root node (usually My Company).
4. Click the Fault Notification tab, then click Syslog.
5. Change these settings, then click Save:
◦ Enable Syslog Forwarder: Yes
◦ Server Name or IP address: Enter the IP/Hostname of your Receiver
◦ Port: 514
◦ With Severity: Informational and above
6. Click Edit.
7. Insert this text into the Message field:
|$IV_SENSOR_ALERT_UUID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_AT
Task
1. Log on to the management interface as an administrator.
2. Click the Configure icon on the dashboard.
3. In the resource tree, click the root node (usually My Company).
4. Select Alert Notification → Syslog Forwarder.
5. Change these settings, then click Save:
◦ Enable Syslog Forwarder: Yes
◦ Host IP Address/Hostname: Enter the IP/Hostname of your Receiver
◦ Port: 514
◦ With severity level: Informational and above
6. Click Edit.
7. Insert this text into the Message field:
|$IV_SENSOR_ALERT_UUID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_AT
Make sure there are no newline characters entered into that field.
8. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
McAfee Network Security Manager (syslog) log format and field mapping
Log format
The expected format for this device is:
<SyslogForarderType>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID|ATTACK_SEVERITY|ATTACK_SIGNATURE|
ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_
DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|RELEVANCE|QUARANTINE_END_TIME|
MCAFEE_NAC_FORWARDED_STATUS|MCAFEE_NAC_MANAGED_STATUS|MCAFEE_NAC_ERROR_STATUS|MCAFEE_NAC_ACTION_STATUS|SENSOR_CLUSTER_ME
ATTACK_COUNT|VLAN_ID|LAYER_7_DATA|VLAN_ID|PROTECTION_CATEGORY|SOURCE_VM_NAME|TARGET_VM_NAME|SOURCE_VM_ESX_NAME|TARGET_VM
PROXY_SERVER_IP|
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
ATTACK_NAME Message
ATTACK_ID Signature ID
ATTACK_SEVERITY Severity
ADMIN_DOMAIN Domain
SENSOR_NAME Hostname
INTERFACE Interface
SOURCE_IP Source IP
DESTINATION_IP Destination IP
CATEGORY Category
SUB_CATEGORY Application
DIRECTION Direction
RESULT_STATUS Action
NETWORK_PROTOCOL Protocol
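The message body produced by the Syslog Forwarder template above is a pipe-delimited record with ATTACK_NAME in double quotes. The following is an added example (not McAfee code) of a parser for that body that applies the field mapping table to it. The field order follows the page's format line up to SUB_CATEGORY; the page cuts the line off after that, so later values are kept as unmapped extras and the positions of DIRECTION, RESULT_STATUS and NETWORK_PROTOCOL are not assumed. The sample line, including the `SyslogAlertForwarder` prefix standing in for the page's `<SyslogForarderType>`, is constructed.

```python
"""Parse the pipe-delimited McAfee NSM Syslog Forwarder message.

Added example (not McAfee code). The field order follows the page's format line
up to SUB_CATEGORY; the page cuts the line off after that, so any later values
are kept as unmapped extras. The Message-field template quotes ATTACK_NAME, so
the tokenizer treats a '|' inside double quotes as part of the name.
"""

# First 17 field names, in the order the format line lists them.
NSM_FIELDS = [
    "SENSOR_ALERT_UUID", "ALERT_TYPE", "ATTACK_TIME", "ATTACK_NAME",
    "ATTACK_ID", "ATTACK_SEVERITY", "ATTACK_SIGNATURE", "ATTACK_CONFIDENCE",
    "ADMIN_DOMAIN", "SENSOR_NAME", "INTERFACE", "SOURCE_IP", "SOURCE_PORT",
    "DESTINATION_IP", "DESTINATION_PORT", "CATEGORY", "SUB_CATEGORY",
]

# NSM field -> ESM field, from the page's mapping table. DIRECTION,
# RESULT_STATUS and NETWORK_PROTOCOL are listed there but their positions are
# not recoverable from the page, so they only map if named in NSM_FIELDS.
ESM_MAP = {
    "ATTACK_NAME": "Message", "ATTACK_ID": "Signature ID",
    "ATTACK_SEVERITY": "Severity", "ADMIN_DOMAIN": "Domain",
    "SENSOR_NAME": "Hostname", "INTERFACE": "Interface",
    "SOURCE_IP": "Source IP", "DESTINATION_IP": "Destination IP",
    "CATEGORY": "Category", "SUB_CATEGORY": "Application",
    "DIRECTION": "Direction", "RESULT_STATUS": "Action",
    "NETWORK_PROTOCOL": "Protocol",
}

# Constructed sample line: syslog header, forwarder-type prefix and colon, then
# the body the Message field produces. All values are made up for this example.
SAMPLE = (
    '<13>Oct  8 10:01:02 nsm01 SyslogAlertForwarder:|'
    '4a6f1e2c-0000-4000-8000-000000000001|Signature|2019-10-08 10:01:00|'
    '"HTTP: Example Attack | Variant A"|0x40003700|High|sig-demo|Medium|'
    'My Company|sensor-dc1|1A-1B|198.51.100.23|51234|203.0.113.10|443|'
    'Exploit|Web Server|Inbound|Blocked|'
)


def split_pipes(body):
    """Split on '|' outside double quotes; the quotes themselves are dropped."""
    fields, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "|" and not in_quotes:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def parse_nsm_syslog(line):
    """Return named fields, unmapped extras and the ESM view of one message."""
    start = line.find(":|")           # the body begins at the first ':|'
    if start < 0:
        raise ValueError("no NSM forwarder body in line")
    values = split_pipes(line[start + 1:])
    values = values[1:]               # the leading '|' yields an empty field
    if values and values[-1] == "":
        values.pop()                  # so does the trailing '|'
    named = dict(zip(NSM_FIELDS, values))
    esm = {ESM_MAP[k]: v for k, v in named.items() if k in ESM_MAP}
    return {"fields": named, "extra": values[len(NSM_FIELDS):], "esm": esm}


if __name__ == "__main__":
    for esm_field, value in parse_nsm_syslog(SAMPLE)["esm"].items():
        print(f"{esm_field:15} {value}")
```

The quote-aware tokenizer matters because the template quotes only ATTACK_NAME: a signature name containing a pipe would otherwise shift every field after it, and Source IP or Destination IP would be filled from the wrong column. Values past SUB_CATEGORY land in `extra` rather than being guessed.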
Task
1. Download the configuration tool.
a. Browse to the McAfee Product Download website.
b. Enter the customer grant number that was provided to you in the Download My Products search box.
c. Click Search. The product update files are located under the MFE → product name → version → downloads link.
d. Read the McAfee EULA and agree to its terms before proceeding.
e. Download the NSM-SEIMConfigurationTool files.
2. Run the NSM-SEIM Configuration Tool on the NSM server. The tool finds the default path to the NSM. If it does not locate it,
browse to its location.
3. Enter the NSM SQL user, password, and database name that you entered for the installation of the NSM.
4. Enter the SEIM user name and password to be used on the data source and McAfee Event Receiver IP address where the data
source is added. These are entered on the data source screen.
Task
1. In the System Navigation Tree, select the Local ESM node or a group where you want to add the device.
2. Click the Add Device icon.
3. Select Network Security Manager (v7.1.3 or newer), then click Next.
4. Enter a name that is unique in this group for the NSM device in the Device Name field, then click Next.
5. In the Add Device Wizard, select the McAfee Event Receiver to associate this device with.
6. Enter the credentials to log on to the NSM device's web interface/API, then click Next.
7. Enter the target IP address or URL.
8. Enter the target SSH port number. Ensure that it is valid to be used with the specified IP address.
9. Add the user name, password, and an optional database name for the device.
10. Click Next. The ESM tests device communication and reports on the status of the connection. You can open System Properties after
successfully keying the device.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
User Name <User name set up on NSM for pulling from the database>
Password <Password set up on NSM for pulling from the database>
Database Name <The name assigned when the database was set up>
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
creationTime=" date time " alertType="…" category="…" subCategory="…" detectionMethod="…" attackId=" # " attackName="…"
Log sample
This is a sample of a log from the McAfee Network Security Manager device after SQL pull.
Mappings
This table shows the mappings between the data source and McAfee ESM fields.
detectionMethod Method
attackId Signature ID
sourceIPAddr Source IP
targetIPAddr Destination IP
result Action
appName Application
Task
A McAfee Network Threat Response API user name and password must be generated on the Network Threat Response Device.
See the Network Threat Response documentation for instructions about how to set up the user name and password.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Sensor Groups Click Retrieve to get a list of sensor groups from NTR. Select at least one
sensor group to write out the data source.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Navigate to Receiver Properties.
2. Select the NTR data source.
3. Click Clients.
From this screen you can see the sensor groups associated with the NTR data source as well as add, edit, or remove them.
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Eventtime Firsttime
Eventtime Lasttime
Sip Source IP
Dip Destination IP
Protocol Application_Protocol
incidentId Incident_ID
Filename Filename
Size File_Size
Host Hostname
Behavior Object
victimIP Victim_IP
attackerIP Attacker_IP
url URL
incidentNTRURL Device_URL
Reputation Reputation_Name
Urlcategory URL_Category
Enginelist Engine_List
Dirtiness Reputation_Name
fileType File_Type
Sigcategory Category
Sha1 Sha1
Md5 File_Hash
Incidentid Incident_ID
Hostname hostname
Task
1. Select Monitoring → System Status.
2. Expand the Servers branch.
3. Right-click the Log Server from which you want to forward log data, and select Properties to open the Log Server Properties.
4. Switch to the Log Forwarding tab.
5. Click Add to create a Log Forwarding rule. A new row is added to the table.
6. Configure the Log Forwarding rule to point to your McAfee ESM. Make sure that Format is set to McAfee ESM.
7. Click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a McAfee Next Generation Firewall (Stonesoft) device:
Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",Facility="Cluster protocol",Type="Diagnostic",Event=
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
ReceptionTime firsttime/lasttime
NodeId Device_IP.Device_IP
Facility application
Type/AlertSeverity severity
Action action
Src src_ip
Dst dst_ip
Protocol protocol
SrcPort/IcmpType src_port
DstPort/IcmpCode dst_port
SrcIF Interface.Interface
AccTxBytes Bytes_Sent.Bytes_Sent
AccRxBytes Bytes_Received.Bytes_Received
Username/AuthName src_username
Sendertype objectname
Situation sid
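Both the Next Generation Firewall (Stonesoft) record above and the Network Security Manager SQL-pull record earlier on this page are key="value" lists, differing only in the separator (comma versus space). The following is an added example, not McAfee or Stonesoft code, of one extractor that handles both and applies each page's mapping table. Both sample records are constructed: the NGFW one extends the page's sample prefix with made-up fields, and the NSM one is built from the page's format line because the page gives no sample. Where the page lists two source keys for one ESM field (Type/AlertSeverity, SrcPort/IcmpType), this example lets the first key present win; that is its own design choice.

```python
"""Parse key="value" event records and map them to McAfee ESM fields.

Added example, not McAfee or Stonesoft code. One regex covers both formats on
this page: the NSM SQL-pull record (space separated, creationTime="..."
attackId="...") and the NGFW (Stonesoft) log-forwarding record (comma
separated, Timestamp="...",LogId="..."). Values are always double quoted, so a
separator inside a value does not split it. Both sample records are constructed.
"""
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(record):
    """Return {key: value} for every key="value" pair, in record order."""
    return dict(KV_RE.findall(record))


# NSM SQL-pull mapping, from the page's table.
NSM_SQL_MAP = {
    "detectionMethod": "Method", "attackId": "Signature ID",
    "sourceIPAddr": "Source IP", "targetIPAddr": "Destination IP",
    "result": "Action", "appName": "Application",
}

# NGFW mapping, from the page's table. A "Type/AlertSeverity" row means either
# source key feeds the ESM field; "firsttime/lasttime" means one key feeds both.
# Design choice (this example's, not McAfee's): the first source key present wins.
NGFW_MAP = {
    "ReceptionTime": ("firsttime", "lasttime"), "NodeId": "Device_IP",
    "Facility": "application", "Type": "severity", "AlertSeverity": "severity",
    "Action": "action", "Src": "src_ip", "Dst": "dst_ip", "Protocol": "protocol",
    "SrcPort": "src_port", "IcmpType": "src_port",
    "DstPort": "dst_port", "IcmpCode": "dst_port",
    "SrcIF": "Interface", "AccTxBytes": "Bytes_Sent",
    "AccRxBytes": "Bytes_Received", "Username": "src_username",
    "AuthName": "src_username", "Sendertype": "objectname", "Situation": "sid",
}


def to_esm(fields, mapping):
    """Apply a source->ESM mapping; the first source key present wins."""
    esm = {}
    for key, value in fields.items():
        targets = mapping.get(key)
        if targets is None:
            continue                      # unmapped key, e.g. LogId
        if isinstance(targets, str):
            targets = (targets,)
        for target in targets:
            esm.setdefault(target, value)
    return esm


# Constructed NGFW record: the page's sample prefix, extended with made-up fields.
# The Event value carries a comma to show it is not treated as a separator.
NGFW_SAMPLE = (
    'Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",'
    'Facility="Cluster protocol",Type="Diagnostic",Event="Heartbeat, node online",'
    'ReceptionTime="2013-11-21 00:00:01",Src="10.1.0.2",Dst="10.1.0.1",'
    'Protocol="ICMP",IcmpType="8",IcmpCode="0",Action="Allow",SrcIF="0"'
)

# Constructed NSM SQL-pull record following the page's format line.
NSM_SQL_SAMPLE = (
    'creationTime="2019-10-08 10:01:00" alertType="Signature" category="Exploit" '
    'subCategory="Web Server" detectionMethod="Signature" attackId="0x40003700" '
    'attackName="HTTP: Example Attack" sourceIPAddr="198.51.100.23" '
    'targetIPAddr="203.0.113.10" result="Blocked" appName="HTTP"'
)


if __name__ == "__main__":
    print(to_esm(parse_kv(NGFW_SAMPLE), NGFW_MAP))
    print(to_esm(parse_kv(NSM_SQL_SAMPLE), NSM_SQL_MAP))
```

The regex relies on every value being quoted and containing no embedded double quote; a record that escapes quotes inside values would need a real tokenizer instead. Keys the page does not map (LogId, Timestamp, category) are simply left out of the ESM view rather than guessed.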
Enable McAfee Risk Advisor data acquisition
Task
1. From the ESM device tree, select the McAfee ePO device, then click the Properties icon just above the device tree.
2. Select Device Management from the left side of the ePO Properties window, then click Enable for Enable MRA.
A window shows that the MRA configuration process started, which means that MRA acquisition is enabled.
3. Click OK.
Task
1. From the System menu, select Diagnostics | System Log tab | Remote Syslog tab.
2. Select Enable Remote Logging.
3. Enter the IP address or DNS host name for the McAfee Event Receiver in the Remote Host field.
4. Enter the Remote Port where the McAfee Event Receiver is listening for syslog messages. Typically, the default is correct.
5. Set the Filter Level to only send syslog messages at this level or higher.
6. (Optional) To force a more precise and standardized time stamp with every message, select Include extended ISO date. The date is
prepended to syslog messages before being sent.
7. Click Submit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname The IP address and host name associated with the data source device.
Mask Default
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
McAfee UTM Firewall log format and field mapping
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status rul
Log sample
This is a sample log from a McAfee UTM Firewall device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTP
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
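The format line and sample above (the same format also appears earlier on this page under the MVISION section) name the fields through "rule", and the source-network value in the sample, "Local Host", contains a space, so splitting on whitespace would misalign every field after it. The following is an added example, not McAfee code, of a parser for this record that applies the page's field mapping and splits the `ip:port` endpoints. It assumes the record is tab delimited in the W3C extended-log style (an assumption; the page's sample lost its tabs) and builds its sample with tabs from the page's values. The Source Port and Destination Port keys are the example's own; the page maps only the IPs.

```python
"""Parse a McAfee UTM Firewall W3C-style firewall log record.

Added example, not McAfee code. The page names the fields through "rule" and
cuts the format line off there, so later values are kept as extras. The record
is assumed to be tab delimited (an assumption; the page's sample lost its tabs).
The Source Port / Destination Port keys are this example's own.
"""

UTM_FIELDS = [
    "computer", "date", "time", "ip_protocol", "source", "destination",
    "original_client_ip", "source_network", "destination_network",
    "action", "status", "rule",
]

# Data source field -> ESM field, from the page's mapping table.
ESM_MAP = {"computer": "Hostname", "ip_protocol": "Protocol",
           "source": "Source IP", "destination": "Destination IP"}

# Constructed from the page's sample line, with tabs between fields.
SAMPLE = "\t".join([
    "SC-CHPROXY", "2012-01-25", "00:00:02", "TCP", "192.168.1.2:45678",
    "10.10.10.78:443", "192.168.1.5", "Local Host", "Internal", "Establish",
    "0x0", "-", "HTTP",
])


def split_endpoint(value):
    """'ip:port' -> (ip, port as int); anything else -> (value, None).

    Only IPv4 endpoints are handled; an IPv6 literal has more than one colon.
    """
    ip, sep, port = value.rpartition(":")
    if sep and port.isdigit() and ":" not in ip:
        return ip, int(port)
    return value, None


def parse_utm(line):
    """Return (raw record dict, ESM view) for one tab-delimited line."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) < len(UTM_FIELDS):
        raise ValueError(f"expected at least {len(UTM_FIELDS)} fields, got {len(values)}")
    record = dict(zip(UTM_FIELDS, values))
    record["extra"] = values[len(UTM_FIELDS):]     # fields past "rule" (cut off on the page)
    esm = {}
    for key, target in ESM_MAP.items():
        if target.endswith(" IP"):
            ip, port = split_endpoint(record[key])
            esm[target] = ip
            esm[target[:-3] + " Port"] = port       # e.g. "Source Port"
        else:
            esm[target] = record[key]
    return record, esm


if __name__ == "__main__":
    record, esm = parse_utm(SAMPLE)
    print(record)
    print(esm)
```

If a feed really arrives space delimited, multi-word network names such as "Local Host" cannot be recovered by position alone; checking that `source_network` and `destination_network` hold the expected names on a few known records is a quick way to confirm the delimiter before trusting the parsed IPs.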
Task
1. Configure the syslog daemon.
a. In File Editor, open the syslog daemon configuration file.
b. Locate the line similar to *.info;mail.none;authpriv.none;cron.none /var/log/messages and replace it with *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages.
This prevents messages from being written to the /var/log/messages file, which could fill the /var partition.
c. At the end of the file, add a line: daemon.info;auth.=info @<syslog server IP address>:514.
2. Create a rule to send all access log data to the syslog server.
3. Create a rule to send the logline to syslog.
4. Download and install the McAfee SIEM (Nitro) logging ruleset and the CEF syslog format ruleset.
5. If you want to send audit logs to syslog, click Configuration → Appliances → Log File Manager → Settings for the Audit Log and select Write audit
log to syslog.
Audit events are sent using the auth facility at the informational severity (6). So your rsyslog configuration would specify
auth.=info.
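The two selector lines in this procedure rely on syslog selector semantics that are easy to misread: `daemon.!=info` removes exactly the info priority from the earlier `*.info` selection, while `daemon.info` on the forwarding line selects info and everything more severe. The following is an added example, not McAfee or rsyslog code, that models the classic sysklogd/rsyslog selector rules and reports which destinations a given facility/priority pair reaches, so the configuration can be checked before the daemon is reloaded. The Receiver address 192.0.2.10 is a constructed value standing in for the page's `<syslog server IP address>` placeholder.

```python
"""Evaluate the two syslog selector lines from the procedure above.

Added example, not McAfee or rsyslog code. Selector rules modelled here:
"fac.pri" selects that priority and everything more severe, "=pri" exactly one
priority, a leading "!" removes instead of adds, "none" removes the whole
facility, and selectors on a line apply left to right so later ones refine
earlier ones. 192.0.2.10 is a constructed stand-in for the Receiver address.
"""

# Most severe first; "fac.pri" means this priority and everything before it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def parse_selector_line(line):
    """Return ({facility: set of selected priorities}, action) for one line."""
    selectors, action = line.split(None, 1)
    selected = {fac: set() for fac in FACILITIES}
    for selector in selectors.split(";"):
        facs, pri = selector.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        remove = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        for fac in targets:
            if pri == "none":
                selected[fac].clear()          # e.g. mail.none
                continue
            if pri == "*":
                chosen = set(PRIORITIES)
            elif exact:
                chosen = {pri}                 # e.g. auth.=info
            else:
                chosen = set(PRIORITIES[:PRIORITIES.index(pri) + 1])
            if remove:
                selected[fac] -= chosen        # e.g. daemon.!=info
            else:
                selected[fac] |= chosen
    return selected, action.strip()


def route(config_lines, facility, priority):
    """List the actions a message with this facility/priority would reach."""
    actions = []
    for line in config_lines:
        selected, action = parse_selector_line(line)
        if priority in selected[facility]:
            actions.append(action)
    return actions


# The two lines from the procedure, with the placeholder filled in.
CONFIG = [
    "*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages",
    "daemon.info;auth.=info @192.0.2.10:514",
]

if __name__ == "__main__":
    for fac, pri in [("daemon", "info"), ("daemon", "warning"),
                     ("auth", "info"), ("auth", "notice"), ("mail", "err")]:
        print(f"{fac}.{pri:8} -> {route(CONFIG, fac, pri) or ['(dropped)']}")
```

Running it shows the intended split: daemon.info goes only to the Receiver (so /var/log/messages does not fill), daemon.warning and auth.info reach both destinations, and auth.notice is written locally but not forwarded because `auth.=info` is an exact match. Only the classic selector syntax is modelled; rsyslog property-based filters and RainerScript rules are outside this check.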
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname The IP address and host name associated with the data source device
Mask Default
Time Zone The time zone where the data source device is located
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Configuring 3rd-party data sources
Configure data sources that are not made by McAfee.
Task
1. Log on to the A10 Networks Load Balancer user interface (UI), then select Config → System → Settings.
2. In the menu bar, select Log, then, in the Log Server field, enter the IP address of your McAfee Event Receiver.
3. Ensure that Log Server Port is set to 514, and leave all other settings at their default values.
4. Click OK.
Task
1. Log on to the command-line interface (CLI).
2. Type:
logging syslog 5
logging host <IP address of McAfee Receiver> port 514
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask <Enable>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
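The Date Order option above decides how a Receiver reads a slash-separated date such as 04/03/2018, and a wrong choice silently shifts event timestamps. This added example (not code from the McAfee guide) parses a date under each setting and measures the skew a mismatch would introduce; the format strings and the "Default" alias are assumptions based on the option text.

```python
"""Added example: apply the ESM Date Order setting to a date string and
flag dates whose meaning depends entirely on that setting."""
import re
from datetime import datetime

# Assumed mapping from the option names in the guide to strptime formats.
DATE_ORDERS = {
    "Month before day": "%m/%d/%Y %H:%M:%S",
    "Day before month": "%d/%m/%Y %H:%M:%S",
}

_DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4}) \d{2}:\d{2}:\d{2}$")


def parse_event_date(text, date_order="Default"):
    """Parse 'NN/NN/YYYY hh:mm:ss' using the selected Date Order.
    'Default' means month before day, as the option definition states."""
    if date_order == "Default":
        date_order = "Month before day"
    return datetime.strptime(text, DATE_ORDERS[date_order])


def is_ambiguous(text):
    """True when both readings are valid calendar dates (both numbers <= 12),
    so only the Date Order setting decides which day the event lands on."""
    m = _DATE_RE.match(text)
    if not m:
        return False
    first, second = int(m.group(1)), int(m.group(2))
    return 1 <= first <= 12 and 1 <= second <= 12


def skew_days(text):
    """Days the timestamp shifts if the wrong Date Order is configured.
    Unambiguous dates return 0 because the wrong reading fails to parse
    and would be noticed rather than silently mis-dated."""
    if not is_ambiguous(text):
        return 0
    mdy = parse_event_date(text, "Month before day")
    dmy = parse_event_date(text, "Day before month")
    return abs((mdy - dmy).days)


if __name__ == "__main__":
    # Constructed sample dates, in the style of the guide's examples.
    for sample in ("04/23/2018 10:00:00", "04/03/2018 10:00:00"):
        print(sample, "ambiguous:", is_ambiguous(sample),
              "skew if misconfigured:", skew_days(sample), "days")
```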
Log format
The expected format for this device is:
SYSLOG Header [log source] message
Note: McAfee ESM supports only standard logs from this device. Custom logs generated by the AFLEX engine are not supported,
but custom rules for this product can be created in the ESM.
Log sample
System log:
Oct 24 2014 01:02:03Error [SYSTEM]NTP server us.pool.ntp.org is not reachable
AX log:
Oct 24 2014 04:05:06Error [AX] Unknown gzip error while decompressing packet
Logging log:
Oct 24 2014 07:08:09Error [LOGGING]Send log email to [email protected] failed.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Accellion Secure File Transfer
Configure Accellion Secure File Transfer
Task
1. From the Home menu, select Appliance, then click Configure.
2. In the Syslog Server field, enter the IP address of the McAfee ESM, then click Submit to save and exit.
Add Accellion Secure File Transfer
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask <Default>
Require Syslog TLS Enable to require the McAfee Event Receiver to communicate
over TLS
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Log format
The expected format for this device is:
<date time> <device name> <application> <IP address> <user> <message> <destination user>
Log sample
This is a sample log from an Accellion Secure File Transfer device:
<123>1 2001-01-01T01:01:01-01:00 name0001 httpd - - - [12345]: (1.2.3.4) (User:username) [Web] Sent password reset reque
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Application Application
IP Address Source IP
Filename Filename
To email To
Access Layers Portnox
Add Access Layers Portnox
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Log format
The expected format for this device is:
date time,message
Log sample
This is a sample log from an Access Layers Portnox device:
01/01/2001 00:00:00,recieved trap from unauthorized source 192.0.2.1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
received IP Destination IP
device Hostname
Adiscon Rsyslog
Configure Adiscon Rsyslog
Configure Rsyslog to send data to McAfee ESM.
Task
1. Create an event log monitoring service with Emulate %Param% properties from old EventLog Monitor and Include optional Event Parameters as
properties enabled.
2. Create or modify a rule set.
3. On the Syslog Target Options tab, configure the forwarding method, protocol, server (your McAfee Event Receiver), and port.
4. On the Syslog message Options tab, select Use legacy RFC3164 processing.
5. In the Message Format field, enter:
%sourceproc%,%id%,%timereported:::uxTimeStamp%,%user%,%category%,%Param0%;%Param1%;%Param2%;%Param3%;%Param4%;%Param5%
6. In Event Channels (Services → Event Log Monitor V2 → Event Channels tab) select the rule set you created, then select other events you
want to send to McAfee ESM.
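The Message Format entered in step 5 produces one line per Windows event, and step 4 wraps it in an RFC3164 syslog header. This added example (not the guide's or Adiscon's code) parses that line back into its fields, keeping the semicolon-separated %Param% block intact even when a parameter value contains a comma; the sample lines are constructed and the parameter values carry no meaning.

```python
"""Added example: parse the Adiscon Rsyslog message format
%sourceproc%,%id%,%timereported:::uxTimeStamp%,%user%,%category%,%Param0%;...;%Param5%
optionally preceded by an RFC3164 header (<pri>Mon dd hh:mm:ss host)."""
import re
from datetime import datetime, timezone

EXPECTED_PARAMS = 6  # Param0 through Param5 per the configured format

# Optional RFC3164 header produced by "Use legacy RFC3164 processing".
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

# Constructed samples; event ID 4625 is only a plausible value here.
SAMPLE_WITH_HEADER = (
    "<13>Jan 01 00:00:00 WIN-HOST "
    "Microsoft-Windows-Security-Auditing,4625,1546300800,N/A,Logon,"
    "p0;p1;p2;p3;p4;p5"
)
SAMPLE_BARE = "svc,1000,1546300800,jdoe,System,a;b,c;d;e;f;g"


def parse_adiscon(line):
    """Return a dict with the header (if present), the five fixed fields
    and the list of %Param% values."""
    rec = {}
    body = line.rstrip("\r\n")
    m = _RFC3164.match(body)
    if m:
        rec["syslog_pri"] = int(m.group("pri"))
        rec["syslog_host"] = m.group("host")
        body = body[m.end():]
    # Only the first five commas are delimiters; the remainder is the
    # parameter block, which may itself contain commas.
    parts = body.split(",", 5)
    if len(parts) != 6:
        raise ValueError("expected 6 comma-separated fields, got %d" % len(parts))
    sourceproc, event_id, ux_ts, user, category, params = parts
    rec["sourceproc"] = sourceproc
    rec["event_id"] = int(event_id)
    # uxTimeStamp is seconds since the Unix epoch; keep it timezone-aware.
    rec["time"] = datetime.fromtimestamp(int(ux_ts), tz=timezone.utc)
    rec["user"] = user
    rec["category"] = category
    rec["params"] = params.split(";")
    return rec


def has_all_params(rec):
    """True when the line carried every %ParamN% slot of the format."""
    return len(rec["params"]) == EXPECTED_PARAMS


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_BARE):
        rec = parse_adiscon(sample)
        print(rec["event_id"], rec["time"].isoformat(), rec["params"],
              "complete" if has_all_params(rec) else "incomplete")
```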
Add Adiscon Rsyslog
Add an Rsyslog data source to a McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Port 514
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Adtran Bluesocket
Configure Adtran Bluesocket
Task
1. Click Logging, select Event History, then click Syslog Forwarding.
2. Select the box next to Syslog Forwarding, then select the Syslog Forwarding Priority Level.
3. In the Syslog Receiver IP Address field, enter the IP address of your McAfee Event Receiver.
4. Pick a Logging Facility number between 0 and 9 (your preference), click Apply, then click Save.
Add Adtran Bluesocket
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Log format
The expected format for this device is:
<pri>log_source: event=event_type&loglevel=severity&obj=object&ipaddr=source_ip&name=name&msg=message&
Log sample
This is a sample log for an Adtran Bluesocket device:
<133>user_tracking: event=user_logout_successful&loglevel=notice&obj=user&ipaddr=192.0.2.0&name=NAME3215&msg=user: NAME21
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
loglevel Severity
obj Object
ipaddr Source IP
log_source Application
role id Command
hostname Hostname
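The Bluesocket format above is a syslog priority, a log source, and then ampersand-separated key=value pairs ending with a free-text msg. This added example (not the guide's parser) decodes the priority, splits the pairs without breaking a msg that contains "&" or "=", and applies the field mapping from the table; the sample line is constructed, since the guide's own sample is truncated.

```python
"""Added example: parse Adtran Bluesocket syslog lines of the form
<pri>log_source: event=...&loglevel=...&obj=...&ipaddr=...&name=...&msg=...&
and map the keys to McAfee ESM fields."""
import re

_HEAD = re.compile(r"^<(?P<pri>\d{1,3})>(?P<src>[^:]+): (?P<body>.*)$")

# Bluesocket key -> McAfee ESM field, taken from the field-mapping table.
ESM_MAP = {
    "log_source": "Application",
    "loglevel": "Severity",
    "obj": "Object",
    "ipaddr": "Source IP",
    "role id": "Command",
    "hostname": "Hostname",
}

# Constructed sample in the documented format (not from the guide).
SAMPLE = ("<133>user_tracking: event=user_logout_successful&loglevel=notice"
          "&obj=user&ipaddr=192.0.2.10&name=jdoe&msg=user: jdoe logged out&")


def parse_bluesocket(line):
    """Return the raw key/value fields plus the decoded syslog priority."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not a Bluesocket syslog line")
    pri = int(m.group("pri"))
    fields = {
        "log_source": m.group("src"),
        "facility": pri // 8,       # RFC3164: pri = facility * 8 + severity
        "severity_pri": pri % 8,
    }
    # msg is the last key and is free text, so split it off before
    # splitting the remaining pairs on '&'.
    head, sep, msg = m.group("body").partition("&msg=")
    for pair in head.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[key] = value
    if sep:
        fields["msg"] = msg.rstrip("&")  # drop the trailing '&' of the format
    return fields


def to_esm(fields):
    """Keep only the keys the field-mapping table assigns to ESM fields."""
    return {ESM_MAP[k]: v for k, v in fields.items() if k in ESM_MAP}


if __name__ == "__main__":
    raw = parse_bluesocket(SAMPLE)
    print(raw)
    print(to_esm(raw))
```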
Adtran NetVanta
Configure Adtran NetVanta
Task
1. Log on to your Adtran NetVanta device through a web browser, then click Logging.
2. Select the Event History checkbox, click the Syslog Forwarding tab, then select the Syslog Forwarding checkbox.
3. Select a Syslog Forwarding Priority Level between 0 and 5, with 0 reporting the most and 5 reporting only the most important events.
4. Enter the McAfee Receiver IP address in the Syslog Receiver IP Address section.
5. For the Logging Facility, enter a number between 0 and 9, then click Save.
Add Adtran NetVanta
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Adtran NetVanta log format and field mapping
Log format
The expected format for this device is:
Date Time Device-Type Event-Source:Message
Log sample
This is a sample log from an Adtran NetVanta device:
<13>Dec 02 14:03:35 Switch OPERATING_SYSTEM:SESSION User password-only login OK on portal TELNET 1 (10.19.243.125:2230)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
dst Destination IP
Device-Type Hostname
Session ID Session ID
Interface Object
AirTight Networks SpectraGuard
Add AirTight Networks SpectraGuard
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
<Source Mac Address>SpectraGuard Version : Start/Stop: Source [SourceName] Source Status. : Source IP://Domain/SubDomain
Log sample
This is a sample log from an AirTight Networks SpectraGuard device:
<00:00:00:FF:FF:FF>SpectraGuard Enterprise v6.5 : Start: Client [Username] is active. : 192.0.2.1://AAAA/BBBBB: 2001-01-
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Severity Severity
SourceName Hostname
Domain Domain
Source IP Source IP
SubDomain Object
Task
To configure a syslog file, enter these commands on the command line:
• syslog <syslog-id>
• description <description-string>
• address <ip-address>
• log-prefix log-prefix-string
• port <port #>
• level {emergency|alert|critical|error|warning|notice|inf|debug}
• facility <syslog-facility>
syslog 1
address x.x.x.x
facility user
level warning
exit
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
Thu Jun 13 03:39:36 MNT 2013::AUTHENTICATION::JohnSmith::1371074976970::10.10.10.15(10.10.10.15:64575):::Attempt to log
in:::Failed, no such user.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Category AUTHENTICATION
Source IP 10.10.10.15
Destination 64575
Alcatel-Lucent VitalQIP
Configure Alcatel-Lucent VitalQIP
Task
1. Log on to your Alcatel-Lucent VitalQIP device.
2. In the system configuration, set the IP address of your McAfee Event Receiver as a Syslog Redirect Host, then save your changes.
Add Alcatel-Lucent VitalQIP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<pri>application[pid]: message
Log sample
This is a sample log from an Alcatel-Lucent VitalQIP device:
<14>/opt/qip/usr/bin/dhcpd[12345]: DHCP_RenewLease: Host=EXAMPLEHOST IP=10.11.12.13 MAC=0011223344AA Domain=example.com
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Subnet, IP Source IP
Host Hostname
Domain Domain
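As an added example (not code from the guide), the following Python parser reads the `<pri>application[pid]: message` format above, decodes the PRI into facility and severity, and applies the field mapping in the table. The sample line is constructed from the one shown above; the rule that a host `IP` wins over `Subnet` when both appear is an assumption.

```python
import re
from typing import Dict, Optional

# Constructed sample line in the VitalQIP format shown above (not captured data).
SAMPLE = ("<14>/opt/qip/usr/bin/dhcpd[12345]: DHCP_RenewLease: Host=EXAMPLEHOST "
          "IP=10.11.12.13 MAC=0011223344AA Domain=example.com")

# <pri>application[pid]: message
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<app>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
# Key=Value tokens in the message body (values contain no spaces in this format).
KV_RE = re.compile(r"(\w+)=(\S+)")

# Log field -> McAfee ESM field, as in the mapping table above. "IP" is listed before
# "Subnet" so that a host address wins over a subnet when both appear (an assumption).
FIELD_MAP = (("IP", "Source IP"), ("Subnet", "Source IP"),
             ("Host", "Hostname"), ("Domain", "Domain"))


def parse_vitalqip(line: str) -> Optional[Dict[str, object]]:
    """Parse one VitalQIP syslog line; None means the Receiver would leave it unparsed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # RFC 3164 PRI is facility*8 + severity, max 23*8+7
        return None
    action, _, rest = m.group("msg").partition(": ")
    fields = dict(KV_RE.findall(rest))
    esm: Dict[str, str] = {}
    for log_field, esm_field in FIELD_MAP:
        if log_field in fields:
            esm.setdefault(esm_field, fields[log_field])
    return {
        "facility": pri // 8,          # 14 -> facility 1 (user), severity 6 (info)
        "severity": pri % 8,
        "application": m.group("app"),
        "pid": int(m.group("pid")),
        "action": action,
        "fields": fields,
        "esm": esm,
    }


if __name__ == "__main__":
    print(parse_vitalqip(SAMPLE))
```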
Amazon CloudTrail
Configure Amazon CloudTrail
Amazon Web Services (AWS) CloudTrail can send a notification each time a log file is written to the Amazon S3 bucket. AWS
recommends using Amazon Simple Queue Service (SQS) to subscribe to event notifications for programmatically processing
notifications. To receive timely notifications in ESM for new Amazon CloudTrail logs, configure an SQS queue on AWS that
contains Simple Notification Service (SNS) push notifications when new log bundles are created in S3.
See Amazon documentation for details.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Option Definition
SQS URL The URL that points to the SQS queue provided by AWS.
SQS Visibility The time that a message (log) stays hidden after it is
requested. If the message is not deleted by the collector, it is
restored after the timeout (default is 300 seconds).
SQS Poll Interval The interval between collection requests (default is 300
seconds).
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from an Amazon CloudTrail device:
{"Records": [{"awsRegion": "us-west-2","eventID": "12ab34cd-f4d2-4222-ad86-ad4841234fed","eventName": "DescribeTags","ev
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
awsRegion Source_Zone
eventName Message
userAgent User_Agent
eventSource Service_Name
eventType Category
userIdentity/accountId Source_UserID
recipientAccountId Destination_UserID
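As an added example (not code from the guide or from the ESM collector), this Python snippet shows the two steps the SQS-based collection above relies on: unwrapping an SQS message (an SNS notification carrying an S3 event) to find the new log bundle, and applying the field mapping in the table to each CloudTrail record, including the nested `userIdentity/accountId` path. The SQS body, bucket, key and account numbers are constructed.

```python
import json
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Log field -> McAfee ESM field, from the mapping table above; "/" marks a nested JSON path.
FIELD_MAP = {
    "awsRegion": "Source_Zone",
    "eventName": "Message",
    "userAgent": "User_Agent",
    "eventSource": "Service_Name",
    "eventType": "Category",
    "userIdentity/accountId": "Source_UserID",
    "recipientAccountId": "Destination_UserID",
}

# Constructed SQS message body: an SNS notification wrapping an S3 event notification
# for a new CloudTrail log bundle (bucket, key and account values are made up).
SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-west-2:111122223333:cloudtrail-logs",
    "Message": json.dumps({"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "example-cloudtrail-bucket"},
               "object": {"key": "AWSLogs/111122223333/CloudTrail/us-west-2/2019/10/08/"
                                 "111122223333_CloudTrail_us-west-2_20191008T0000Z_abc123.json.gz"}},
    }]}),
})

# Constructed CloudTrail bundle in the shape of the sample above (two records).
CLOUDTRAIL_BUNDLE = json.dumps({"Records": [
    {"awsRegion": "us-west-2", "eventID": "12ab34cd-f4d2-4222-ad86-ad4841234fed",
     "eventName": "DescribeTags", "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
     "userAgent": "aws-cli/1.16.0", "userIdentity": {"type": "IAMUser", "accountId": "111122223333"},
     "recipientAccountId": "111122223333"},
    {"awsRegion": "us-east-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},   # no accountId here
     "recipientAccountId": "444455556666"},
]})


def s3_objects_from_sqs_body(body: str) -> List[Tuple[str, str]]:
    """SQS body -> SNS envelope -> S3 event -> (bucket, key) for each newly created object."""
    envelope = json.loads(body)
    # SNS carries the S3 event as a JSON string in "Message"; a raw S3 event has "Records" directly.
    event = json.loads(envelope["Message"]) if "Message" in envelope else envelope
    objects = []
    for rec in event.get("Records", []):           # s3:TestEvent has no Records -> nothing to fetch
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue                               # ignore deletes and other event kinds
        objects.append((rec["s3"]["bucket"]["name"], unquote_plus(rec["s3"]["object"]["key"])))
    return objects


def _lookup(record: Dict[str, Any], path: str) -> Optional[Any]:
    cur: Any = record
    for part in path.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_bundle(bundle_json: str) -> List[Dict[str, Any]]:
    """Apply the ESM field mapping to every record in a CloudTrail log bundle."""
    mapped = []
    for record in json.loads(bundle_json).get("Records", []):
        esm = {}
        for path, esm_field in FIELD_MAP.items():
            value = _lookup(record, path)
            if value is not None:
                esm[esm_field] = value
        mapped.append(esm)
    return mapped


if __name__ == "__main__":
    print(s3_objects_from_sqs_body(SQS_BODY))
    for event in map_bundle(CLOUDTRAIL_BUNDLE):
        print(event)
```

A message that is not deleted within the SQS Visibility timeout reappears in the queue, so a collector that processes the bundle without deleting the message would map the same records twice.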
Apple Mac OS X
Configure Apple Mac OS X
The syslog configuration is done on the command line. See your Apple Mac OS X product documentation for instructions on how
to access and use the Terminal program.
Task
1. Open the Terminal program, then make a backup of the syslog.conf file:
$ cp /etc/syslog.conf /tmp/syslog.conf.bkp
where x.x.x.x is the IP address of your McAfee Event Receiver.
Note: A port can also be specified by adding :x to the end of the IP address, where x is the port number. If no port is
specified, default port 514 is used.
The line consists of a wildcard statement (*.*) and an action (@x.x.x.x) separated by tabs. It tells the syslog daemon to
forward a copy of all (*.*) events to the specified IP address.
4. Click Save, click Exit, then restart the syslogd service with these two commands:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname IP address and host name associated with the data source
device
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <hostname> <service> <message>
Log sample
Here is a sample log from an Apple Mac OS X device:
Jan 01 01:01:01 Example-Mac-mini.local com.apple.backupd[1234]: Backup completed successfully.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
IP Address Source IP
Arbor Networks Pravail
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Date Time Application: action Source IP Detection Type protocol/port (application) destination IP URL: url
Log sample
This is a sample log from an Arbor Networks Pravail device:
<13>Oct 22 09:49:32 HTX-ARBOR-00 pravail: Blocked Host: Blocked host 192.0.2.1 at 09:49 by TCP SYN Flood Detection using
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Source Source IP
Destination Destination IP
Protocol Protocol
ArcSight Common Event Format
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:Version|Device Vendor|Device Product|Device Version|Signature
ID|Name|Severity|Extension
The format of the event is consistent, until Extension. At this point, there is no specific order of fields in CEF. The various key
value pairs that follow can be arranged in any order based on the decisions of the vendor.
Log sample
This is a sample log from an ArcSight Common Event Format device:
2014-04-21T18:35:15.546Z 192.168.2.5 CEF:0|McAfee|ESM|9.4.0|277-2121969963|TCP_NC_MISS|2|start=1398105379000 end=1398105
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Signature ID Signature ID
Name Message
dst Dest IP
proto Protocol
src Source IP
start Firsttime
end Lasttime
severity Severity
dproc Application
nitroCommandID Command
sntdom Domain
shost Host
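As an added example (not code from the guide or from the ESM parser), this Python CEF parser splits the seven fixed header fields on unescaped `|`, reads the Extension as key=value pairs in any order (values may contain spaces, and `\=` inside a value is an escape), and applies the field mapping in the table. The sample lines are constructed in the shape of the one above.

```python
import re
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                 "Signature ID", "Name", "Severity")
# Extension key -> McAfee ESM field, from the mapping table above.
EXT_MAP = {"dst": "Dest IP", "proto": "Protocol", "src": "Source IP", "start": "Firsttime",
           "end": "Lasttime", "severity": "Severity", "dproc": "Application",
           "nitroCommandID": "Command", "sntdom": "Domain", "shost": "Host"}
# Header field -> McAfee ESM field, from the same table.
HDR_MAP = {"Signature ID": "Signature ID", "Name": "Message"}

# Constructed lines (values made up) in the shape of the sample above; the second one
# exercises an escaped pipe in the header and an escaped '=' in an extension value.
SAMPLE = (r"2014-04-21T18:35:15.546Z 192.168.2.5 CEF:0|McAfee|ESM|9.4.0|277-2121969963|TCP_NC_MISS|2|"
          r"start=1398105379000 end=1398105380000 src=10.0.0.5 dst=192.0.2.10 proto=TCP "
          r"dproc=nitroproxy shost=client01 sntdom=example.com nitroCommandID=GET severity=2 "
          r"msg=rule A\=B matched")
PIPE_SAMPLE = r"CEF:0|Vendor\|Co|Prod|1.0|100|Pipe \| in name|5|src=10.1.1.1"


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|'; whatever remains is the Extension."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # '\|' and '\\' are escapes in the header
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, cef[i:]


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt)); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Key=value pairs in any order; a new pair starts at whitespace followed by 'key='."""
    pairs: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        pairs[key] = _unescape(value)
    return pairs


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    start = line.find("CEF:")
    if start < 0:
        return None                               # not CEF; any syslog prefix before it is ignored
    fields, ext = _split_header(line[start + len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS):
        return None                               # truncated header
    header = dict(zip(HEADER_FIELDS, fields))
    extension = parse_extension(ext)
    esm = {esm_field: header[h] for h, esm_field in HDR_MAP.items()}
    for key, esm_field in EXT_MAP.items():
        if key in extension:
            esm[esm_field] = extension[key]
    return {"header": header, "extension": extension, "esm": esm}


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
    print(parse_cef(PIPE_SAMPLE))
```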
Aruba ClearPass
Configure Aruba ClearPass
Task
1. Log on to the ClearPass Policy Manager, then navigate to Administration Menu → External Servers → Syslog Export Filters.
2. Copy the XML from the Syslog export file template, paste it into a blank file, and save it as an XML file, for example,
McAfee_SIEM_SyslogExportData.xml.
Note: Copying and pasting from a PDF may not work. Copy the XML from docs.mcafee.com or try pasting the content into a
plain text processor first. Some manipulation of the XML may be needed.
3. Change all instances of the text change.me.receiver.ip in the XML file to the IP address of the McAfee Event Receiver.
4. On the Syslog Export Filters page, select the Import link in the top right area of the page.
5. Click Browse to navigate to the XML file that you created.
Note: This file sets up the needed syslog export filters and populates the syslog target IP address.
6. Navigate to the Syslog Targets page and verify that the IP address of the McAfee Event Receiver is in the host Address field.
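As an added example (not part of the guide or of the ClearPass template), this Python snippet automates step 3 and the verification in step 6: it replaces every `change.me.receiver.ip` placeholder with a validated Receiver IP address and checks the result for leftover placeholders, `filterName` values with no matching `DataFilter`, and export entries whose server is not a configured `SyslogTarget`. The cut-down template is constructed; its root element name is an assumption, since the excerpt does not show the real file's root.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

PLACEHOLDER = "change.me.receiver.ip"

# Constructed, cut-down template in the shape of the export file above. The root element
# name is an assumption; the excerpt does not show the real file's root.
TEMPLATE = """<TipsContents>
  <DataFilters>
    <DataFilter description="All WEBAUTH Authentication" name="[WEBAUTH Authentication]" qType="INSIGHT"/>
  </DataFilters>
  <SyslogTargets>
    <SyslogTarget protocol="UDP" port="514" description="McAfee Receiver" hostAddress="change.me.receiver.ip"/>
  </SyslogTargets>
  <SyslogExportConfigurations>
    <SyslogExportData name="McAfee ESM WebAuth" enabled="true" filterName="[WEBAUTH Authentication]">
      <SyslogServerNameList><string>change.me.receiver.ip</string></SyslogServerNameList>
    </SyslogExportData>
    <SyslogExportData name="McAfee ESM Audit" enabled="true" exportEventFormat="CEF">
      <SyslogServerNameList><string>change.me.receiver.ip</string></SyslogServerNameList>
    </SyslogExportData>
  </SyslogExportConfigurations>
</TipsContents>
"""


def fill_receiver(xml_text: str, receiver_ip: str) -> str:
    """Step 3: replace every placeholder with the Receiver address (a valid IP literal only)."""
    ipaddress.ip_address(receiver_ip)             # raises ValueError for anything that is not an IP
    return xml_text.replace(PLACEHOLDER, receiver_ip)


def check_export_template(xml_text: str) -> List[str]:
    """Return the problems an import would surface: leftover placeholders, dangling filter
    names, disabled exports, and exports pointing at a host that is not a syslog target."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if PLACEHOLDER in xml_text:
        problems.append(f"placeholder {PLACEHOLDER} still present")
    targets = {t.get("hostAddress") for t in root.iter("SyslogTarget")}
    filters = {f.get("name") for f in root.iter("DataFilter")}
    for export in root.iter("SyslogExportData"):
        name = export.get("name", "?")
        if export.get("enabled") != "true":
            problems.append(f"{name}: not enabled")
        flt = export.get("filterName")
        if flt is not None and flt not in filters:
            problems.append(f"{name}: filterName {flt} has no matching DataFilter")
        for host in export.iterfind("SyslogServerNameList/string"):
            if host.text not in targets:
                problems.append(f"{name}: server {host.text} is not a SyslogTarget")
    return problems


if __name__ == "__main__":
    print(check_export_template(TEMPLATE))
    print(check_export_template(fill_receiver(TEMPLATE, "192.0.2.20")))
```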
</conditionSets>
</DataFilter>
<DataFilter description="All TACACS Failed Authentication" name="[TACACS Failed Authentication]" qType="INSIGHT" conditi
<conditionSets conditionJoinType="AND">
<conditions value="0" operator="NOT_EQUALS" columnName="Error-Code" scope="Tacacs"/>
</conditionSets>
</DataFilter>
<DataFilter description="All WEBAUTH Authentication " name="[WEBAUTH Authentication]" qType="INSIGHT" conditionSetJoinTy
<conditionSets conditionJoinType="AND">
<conditions value="WEBAUTH" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All WEBAUTH Failed Authentications " name="[WEBAUTH Failed Authentications]" qType="INSIGHT" co
<conditionSets conditionJoinType="AND">
<conditions value="WEBAUTH" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
<conditionSets conditionJoinType="AND">
<conditions value="0" operator="NOT_EQUALS" columnName="Error-Code" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All Application Authentications" name="[Application Authentication]" qType="INSIGHT" conditionS
<conditionSets conditionJoinType="AND">
<conditions value="Application" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
</DataFilter>
</DataFilter>
<SyslogTargets>
<SyslogTarget protocol="UDP" port="514" description="McAfee Receiver" hostAddress="change.me.receiver.ip"/>
</SyslogTargets>
<SyslogExportConfigurations>
<SyslogExportData description="" name="McAfee ESM Application Authenication" fieldGroupName="Application Authentication"
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Protocol</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Login-Status</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Source</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Enforcement-Profiles</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Audit" fieldGroupName="" enabled="true" exportEventFormat="CEF" export
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM ClearPass Config Audit" fieldGroupName="ClearPass Configuration Audit"
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>CppmConfigAudit.Name</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmConfigAudit.Action</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmConfigAudit.Category</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmConfigAudit.Updated-By</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmConfigAudit.Updated-At</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM ClearPass Guest" fieldGroupName="ClearPass Guest" enabled="true" filte
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Guest.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Visitor-Name</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Visitor-Company</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Role-Name</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Enabled</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Created-At</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Starts-At</SyslogExportDataColumn>
<SyslogExportDataColumn>Guest.Expires-At</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM ClearPass System Events" fieldGroupName="ClearPass System Events" enab
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmSystemEvent.Source</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmSystemEvent.Level</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmSystemEvent.Category</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmSystemEvent.Action</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmSystemEvent.Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Endpoint" fieldGroupName="Endpoints" enabled="true" filterName="[Endpo
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Endpoint.MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.MAC-Vendor</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Device-Category</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Device-Family</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Device-Name</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Conflict</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Status</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Added-At</SyslogExportDataColumn>
<SyslogExportDataColumn>Endpoint.Updated-At</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Failed Authenications" fieldGroupName="Failed Authentications" enabled
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Auth-Source</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Auth-Method</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.System-Posture-Token</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Enforcement-Profiles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Error-Code</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Alerts</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Guest Access" fieldGroupName="Guest Access" enabled="true" filterName=
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Auth-Method</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.System-Posture-Token</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Enforcement-Profiles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Insight Radius Auth" fieldGroupName="RADIUS Authentications" enabled="
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Protocol</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Login-Status</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Source</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Enforcement-Profiles</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Insight Radius Auth Failed" fieldGroupName="RADIUS Failed Authenticati
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmErrorCode.Error-Code-Details</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmAlert.Alerts</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Logged in Users" fieldGroupName="Logged in users" enabled="true" filte
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Framed-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Radius Accounting" fieldGroupName="RADIUS Accounting" enabled="true" f
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>RADIUS.Acct-Username</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-NAS-Port</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-NAS-Port-Type</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Calling-Station-Id</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Framed-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Session-Id</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Session-Time</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Output-Pkts</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Input-Pkts</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Output-Octets</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Input-Octets</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Service-Name</SyslogExportDataColumn>
<SyslogExportDataColumn>RADIUS.Acct-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM System" fieldGroupName="" enabled="true" exportEventFormat="CEF" expor
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM TACACS Accounting" fieldGroupName="TACACS+ Accounting" enabled="true"
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>TACACS.Remote-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>TACACS.Acct-Flags</SyslogExportDataColumn>
<SyslogExportDataColumn>TACACS.Privilege-Level</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM TACACS Administration" fieldGroupName="TACACS+ Administration" enabled
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>TACACS.Remote-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>TACACS.Privilege-Level</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM TACACS Authenication" fieldGroupName="TACACS Authentication" enabled="
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Tacacs.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Remote-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Request-Type</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Auth-Source</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Enforcement-Profiles</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Privilege-Level</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM TACACS Failed Auth" fieldGroupName="TACACS Failed Authentication" enab
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Tacacs.Username</SyslogExportDataColumn>
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 141
<SyslogExportDataColumn>Tacacs.Remote-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Request-Type</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.NAS-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Tacacs.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmErrorCode.Error-Code-Details</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmAlert.Alerts</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM WebAuth" fieldGroupName="WEBAUTH" enabled="true" filterName="[WEBAUTH
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Protocol</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.System-Posture-Token</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Login-Status</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Source</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Enforcement-Profiles</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Web Authentication" fieldGroupName="Web Authentication" enabled="true"
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Common.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>WEBAUTH.Host-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Roles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.System-Posture-Token</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Enforcement-Profiles</SyslogExportDataColumn>
<SyslogExportDataColumn>Common.Request-Timestamp</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM WebAuth Fail Auth" fieldGroupName="WEBAUTH Failed Authentications" ena
<SyslogServerNameList>
<string>change.me.receiver.ip</string>
</SyslogServerNameList>
<SyslogExportDataColumns>
<SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-MAC-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Host-IP-Address</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Protocol</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.System-Posture-Token</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmNode.CPPM-Node</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Login-Status</SyslogExportDataColumn>
<SyslogExportDataColumn>Auth.Service</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmErrorCode.Error-Code-Details</SyslogExportDataColumn>
<SyslogExportDataColumn>CppmAlert.Alerts</SyslogExportDataColumn>
</SyslogExportDataColumns>
</SyslogExportData>
</SyslogExportConfigurations>
</TipsContents>
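Every SyslogServerNameList in the export configuration above still carries the change.me.receiver.ip placeholder. As an added example, not part of the McAfee guide or the ClearPass export file, the following Python scans a configuration of that shape for enabled exports whose server list is empty or still the placeholder, and fills in the receiver address. The element and attribute names are the ones in the fragment above; the short XML document embedded in the code is constructed for this example.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

PLACEHOLDER = "change.me.receiver.ip"

# Constructed for this example: three exports in the shape of the TipsContents
# fragment above. One still points at the placeholder, one is already set and
# one is disabled with an empty server list.
SAMPLE_EXPORT_XML = """<TipsContents>
<SyslogExportConfigurations>
<SyslogExportData description="" name="McAfee ESM WebAuth" fieldGroupName="WEBAUTH" enabled="true">
<SyslogServerNameList><string>change.me.receiver.ip</string></SyslogServerNameList>
<SyslogExportDataColumns><SyslogExportDataColumn>Auth.Username</SyslogExportDataColumn></SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM TACACS Failed Auth" fieldGroupName="TACACS Failed Authentication" enabled="true">
<SyslogServerNameList><string>10.0.0.5</string></SyslogServerNameList>
<SyslogExportDataColumns><SyslogExportDataColumn>Tacacs.Username</SyslogExportDataColumn></SyslogExportDataColumns>
</SyslogExportData>
<SyslogExportData description="" name="McAfee ESM Disabled Export" fieldGroupName="WEBAUTH" enabled="false">
<SyslogServerNameList></SyslogServerNameList>
<SyslogExportDataColumns/>
</SyslogExportData>
</SyslogExportConfigurations>
</TipsContents>"""


def _servers(export):
    """Text of every <string> under the export's SyslogServerNameList."""
    return [(s.text or "").strip() for s in export.findall("SyslogServerNameList/string")]


def unconfigured_exports(xml_text):
    """Names of enabled exports whose server list is empty or still the placeholder."""
    root = ET.fromstring(xml_text)
    bad = []
    for export in root.iter("SyslogExportData"):
        if export.get("enabled", "false").lower() != "true":
            continue  # a disabled export sends nothing, so it is not a finding
        servers = _servers(export)
        if not servers or any(s in ("", PLACEHOLDER) for s in servers):
            bad.append(export.get("name"))
    return bad


def set_receiver(xml_text, receiver_ip):
    """Return the XML with every placeholder server entry replaced by receiver_ip."""
    ip_address(receiver_ip)  # reject anything that is not a literal IP address
    root = ET.fromstring(xml_text)
    for export in root.iter("SyslogExportData"):
        for server in export.findall("SyslogServerNameList/string"):
            if (server.text or "").strip() == PLACEHOLDER:
                server.text = receiver_ip
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("still unconfigured:", unconfigured_exports(SAMPLE_EXPORT_XML))
    fixed = set_receiver(SAMPLE_EXPORT_XML, "10.0.0.5")
    print("after fix:", unconfigured_exports(fixed))
```

Run the check against the export file before enabling it on ClearPass; an export left on the placeholder is silently dropped by the sender, and the first sign of it is usually a data source on the Receiver that never reports events.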
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Session Log:
CEF.SignatureID CEF.EventName Severity duser dmac dpriv cs2 outcome rt dvc cat
Insight Log:
CEF.SignatureID CEF.EventName Severity dmac cs6 dst duser cs4 cs5 rt dvc cat
Audit Log:
CEF.SignatureID CEF.EventName Severity rt cat duser dvc act
System Log:
CEF.SignatureID CEF.EventName Severity dvc deviceProcessName outcome rt cat
Log sample
This is a sample log from an Aruba ClearPass device:
Session Log:
<143>Aug 10 2016 15:18:04 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|2006|Guest Access|1|duser=bob dmac=78
Insight Log:
<143>Aug 11 2016 14:59:50 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|1009|Endpoints|1|dmac=784b877a4155 cs6
Audit Log:
<143>Aug 01 2016 11:16:42 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|3002|Syslog Export Data|2|rt=Aug 01 2
System Log:
<143>Aug 23 2016 16:57:39 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|4009|restart|1|dvc=172.20.21.100 device
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
CEF.Severity Severity
Endpoint.MAC-Vendor Object_Type
ArubaClearpassGuestVistorCompany Domain
dvchost Hostname
requestMethod Method
ArubaClearpassGuestVisitorName Contact_Nickname
Endpoint.Device-Name External_Device_Name
CEF.SignatureID External_EventID
Endpoint.Device-Family External_Device_Type
cat Subcategory
src Device_IP
CEF.SignatureID SID
ArubaClearpassOnbardEnrollmentDeviceVersion Version
dpriv Privileges
Task
1. In the BOTsink console, click the Gear icon, then select Administration → Syslog.
2. To configure a new syslog destination, click the + Server icon, then fill in the required BOTsink fields:
◦ Name – Type a name that helps you identify the McAfee Event Receiver.
◦ IP address – Type IP address of the McAfee Event Receiver.
◦ Port – Type 514 or a server-side port.
◦ Protocol – Select User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
◦ Enable – Select to turn on syslog forwarding from the BOTsink Manager.
3. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<9>BotSink: Severity:[] Attacker IP:[] Target IP:[] Target OS:[] Description:[] Details:[] Phase:[] Service:[]
Log samples
This is a sample log from a device:
<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] Target IP:[1.1.1.1] Target OS:[CentOS 7.0] Description:[Telnet
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Description Message
Severity Severity
Target OS Operating_System
Details Message_Text
Phase Threat_Category
Service Service_Name
Device External_Device_Type
VLANID vlan
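The BOTsink format above is a syslog PRI followed by a fixed set of Key:[value] pairs. As an added example, not code from the McAfee guide or from the BOTsink product, the following Python parses such a line, decodes the PRI into facility and severity, validates the two IP fields, and renames the fields with the mapping table above. The page lists no ESM field for Attacker IP and Target IP, so they are returned under their raw names. The page's own sample is truncated after "Description:[Telnet", so the sample lines embedded here are constructed with made-up values; the second one shows a value containing square brackets, which a naive split on "]" would cut short.

```python
import re
from ipaddress import ip_address

# ESM field mapping copied from the BOTsink field-mapping table above.
BOTSINK_TO_ESM = {
    "Description": "Message", "Severity": "Severity", "Target OS": "Operating_System",
    "Details": "Message_Text", "Phase": "Threat_Category", "Service": "Service_Name",
    "Device": "External_Device_Type", "VLANID": "vlan",
}

# "<9>BotSink:" in the format line and "<9> BotSink:" in the sample: accept both.
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>\s*BotSink:\s*(?P<body>.*)$", re.DOTALL)
# Key:[value] pairs. A value ends at the first ']' that is followed by the next
# " Key:[" or by end of line, so a ']' inside free text does not cut it short.
_PAIR = re.compile(
    r"(?P<key>[A-Za-z][A-Za-z0-9 ]*?):\[(?P<val>.*?)\](?= [A-Za-z][A-Za-z0-9 ]*?:\[|$)",
    re.DOTALL,
)


def parse_botsink(line):
    """Parse one BOTsink syslog line into PRI parts, ESM-named fields and leftovers."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BOTsink syslog line")
    pri = int(m.group("pri"))
    fields = {p.group("key").strip(): p.group("val") for p in _PAIR.finditer(m.group("body"))}
    for ip_key in ("Attacker IP", "Target IP"):
        if ip_key in fields:
            ip_address(fields[ip_key])  # raises ValueError on a malformed address
    esm = {BOTSINK_TO_ESM[k]: v for k, v in fields.items() if k in BOTSINK_TO_ESM}
    unmapped = {k: v for k, v in fields.items() if k not in BOTSINK_TO_ESM}
    # RFC 3164 PRI = facility * 8 + severity; <9> is facility 1 (user), severity 1 (alert)
    return {"facility": pri // 8, "syslog_severity": pri % 8, "esm": esm, "unmapped": unmapped}


# Constructed sample lines in the shape of the page's sample; the values are made up.
SAMPLE_LINES = [
    "<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] Target IP:[1.1.1.1] "
    "Target OS:[CentOS 7.0] Description:[Telnet login attempt on decoy] "
    "Details:[user=root attempts=3] Phase:[Lateral Movement] Service:[telnet]",
    "<9>BotSink: Severity:[High] Attacker IP:[10.0.0.5] Target IP:[10.0.0.9] "
    "Target OS:[Windows Server 2016] Description:[SMB share access [ADMIN$] on decoy] "
    "Details:[] Phase:[Discovery] Service:[smb]",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_botsink(sample))
```

The IP validation is deliberate: a deception appliance's Attacker IP is the field an analyst pivots on, so a line whose address does not parse should be rejected loudly rather than stored as free text.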
Axway SecureTransport
Configure Axway SecureTransport
See the Axway SecureTransport product documentation for instructions on sending syslog logs to a remote server. Use the
McAfee Event Receiver IP address for the address of the remote server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Weekday Date Time Version IP Filesize FilePath/FileName TransferType(s) Username TransferProtocol
Log sample
This is a sample log from an Axway SecureTransport device:
Mon Jan 01 00:00:00 2001 514 192.0.2.0 100000000 /Folder/Folder/Folder/Folder/Folder/CompressedFile.part1.rar a n o r ot
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Version Version
IP Source IP
Filesize Message_Text
FilePath/FileName Object
TransferProtocol Application
Task
1. In the web interface, go to Advanced → Advanced Networking.
2. In the Syslog Configuration section, enter the IP address of the McAfee Event Receiver in the Mail Syslog field.
3. In the Port field, enter the number where the McAfee Event Receiver is listening (default is 514).
4. Select UDP for the Protocol, then click Add.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<event action> <hostname> <IP address> <time> <username> <destination username> <spam score> <event ID> <subject>
Log sample
This is a sample log from a Barracuda Networks Spam Firewall device:
<123>inbound/pass[1234]: example.com[192.0.2.1] 1234567890-a1b2c3d4e5f6-a7b8c9 978310861 978310861 SCAN - example@exampl
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Host Hostname
Client IP Source IP
Action Event_Class
Event ID External_Event_ID
Queued as ID Queue_ID
Task
1. Open a web browser and log on to your Web Application Firewall (WAF) device.
2. Click the ADVANCED tab and select Export Logs.
3. In the Syslog section, click Add Syslog Server, then fill in these fields:
◦ Name: A name for reference in the WAF.
◦ IP Address: The IP address of your McAfee Event Receiver.
◦ Port: The port number used for syslog on your McAfee Event Receiver (514 by default).
◦ Connection Type: Most commonly UDP, the default in the McAfee Event Receiver.
◦ Validate Server Certificate: Select No.
◦ Client Certificate: Not needed when Validate Server Certificate is set to No.
4. Click Add.
Add Barracuda Web Application Firewall
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device depends on the log type:
System Logs:
Timestamp Module Name Log Level Event ID Message
Access Logs:
Timestamp Unit Name Log Type Application IP Application Port Client IP Client Port Login ID Certificate User Method Proto
Audit Logs:
Timestamp Unit Name Log Type Admin Name Client Type Login IP Login Port Transaction Type Transaction ID Command Name Chan
Additional Data
Log sample
This is a sample log from a device:
System Log:
Feb 3 15:09:02 wsf STM: LB 5 00141 LookupServerCtx = 0xab0bb600
Access Log:
2016-02-02 21:16:59.914 -0800 wafbox1 TR 192.0.2.0 80 198.51.100.0 37754 "-" "-" POST HTTP 192.0.2.0 HTTP/1.1 200 812 640
Audit Log:
2016-02-02 21:08:53.861 -0800 wafbox1 AUDIT User3 GUI 192.0.2.0 0 CONFIG 17 - SET web_firewall_policy default url_protect
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Client IP Source IP
Application IP Destination IP
Rule ID Signature_Name
URL URL
Referrer Referrer
Cmd Command
Version Application_Protocol
Interface Interface
Configuring Barracuda Web Filter
Task
1. From the admin interface, go to Advanced → Syslog.
2. Enter the IP address of the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<device IP> <service> <time date> <source IP> <destination IP> <web domain> <action> <service> <command> <application> <
Log sample
This is a sample log from a Barracuda Networks Web Filter device:
[192.0.2.1] <123>http_scan[12345]: 978310861 192.0.2.2 192.0.2.3 text/javascript http://example.com/ 123 ABC ALLOWED CLEA
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Hostname Hostname
Application Application
Source IP Source IP
Destination IP Destination IP
Command Command
Service Object
Description Message_Text
Subject Subject
Task
1. Navigate to the System Configuration page in the user interface.
2. On the Configuration Options list, select Server Status, click Edit, then select Syslog enabled.
3. In the Syslog address field, enter the IP address of your McAfee Event Receiver, then set the Syslog port to 514.
4. Set Syslog format.
◦ For standard syslog formatted logs, set to Basic (RFC 3164).
◦ For ArcSight CEF formatted logs, set to CEF (ArcSight).
5. Click Update to save changes and exit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Source Model Bit9 Parity Suite (ASP) for Basic (RFC 3164) logs
Bit9 Parity Suite – CEF (ASP) for ArcSight CEF formatted logs
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are importing raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Bit9 Parity Suite Basic (RFC 3164) log format and field mapping
Log format
The expected format for this device is:
<date time> <device name> <message>
Log sample
This is a sample log from a Bit9 Parity Suite device:
<123>1 2001-01-01T01:01:01Z example.name.com Parity - - - Bit9 ParityServer event: text="Computer from '192.0.2.1' chang
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
hostname Hostname
event_type Application
ip_address Source IP
Destination IP Destination IP
CLI Command
hostname Domain
username Source_Username
process Target_Process_Name
file_name Destination_Filename
policy Policy_Name
Description Message_Text
Bit9 Parity Suite - CEF (ArcSight) log format and field mapping
Log format
The expected CEF format for this device is:
<priority> <date> <hostname> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<sever
Log sample
This is a sample CEF log from a Bit9 Parity Suite device:
<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|externalId=123456 cat=value rt=Jan 01 0
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
dhost Hostname
installerFilename Application
src Source IP
dst Destination IP
proto Protocol
fname Filename
Policy Object_Type
spriv Object
suser Source_Username
duser Destination_Username
externalId End_Page
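The two Bit9 Parity Suite formats above (the key="value" text format under a syslog header, and the CEF format) can be checked against the mapping tables with a small parser. The following is an added example and not McAfee's or Bit9's parser; the two sample events are constructed to complete the truncated samples above, the RFC 5424 and RFC 3164 header patterns and the CEF escaping rules (`\|` in the header, `\=` and `\\` in the extension) follow the public specifications, and the duplicate `hostname` row in the first table is collapsed to Hostname.

```python
"""Added example (not McAfee code): parse the two Bit9 Parity Suite event formats
documented above into the McAfee ESM field names from the mapping tables."""
import re

# Syslog header in RFC 5424 form: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?:-|\[.*?\]) (?P<msg>.*)$"
)
# Syslog header in RFC 3164 form: <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')        # key="value" pairs in the Bit9 text format
CEF_PIPE_RE = re.compile(r"(?<!\\)\|")         # CEF header separator, unless escaped as \|
CEF_KEY_RE = re.compile(r"(?:^| )(\w+)=")      # extension keys; an escaped \= never matches
CEF_ESCAPE_RE = re.compile(r"\\(.)")

# Mapping tables from the two sections above.
BIT9_TEXT_MAP = {
    "hostname": "Hostname", "event_type": "Application", "ip_address": "Source IP",
    "username": "Source_Username", "process": "Target_Process_Name",
    "file_name": "Destination_Filename", "policy": "Policy_Name", "Description": "Message_Text",
}
BIT9_CEF_MAP = {
    "dhost": "Hostname", "installerFilename": "Application", "src": "Source IP",
    "dst": "Destination IP", "proto": "Protocol", "fname": "Filename", "Policy": "Object_Type",
    "spriv": "Object", "suser": "Source_Username", "duser": "Destination_Username",
    "externalId": "End_Page",
}

def split_syslog(line):
    """Return PRI facility/severity, timestamp, host and the message body."""
    for rx in (RFC5424_RE, RFC3164_RE):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
                    "host": m.group("host"), "message": m.group("msg")}
    raise ValueError(f"unrecognised syslog header: {line[:40]!r}")

def cef_unescape(value):
    # Single pass so that "\\=" (escaped backslash, then a literal =) is not mis-read.
    return CEF_ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(message):
    """Split 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension'."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = CEF_PIPE_RE.split(message[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    names = ("version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity")
    header = {n: cef_unescape(v) for n, v in zip(names, parts[:7])}
    ext, extension = parts[7], {}
    keys = list(CEF_KEY_RE.finditer(ext))
    for i, km in enumerate(keys):            # a value runs up to the next " key="
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[km.group(1)] = cef_unescape(ext[km.end():end])
    return header, extension

def to_esm(fields, mapping):
    """Apply a mapping table; report the log fields a custom parser would drop."""
    esm = {esm_name: fields[k] for k, esm_name in mapping.items() if k in fields}
    return esm, sorted(k for k in fields if k not in mapping)

def bit9_text_to_esm(line):
    hdr = split_syslog(line)
    esm, unmapped = to_esm(dict(KV_RE.findall(hdr["message"])), BIT9_TEXT_MAP)
    esm.setdefault("Hostname", hdr["host"])  # fall back to the syslog header host
    return {"esm": esm, "unmapped": unmapped, "syslog": hdr}

def bit9_cef_to_esm(line):
    hdr = split_syslog(line)
    header, extension = parse_cef(hdr["message"])
    esm, unmapped = to_esm(extension, BIT9_CEF_MAP)
    return {"esm": esm, "unmapped": unmapped, "cef": header, "syslog": hdr}

# Constructed samples (not from the guide) completing the truncated ones above.
BIT9_TEXT_SAMPLE = (
    "<123>1 2001-01-01T01:01:01Z example.name.com Parity - - - Bit9 ParityServer event: "
    "text=\"Computer from '192.0.2.1' changed policy\" hostname=\"WS01\" "
    "event_type=\"Policy change\" ip_address=\"192.0.2.1\" username=\"alice\" "
    "process=\"explorer.exe\" file_name=\"setup.exe\" policy=\"Default Policy\""
)
BIT9_CEF_SAMPLE = (
    r"<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|"
    r"externalId=123456 cat=value rt=Jan 01 01:01:01 dhost=WS01 src=192.0.2.1 dst=192.0.2.2 "
    r"proto=TCP fname=C:\\Temp\\setup\=final.exe installerFilename=installer.exe suser=alice Policy=Default"
)

if __name__ == "__main__":
    print(bit9_text_to_esm(BIT9_TEXT_SAMPLE))
    print(bit9_cef_to_esm(BIT9_CEF_SAMPLE))
```

The `unmapped` list is the useful output when a parser "receives data but does not parse it": it names the keys the device sends that the mapping table does not cover, which is where a custom rule is needed.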
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available
for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <severity> <hostname> <user> <IP address> <message>
Log sample
This is a sample log from a Blue Coat Director device:
Jan 01 01:01:01 <cli.notice_minor> hostname cli[1234]: [email protected]: Device exampleName: attempting connection using
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Device ID Hostname
IP Protocol Protocol
IP Address Source IP
Destination IP Destination IP
Application Application
Command Command
Filename Filename
Invalid IP Object
Blue Coat ProxySG
Create a custom log format
McAfee ESM requires a custom format for the Blue Coat Access Logs.
Task
1. Select Configuration → Access Logging → Formats, then click New.
2. Select a format type.
◦ W3C Extended Log File Format (ELFF) string
◦ Custom format string to use log-specific formats
3. Give the format a name, then type the format:
◦ If you selected W3C Extended Log File Format (ELFF) string, type this custom format:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-sta
◦ If you selected Custom format string, enter the format for the supported custom string.
4. Click Test Format to make sure that there are no syntax errors.
5. Select Log all headers from the Multiple-valued header policy list, then click OK.
Task
1. Select Configuration → Access Logging → Logs → Logs, then click New.
2. Type a log name, select your custom log format from the drop-down list, then add a meaningful description.
3. Type the maximum size that the remote log file reaches before rolling over to a new file.
4. Enter a size for the Early Upload file, then click OK.
Task
1. Select Configuration → Policy → Visual Policy Manager → Launch.
2. Once the Visual Policy Manager (VPM) has started, add a Web Content Layer or edit the existing one. This document describes
adding a Web Content Layer.
3. In the VPM, select Policy → Add Web Content Layer, then enter a name for this new Web Content Layer.
4. Right-click the Action column, select Set, then select New → Modify Access Logging.
5. Select Enable Logging to, then, from the drop-down list, select the custom log you created.
6. Click OK, then click Install Policy.
Task
1. Select Configuration → Access Logging → General → Default Logging.
2. Select Enable Access Logging, then click Apply.
Configure Syslog
Task
1. Select Configuration → Access Logging → Logs → Upload Client.
2. In the Log drop-down list, select the custom log that you created.
3. From the Client Type drop-down list, select Custom Client, then click Settings.
4. Fill in these fields:
◦ Host – Enter the IP address of the McAfee Event Receiver.
◦ Port – Enter 514.
◦ Use Secure Connections (SSL) – Deselect.
5. Click OK.
6. Click Apply to return to the Upload Client tab.
7. For Save the log file as, select text file.
8. Leave the defaults for all other options.
9. Click the Upload Schedule tab.
10. Select Upload Type.
11. For Upload the access log, select continuously to stream the access logs to the McAfee Event Receiver.
12. Leave the default settings for all other options.
13. Click OK, then click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Interval 5 Minutes
Delete processed files Select to have the Receiver delete the files from the FTP
Server after they are processed.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Access log event v6 log example:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status
Field mapping
Access Log
Fields with * indicate compatibility with version 9.2 and later only.
Log fields McAfee ESM fields
c-ip src_ip
cs-username src_username
sc-filter-result Query_Response.Query_Response*
cs-categories Subject.Subject
sc-status Action
s-action Message
cs-method commandname
rs-Content-Type application
cs-host domain
cs-uri-port dst_port
cs-uri-path URL.URL
Job_Name.Job_Name*
cs-User-Agent User_Agent.User_Agent*
s-ip dst_ip
c-ip src_ip
s-action Message
cs-bytes Bytes_Sent.Bytes_Sent*
sc-bytes Bytes_Received.Bytes_Received*
cs-method Method.Method
cs-uri-scheme
cs-host domain
cs-uri-port src_port
cs-uri-path URL.URL
cs-username src_username
rs(Content-Type) application
cs(Referer) Referer.Referer*
cs-User-Agent User_Agent.User_Agent*
sc-filter-result Action
cs-categories Object_Type.Object_Type
x-virus-id Object_Type.Object_Type
s-ip dst_ip
nFMAIN
Fields with * indicate compatibility with version 9.2 and later only.
nfMAIN Application
Source src_ip
Status Response_Code.Response_Code*
Action Action
IncomingBytes Bytes_Received.Bytes_Received*
OutgoingBytes Bytes_Sent.Bytes_Sent*
Method Method.Method
Scheme Protocol
Username src_username
User-Agent User_Agent.User_Agent*
Result Query_Response.Query_Response*
Category Category.Category*
Virus Threat_Name.Threat_Name*
Device_IP Device_IP.Device_IP*
DevicePort src_port
DestinationIP dst_ip
DestinationPort dst_port
nFIM
Fields with a * indicate compatibility with version 9.2 and later only.
nFIM Application
Source src_ip
Username src_username
Protocol Protocol
Method Method.Method
Client Client_Version.Client_Version*
Action Action
File Filename.Filename
DeviceIP DeviceIP.DeviceIP*
nFSSL
Fields with * indicate compatibility with version 9.2 and later only.
nFSSL Application
Source src_ip
Action Action
DestinationIP dst_ip
DestinationPort dst_port
Supplier URL.URL
Category Category.Category*
DeviceIP DeviceIP.DeviceIP*
IncomingBytes Bytes_Received.Bytes_Received*
OutgoingBytes Bytes_Sent.Bytes_Sent*
Protocol Protocol
nFSTREAM
Fields with * indicate compatibility with version 9.2 and later only.
Log fields McAfee ESM fields
nFSTREAM Application
DestinationPort dst_port
Status Response_Code.Response_Code*
Action Action
User-Agent User_Agent.User_Agent*
Hostexe Client_Version.Client_Version*
Protocol Protocol
Bytes1 Bytes_Received.Bytes_Received*
Bytes2 Bytes_Sent.Bytes_Sent*
Device Device_IP.Device_IP*
Source src_ip
URL URL.URL
Method Method.Method
nFP2P
Fields with * indicate compatibility with version 9.2 and later only.
nFP2P Application
Source src_ip
Username src_username
Protocol Protocol
ClientType Message
Bytes1 Bytes_Received.Bytes_Received*
Bytes2 Bytes_Sent.Bytes_Sent*
Action Action
DestinationIP dst_ip
DestinationPort dst_port
Device Device_IP.Device_IP*
Task
1. Download the FileZilla FTP Server for Windows.
2. Install the FileZilla FTP server on your Windows Server and accept all default options.
3. Create a directory to store the BlueCoat ProxySG Access Logs, for example, D:\BlueCoatLogs.
A Filezilla server page opens.
4. Add users.
a. Select Edit → Users.
b. On the General page, click Add under Users, then type the FTP account name.
c. In the account settings section, make sure that Enable Account is selected.
d. Select Password, then type a password for the newly created proxysg user.
Note: For security purposes, make sure that this password is complex.
e. Click Shared Folders, then click Add.
f. Navigate to the directory created previously, click OK, then give the user all file and all directory rights to the directory.
Note: An H next to the directory indicates that this is the home directory for the user. If H doesn't appear, highlight the
directory and click Set as home dir.
g. Click OK to save the user.
Results
The Filezilla FTP server is up and running and the proxysg user is ready to go.
Task
1. To configure access logs to upload their data to the FTP server, select Configuration → Access Logging → Logs → Upload Client.
2. In the Log drop-down list, select the custom log that you created earlier.
3. From the Upload Client Type drop-down list, select FTP Client, then click Settings.
a. Fill in these fields.
◦ Host: Enter the IP address of the Filezilla FTP server.
◦ Port: 21 is the default FTP port.
◦ Path: Enter a slash (/).
◦ Username: Enter proxysg, the user you created earlier.
b. Click Change Primary Password, enter the password, then click OK.
c. In the Filename field, type a name that contains text or specifiers.
Note: The file name includes the log name, last octet of the ProxySG, month, day, hour, minute, and seconds.
d. Since the Filezilla server is not configured for FTPS or SFTP, deselect Use Secure Connections (SSL).
e. Select Local Time to upload the local time file instead of using UTC.
f. Click OK, then click Apply to return to the Upload Client Configuration page.
4. For Save the log file as, select gzip file to reduce the log file size.
The McAfee Event Receiver decompresses a gzipped log file and parses the logs that are in it.
5. Click the Upload Schedule tab, then, on the Log drop-down list, select the custom log you created.
6. Under Upload Type, select periodically.
7. Under Rotate the Log File, select Every, and enter 0 hours and 5 minutes.
The Blue Coat ProxySG uploads the access logs to the FTP server every 5 minutes.
8. Click Apply, then verify that the upload is successful.
a. On the Upload Client tab, click Test Upload, and go to the FTP server (Filezilla Server).
b. Verify that the user proxysg logged on and that a file named “main_upload_result” was uploaded to the FTP server.
netstat -an | grep 514
• Use tcpdump on the McAfee Event Receiver to verify receipt of syslog from the server. You can use a command like this to
verify the receipt of data:
tcpdump -i eth0 src host <remote host IP>
Task
1. Click the General Settings tab, then, in the navigation pane, expand Data Settings and select Cloud Download.
2. Select Enable Cloud Download, then specify the directory where the Cloud access logs are being saved.
3. Specify the Cloud API Username and Cloud API Password to grant access, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
x-bluecoat-customer-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn cs-auth-groups x-exception-id sc-fi
Log sample
This is a sample log from a device:
5478 2016-01-05 05:03:05 "Device_Name" 30 203.0.113.0 DOMAIN\username "DOMAIN\Permitted, DOMAIN\Domain Users" - OBSERVED
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
x-bluecoat-appliance-name External_Device_Name
c-ip Device_IP
x-exception-id Reason
sc-filter-result Action
cs-categories URL_Category
cs(Referer) URL
cs-method Request_Type
cs-uri-scheme Protocol
cs-host Web_Domain
cs(User-Agent) User_Agent
s-ip Source IP
sc-bytes Bytes_Sent
cs-bytes Bytes_Received
x-bluecoat-application-name Application
r-ip Destination IP
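Both Blue Coat formats in this chapter, the ProxySG Access Log built from the custom ELFF format string (see the Access Log field mapping above) and the cloud access log whose mapping is given just above, are W3C ELFF: space-separated values, double quotes around values that contain spaces, and a `#Fields:` directive naming the columns. The following is an added example, not Blue Coat's or McAfee's parser. Assumptions: the `#Fields:` directive lines and both sample events are constructed (the cloud sample continues the truncated sample above with made-up values and the column names past `x-exception-id` are assumed); the mapping dictionaries follow the tables in this chapter with the dotted ESM names collapsed to the part after the dot, the parenthesised ELFF spellings `cs(User-Agent)` and `rs(Content-Type)` used throughout, and, where the Access Log table lists two targets for one log field, the listing that contains `cs(Referer)` is used and `sc-status` is left unmapped.

```python
"""Added example (not Blue Coat or McAfee code): parse W3C ELFF access-log lines
and map them to McAfee ESM field names from the tables in this chapter."""
import re

# A value is either a double-quoted string (may contain spaces) or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# ProxySG Access Log mapping (assumption: chosen subset of the guide's table, see lead-in).
PROXYSG_ACCESS_MAP = {
    "c-ip": "src_ip", "cs-username": "src_username", "sc-filter-result": "Action",
    "cs-categories": "Object_Type", "s-action": "Message", "cs-method": "Method",
    "rs(Content-Type)": "application", "cs-host": "domain", "cs-uri-port": "dst_port",
    "cs-uri-path": "URL", "cs(User-Agent)": "User_Agent", "cs(Referer)": "Referer",
    "s-ip": "dst_ip", "cs-bytes": "Bytes_Sent", "sc-bytes": "Bytes_Received",
}
# Blue Coat cloud access log mapping from the table just above.
WSS_MAP = {
    "x-bluecoat-appliance-name": "External_Device_Name", "c-ip": "Device_IP",
    "x-exception-id": "Reason", "sc-filter-result": "Action", "cs-categories": "URL_Category",
    "cs(Referer)": "URL", "cs-method": "Request_Type", "cs-uri-scheme": "Protocol",
    "cs-host": "Web_Domain", "cs(User-Agent)": "User_Agent", "s-ip": "Source IP",
    "sc-bytes": "Bytes_Sent", "cs-bytes": "Bytes_Received",
    "x-bluecoat-application-name": "Application", "r-ip": "Destination IP",
}

def tokenize(line):
    """Split one ELFF data line into column values, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(line)]

def parse_elff(text, mapping):
    """Return (records, rejected). Each record holds the raw row, the ESM-named fields
    and the log fields the mapping does not cover; rejected holds (line_no, reason) for
    lines whose column count differs from the #Fields: directive, the usual result of
    changing the format string on the proxy without updating the parser."""
    fields, records, rejected = None, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                          # #Software:, #Version:, #Date: carry no event
        if fields is None:
            rejected.append((n, "data line before #Fields: directive"))
            continue
        values = tokenize(line)
        if len(values) != len(fields):
            rejected.append((n, f"expected {len(fields)} columns, got {len(values)}"))
            continue
        row = dict(zip(fields, values))
        # "-" is ELFF for "no value"; do not carry it into an ESM field.
        esm = {mapping[k]: v for k, v in row.items() if k in mapping and v != "-"}
        records.append({"raw": row, "esm": esm,
                        "unmapped": [k for k in fields if k not in mapping]})
    return records, rejected

# Constructed sample logs (not from the guide). The second ProxySG line is deliberately
# truncated to show how a column-count mismatch is reported.
PROXYSG_SAMPLE = """
#Software: SGOS
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-host cs-uri-port cs-uri-path cs(User-Agent) s-ip sc-bytes cs-bytes
2016-01-05 05:03:05 30 203.0.113.10 alice "Domain Users" - OBSERVED "Technology/Internet" - 200 TCP_HIT GET text/html www.example.com 80 /index.html "Mozilla/5.0 (X11; Linux)" 198.51.100.5 1234 567
2016-01-05 05:03:06 12 203.0.113.11 bob "Domain Users" - DENIED "Malicious Sources" - 403 TCP_DENIED
"""
WSS_SAMPLE = r"""
#Fields: x-bluecoat-customer-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn cs-auth-groups x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs(User-Agent) s-ip sc-bytes cs-bytes x-bluecoat-application-name r-ip
5478 2016-01-05 05:03:05 "Device_Name" 30 203.0.113.0 DOMAIN\username "DOMAIN\Permitted, DOMAIN\Domain Users" - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 /index.html "Mozilla/5.0" 198.51.100.5 1234 567 "Example App" 192.0.2.80
"""

if __name__ == "__main__":
    for name, sample, mapping in (("ProxySG", PROXYSG_SAMPLE, PROXYSG_ACCESS_MAP),
                                  ("Cloud", WSS_SAMPLE, WSS_MAP)):
        records, rejected = parse_elff(sample, mapping)
        print(name, [r["esm"] for r in records], rejected)
```

A rising `rejected` count after a change on the proxy is the signal to compare the format string configured under Configuration → Access Logging → Formats with the columns the parser expects.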
Task
1. Edit the /etc/syslog.conf file.
2. Add this line to the file:
*.* @1.2.3.4:514
where 1.2.3.4 is the IP address of your McAfee Event Receiver and 514 is the default port for syslog.
3. Run the command:
service syslog restart
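The forwarding line above selects every facility at every severity (`*.*`) and sends each message as a UDP datagram to port 514 on the Receiver, which then matches the datagram's source address against the IP Address/Hostname and Mask configured on a data source. The following is an added example, not McAfee ESM's or the syslog daemon's code, showing that selector logic, the PRI encoding of facility and severity from RFC 3164, and a simplified model of source-address matching (assumptions: the most specific matching network wins, a single selector without `;` or `,` lists is handled, and the data-source table and the message are constructed).

```python
"""Added example (not McAfee code): what the syslog.conf line above forwards, and how
a receiver matches the datagram's source address to a configured data source."""
import ipaddress
import re
import socket

# Facility and severity numbers from RFC 3164 / syslog(3).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")

def selector_matches(selector, facility, severity):
    """syslog.conf 'facility.priority': priority means that level and anything more
    severe (numerically lower); '*' on either side matches everything."""
    fac, _, prio = selector.partition(".")
    if fac != "*" and FACILITIES.get(fac) != facility:
        return False
    return prio == "*" or severity <= SEVERITIES[prio]

def build_rfc3164(facility, severity, hostname, tag, text, timestamp="Jan 01 01:01:01"):
    """PRI is facility * 8 + severity, e.g. daemon.info -> <30>."""
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {text}"

def decode_pri(message):
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:        # 23 * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def match_data_source(src_ip, data_sources):
    """data_sources: (name, ip, mask) like the Receiver's IP Address/Hostname and Mask
    options. Assumption: the most specific matching network wins."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for name, ip, mask in data_sources:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def handle_datagram(data, src_ip, data_sources):
    """What a receiver records for one UDP datagram; data_source None means the
    sender's address matches no configured data source, so nothing is parsed."""
    text = data.decode("utf-8", errors="replace")
    pri = decode_pri(text)
    return {"source_ip": src_ip,
            "data_source": match_data_source(src_ip, data_sources),
            "facility": pri[0] if pri else None,
            "severity": pri[1] if pri else None,
            "message": text[text.index(">") + 1:] if pri else text}

def loopback_exchange(message, data_sources):
    """Send one datagram to a loopback listener on an ephemeral port (binding 514
    needs root) and run the receiver side on what arrives."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        client.sendto(message.encode(), server.getsockname())
        data, (src_ip, _) = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    return handle_datagram(data, src_ip, data_sources)

# Constructed data-source table and message (not from the guide).
DATA_SOURCES = [("BlueCat DNS/DHCP", "127.0.0.1", 32), ("Branch subnet", "10.1.0.0", 16)]
SAMPLE = build_rfc3164(FACILITIES["daemon"], SEVERITIES["info"], "dns01", "named",
                       "client 10.1.2.3#5353: query: example.com IN A")

if __name__ == "__main__":
    print(loopback_exchange(SAMPLE, DATA_SOURCES))
```

Run stand-alone, the script performs the loopback exchange and prints the record; the point to check when events arrive but are not parsed is the `data_source` value, which must name the entry whose IP Address/Hostname and Mask cover the sending host.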
Add BlueCat DNS/DHCP Server
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Domain Domain
IPaddr Source IP
External IP Destination IP
CN Source Username
Task
1. Click the Wired tab on the Configuration Wizard panel, then click New on the toolbar.
2. Select the syslog receivers, then click Next.
3. On the Select Action page, click the action that you want to perform.
◦ Add a syslog receiver to the target devices.
◦ Delete the specified syslog receivers from the target devices.
◦ Replace All syslog receiver entries on the target devices with the entries in this payload configuration.
◦ Clear All syslog receiver entries from the target devices.
4. Click Next, then click New to add the syslog receivers.
5. Enter the IP address of the McAfee Event Receiver (syslog server), set the UDP port to 514, then click Add to add it to the list of
syslog receivers.
Note: Each device can have up to six syslog receivers. All syslog receivers defined for a device receive the same data.
6. To change a syslog receiver, select it and click Edit, then make the changes and click Update.
7. To open the Deployment section of the wizard, click Next.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
DATE:SEVERITY:EVENTSOURCE: MESSAGE
Log sample
This is a sample log:
Jan 20 03:33:52:I:Security: running-config was changed from console
Field mapping
This table shows the mapping between the data source and ESM fields.
Log fields      ESM fields
Object          Object
Source IP       Source IP
Destination IP  Destination IP
Host            Host
Application     Application
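The format line above reads as colon-delimited, but the DATE field itself contains colons, so a naive split on ':' breaks the timestamp into three pieces; the record has to be matched from the timestamp outward. The parser below is an added example, not McAfee ESM code: the first sample line is the guide's own, the other lines are constructed, and the meaning of the one-letter severity codes is not assumed beyond passing them through. It also pulls out where a running-config change came from, which is the detail a defender wants to review.

```python
"""Parse 'DATE:SEVERITY:EVENTSOURCE: MESSAGE' lines and flag configuration changes.

Added example, not McAfee ESM code. The first sample line is the guide's own;
the others are constructed, and the severity letters are passed through as-is."""
import re
from typing import Dict, List, Optional

# The timestamp contains ':' characters, so a plain line.split(':') would cut
# the date into three pieces. Anchor the timestamp pattern first instead.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
    r":(?P<severity>[A-Za-z])"
    r":(?P<eventsource>[^:]+):\s*(?P<message>.*)$"
)

# A configuration change records where it came from; review any origin that
# is not an expected management path
CONFIG_CHANGE_RE = re.compile(r"running-config was changed from (?P<origin>\S+)")

SAMPLE_LINES = [
    "Jan 20 03:33:52:I:Security: running-config was changed from console",  # from the guide
    "Jan 20 03:35:07:I:Security: running-config was changed from telnet",   # constructed
    "Jan 20 03:36:00:W:System: interface 1/1 link down",                    # constructed
    "not a well-formed record",                                             # constructed
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the four named fields, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def config_change_origin(event: Dict[str, str]) -> Optional[str]:
    """Origin ('console', ...) of a running-config change, or None."""
    m = CONFIG_CHANGE_RE.search(event["message"])
    return m["origin"] if m else None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count parsed and unparsed lines and collect configuration-change origins."""
    parsed = unparsed = 0
    origins: List[str] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1      # lines the rule would not parse end up as raw events
            continue
        parsed += 1
        origin = config_change_origin(event)
        if origin:
            origins.append(origin)
    return {"parsed": parsed, "unparsed": unparsed, "config_change_origins": origins}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```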
Task
1. Log on to the command line interface for the switch and enter this command:
> syslogdIpAdd "192.0.2.1"
Results
This lists all configured remote syslog server IP addresses for the switch.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device name> <log type> <time> <message ID> <severity> <class> <user> <role> <IP> <interface> <application>
Log sample
This is a sample log from a Brocade VDX Switch device:
<123>Jan 1 01:01:01 device name: [log@1234 value="AUDIT"][timestamp@1234 value="2001-01-01T01:01:01.123456"][tz@1234 valu
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields   McAfee ESM fields
Swname       Host
Application  Application
IP           Source IP
interface    Interface
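The Brocade VDX sample above carries its fields as syslog structured-data elements of the form [id@pen name="value"], so the values have to be parsed element by element (including escaped quotes inside a value) and then mapped by element name. The parser below is an added example, not McAfee ESM or Brocade code. The guide's own sample stops after the tz element, so the sample line here is constructed: the log, timestamp and tz elements follow the guide, and every element after them, the device name, the trailing free text and the private enterprise number 1234, are assumed.

```python
"""Parse the structured-data elements of a Brocade VDX syslog line and map
them to the McAfee ESM fields the guide lists.

Added example, not McAfee ESM or Brocade code. The sample line is constructed:
elements after tz@1234, the device name and the trailing text are assumed."""
import re
from typing import Dict, Optional, Tuple

# <PRI> header followed by the rest of the line; PRI = facility * 8 + severity
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)

# One structured-data element: [ID name="value" name="value"]
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s\]"=]+)(?P<params>(?:\s+[^\s\]"=]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s\]"=]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Log field (the sd-id before '@') -> McAfee ESM field, from the guide's table
FIELD_MAP = {"Swname": "Host", "Application": "Application",
             "IP": "Source IP", "interface": "Interface"}

SAMPLE_LINE = (  # constructed, see the docstring
    '<123>Jan 1 01:01:01 device name: [log@1234 value="AUDIT"]'
    '[timestamp@1234 value="2001-01-01T01:01:01.123456"][tz@1234 value="GMT"]'
    '[Swname@1234 value="sw0"][Application@1234 value="cli"]'
    '[IP@1234 value="192.0.2.10"][interface@1234 value="Te 0/1"]'
    '[user@1234 value="admin"] Event: login, Status: success'
)


def split_pri(line: str) -> Tuple[Optional[int], Optional[int], str]:
    """Return (facility, severity, rest); facility/severity are None without a valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m["pri"]) > 191:   # 23 facilities * 8 + 7 is the maximum
        return None, None, line
    pri = int(m["pri"])
    return pri // 8, pri % 8, m["rest"]


def unescape_sd_value(value: str) -> str:
    """Undo the three escapes allowed inside a structured-data value."""
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_structured_data(line: str) -> Dict[str, Dict[str, str]]:
    """Map each sd-id ('log@1234') to its name/value parameters."""
    elements: Dict[str, Dict[str, str]] = {}
    for el in SD_ELEMENT_RE.finditer(line):
        params = {p["name"]: unescape_sd_value(p["value"])
                  for p in SD_PARAM_RE.finditer(el["params"])}
        elements[el["id"]] = params
    return elements


def element_value(elements: Dict[str, Dict[str, str]], name: str) -> Optional[str]:
    """'value' parameter of the element whose sd-id starts with name@, if any."""
    for sd_id, params in elements.items():
        if sd_id.split("@", 1)[0] == name:
            return params.get("value")
    return None


def parse_line(line: str) -> Dict[str, object]:
    """Facility/severity plus the guide's four ESM fields and the log type."""
    facility, severity, rest = split_pri(line)
    elements = parse_structured_data(rest)
    out: Dict[str, object] = {"facility": facility, "severity": severity,
                              "log type": element_value(elements, "log")}
    for log_field, esm_field in FIELD_MAP.items():
        value = element_value(elements, log_field)
        if value is not None:
            out[esm_field] = value
    return out


if __name__ == "__main__":
    print(parse_line(SAMPLE_LINE))
```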
Check Point
Enable the LEA service on the Check Point management server
Task
1. Use SSH to connect to the Check Point management server, then enter expert mode.
2. Open $FWDIR/conf/fwopsec.conf and edit the file according to the type of authentication you want to use.
◦ For authenticated and encrypted connection (recommended), specify:
lea_server auth_port 18184
3. Run cprestart.
Task
1. Log on to the Check Point user interface, then expand the OPSEC Applications tree node.
2. Right-click the OPSEC Application category, select New OPSEC Application, then enter a name for the OPSEC Application.
Note: This name is used when creating the data source in the ESM.
3. In the Host field, select a host, then select the network object that represents the McAfee Event Receiver.
Note: If the object does not exist, create one by clicking New and entering the IP address of the McAfee Event Receiver.
4. In the Client Entries section, select LEA, then click Communication near the bottom of the dialog box.
5. Enter and confirm your one-time password, then click Initialize.
The certificate is initialized and displays the message Initialized but trust not established.
6. Close the Communication dialog box.
7. On the OPSEC Application Process dialog box, click OK.
8. Perform an Install DB on the Check Point server.
Create your Primary CMA as the parent data source, then add your CLMs, Secondary CMAs, and Firewalls as children to the
Primary CMA data source.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Application Name Name of the OPSEC Application created during Check Point
setup.
Options (authentication only) Advanced settings. Leave them at the default unless you have connection
issues.
Connect (authentication only) Tests the connection to the OPSEC LEA service and pulls the
certificate.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select the parent data source from the Receiver Properties Data Sources screen.
2. Select Add Child Data Source.
3. If you are sending firewall logs to a CLM instead of the CMA, find the distinguished name for the CLM.
a. Use SSH to connect to the CMA, then enter expert mode.
b. At the command prompt, enter:
grep sic_name $FWDIR/conf/objects_5_0.C
Child Data Source Screen Settings Log server / CLM and Secondary SMS / CMA
Option Definition
Parent Report Console User-defined name of the CMA that manages the CLM
(preselected if creating a child data source).
Option Definition
Parent Report Console User-defined name of the CMA that manages the CLM
(preselected if creating a child data source).
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Use SSH to connect to the CMA, then enter expert mode.
2. To show all DNs, run this command:
grep sic_name $FWDIR/conf/objects_5_0.C
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a Check Point device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Mappings
This table shows the mappings between the data source and McAfee ESM fields.
Log fields   McAfee ESM fields
Computer     Hostname
IP Protocol  Protocol
Source       Source IP
Destination  Destination IP
• If connection test fails, reinitialize trust in the Check Point user interface
Cisco Firepower
Configure Cisco Firepower Management Console
Task
1. Log on to the Firepower Management console (Defense Center).
2. Browse to System > Local > Registration.
3. Click Create Client.
4. Enter the IP address or host name of the McAfee Event Receiver and, as needed, a password to secure the certificate.
5. Save the new client settings.
6. Download the new client’s certificate, which is used when creating the data source on McAfee ESM.
7. By default, the McAfee Event Receiver pulls Discovery (RNA) and Intrusion Events. To allow it to collect both event types, select
these options:
◦ Discovery Events
◦ Intrusion Events
◦ Intrusion Event Packet Data
◦ Intrusion Event Extra Data
8. Click Save.
Task
1. Log on to the Defense Center console.
2. Browse to Operations → Configuration → eStreamer.
3. Click Create Client.
4. Enter the IP address or host name of the McAfee Event Receiver and, as needed, a password to secure the Certificate.
5. Save the new Client settings.
6. Download the Certificate by clicking the link.
7. By default, the McAfee Event Receiver pulls RNA and Intrusion Events. To allow it to collect both event types, select these
options:
◦ RNA Events
◦ Intrusion Events
◦ Intrusion Event Packet Data
◦ Intrusion Event Extra Data
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Port Default
Upload This allows the user to upload and validate the certificate
that was downloaded in the previous section.
Connect Test the connection to the data source after the Certificate is
downloaded.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Cisco Firepower Management Console - eStreamer log format and field mapping
Log format
The expected format of this device is the JavaScript Object Notation (JSON) format. The logs are similar to this sample:
{"Record Type": 104,"Record": "Intrusion Event 4.9 - 4.10.x","Server Timestamp": 1403652492,"Detection Engine": {"ID": 5
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields                                                                                            McAfee ESM fields
Event Second, First/Last Seen, First/Last Used                                                        First Time, Last Time
Network Protocol, Host Type, ID, Attribute ID, Source Type, Application Protocol, Custom Product      Application
Protocol                                                                                              Protocol
Generator ID                                                                                          External_EventID
Rule ID                                                                                               External_SubEventID
UUID                                                                                                  UUID
• Record Type 48 - Host Attribute Delete
• Record Type 51 - TCP Service Confidence Update
• Record Type 52 - UDP Service Confidence Update
• Record Type 71 - Flow/Connection Statistic
• Record Type 74 - User Set Operating System
• Record Type 78 - User Delete Address
• Record Type 80 - User Set Valid Vulnerabilities
• Record Type 81 - User Set Invalid Vulnerabilities
• Record Type 82 - User Host Criticality
• Record Type 83 - Host Attribute Set Value
• Record Type 84 - Host Attribute Delete Value
• Record Type 85 - User Add Hosts
• Record Type 86 - User Add Service
• Record Type 88 - User Add Protocol
• Record Type 89 - Host Service Data for RNA 4.9.0.x
• Record Type 92 - User Identity Dropped: User Limit Reached
• Record Type 93 - User Removed Change Event
• Record Type 94 - New User Identity
• Record Type 95 - User Login
• Record Type 101 - New OS Event
• Record Type 102 - Identity Conflict System Message
• Record Type 103 - Identity Timeout
• Record Type 104 - Intrusion Event
• Record Type 105 - Intrusion Event
• Record Type 107 - Client Application Messages
• Record Type 112 - Correlation Event
• Record Type 150 - Intrusion Policy
• Record Type 207 - Intrusion Event
• Record Type 208 - Intrusion Event
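The eStreamer feed is one JSON object per record, and the Record Type decides how the rest of the object should be read: the list above marks 104, 105, 207 and 208 as intrusion events, while the other types are discovery, user, host or correlation records. The dispatcher below is an added example, not McAfee ESM or Cisco code: it keeps the intrusion-event records, maps the fields the guide's table names (Event Second, Protocol, Generator ID, Rule ID, UUID) to their ESM fields, and counts everything else. The guide's sample is truncated, so the sample records here are constructed: Record Type, Record, Server Timestamp and Detection Engine follow the guide, the remaining keys and values are assumed.

```python
"""Select eStreamer JSON records by Record Type and map intrusion-event fields
to McAfee ESM fields.

Added example, not McAfee ESM or Cisco code. The sample records are constructed:
only Record Type, Record, Server Timestamp and Detection Engine follow the guide."""
import json
from typing import Dict, List, Optional, Tuple

# Record Types the guide lists as intrusion events
INTRUSION_RECORD_TYPES = {104, 105, 207, 208}

# eStreamer log field -> McAfee ESM field, from the guide's mapping table
FIELD_MAP = {
    "Event Second": "First Time",
    "Protocol": "Protocol",
    "Generator ID": "External_EventID",
    "Rule ID": "External_SubEventID",
    "UUID": "UUID",
}

SAMPLE_RECORDS = [  # constructed, see the docstring
    '{"Record Type": 104, "Record": "Intrusion Event 4.9 - 4.10.x", '
    '"Server Timestamp": 1403652492, "Detection Engine": {"ID": 5}, '
    '"Event Second": 1403652490, "Protocol": 6, "Generator ID": 1, '
    '"Rule ID": 1000001, "UUID": "00000000-0000-0000-0000-000000000001"}',
    '{"Record Type": 71, "Record": "Flow/Connection Statistic", '
    '"Server Timestamp": 1403652493}',
    "not json at all",
]


def load_record(raw: str) -> Optional[dict]:
    """Decode one line; None if it is not a JSON object with an integer Record Type."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not isinstance(rec.get("Record Type"), int):
        return None
    return rec


def map_intrusion_event(rec: dict) -> Optional[Dict[str, object]]:
    """ESM-field view of an intrusion event; None for any other Record Type."""
    if rec["Record Type"] not in INTRUSION_RECORD_TYPES:
        return None
    out: Dict[str, object] = {"Record Type": rec["Record Type"]}
    for log_field, esm_field in FIELD_MAP.items():
        if log_field in rec:
            out[esm_field] = rec[log_field]
    # Detection Engine is a nested object, so it needs its own lookup
    engine = rec.get("Detection Engine") or {}
    if isinstance(engine, dict) and "ID" in engine:
        out["Detection Engine ID"] = engine["ID"]
    return out


def process(raw_lines: List[str]) -> Tuple[List[Dict[str, object]], int, int]:
    """Return (mapped intrusion events, other record count, unreadable line count)."""
    mapped: List[Dict[str, object]] = []
    skipped = unreadable = 0
    for raw in raw_lines:
        rec = load_record(raw)
        if rec is None:
            unreadable += 1
            continue
        event = map_intrusion_event(rec)
        if event is None:
            skipped += 1
        else:
            mapped.append(event)
    return mapped, skipped, unreadable


if __name__ == "__main__":
    print(process(SAMPLE_RECORDS))
```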
Cisco IOS
Configure Cisco IOS
Task
1. Open a secure connection to the console of your Cisco IOS device, then go into enable mode and global configuration mode.
Router> enable
Router# configure terminal
Router(config)#
By default, this only logs to the console. Use this command to enable logging to a specific host, such as the McAfee
Event Receiver. The host argument is the name or IP address of the host.
Router(config)# logging <host>
Level  Keyword       Description
0      Emergency     System unusable messages
1      Alert         Immediate action required messages
2      Critical      Critical condition messages
3      Error         Error condition messages
4      Warning       Warning condition messages
5      Notification  Normal but significant messages
6      Information   Information messages
b. Save changes.
Router# copy running-config startup-config
OR
Router# copy run start
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Date Time: %Facility-Severity-mnemonic: Description SourceIP -> DestIP
Log sample
This is a sample log from a Cisco IOS device:
Jan 01 01:23:45.678: %SEC-6-IPACCESSLOGNP: list 99 denied 0 192.0.2.2 -> 192.0.2.3, 1 packet
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields  McAfee ESM fields
Facility    Application
SourceIP    Source IP
DestIP      Destination IP
Protocol    Protocol
Interface   Interface
category    Category
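The Cisco IOS line format above packs facility, severity and mnemonic into one %FACILITY-SEVERITY-MNEMONIC token, and the severity number is what a logging level on the device compares against before a message is ever sent. The parser below is an added example, not McAfee ESM or Cisco code: it splits that token, maps Facility to Application and the ACL log's addresses to Source IP, Destination IP and Protocol as the guide's table does, and applies a maximum-level filter of the kind a level argument on a logging command expresses (keep messages whose severity is at or below the configured level). The first sample line is the guide's own; the %SYS-5-CONFIG_I line is constructed, and level 7 (debugging) is the standard IOS level below the guide's table and is included so every message parses.

```python
"""Parse Cisco IOS syslog lines ('%FACILITY-SEVERITY-MNEMONIC: description')
into McAfee ESM fields and apply a severity-level filter.

Added example, not McAfee ESM or Cisco code. The second sample line is
constructed; level 7 is the standard IOS debugging level, not in the guide."""
import re
from typing import Dict, List, Optional

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Information",
                  7: "Debugging"}  # 7 is standard IOS, not in the guide's table

HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)

# IPACCESSLOG* descriptions: 'list <acl> denied|permitted <proto> <src>[(port)] -> <dst>[(port)], N packet(s)'
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    rf"(?P<src>{IPV4})(?:\(\d+\))? -> (?P<dst>{IPV4})(?:\(\d+\))?, (?P<count>\d+) packets?"
)

SAMPLE_LINES = [
    "Jan 01 01:23:45.678: %SEC-6-IPACCESSLOGNP: list 99 denied 0 192.0.2.2 -> 192.0.2.3, 1 packet",  # guide
    "Jan 01 02:00:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.9)",     # constructed
]


def parse_ios_line(line: str) -> Optional[Dict[str, object]]:
    """Return the ESM-field view of one line, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    severity = int(m["severity"])
    event: Dict[str, object] = {
        "First Time": m["date"],
        "Application": m["facility"],          # guide: Facility -> Application
        "Severity": severity,
        "Severity name": SEVERITY_NAMES[severity],
        "Mnemonic": m["mnemonic"],
        "Message": m["description"],
    }
    acl = ACL_RE.search(m["description"])
    if acl:                                    # guide: SourceIP/DestIP/Protocol
        event.update({"Source IP": acl["src"], "Destination IP": acl["dst"],
                      "Protocol": acl["proto"], "ACL": acl["acl"],
                      "Action": acl["action"], "Packets": int(acl["count"])})
    return event


def passes_level(event: Dict[str, object], level: int) -> bool:
    """True when the device would forward this message at the given logging level."""
    return int(event["Severity"]) <= level


def filter_lines(lines: List[str], level: int) -> List[Dict[str, object]]:
    """Parsed events that a device logging at 'level' would send."""
    events = (parse_ios_line(line) for line in lines)
    return [e for e in events if e is not None and passes_level(e, level)]


if __name__ == "__main__":
    for event in filter_lines(SAMPLE_LINES, 6):
        print(event)
```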
Add Cisco IOS IPS
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Port 443
URI cgi-bin/sdee-server
Interval Choose the frequency you want to pull from the IPS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields            McAfee ESM fields
sd:hostId             Hostname
sdIdsAlert/@severity  Severity
cid:interface         Interface
cid:protocol          Protocol
@cid:version          Version
cid:appName           Application
cid:riskRatingValue   Reputation
sd:signature/@id      Incident_ID
cid:os/@type          Object
marsCategory          Threat_Name
Cisco Meraki
Configure Cisco Meraki
Task
1. From the dashboard, navigate to Network-wide → Configure → General, then click Add a syslog server.
2. In the Server IP field, enter the IP address of the McAfee Event Receiver, and in the Port field, enter 514 (the default port for
syslog).
3. Add the roles to the Roles field to enable logging for them.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields   McAfee ESM fields
src          Source IP
dst          Destination IP
request      Method
url          URL
protocol     Protocol
direction    Direction
router       Device_IP
signature    Signature_Name
group        Group_Name
client       Host
SSID         Wireless_SSID
reason       Reason
priority     Priority
Cisco NX-OS
Configure Cisco NX-OS
The syslog configuration is done at the command line. See your product documentation for instructions about how to access and
use the CLI.
Task
1. Enter enable mode, then enter configuration mode:
> enable
# configure terminal
# logging server 192.0.2.1 6
where 192.0.2.1 is the IP address of your McAfee Event Receiver, and 6 is the severity level of the logs you want to send (6 is
all events, 2 is only critical and emergency events).
3. To confirm these settings, display the remote syslog server configuration:
# show logging server
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<timestamp> <hostname>: %<application>-<severity>-<message type>: <message>
Log sample
This is a sample log from a Cisco NX-OS device:
2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user example_username from 192.0.2.2
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Host Hostname
protocol Protocol
Application Application
file Filename
domain Domain
Task
1. Go to the ASDM Home window, then select Configuration → Features → Properties → Logging → Logging Setup.
2. To enable syslog, select Enable logging.
3. In the navigation tree under Logging, select Syslog Servers, then click Add to add syslog server.
4. In the Add Syslog Server dialog box, enter the syslog server details, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and ESM fields.
Action Application
Bytes_Sent Command
Count Destination_Hostname
Device_IP Direction
Domain Destination IP
Group_Name Host
Interface_Dest Interface
Object Object_Type
Policy_Name Protocol
Reason Session
Severity Source IP
URL Username
Cisco Unified Computing System
Configure Cisco Unified Computing System
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> <time>: %<facility>-<severity>-<mnemonic>: <description>
Log sample
This is a sample log from a Cisco Unified Computing System device:
<13>: 2012 Oct 10 21:37:25 EDT: %UCSM-5-DEVICE_SHARED_STORAGE_ERROR: [F0863][warning][device-shared-storage-error][sys/mg
Field mapping
This table shows the mapping between the data source and ESM fields.
Log fields   ESM fields
facility Application
severity Severity
server Host
Task
1. In the controller UI, select Management → Logs → Config, enter the IP address of the server where you want to send the syslog
messages, then click Add.
2. In the Syslog Level field, select the severity level.
Note: The only messages sent to the syslog server are messages with severity equal to or less than the level you set.
3. In the Syslog Facility field, set the facility for outgoing syslog messages to the syslog servers.
4. By default, log messages include information about the source file. To exclude this information, deselect File Info.
5. To commit and save the changes, click Apply, then click Save Configuration.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Cisco Wireless LAN Controller log format and field mapping
Log format
The expected format for this device is:
Host Time_Stamp: FACILITY-SEVERITY-MNEMONIC: Message-text
Log sample
This is a sample log from a Cisco Wireless LAN Controller device:
<180>ABCDE12345: *CDP Main: Nov 09 16:02:36.289: #LWAPP-4-AP_DUPLEX_MISMATCH: spam_api.c:7755 Duplex mismatch discovered
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields   McAfee ESM fields
CMD          Command
Domain       Domain
SSID         Wireless_SSID
Remote IP    Device IP
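The NX-OS, Unified Computing System and Wireless LAN Controller formats above all carry the same %FACILITY-SEVERITY-MNEMONIC header, so one parser covers the three log samples. This is an added example, not McAfee's ASP parser: it maps into the ESM field names from the tables above (Application, Severity, Host), while the PRI cross-check, the Username/Source IP extraction for the AAA sample and the severity filter are this example's own assumptions.

```python
"""Parse Cisco-style syslog (NX-OS, UCS Manager, Wireless LAN Controller) into
McAfee ESM-style fields. Added example for this guide, not McAfee's own parser."""
import re
from typing import Dict, Optional

# Shared header of the three formats on this page:
#   [<PRI>][host:][process:] <timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>
# The WLC marks the facility token with '#' instead of '%'.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?\s*:?\s*"
    r"(?P<prefix>.*?)\s*"
    r"[%#](?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)
# Timestamps seen in the samples: "2001 Jan 01 01:01:01 EET", "Nov 09 16:02:36.289".
_TIMESTAMP = re.compile(
    r"(?:\d{4} )?[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{3,4})?"
)
_HOSTNAME = re.compile(r"^[A-Za-z][\w.-]*$")
# Heuristic for AAA failures such as the NX-OS sample (assumption, not from the guide).
_AUTH = re.compile(r"for user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# The guide's own sample lines (the UCS line is truncated exactly as printed).
SAMPLES = {
    "nxos": "2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: "
            "pam_aaa:Authentication failed for user example_username from 192.0.2.2",
    "ucs": "<13>: 2012 Oct 10 21:37:25 EDT: %UCSM-5-DEVICE_SHARED_STORAGE_ERROR: "
           "[F0863][warning][device-shared-storage-error][sys/mg",
    "wlc": "<180>ABCDE12345: *CDP Main: Nov 09 16:02:36.289: "
           "#LWAPP-4-AP_DUPLEX_MISMATCH: spam_api.c:7755 Duplex mismatch discovered",
}


def parse_cisco_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return ESM-style fields for one line, or None if it is not Cisco-style."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    severity = int(m["severity"])
    rec: Dict[str, object] = {
        "Application": m["facility"],       # UCS table: facility -> Application
        "Severity": severity,               # UCS table: severity -> Severity
        "Severity_Name": SEVERITY_NAMES[severity],
        "Mnemonic": m["mnemonic"],
        "Message": m["message"],
        "Host": None,
        "Timestamp": None,
    }
    prefix = m["prefix"]
    ts = _TIMESTAMP.search(prefix)
    if ts:
        rec["Timestamp"] = ts.group(0)
    # A leading "host:" segment is present on the WLC sample but not on NX-OS/UCS,
    # where the first segment is the timestamp and therefore fails the hostname test.
    first = prefix.split(":", 1)[0].strip()
    if _HOSTNAME.match(first):
        rec["Host"] = first                 # NX-OS/WLC tables: Host -> Hostname/Host
    if m["pri"] is not None:
        pri = int(m["pri"])
        rec["PRI"] = pri
        rec["Syslog_Facility"] = pri // 8
        # RFC 3164 PRI = facility*8 + severity. The PRI severity should agree with
        # the one in the mnemonic token; a mismatch marks a mangled or suspect line.
        rec["Severity_Consistent"] = (pri % 8) == severity
    auth = _AUTH.search(m["message"])
    if auth:
        rec["Username"] = auth["user"]
        rec["Source IP"] = auth["ip"]
    return rec


def should_forward(rec: Dict[str, object], level: int) -> bool:
    """Mirror the NX-OS 'logging server <ip> <level>' filter from the task above:
    an event reaches the Receiver only if its severity is numerically <= level."""
    return int(rec["Severity"]) <= level


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        rec = parse_cisco_syslog(line)
        print(name, {k: v for k, v in rec.items() if k != "Message"})
        print("  forwarded at level 2:", should_forward(rec, 2))
```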
Citrix NetScaler
Configure Citrix NetScaler
Task
1. In the Configuration utility, expand System → Auditing, then click syslog.
2. Click the Servers tab, then click Add.
a. In the Name field, enter the name of the syslog server (for example, McAfee Event Receiver), then select syslog from the
Auditing Type list.
b. In the IP Address field, enter the IP address of the McAfee Event Receiver.
c. In the Port field, enter the port number used for syslog by the McAfee Event Receiver (default is 514).
d. In the Log Levels group, select ALL to send all logs to the McAfee Event Receiver.
Note: Individual levels can be selected as needed.
e. Click Create, then click Close.
3. Click the Policies tab to add audit policies, then click Add.
a. In the Name field, enter a name for the policy (for example, McAfee ESM).
b. Select SYSLOG in the Auditing Type list, then select the McAfee Event Receiver server name in the Server list.
c. Click Create, then click Close.
4. Click Global Bindings, click Insert Policy, and select the policy name that you created.
5. Click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time zone> <device> <application> <message> <key-value pairs…>
Log sample
This is a sample log from a Citrix NetScaler device:
<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context [email protected] - SessionId: 1234
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields    McAfee ESM fields
Host          Host
Protocol      Protocol
Source        Source IP
Destination   Destination IP
Vserver IP    Device_IP
Application   Application
Command       Command
Domain        Domain
Filename      Filename
Nat_ip        NAT_Details
Task
1. In the Access Gateway Management Console, click Management → System Administration, then click Logging.
2. Click Remote Server Settings → Access Gateway Logging, then enter the IP address of the McAfee Event Receiver in the Server field.
3. In the Port field, enter the port used to receive syslog by the McAfee Event Receiver (default is 514).
4. Under Log Type, select one or more types of logs to be sent to the McAfee Event Receiver.
5. (Optional) To change the frequency with which logs are sent or to send them manually, click Management → System Administration →
Logging → Access Gateway Logging → Log Settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <severity> <message>
Log sample
This is a sample log from a Citrix Secure Gateway device:
[Mon Jan 01 01:01:01 2001] [error] SSL Library Error 47 on 1.2.3.4:123 with peer 4.5.6.7:456 An unclassified SSL network
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields       McAfee ESM fields
Username         Username
Protocol         Protocol
Source IP        Source IP
Destination IP   Destination IP
Task
1. Open the /etc/corosync/corosync.conf configuration file using a text editor.
2. Edit the following lines in the logging section (corosync.conf keys are lowercase):
   to_syslog: yes
   syslog_facility: daemon
3. Save your changes, close the file, then copy the file to all nodes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority><hostname>[<ID>]: [<service>/<name>] <Log ID> <message>…
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields   McAfee ESM fields
Hostname     Host
Message      Message
Node         Command
Severity     Severity
Configure Code Green Data Loss Prevention
See the Code Green Data Loss Prevention product documentation for setup instructions about sending syslog data to a remote
server. Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Code Green Data Loss Prevention log format and field mapping
Log format
The expected format for this device is:
"<Date> <Time>",<Device Type>,<Hostname>,,,<IP address>,<Session ID>,<Severity>,<Message>
Log sample
This is a sample log from a Code Green Data Loss Prevention device:
"Jan 1, 2001 4:01:01 PM",Appliance,hostname,0,,,123456,Notice,Login Events,admin,192.0.2.1,,Login completed by admin fro
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Hostname Host
IP Address Source IP
Destination IP Destination IP
Session ID Session ID
Severity Severity
Cofense Intelligence
Configure Cofense Intelligence
Task
1. Make sure that you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use the command:
python cofense_to_mcafee.py
◦ If you need a proxy to connect to Cofense, change the [proxy]:use value to True and fill out your proxy information in the
following two fields.
◦ Verify that any absolute paths are correct for your operating system.
◦ To send Indicators of Compromise (IOCs) to McAfee ESM via CEF, set [output-cef]:use to True and provide a host name/IP
address and port where you want to send CEF events.
◦ For Cyber Threat Feeds, set up the McAfee ESM integration to output STIX files to a directory: set [output-stix]:use to True
and provide the directory where you want to write the files.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|Cofense|Intelligence|1.0|deviceEventClassId|name|Severity|URL/Domain externalID category Malware Family First Publ
Log sample
This is a sample log from a device:
CEF:0|Cofense|Intelligence|1.0|watchlist_url|Watchlist URL|10|cs4Label=Malicious URL cs4=https://www.example.com/s/5rnzw
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
CEF.Severity Severity
externalId External_EventID
Cat Subcategory
dst Destination IP
fname File_Path
fileHash File_Hash
Cofense Triage
Configure Cofense Triage
Task
1. Make sure you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use this command:
python Cofense_to_mcafee.py
◦ If a proxy is needed to connect to Cofense, change the [proxy]:use value to True and fill out your proxy information in the
following two fields.
◦ Verify that any absolute paths are correct for your operating system.
◦ To send Indicators of Compromise (IOCs) into McAfee ESM via CEF, set [output-cef]:use to True and provide a host
name/IP address and port where you want to send CEF events.
◦ For Cyber Threat Feeds, set up McAfee ESM integration to output STIX files to a directory; set [output-stix]:use to True,
and provide the directory where you want to write the files.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|Cofense|Triage|2.0|Rule ID|Event|Severity|start rt Time Message Reported duser suser cat Recipe Name Highest Prior
Log sample
This is a sample log from a device:
<13>Jan 1 01:01:01 cofense-triage Triage: I, [2016-01-01T20:10:51.914471 #62969] INFO -- : CEF:0|Cofense|Triage|2.0|1|Rec
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
cat Threat_Category
Subject Subject
Severity Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Cooper Power Systems Cybectec RTU log format and field mapping
Log format
The expected format for this device is:
<timestamp> <device name> <log type> [<location>] <service>; <message type> <message>
Log sample
This is a sample log from a Cooper Power Systems Cybectec RTU device:
Jan 1 01:01:01 deviceName Security: [Example - Location] Security Service; MAINTENANCE: "Admin" - Authenticated (EXAMPLE
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Source Hostname
PROTO Protocol
SRC Source IP
DST Destination IP
Command Command
Domain Domain
Event Object
Point Interface
Device External_Device_Name
Value New_Value
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Cooper Power Systems Yukon IED Manager Suite log format and field mapping
Log format
The expected format for this device is:
<Priority> <date> <time> <hostname> <server> <message>
Log sample
This is a sample log from a Cooper Power Systems Yukon IED Manager Suite device:
<123>Jan 01 01:01:01 HOSTNAME ApplicationServer: (Connection) Connection established with DeviceName [HOSTNAME:Applicati
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Protocol Protocol
IP Address Source IP
Priority Severity
Server Application
Domain Domain
Corero IPS
Configure Corero IPS
See the Corero IPS or Top Layer - Attack Mitigator IPS documentation for instructions about how to send syslog data to the
McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> <time> <device IP> <severity> <device name> <id> <pt> <prot> <cip> <cprt> <sip> <sprt> <atck> <disp> <ckt> <src>
Log sample
This is a sample log from a Corero IPS device:
01-01-2001 01:01:01 192.0.2.1 auth.warn IPS5500: id=123456 pt=ABC-DE prot=TCP cip=192.0.2.2 cprt=12345 s
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
prot Protocol
cip Source IP
sip Destination IP
atck Signature ID
msg Message
Task
1. In \PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section.
Note: The .ini file contains these configuration values.
◦ SyslogServerIP—The IP addresses of the Syslog servers where messages are sent. Specify multiple values with commas.
◦ SyslogServerProtocol—Specifies the Syslog protocol that is used to send audit logs. Specify TCP or UDP. The default value
is UDP.
◦ SyslogServerPort—The port used to connect to the Syslog server. The default value is 514.
◦ SyslogMessageCodeFilter—Defines which message codes are sent from the Vault to McAfee ESM through the Syslog
protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple values with
pipelines. By default, all message codes are sent for user and safe activities.
◦ SyslogTranslatorFile—Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol. Specify
multiple values with commas.
◦ DebugLevel—Determines the level of debug messages. Specify SYSLOG(2) to include Syslog xml messages in the trace file.
◦ UseLegacySyslogFormat—Controls the format of the syslog message, and defines whether it is sent in a newer syslog
format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer syslog format.
Specify multiple values with commas.
2. In DBParm.ini, paste the SYSLOG section at the bottom of the file, then rename the file to McAfee.xsl.
3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in the
SyslogTranslatorFile parameter in DBParm.ini.
Note: During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.
4. Make any needed changes to the XSL translator file relevant to ESM implementation.
5. Stop and Start the vault for the changes to take effect.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
Here is a sample log from a CyberArk Enterprise Password device:
Nov 05 15:08:51 VLT2PI "Cyber-Ark Vault 5.50.0074" 295 295 "NULL" 6 LOCALHOST\\SYSTEM Retrieve password <username>=Passwo
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Task
1. In \PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section.
Note: The .ini file contains these configuration values.
◦ SyslogServerIP – The IP addresses of the syslog servers where messages are sent. Specify multiple values with commas.
◦ SyslogServerProtocol – Specifies the syslog protocol that is used to send audit logs. Specify TCP or UDP. The default value
is UDP.
◦ SyslogServerPort – The port used to connect to the syslog server. The default value is 514.
◦ SyslogMessageCodeFilter – Defines which message codes are sent from the vault to McAfee ESM through the syslog
protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple values with
pipelines. By default, all message codes are sent for user and safe activities.
◦ SyslogTranslatorFile – Specifies the XSL file used to parse CyberArk audit records data into syslog protocol. Specify multiple
values with commas.
◦ DebugLevel – Determines the level of debug messages. Specify SYSLOG(2) to include syslog xml messages in the trace file.
◦ UseLegacySyslogFormat – Controls the format of the syslog message, and defines whether it is sent in a newer syslog
format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer syslog format.
Specify multiple values with commas.
2. In DBParm.ini, paste SYSLOG section at the bottom, then rename the file to McAfee.xsl.
3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in the
SyslogTranslatorFile parameter in DBParm.ini.
Note: During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.
4. Make any needed changes to XSL translator file relevant to ESM implementation.
5. Stop and Start the vault for changes to take effect.
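The SYSLOG section above (the same steps appear for both CyberArk vault data sources) is worth validating before the vault is restarted. The following Python is an added example, not CyberArk's or McAfee's code: it reads a constructed DBParm.ini fragment holding the keys the guide lists, expands SyslogMessageCodeFilter, and flags the UDP default and the other values a reviewer would question before enabling the export. The [SYSLOG] section name, the translator path and all sample values are assumptions.

```python
import configparser
import ipaddress
import re

# Constructed DBParm.ini fragment holding the [SYSLOG] keys the guide lists; the section name,
# the translator path and every value are assumptions, not the contents of a real vault's file.
SAMPLE_DBPARM = """\
[SYSLOG]
SyslogServerIP=192.0.2.50,192.0.2.51
SyslogServerProtocol=UDP
SyslogServerPort=514
SyslogMessageCodeFilter=1-999|1000-1999
SyslogTranslatorFile=Syslog\\McAfee.xsl
DebugLevel=SYSLOG(2)
UseLegacySyslogFormat=No
"""

_CODE_OR_RANGE = re.compile(r"^\d+(?:-\d+)?$")

def load_syslog_section(ini_text):
    """Return the [SYSLOG] section of a DBParm.ini as a dict, keeping key case as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(ini_text)
    if not parser.has_section("SYSLOG"):
        raise ValueError("DBParm.ini has no [SYSLOG] section")
    return dict(parser.items("SYSLOG"))

def message_code_filter(value):
    """Expand '1,5-7|100-101' (commas inside a value, pipes between values) into a set of codes.
    An empty filter means every code is sent, the default the guide describes; returned as None."""
    if not value.strip():
        return None
    codes = set()
    for group in value.split("|"):
        for item in group.split(","):
            item = item.strip()
            if not _CODE_OR_RANGE.match(item):
                raise ValueError(f"bad SyslogMessageCodeFilter entry {item!r}")
            low, _, high = item.partition("-")
            codes.update(range(int(low), int(high or low) + 1))
    return codes

def check_syslog_section(section):
    """Return (key, finding) pairs a reviewer would raise before restarting the vault with this section."""
    findings = []
    servers = [s.strip() for s in section.get("SyslogServerIP", "").split(",") if s.strip()]
    if not servers:
        findings.append(("SyslogServerIP", "no syslog server listed; audit records would go nowhere"))
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(("SyslogServerIP", f"{server!r} is not an IP address"))
    protocol = section.get("SyslogServerProtocol", "UDP").upper()  # UDP is the documented default
    if protocol == "UDP":
        findings.append(("SyslogServerProtocol",
                         "UDP delivery is unacknowledged and cannot meet the receiver's Require Syslog TLS option; use TCP"))
    elif protocol != "TCP":
        findings.append(("SyslogServerProtocol", f"{protocol!r} is neither TCP nor UDP"))
    port = section.get("SyslogServerPort", "514")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("SyslogServerPort", f"{port!r} is not a valid port"))
    try:
        codes = message_code_filter(section.get("SyslogMessageCodeFilter", ""))
        if codes is not None and not codes:
            findings.append(("SyslogMessageCodeFilter", "filter selects no message codes"))
    except ValueError as exc:
        findings.append(("SyslogMessageCodeFilter", str(exc)))
    if not section.get("SyslogTranslatorFile", "").lower().endswith(".xsl"):
        findings.append(("SyslogTranslatorFile", "expected the XSL translator file copied from the syslog subfolder"))
    if section.get("UseLegacySyslogFormat", "No").strip().lower() == "yes":
        findings.append(("UseLegacySyslogFormat", "legacy format selected; the documented default No sends RFC 5424"))
    if section.get("DebugLevel", "").strip().upper().startswith("SYSLOG("):
        findings.append(("DebugLevel", "SYSLOG(2) copies every syslog XML message into the trace file"))
    return findings

if __name__ == "__main__":
    for key, finding in check_syslog_section(load_syslog_section(SAMPLE_DBPARM)):
        print(f"{key}: {finding}")
```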
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
CyberArk Privileged Identity Management Suite CEF log format and field mapping
Log sample
Here is a sample log from a CyberArk Privileged Identity Management Suite – CEF device:
Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Fname Filename.Filename
cs4_Database Database_Name.Database_Name
Dhost Destination_Hostname.Destination_Hostname
Spriv Priviledged_User.Priviledged_User
externalId Instance_GUID.Instance_GUID
cs1_Affected_User_Name Destination_UserID.Destination_UserID
App protocol
App application
duser dst_username
suser src_username
cs2_Safe_Name objectname
Dvc src_ip
shost src_ip
Src src_ip
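Cofense Intelligence, Cofense Triage and the CyberArk PIM Suite all deliver CEF, either bare or behind a syslog or logger prefix, and each has its own field-mapping table above. The following Python is an added example, not code from the guide or from Cofense, CyberArk or McAfee: it splits the CEF header and extension with CEF escaping, folds csNLabel pairs into names of the cs4_Database form the CyberArk table uses (an assumption about how those names arise), and applies the three tables. Choosing the table by DeviceProduct, keeping only the first component of names like Filename.Filename, and the sample lines are my additions.

```python
import re

# Field-mapping tables from the guide (keys compared case-insensitively); "Filename.Filename" is kept as "Filename".
COFENSE_INTELLIGENCE = {
    "CEF.Severity": "Severity", "externalId": "External_EventID", "Cat": "Subcategory",
    "dst": "Destination IP", "fname": "File_Path", "fileHash": "File_Hash",
}
COFENSE_TRIAGE = {"cat": "Threat_Category", "Subject": "Subject", "Severity": "Severity"}
CYBERARK_PIM = {
    "Fname": "Filename", "cs4_Database": "Database_Name", "Dhost": "Destination_Hostname",
    "Spriv": "Priviledged_User", "externalId": "Instance_GUID", "cs1_Affected_User_Name": "Destination_UserID",
    "App": ("protocol", "application"), "duser": "dst_username", "suser": "src_username",
    "cs2_Safe_Name": "objectname", "Dvc": "src_ip", "shost": "src_ip", "Src": "src_ip",
}
MAPPING_BY_PRODUCT = {"Intelligence": COFENSE_INTELLIGENCE, "Triage": COFENSE_TRIAGE, "Vault": CYBERARK_PIM}  # assumption
HEADER_NAMES = ("version", "devicevendor", "deviceproduct", "deviceversion", "signatureid", "name", "severity")
_KV = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
_ESC = re.compile(r"\\(.)")

def _split_header(body):
    """Split the seven '|'-delimited header fields; a backslash escapes the next character (\\| and \\\\)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, body[i:]  # whatever follows the seventh '|' is the extension

def _unescape(value):  # CEF extension escapes: \= \\ \n \r
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(extension):
    """key=value pairs separated by spaces; a value may itself contain spaces or escaped '='."""
    return {m.group("key"): _unescape(m.group("value")) for m in _KV.finditer(extension.strip())}

def _resolve_labels(ext):
    """cs4Label=Database plus cs4=X yields cs4_Database=X (assumed naming behind the guide's cs4_Database rows)."""
    resolved = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            resolved[f"{key[:-5]}_{label.replace(' ', '_')}"] = ext[key[:-5]]
    return resolved

def parse_cef(line):
    """Parse one CEF record; any syslog or logger prefix before 'CEF:' is kept as 'prefix'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    header, extension = _split_header(line[start:])
    if len(header) != 7:
        raise ValueError("malformed CEF header: expected seven '|'-delimited fields")
    header[0] = header[0][len("CEF:"):]
    record = {"prefix": line[:start].rstrip()}
    record.update({f"cef.{name}": value for name, value in zip(HEADER_NAMES, header)})
    ext = _parse_extension(extension)
    ext.update(_resolve_labels(ext))
    record["ext"] = ext
    return record

def map_to_esm(record, mapping):
    """Apply a 'Log fields -> McAfee ESM fields' table; when several log fields feed one ESM field, the first wins."""
    source = {k.lower(): v for k, v in record["ext"].items()}
    source.update({k: v for k, v in record.items() if k.startswith("cef.")})
    source.setdefault("severity", record["cef.severity"])  # the Triage table names the header severity plainly
    out = {}
    for log_field, esm_fields in mapping.items():
        value = source.get(log_field.lower())
        if value is None:
            continue
        for esm_field in ((esm_fields,) if isinstance(esm_fields, str) else esm_fields):
            out.setdefault(esm_field, value)
    return out

def normalize(line):  # parse a line and apply the table for its DeviceProduct; unknown products map nothing
    record = parse_cef(line)
    return record, map_to_esm(record, MAPPING_BY_PRODUCT.get(record["cef.deviceproduct"], {}))

# Constructed sample lines in the three formats shown in the guide; none of them is a real event.
SAMPLES = {
    "intelligence": "CEF:0|Cofense|Intelligence|1.0|watchlist_url|Watchlist URL|10|cs4Label=Malicious URL "
                    "cs4=https://www.example.com/s/5rnzw externalId=12345 cat=Phishing dst=192.0.2.10 "
                    "fname=invoice.doc fileHash=0123456789abcdef0123456789abcdef",
    "triage": "<13>Jan 1 01:01:01 cofense-triage Triage: I, [2016-01-01T20:10:51.914471 #62969] INFO -- : CEF:0|"
              "Cofense|Triage|2.0|1|Recipe Match|5|cat=Credential Phishing Subject=Password reset required suser=alice@example.com",
    "cyberark": "Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|"
                "act=CPM Verify Password suser=PasswordManager fname=Root\\\\Windows-Svc\\\\svc_backup dvc=10.0.0.5 "
                "shost=PRODVAULT duser=svc_backup externalId=00000000-0000-0000-0000-000000000001 cs1Label=Affected User Name "
                "cs1=svc_backup cs2Label=Safe Name cs2=Windows-Svc cs4Label=Database cs4=CorpDB app=RDP",
}
if __name__ == "__main__":
    print({name: normalize(line)[1] for name, line in SAMPLES.items()})
```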
Task
1. On the Privileged Threat Analytics (PTA) system, open the /opt/tomcat/diamond-resources/default/systemparm.properties configuration file
using a text editor.
2. Copy the line that contains the syslog_outbound property, then close the file.
3. Open the /opt/tomcat/diamond-resources/local/systemparm.properties configuration file.
4. Paste the line you copied, then uncomment the syslog_outbound property and edit the parameters.
Note: Use this example as a guide.
syslog_outbound=[{"host": "<SIEM_IP>", "port": 514, "format": "<FORMAT>", "protocol": "UDP"}]
where <SIEM_IP> is the IP address of the McAfee Event Receiver and <FORMAT> is CEF.
5. Save and close the file, then restart CyberArk PTA.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
CEF:0|CyberArk|PTA|3.1|21|Suspected credentials theft|9|duser=jessica dst=fileserver4.orgdomain.com cs2Label=eventID cs2
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity severity
url link
Src_host Hostname
eventname Message
Damballa Failsafe
Configure Damballa Failsafe
Task
1. Log on to the Damballa Failsafe Management Console, then navigate to Setup → Integration Settings.
2. Click the Syslog tab, then select Enable Publishing to Syslog.
3. In the Syslog Hostname field, enter the IP address of the McAfee Event Receiver, then select Enable Syslog Header.
4. In the Syslog Facility and Syslog Severity drop-down lists, select the facility and severity of events to send to the McAfee Event
Receiver.
5. Leave the Syslog Port field blank for the default port of 514, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value>
Log sample
This is a sample log from a Damballa Failsafe device:
CEF:0|Damballa|Failsafe|5.0.3|Convicted Host|Evidence|10|app=DNS cat=DNS Query cfp1=123 cfp1Label=Asset Risk Factor cfp2=
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
shost Host
proto Protocol
src Source IP
dst Destination IP
externalid Session ID
app Application
cat Object_Type
request URL
msg Message_Text
cs2 Threat_Name
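The CEF header and extension syntax given above, parsed and mapped onto the ESM names in the Damballa Failsafe table, as an added example (not McAfee or Damballa code): the mapping dictionary, the completed sample line and the invented values in it are this example's own, and the same routines apply to the other CEF sources in this guide (CyberArk PTA, MEAS).

```python
"""CEF header/extension parser with the Damballa Failsafe -> McAfee ESM field
mapping from the table above. Added illustration; not McAfee or Damballa code."""
import re

# Header positions: CEF:<version>|<device vendor>|<device product>|<device version>|
#                   <signature ID>|<name>|<severity>|<key=value> <key=value>
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Log field -> ESM field, copied from the Damballa Failsafe mapping table.
ESM_FIELD_MAP = {
    "shost": "Host", "proto": "Protocol", "src": "Source IP", "dst": "Destination IP",
    "externalid": "Session ID", "app": "Application", "cat": "Object_Type",
    "request": "URL", "msg": "Message_Text", "cs2": "Threat_Name",
}

# Constructed sample: the guide's (truncated) line completed with invented values.
# Note the space-containing values and the escaped '=' inside msg.
SAMPLE = ("CEF:0|Damballa|Failsafe|5.0.3|Convicted Host|Evidence|10|"
          "app=DNS cat=DNS Query cfp1=123 cfp1Label=Asset Risk Factor "
          "shost=ws-0042 src=10.1.2.3 dst=198.51.100.7 proto=UDP "
          "externalId=7f3a cs2=Example.Threat cs2Label=Threat Name "
          "msg=lookup for host\\=bad.example")

# A '|' that is not preceded by a backslash ends a header field.
_PIPE_RE = re.compile(r"(?<!\\)\|")
# An extension key: start of string or a space, then the key name, then '='.
# A value's escaped '\=' never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def split_header(line):
    """Return (header dict, extension string) for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _PIPE_RE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = {name: value.replace("\\|", "|").replace("\\\\", "\\")
              for name, value in zip(HEADER_FIELDS, parts[:7])}
    return header, parts[7]


def parse_extensions(ext):
    """Parse 'key=value key=value' where values may contain spaces.

    Each value runs from its '=' up to the next '<space>key=' token, so
    'cat=DNS Query cfp1=123' yields cat='DNS Query'. CEF escapes in values
    ('\\=', '\\n', '\\r', '\\\\') are decoded."""
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = (raw.replace("\\=", "=").replace("\\n", "\n")
                              .replace("\\r", "\r").replace("\\\\", "\\"))
    return fields


def to_esm(line, field_map=ESM_FIELD_MAP):
    """Map one CEF line onto ESM field names. Returns (header, esm, unmapped).

    The guide lists 'externalid' in lower case while CEF emits 'externalId',
    so keys are compared case-insensitively against the table."""
    header, ext = split_header(line)
    esm, unmapped = {}, {}
    for key, value in parse_extensions(ext).items():
        target = field_map.get(key.lower())
        if target:
            esm[target] = value
        else:
            unmapped[key] = value   # e.g. cfp1, cs2Label: not in the table
    return header, esm, unmapped


if __name__ == "__main__":
    hdr, mapped, rest = to_esm(SAMPLE)
    print(hdr["signature_id"], "->", mapped, "| unmapped:", sorted(rest))
```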
Dell Aventail
Configure Dell Aventail
Task
1. Log on to the Aventail Management Console, then click Monitoring → Logging.
2. Click the Configure Logging tab, then set the logging levels in the Aventail service level section.
3. In the Syslog configuration section, enter these settings:
◦ Server n: The IP address of the McAfee Event Receiver
◦ Port: 514
◦ Protocol: UDP
4. Click Save, then click Pending Changes to apply the new settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Before 9.2.0:
Hostname Host
Severity Severity
Duration Elapsed_Time
Session ID Session ID
Variable, cleanup, attribute, file, assigned to, Client OS, Client OS Version, policy Object
Hostname Host
Severity Severity
SrcBytes Bytes_Sent
DstBytes Bytes_Received
Duration Elapsed_Time
Session ID Session ID
file Filename
assigned to Destination_Zone
policy Policy_Name
Task
1. Using a web browser, log on to the Dell PowerConnect Switch.
2. Navigate to System → Logs → Remote Log Server, then click Add to add a server.
3. In the Log Server field, enter the IP address of the McAfee Event Receiver.
4. In the UDP Port field, enter the port used on the McAfee Event Receiver to receive syslog (default is 514).
5. In the Severity section, select the severity of logs to be sent to the McAfee Event Receiver, then click Apply Changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Log format
The expected format for this device is:
<date time> <device IP> <application> <message number> <message>
Log sample
This is a sample log from a Dell PowerConnect Switches device:
JAN 01 01:01:01 192.0.2.1-1 TRAPMGR[123456789]: service(123) 1234 %% An invalid user tried to login through Web from 192.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Application Application
IP Protocol Protocol
IP Address Source IP
User Username
Severity Severity
Dell SonicOS
Configure Dell SonicOS
Task
1. Log on to the web interface, then select Log → Automation from the navigation menu.
2. In the Syslog Servers section, click Add, then, in the Name or IP Address field, enter the IP address of your McAfee Event Receiver.
3. In the Port field, enter 514 (the default port for syslog), then click OK.
4. In the Syslog Format list, select Default, then click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<pri>id=id sn=serial_number time="date time" fw=IP_Address pri=priority c=Message_Category m=Message_ID msg="IPS_Message
Log sample
This is a sample log from a SonicWall device:
Standard Event:
<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" fw=123.45.56.1 pri=1 c=32 m=608 msg="IPS Detection Alert:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Management Event:
id Application
mgmtip Source IP
m Signature ID
Standard Event:
pri Severity
m Signature ID
c **Event_Class
Category Category
bytesRx Bytes_Received
bytesTx Bytes_Sent
FQDN Domain
* Only available in ESM 9.2.0 and later
** Values are converted to their text equivalent
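The <pri>key=value format above with its two mapping tables, parsed in Python as an added example (not McAfee or SonicWall code): the completed Standard Event line, the Management Event line, and the rule that a record carrying mgmtip is a Management Event are this example's own assumptions.

```python
"""Parser for the Dell SonicOS key=value syslog format shown above, with the
Standard/Management Event -> McAfee ESM mapping from the table. Added
illustration, not McAfee or SonicWall code."""
import re

# Copied from the mapping table. 'c' is marked ** in the guide (ESM converts it
# to a text equivalent); that code table is not in the guide, so 'c' stays numeric.
STANDARD_EVENT_MAP = {"pri": "Severity", "m": "Signature ID", "c": "Event_Class",
                      "Category": "Category", "bytesRx": "Bytes_Received",
                      "bytesTx": "Bytes_Sent", "FQDN": "Domain"}
MANAGEMENT_EVENT_MAP = {"id": "Application", "mgmtip": "Source IP", "m": "Signature ID"}

# Constructed samples: the guide's truncated Standard Event completed with invented
# values, plus an invented Management Event. The fw= address is the guide's own.
STANDARD = ('<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" '
            'fw=123.45.56.1 pri=1 c=32 m=608 msg="IPS Detection Alert: WEB-ATTACKS '
            'example signature" sid=1234 Category="Intrusion Prevention" '
            'src=203.0.113.5:51515:X1 dst=123.45.56.1:80:X0 proto=tcp/http '
            'FQDN=www.example.com bytesRx=512 bytesTx=1024')
MANAGEMENT = ('<134>id=firewall sn=0012ABCD3456 time="2014-01-10 12:15:00 UTC" '
              'fw=123.45.56.1 pri=6 c=0 m=1 msg="Administrator login allowed" '
              'mgmtip=192.0.2.10 usr=admin')

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value where the value is either a double-quoted string (may contain
# spaces, e.g. time="2014-01-10 12:11:10 UTC") or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def split_pri(line):
    """Strip the syslog <PRI> and decode it: PRI = facility*8 + severity, so
    <129> is facility 16 (local0), severity 1 (alert). Returns (fac, sev, body)."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_kv(body):
    """Tokenize the message body into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(body)}


def to_esm(line):
    """Parse one SonicOS line and map it with the table for its event kind.

    Assumption (not stated in the guide): a record that carries mgmtip is a
    Management Event; everything else is treated as a Standard Event."""
    facility, severity, body = split_pri(line)
    raw = parse_kv(body)
    kind = "management" if "mgmtip" in raw else "standard"
    table = MANAGEMENT_EVENT_MAP if kind == "management" else STANDARD_EVENT_MAP
    esm = {table[k]: v for k, v in raw.items() if k in table}
    return {"kind": kind, "pri": (facility, severity), "esm": esm, "raw": raw}


if __name__ == "__main__":
    for line in (STANDARD, MANAGEMENT):
        r = to_esm(line)
        print(r["kind"], r["pri"], r["esm"])
```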
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The logs follow the CEF logging format. In addition to the regular CEF formatted key-value pairs, additional keys can be found in
the msg="" key-value pair. Here is the CEF logging format:
CEF:Version|INFOSEC-DGTECH|MEAS|MeasServer Version|Signature ID|Name|Severity|extensions
Log sample
This is a sample log from a MEAS device:
Jan 1 00:00:00 HOST1 CEF:0|INFOSEC-DGTECH|MEAS|#.##.##|###|SIGNATURE NAME|1|act=log shost=HOST1 suid=USER1 src=192.0.2.1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
CAT Catalong_Name
Cmd FTP_Command
DEPT Organizational_Unit
dproc Application
dprot Access_Resource
dst Destination IP
FileType File_Type
fname Destination_Filename
fname Filename
host Host
Jobtype Job_Type
LUName Logical_Unit_Name
name Rule_Name
Number.of.Bytes *Bytes_Sent
pgname Application
Plan DB2_Plan_Name
proto protocol
Reason Reason
severity severity
shost LPAR_DB2_Subsystem
src Source IP
sntdom Domain
SQLSTMT SQL_Statement
Step/Stepname Step_Name
StepCount Step_Count
suid Source_UserID
TYPE Command
VOLS Volume_ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Timestamp | Src | Src Port | Dst | Dst Port | Severity | Attack Description
Log sample
This is a sample log from an Econet Sentinel IPS device:
2013-10-30 16:27:17.772624|192.168.2.2|8080|192.168.2.1|80|1|VNC Aggressive SCAN attempt
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Source Source IP
Dst Destination IP
Severity Severity
Task
1. Log on to the iPrism Web Security configuration web console, then click System Settings → Event Logging.
2. Select Enable event logging using Syslog, then, in the Syslog Host field, enter the IP address of the McAfee Event Receiver.
3. In the Syslog Port field, enter 514, then click Save and Activate Changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority> <date> <time> <device> <type> <protocol> <time> <action> <IP> <profile> <user> <bandwidth> <URL> <rating> <du
Log sample
This is a sample log from an EdgeWave iPrism Web Security device:
<123>Jan 01 01:01:01 iprism: WEB http 978310861 P 192.0.2.1 Block-User domain\username 123 http://example.com/sub web se
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Rating Message
IP Source IP
Protocol Application
Mime Object
Add Enforcive Cross-Platform Audit
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<pri> CEF:0|Enforcive|ES CPA|version|eventID|EventDesc|Severity|app=appname cat=category act=action cs1=cs1string cs1Lab
Log sample
This is a sample log from an Enforcive Cross-Platform Audit device:
<110> CEF:0|Enforcive|ES CPA|8.2|SIN00F0000|FTP_SERVER-FTP LOGON|3|app=System i - Application Audit cat=FTP_SERVER act=FT
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
EventID → Signature ID
Severity → Severity
cat → Category
Dhost → Destination_Hostname
src → Source IP
dst → Destination IP
Application → Application
Dproc → Target_Process_Name
Message → Message_Text
Entrust IdentityGuard
Configure Entrust IdentityGuard
Task
1. In the Entrust Identity Guard Properties Editor, click System Logging Appenders from the Table of Contents.
2. In the SYSTEM_SYSLOG Host Name field, enter the IP address of the McAfee Event Receiver.
3. To specify a port other than the standard syslog UDP port, add a colon and the port number at the end of the IP address (for
example, 192.0.2.1:514).
4. Click Validate → Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<Priority> <Date> <Time> <IP> <Log Type> <Severity> <Log ID> <Domain> <User> <Message>
Log samples
This is a sample log from an Entrust Identity Guard device:
<123>Jan 1 01:01:01 196.0.2.1 Audit Writer] [INFO ] [IG.AUDIT] [AUD3003] [DOMAIN/user] One time password with index 4 cr
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
Description → Message
IP → Source IP
Description → Action
Domain → Domain
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> DefaultFilter severity Debug-Data
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> match Any
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> format timestamp seconds date Mmm-dd event-
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log formats
The expected format for this device is:
<PRI> DATE TIME APPLICATION: MESSAGE
Log samples
These are sample logs from an device:
<123> Jan 01 01:01:01 AAA: MSM-A: Login failed for user Bob through ssh (192.0.2.0/24)
<123> Jan 01 01:01:02 AAA: MSM-A:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
Severity → Severity
Action → Action
Application → Application
Source IP → Source IP
Destination IP → Destination IP
Object → Object
F5 Networks FirePass SSL VPN
Configure F5 Networks FirePass SSL VPN
Task
1. Log on to the F5 Networks FirePass Admin Console, then navigate to Device Management → Maintenance → Logs.
2. In the System Logs menu, select Enable Remote Log Server, and verify that Enable Extended System Logs is deselected.
3. In the Remote Host field, type the IP address of the McAfee Event Receiver.
4. In the Log Level drop-down list, select Information.
5. In the Kernel Log Level drop-down list, select Information, then click Apply System Changes to save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log formats
The expected format for this device is:
<priority> <log type>[<log id>]: [<user>@<domain>] <message> <key> = <value>…
Log sample
This is a sample log from an F5 Networks FirePass SSL VPN device:
<123>security[12345]: [support@exampleDomain] User exampleUser logged on from 192.0.2.1 Sid =1a2b3c
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
hostname → Host
domain → Domain
session → Session ID
group → Command
Sid → Object
Email → To
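The FirePass layout above places a bracketed user@domain after the log type and log id, then free text, then optional key = value pairs; the page's sample writes the pair as "Sid =1a2b3c", with a space before the equals sign, which a naive split on "=" gets wrong. The following Python parser is an added example, not code from the original guide or from F5: it extracts the documented fields, derives the syslog facility and severity from the PRI value (RFC 3164: PRI = facility * 8 + severity), separates the message from the trailing pairs, and applies the mapping table above (domain to Domain, Sid to Object, group to Command). The first sample line is the page's own; the second is constructed to show two trailing pairs.

```python
import re

# Sample lines: the first is the page's own FirePass sample, the second is a
# constructed line (not from the original page) carrying two trailing pairs.
SAMPLES = [
    "<123>security[12345]: [support@exampleDomain] User exampleUser logged on from 192.0.2.1 Sid =1a2b3c",
    "<123>security[12346]: [support@exampleDomain] Logon failed for user exampleUser "
    "from 192.0.2.2 Sid = 4d5e6f group=Admins",
]

# Documented layout: <priority> <log type>[<log id>]: [<user>@<domain>] <message> <key> = <value>...
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<log_type>[A-Za-z_][\w-]*)\[(?P<log_id>\d+)\]:\s+"
    r"\[(?P<user>[^@\]]*)@(?P<domain>[^\]]*)\]\s*"
    r"(?P<rest>.*)$"
)
# Trailing pairs: the sample writes "Sid =1a2b3c", so whitespace is allowed on
# either side of "=". The lookbehind stops a key from starting mid-token.
KV_RE = re.compile(r"(?<![\w.])(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<value>\S+)")

# Data-source field -> McAfee ESM field, from the FirePass mapping table above.
ESM_FIELD_MAP = {
    "hostname": "Host", "domain": "Domain", "session": "Session ID",
    "group": "Command", "Sid": "Object", "Email": "To",
}


def parse_firepass(line):
    """Parse one FirePass line; returns None when the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rest = m.group("rest")
    pairs, cut = {}, len(rest)
    for kv in KV_RE.finditer(rest):
        cut = min(cut, kv.start())  # the message ends where the first pair starts
        pairs[kv.group("key")] = kv.group("value")
    fields = {
        "log_type": m.group("log_type"),
        "log_id": m.group("log_id"),
        "user": m.group("user"),
        "domain": m.group("domain"),
        "message": rest[:cut].strip(),
    }
    fields.update(pairs)
    return {
        "facility": pri // 8,  # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
        "fields": fields,
        "esm": {ESM_FIELD_MAP[k]: v for k, v in fields.items() if k in ESM_FIELD_MAP},
    }


def parse_all(lines):
    """Parse a batch of lines, skipping those that do not match the layout."""
    return [r for r in (parse_firepass(ln) for ln in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_all(SAMPLES):
        print(rec["fields"]["log_id"], rec["fields"]["message"], rec["esm"])
```

Lines that do not match the layout are dropped rather than guessed at, so a count of dropped lines is a cheap health check for a source whose events arrive but are not parsed.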
Task
1. Log on to the command line of the F5 Local Traffic Manager.
2. At the tmsh prompt, add a syslog server using this command format:
modify /sys syslog remote-servers add {<server name> {host <server IP address> remote-port <port number>}}
Example:
modify /sys syslog remote-servers add {server{host 10.1.1.1 remote-port 514}}
3. Save the configuration:
save /sys config
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: <Default>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Fidelis XPS
Configure Fidelis XPS
See the Fidelis XPS/CommandPost product documentation for setup instructions about sending syslog data to a remote server.
Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<action> <alert UUID> <compression> <destination address> <destination port> <filename> <from> <group> <policy> <protoco
Log sample
This is a sample log from a Fidelis XPS device:
alert aabbccdd-eeff-1122-3344-5566778899aa 0 192.0.2.1 123 <n/a> <n/a> default POLICY TLS Expired SSL Certificate 127.0.0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
rule → Message
proto → Protocol
srcaddr → Source IP
dstaddr → Destination IP
severity → Severity
filename → Filename
from → From
to → To
subject → Subject
Task
1. To enter configuration mode, enter the following commands:
enable
configure terminal
fenotify rsyslog enable
Replace <SIEM-name> with a short name without spaces to identify the server.
4. Specify the IP address for the new remote server:
fenotify rsyslog trap-sink <SIEM-name> address <IP-address>
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value>
Log sample
This is a sample log from a FireEye Malware Protection System device:
CEF:0|FireEye|MPS|6|AB|infection-match|1|rt=Jan 01 2001 01:01:01 src=192.0.2.1 cn2Label=sid cn2=123 shost=example.com pro
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
cn2 → Protocol
src → Source IP
dst → Destination IP
cn1 → VLAN
cs1 → Message
msg → Application
cs2 → Command
cat → Object
cs4 → URL
cs3 → Operating_System
filepath → File_Path
filehash → File_Hash
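Both CEF-based data sources on this page, Enforcive Cross-Platform Audit and FireEye Malware Protection System, carry the same structure: a CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>| header followed by key=value extensions, which the two mapping tables project onto McAfee ESM fields. The following Python parser is an added example, not code from the original guide or from McAfee, Enforcive or FireEye. It strips an optional syslog <PRI> prefix (the Enforcive sample has one, the FireEye sample does not), splits the header on unescaped pipes, parses the extension while honouring the \= and \\ escapes, resolves cnNLabel/csNLabel pairs such as cn2Label=sid cn2=123, and applies each mapping table. The sample events are constructed: the page's samples are truncated, so their tails here are invented, the file hash is an obvious placeholder, and the Enforcive table's Application and Message rows are assumed to refer to the app= and msg= extension keys.

```python
import re

# Constructed sample events (not from the original page). The page's two CEF
# samples are truncated, so the extension tails below are invented for
# illustration and the file hash is an obvious placeholder.
ENFORCIVE_SAMPLE = (
    "<110> CEF:0|Enforcive|ES CPA|8.2|SIN00F0000|FTP_SERVER-FTP LOGON|3|"
    "app=System i - Application Audit cat=FTP_SERVER act=FTP LOGON "
    "src=192.0.2.10 dst=192.0.2.20 dhost=ibmi01 dproc=QTFTP msg=User logon via FTP"
)
FIREEYE_SAMPLE = (
    "CEF:0|FireEye|MPS|6|AB|infection-match|1|rt=Jan 01 2001 01:01:01 "
    "src=192.0.2.1 cn2Label=sid cn2=123 shost=example.com proto=tcp "
    "dst=198.51.100.7 cn1Label=vlan cn1=10 cs1Label=sname cs1=Trojan.Generic "
    "cs4Label=link cs4=http://example.com/path?a\\=1 filehash=HASH_PLACEHOLDER"
)

# Data-source field -> McAfee ESM field, from the two mapping tables on this page.
# Header fields are keyed by CEF position name. Assumption: the Enforcive table's
# "Application" and "Message" rows refer to the app= and msg= extension keys.
ENFORCIVE_MAP = {
    "signature_id": "Signature ID", "severity": "Severity", "cat": "Category",
    "dhost": "Destination_Hostname", "src": "Source IP", "dst": "Destination IP",
    "app": "Application", "dproc": "Target_Process_Name", "msg": "Message_Text",
}
FIREEYE_MAP = {
    "cn2": "Protocol", "src": "Source IP", "dst": "Destination IP", "cn1": "VLAN",
    "cs1": "Message", "msg": "Application", "cs2": "Command", "cat": "Object",
    "cs4": "URL", "cs3": "Operating_System", "filepath": "File_Path",
    "filehash": "File_Hash",
}

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
# A key starts the extension or follows whitespace and is directly followed by
# "="; an escaped "\=" inside a value therefore never opens a new key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _split_header(text):
    """Split the text after 'CEF:' on unescaped '|' into 7 header fields + extension."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER):
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # "\|" and "\\" are literal in the header
            buf.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header: %r" % text)
    return fields, text[i:]


def _unescape(value):
    # Undo CEF extension escapes: \= and \\ are literal, \n and \r are line breaks.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(line):
    """Parse one CEF record, optionally prefixed with a syslog <PRI>, into a dict."""
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER, fields))
    event["syslog_pri"] = pri
    keys = list(KEY_RE.finditer(ext))
    extensions = {}
    for n, k in enumerate(keys):  # each value runs up to the start of the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extensions[k.group(1)] = _unescape(ext[k.end():end].strip())
    event["extensions"] = extensions
    # Resolve custom-field labels, e.g. cn2Label=sid cn2=123 -> labels["sid"] == "123".
    event["labels"] = {v: extensions[k[:-5]] for k, v in extensions.items()
                       if k.endswith("Label") and k[:-5] in extensions}
    return event


def to_esm(event, field_map):
    """Project the header's signature id/severity and the extensions onto ESM field names."""
    esm = {}
    for key in ("signature_id", "severity"):
        if key in field_map:
            esm[field_map[key]] = event[key]
    for key, value in event["extensions"].items():
        if key in field_map:
            esm[field_map[key]] = value
    return esm


if __name__ == "__main__":
    for sample, fmap in ((ENFORCIVE_SAMPLE, ENFORCIVE_MAP), (FIREEYE_SAMPLE, FIREEYE_MAP)):
        ev = parse_cef(sample)
        print(ev["device_vendor"], ev["name"], to_esm(ev, fmap), ev["labels"])
```

The header splitter deliberately stops after the seventh pipe, because pipes in the extension are not escaped in CEF and must not be treated as separators; a record whose header is cut short raises rather than producing a half-mapped event.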
Task
1. From the AirMagnet Policy Notification List, select Syslog to open the Syslog Notification dialog box.
2. In the Notification Name field, enter a unique notification name.
3. In the Generation drop-down list, select an interval to generate notifications.
4. In the Syslog server name field, enter the fully qualified domain name (FQDN) or IP address of the McAfee Event Receiver.
5. In the Facility code drop-down list, select the type of messages you want to send.
6. In the Protocol area, select UDP, then enter the port used on the McAfee Event Receiver for receiving syslog (default is 514).
7. Click OK to save and close.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device name> <message> <sensor> <location> <description> <source MAC> <SSID>
Log sample
This is a sample log from a Fluke Networks AirMagnet Enterprise device:
<123>Jan 01 01:01:01 deviceName deviceName Alert: Rogue AP by MAC address (ACL) from sensor SensorName, Location: locatio
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log field → McAfee ESM field
SSID → Host
Sensor → Object
Task
1. Log on to the command line and enter these commands:
logging 192.0.2.1
3. Save changes:
copy running-config startup-config
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
280 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
Option Definition
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> <time> %<hostname> %<service>-<severity>-<log type>: <message>
Log sample
This is a sample log from a Force10 Networks FTOS device:
Jan 01 01:01:01: %HOSTNAME %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 192.0.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log Fields McAfee ESM Fields
Service Application
IP Address Source IP
Severity Severity
Forcepoint Websense
Configure Forcepoint Websense
After you install or enable Websense Multiplexer, activate and configure McAfee ESM integration on TRITON - Web Security. Follow
this procedure for each Policy Server instance in your deployment.
Task
1. Navigate to Settings → General → SIEM Integration and select Enable SIEM integration for this Policy Server.
2. Provide the IP address or host name of the system hosting McAfee ESM, then provide the communication port to use for
sending McAfee ESM data.
3. Specify the transport protocol (UDP or TCP) to use when sending data to McAfee ESM, then select the McAfee ESM format to
determine the syntax of the string used to pass log data to the integration.
4. From the available options, select the CEF format, then click OK to cache your changes.
5. To implement the changes, click Save and Deploy.
Results
When the changes are saved, Websense Multiplexer connects to Filtering Service and distributes the log data to both Log Server
and the selected McAfee ESM integration.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is Common Event Format (CEF).
Log sample
This is a sample log from a Websense device:
<13>Mar 06 12:55:48 192.0.2.1 CEF:0|Forcepoint|Security|7.7.0|9|Transaction permitted|1| act=permitted app=http dvc=192.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log Fields McAfee ESM Fields
act Action
severity Severity
cat Category
src Source IP
dst Dest. IP
spt Source IP
destinationTranslatedPort Nat_Details
requestMethod Method
request URL
in Bytes_Received
out Bytes_Sent
cn2_ScanDuration Elapsed_Time
fname Filename
cat Category
sourceServiceName Service_Name
request URL
dhost Web_Domain
app Protocol
dst Dest. IP
src Source IP
Cn1_DispositionCode Signature ID
EventID External_EventID
ForeScout CounterACT
Configure ForeScout CounterACT
To configure CounterACT to send syslog events to the McAfee Event Receiver, you must install a plug-in for CounterACT.
Task
1. From the ForeScout website, download the ForeScout plug-in for integration with the McAfee ESM.
2. In the CounterACT software, click Options from the toolbar, then click Plugins.
3. Click Install and navigate to the plug-in file that you downloaded, then click Install.
The plug-in appears in the Plugins list.
4. Select the McAfee ESM plug-in, then click Configure.
5. Select the devices that need to be configured to send events to the McAfee Event Receiver, then click OK to open the
Configuration window.
6. In the Server Address field, enter the IP address of the McAfee Event Receiver.
7. In the Syslog Port field, enter 514, then click OK to save and exit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<Priority> <device name>[<event ID>]: <log type> <source IP> <rule> <policy> <match> <category> <details> <reason> <adde
Log sample
This is a sample log from a ForeScout CounterACT device:
<123>CounterACT[12345]: NAC Policy Log: Source: 192.0.2.1, Rule: Policy "AntiVirus Compliance" , Match: "AV Not Running:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Event ID Session ID
Destination Destination IP
Policy Application
command Command
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log Format
The expected format for this device is:
<priority> <device name> <event ID> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>
Log Sample
This is a sample log from a ForeScout CounterACT device:
<123>CounterACT[1234]: CEF:0|ForeScout Technologies|CounterAct|6|NONCOMPLIANCE|host is not compliant|5|cs1Label=Complianc
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Dpt Protocol
Dst Destination IP
dproc Application
sntdom Domain
request URL
filePath Subject
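The Websense section and this CounterACT section both deliver records in Common Event Format, so one parser serves both. This is an added example, not McAfee's or either vendor's code: it splits the CEF header on unescaped pipes, breaks the extension into key/value pairs, resolves CounterACT's cs1Label/cs1 custom fields, and renames keys using the mapping tables above. The sample lines, the mapping subsets and the `resolve_labels` helper are constructed for this example.

```python
"""Parse syslog lines carrying a CEF record (Forcepoint Websense, ForeScout
CounterACT) and map extension keys to McAfee ESM field names.
Added example, not McAfee's parser; sample lines below are constructed."""
import re
from typing import Dict, List, Tuple

HEADER_NAMES = ["version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]

# Subset of the Websense mapping table. 'spt' is left out because the table
# lists it as Source IP, which would overwrite 'src' (assumed to be a typo).
WEBSENSE_MAP = {
    "act": "Action", "severity": "Severity", "cat": "Category", "src": "Source IP",
    "dst": "Dest. IP", "requestMethod": "Method", "request": "URL",
    "in": "Bytes_Received", "out": "Bytes_Sent", "cn2_ScanDuration": "Elapsed_Time",
    "dhost": "Web_Domain", "app": "Protocol", "Cn1_DispositionCode": "Signature ID",
}
# Subset of the CounterACT CEF mapping table.
COUNTERACT_MAP = {"dpt": "Protocol", "dst": "Destination IP", "dproc": "Application",
                  "sntdom": "Domain", "request": "URL", "filePath": "Subject"}

# A key is a run of identifier characters at line start or after whitespace,
# directly followed by '='. An escaped '\=' inside a value never matches,
# because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\[\]-]+)=")
_ESCAPE_RE = re.compile(r"\\(.)")


def _unescape(text: str) -> str:
    # CEF escapes: backslash-pipe, backslash-equals, double backslash, \n, \r
    return _ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; values may contain spaces."""
    out: Dict[str, str] = {}
    hits = list(_KEY_RE.finditer(ext))
    for n, hit in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[hit.group(1)] = _unescape(ext[hit.end():end].strip())
    return out


def split_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one syslog line; the syslog prefix is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + 4:]
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    # Walk the seven header fields by hand so that '\|' and '\\' are honoured.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_NAMES, fields)), parse_extension(body[i:])


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose csN/cnN custom fields under the name given by csNLabel/cnNLabel,
    e.g. cs1Label=ComplianceState cs1=noncompliant -> ComplianceState."""
    out = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    return out


def to_esm(ext: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Rename extension keys to ESM field names; unmapped keys are dropped."""
    return {esm: ext[key] for key, esm in mapping.items() if key in ext}


# Constructed samples modelled on the truncated samples printed in the guide.
WEBSENSE_SAMPLE = (
    "<13>Mar 06 12:55:48 192.0.2.1 CEF:0|Forcepoint|Security|7.7.0|9|Transaction permitted|1| "
    "act=permitted app=http dvc=192.0.2.1 src=192.0.2.10 dst=198.51.100.20 spt=51234 "
    "dhost=www.example.com request=http://www.example.com/index.html requestMethod=GET "
    "in=512 out=2048 cat=Business and Economy cn2_ScanDuration=13 Cn1_DispositionCode=1025"
)
COUNTERACT_SAMPLE = (
    "<123>CounterACT[1234]: CEF:0|ForeScout Technologies|CounterAct|6|NONCOMPLIANCE|"
    "host is not compliant|5|cs1Label=ComplianceState cs1=noncompliant dst=192.0.2.55 "
    "dhost=lab-pc01 dproc=antivirus sntdom=CORP request=http://example.invalid/p\\=1"
)

if __name__ == "__main__":
    for sample, mapping in ((WEBSENSE_SAMPLE, WEBSENSE_MAP), (COUNTERACT_SAMPLE, COUNTERACT_MAP)):
        header, ext = split_cef(sample)
        print(header["device_vendor"], header["signature_id"], header["name"])
        print(to_esm(resolve_labels(ext), mapping))
```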
Fortinet FortiGate
Configure Fortinet FortiGate using the command line interface
Note: The preferred format is space-delimited logs, but you can also use comma-separated logs.
Task
Enter these commands:
config log syslogd setting
set csv disable
set facility <Facility Name>
set port 514
set reliable disable
set server <IP Address of Receiver>
set status enable
end
Note: If you already have a syslog server configured in the FortiGate UTM, you can still add up to a total of three syslog servers in
the configuration by changing the first line to config log syslogd2 setting or config log syslogd3 setting.
For more information, see FortiOS™ Handbook Logging and Reporting for FortiOS 5.0 under the section, Advanced Logging.
Task
1. Go to Log&Report → Log Config → Log Setting, then select Syslog.
2. Expand the Options section to set any custom logging options, then enter this information in the corresponding fields:
◦ Name/IP—Enter the host name or IP address of the McAfee Event Receiver.
◦ Port—Set the port to 514.
◦ Level—Set the level of logging.
◦ Facility—Leave the default value.
◦ Enable CSV—Leave this box deselected.
3. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname IP address and host name associated with the data source device
Mask Default
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a Fortinet FortiGate UTM device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Fortinet FortiMail
Configure Fortinet FortiMail
Task
1. Go to Log and Report → Log Settings → Remote Log Settings.
The Remote Log Settings tab is displayed.
Option definitions
Option Definition
Facility Displays the facility identifier that the FortiMail unit uses to
identify itself.
2. Select Enabled to allow logging to a remote host, then, in Profile name, enter a profile name.
3. In IP, enter the IP address of the syslog server where FortiMail stores the logs.
4. In Port, enter 514 for syslog (default is UDP).
5. In Level, select the severity level that a log message must equal or exceed to be recorded to this location.
6. In Facility, select the facility identifier that the FortiMail unit uses to identify itself when sending log messages.
7. To easily identify log messages from the FortiMail unit, enter a unique facility identifier, then verify that no other network
devices use the same facility identifier.
8. Enable CSV format to send log messages in comma-separated value (CSV) format.
9. In Logging Policy Configuration, enable the types of logs that you want to record to this storage location, then click Create.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
Here are sample logs from a device.
Statistics:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Admin pri=Critical user=adm
Config:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=config pri=information use
System:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=System pri=Warning user=adm
Update:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Update pri=Warning user=ad
SMTP:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=SMTP pri=Warning user=admin
Admin:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Admin pri=Critical user=adm
HA:
date=2015-08-09 time=10:30:31 device_id=FE100C3909600504 log_id=0004001036 type=event subtype=ha pri=notice user=ha ui=h
Webmail:
date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Webmail pri=Warning user=a
Antivirus:
date=2015-07-24 time=17:07:42 device_id=FE100C3909600504 log_id=0100000924 type=virus subtype=infected pri=information fr
Antispam:
date=2015-07-20 time=14:33:26 device_id=FE100C3909600504 log_id=0300000924 type=spam pri=information session_id="q6KIXPZ
Encryption:
date=2015-08-09 time=10:45:27 device_id=FE100C3909600504 log_id=0400005355 type=encrypt pri=information session_id="q79Ei
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
dst_ip Destination IP
Src Source IP
Pri Severity
session_id Message_ID
To To
from From
direction Direction
domain Domain
virus Threat_Name
subject Subject
log_id External_EventID
device_id External_SessionID
mailer Application
Dictionary Category
hash File_Hash
File Filename
interface Interface
group Group_Name
Pid PID
daemon Process_Name
proto Protocol
reason Reason
Score Spam_Score
URL URL
alias User_Nickname
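The FortiMail samples above are space-delimited key=value records in which some values (session_id, subject, from, to) are double-quoted and may contain spaces. This added example, not Fortinet's or McAfee's code, parses that form, combines date= and time= into one timestamp, names the log group the way the samples are labelled, and applies the mapping table above. The sample line is constructed, and the mapping assumes FortiMail emits the keys in lowercase even where the table prints them capitalised (Src, Pri, To, File, Score).

```python
"""Parse FortiMail key=value syslog records and map them to McAfee ESM fields.
Added example, not Fortinet's or McAfee's code; the sample line is constructed."""
import re
from datetime import datetime
from typing import Dict

# A value is either double-quoted (may hold spaces and \" escapes) or bare.
_PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Subset of the FortiMail mapping table above, keys lowercased (assumption:
# FortiMail emits lowercase keys; the table capitalises a few of them).
FORTIMAIL_MAP = {
    "dst_ip": "Destination IP", "src": "Source IP", "pri": "Severity",
    "session_id": "Message_ID", "to": "To", "from": "From", "direction": "Direction",
    "domain": "Domain", "virus": "Threat_Name", "subject": "Subject",
    "log_id": "External_EventID", "device_id": "External_SessionID",
    "mailer": "Application", "hash": "File_Hash", "file": "Filename",
    "proto": "Protocol", "reason": "Reason", "score": "Spam_Score", "url": "URL",
}


def parse_fortimail(line: str) -> Dict[str, str]:
    """Return the key/value pairs of one record; quoted values are unescaped."""
    out: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
    return out


def event_time(rec: Dict[str, str]) -> datetime:
    """Combine the separate date= and time= keys into one timestamp."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def log_category(rec: Dict[str, str]) -> str:
    """Name the log group as the guide's samples do (Antivirus, Antispam, ...)."""
    kind = rec.get("type", "")
    if kind == "virus":
        return "Antivirus"
    if kind == "spam":
        return "Antispam"
    if kind == "encrypt":
        return "Encryption"
    if kind == "event":
        return "Event/" + rec.get("subtype", "unknown")
    return "Unknown"


def to_esm(rec: Dict[str, str], mapping: Dict[str, str] = FORTIMAIL_MAP) -> Dict[str, str]:
    """Rename record keys to ESM field names; unmapped keys are dropped."""
    return {esm: rec[key] for key, esm in mapping.items() if key in rec}


# Constructed antivirus record modelled on the truncated sample in the guide.
SAMPLE = (
    'date=2015-07-24 time=17:07:42 device_id=FE100C3909600504 log_id=0100000924 '
    'type=virus subtype=infected pri=information from="alice@example.com" '
    'to="bob@example.org" src=192.0.2.10 dst_ip=198.51.100.7 direction=in '
    'domain=example.org virus="EICAR-Test-File" subject="Re: \\"Q3\\" report" '
    'session_id="q6KIXPZabc123" file="report.xlsx"'
)

if __name__ == "__main__":
    record = parse_fortimail(SAMPLE)
    print(event_time(record).isoformat(), log_category(record))
    print(to_esm(record))
```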
Fortinet FortiManager
Configure Fortinet FortiManager
Task
1. Go to System Settings → Advanced → Syslog Server.
2. Select Create New to open the New Syslog Server window.
3. Fill in the Name, for example, McAfee ESM.
4. Fill in the IP address or FQDN of the McAfee Event Receiver.
5. Enter the Port number. The default is 514.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
date=<date> time=<time> devicename=<devicename> deviceID=<deviceID> logID=<logID> type=<type> subtype=<subtype> priority
Log sample
This is a sample log from a Fortinet FortiManager device:
<123>date=2001-01-01time=12:01:01,devname=device,device_id=ABC123, log_id=0123456789,type=example,subtype=example,pri=ex
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
devname Host
log_id Object
subtype Application
Fortscale User and Entity Behavior Analytics (UEBA)
Configure Fortscale User and Entity Behavior Analytics (UEBA)
Task
1. From the main Fortscale interface, navigate to System Configuration → System → Alert Forwarding via Syslog.
2. Toggle Enable Forwarding to Yes.
3. For Forwarding Type, select Alerts.
4. In the IP field, enter the IP address for the McAfee Event Receiver.
5. In the Port field, type the port where the McAfee Event Receiver is listening. Default is 514.
6. Under Selective Forwarding: Alert Severity, check which alert severities to forward.
7. Under Selective Forwarding: User Tags, check which tags to filter for forwarded events.
8. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Fortscale User and Entity Behavior Analytics (UEBA) log format and field mapping
Log format
The expected format for this device is:
<PRI>DATE TIME HOSTNAME -: KEY: VALUE KEY: VALUE KEY: VALUE…
Log sample
This is a sample log from a device:
<123>Jan 01 01:01:01 demo.fortscale.com -: Alert URL: https://demo.fortscale.dom Alert Name: data_exfiltration_normalized
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Severity Severity
Comment Message_Text
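The following Python script is an added example; it is not part of this guide and not Fortscale's or McAfee's code. It parses one line in the format shown above (syslog PRI, date, time, host name, the literal "-:" separator, then KEY: VALUE pairs whose keys may contain spaces) and applies the field mapping from the table. The host name, URL and field values in the sample line are constructed placeholders.

```python
import re

# Constructed sample in the documented layout:
#   <PRI>DATE TIME HOSTNAME -: KEY: VALUE KEY: VALUE ...
# The host name, URL and values are placeholders, not from a real system.
SAMPLE = ("<123>Jan 01 01:01:01 demo.fortscale.com -: "
          "Alert URL: https://demo.fortscale.example/alert/42 "
          "Alert Name: data_exfiltration_normalized "
          "Severity: High Comment: user copied 2 GB to removable media")

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                    # syslog PRI, e.g. <123>
    r"(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) "  # DATE, e.g. Jan 01
    r"(?P<time>\d{2}:\d{2}:\d{2}) "           # TIME
    r"(?P<host>\S+) -: "                      # HOSTNAME and the literal "-:"
    r"(?P<body>.*)$")

# A key is one or more capitalised words followed by ": "; its value runs
# until the next such key or the end of the line, so values may contain
# spaces and colons (for example a URL) without breaking the split.
KEY = r"[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*"
PAIR_RE = re.compile(rf"(?P<key>{KEY}): (?P<val>.*?)(?= {KEY}: |$)")

# Documented mapping of log fields to McAfee ESM fields
ESM_MAP = {"Severity": "Severity", "Comment": "Message_Text"}


def parse_fortscale(line):
    """Split one Fortscale syslog line into header values and KEY: VALUE fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected Fortscale format")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("syslog PRI out of range")
    return {
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "syslog_severity": pri % 8,
        "date": m.group("date"),
        "time": m.group("time"),
        "hostname": m.group("host"),
        "fields": {p.group("key"): p.group("val")
                   for p in PAIR_RE.finditer(m.group("body"))},
    }


def to_esm_fields(record):
    """Apply the documented log-field to ESM-field mapping."""
    return {esm: record["fields"][log]
            for log, esm in ESM_MAP.items() if log in record["fields"]}


if __name__ == "__main__":
    parsed = parse_fortscale(SAMPLE)
    print(parsed["hostname"], parsed["fields"])
    print(to_esm_fields(parsed))
```

Keys that are not in the mapping table (Alert URL, Alert Name) are still kept in the parsed record, so they can be checked when a received line is not parsed as expected.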
FreeRADIUS
Configure FreeRADIUS
Task
1. In the /etc/freeradius/radius.conf file, make these changes:
   logdir = syslog
   log_destination = syslog
   log {
       destination = syslog
       syslog_facility = daemon
       stripped_names = no
       auth = yes
       auth_badpass = no
       auth_goodpass = no
   }
where 10.10.3.21 is the IP address or host name of the McAfee Event Receiver, and “example1” is the facility to be used with
FreeRADIUS in the next step.
3. Set up FreeRADIUS to run with these options:
   -l syslog
   -g example1
where “example1” is the facility name that you have chosen to use.
Add FreeRADIUS
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a FreeRADIUS device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Gigamon GigaVUE
Configure Gigamon GigaVUE
The syslog configuration is done at the command line. See your product documentation for instructions about how to access and
use the command line.
Task
From the command line, enter:
config syslog_server host 192.0.2.1
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
<priority>Original Address=<IP address> <date time> <hostname> <application> <message>
Log samples
This is a sample log from a Gigamon GigaVUE device:
<123>Original Address=192.0.2.1 Jan 1 01:01:01 hostname application: Packet Drop port 12 drop 123 packets
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Host
Application Application
Task
1. In the administration interface, connect to EFT, then click the Server tab.
2. Click the Server node, set the log level to Diagnostic, then select Generic log tail for the client.
3. In the right pane, click the Logs tab.
4. In Log File Settings folder in which to save log files box, type the path to the directory in which to save this server's log files. To
browse for a path, click the folder icon.
5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging.
Note: The McAfee Collector is used to send the Globalscape logs to McAfee ESM. See the McAfee Collector documentation.
6. Under the McAfee Collector, set the log level to Diagnostic.
7. Select Generic log tail for the client.
Note: If a Host ID is used, you must use this same Host ID when creating the data source on the McAfee Event Receiver.
8. Verify that the client is enabled, then apply the changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer timestamp IP protocol source destination original client IP source network destination network action status ru
Log samples
This is a sample log from a <Product Name> device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
c-ip Source IP
cs-method Command
cs-uri-stem Message_Text
sc-bytes Bytes_from_Server
cs-bytes Bytes_from_Client
s-name Destination_Hostname
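The EFT procedure above sets the log file format to W3C Extended, and the table maps W3C field names to McAfee ESM fields. The Python script below is an added example, not part of this guide and not Globalscape's or McAfee's code: it reads the #Fields directive to learn the column order (which W3C Extended logs may redeclare mid-file) and then applies the documented mapping, treating "-" as an empty field. The log excerpt, host name and addresses are constructed.

```python
# Constructed W3C Extended log excerpt (not from the page or a real server).
# Column order comes from the #Fields directive, so the parser reads it
# instead of assuming fixed positions. "-" marks an empty field.
SAMPLE_LOG = """#Software: constructed sample
#Version: 1.0
#Date: 2012-01-25 00:00:00
#Fields: date time c-ip cs-username s-name cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2012-01-25 00:00:02 192.0.2.15 jdoe eft01.example.test RETR /outbound/report.csv 226 48213 112
2012-01-25 00:00:09 192.0.2.15 - eft01.example.test STOR /inbound/upload.bin 226 - 1048576
"""

# Documented mapping of W3C fields to McAfee ESM fields
ESM_MAP = {
    "c-ip": "Source IP",
    "cs-method": "Command",
    "cs-uri-stem": "Message_Text",
    "sc-bytes": "Bytes_from_Server",
    "cs-bytes": "Bytes_from_Client",
    "s-name": "Destination_Hostname",
}


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: only #Fields affects parsing; it may appear more than once.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        # W3C Extended fields are space-delimited; spaces inside a value are
        # encoded by the producer, so a plain split is correct here.
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def to_esm_fields(record):
    """Apply the mapping table; skip empty ("-") fields and type the byte counts."""
    out = {}
    for w3c, esm in ESM_MAP.items():
        value = record.get(w3c)
        if value is None or value == "-":
            continue
        out[esm] = int(value) if esm.startswith("Bytes_") else value
    return out


if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        print(to_esm_fields(rec))
```

A line whose field count does not match the directive is rejected rather than mapped positionally; when received data is not parsed, that is the first thing to check.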
Task
1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration (Top right corner) → +Add
(Top right corner).
2. Configure the data source.
Option Definition
WHERE
trendingriskvalues.userid_id = globalusers.id
Header -
Footer -
Task
1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration (Top right corner) → +Add
(Top right corner).
2. Configure the data source.
Option Definition
trendingriskvalues.userid_id = globalusers.id
Header -
Template {id:203950,EmployeeId:#employeeid#,Full
Name:#fullname#,First Name:#firstname#,Last
Name:#lastname#,Userrisk:#userrisk#,Reporttime:#reporttime#,Severity
Footer -
Task
1. From the ESM dashboard, select a receiver.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
3. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
Task
1. Log on to the Active Defense Management Console.
2. Navigate to Settings → Alerts.
3. In the Alerts window, click Add Route to open the Router Editor.
4. Enter a name to identify the McAfee Event Receiver into Route Name.
5. In the Settings area, enter the IP address of the McAfee Event Receiver into the Host field.
6. In the Port field, enter 514 (the default port for syslog).
7. In the Events area, select the events to be sent to the McAfee Event Receiver.
8. Click OK to save and exit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority> <date> <time> <hostname> <process>[ID]:LEEF:<version>|<vendor>|<product>|<version>|<event ID>| <key>=<value>
Log samples
This is a sample log from a HBGary Active Defense device:
<123> 2001-01-01T01:01:01Z hostname process[1234]:LEEF:1|HBGary|Active Defense|1.2.3|Login|sev=0 user=admin dstHost=hostn
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
srcHost Host
Event ID Application
src Source IP
dst Destination IP
message Message
sev Severity
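The Python script below is an added example, not part of this guide and not HBGary's or McAfee's code. It parses a line in the LEEF-over-syslog layout shown above: the syslog header, then the pipe-delimited LEEF header (version, vendor, product, product version, event ID) and the key=value attributes, and applies the field mapping from the table, taking Application from the event ID in the header. The sample line, host names, addresses and user are constructed.

```python
import re

# Constructed sample in the documented LEEF-over-syslog layout. The host
# names, addresses and user are placeholders, not from a real deployment.
SAMPLE = ("<123> 2001-01-01T01:01:01Z hostname process[1234]:"
          "LEEF:1|HBGary|Active Defense|1.2.3|Login|"
          "sev=0 user=admin srcHost=admin-ws src=192.0.2.10 dst=192.0.2.20 "
          "message=Console login succeeded")

# <priority> <date><time> <hostname> <process>[ID]:LEEF:<rest of record>
# The sample carries date and time as one ISO 8601 token.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<timestamp>\S+)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:"
    r"LEEF:(?P<leef>.*)$")

# key=value attributes; a value runs until the next " key=" or the end of
# the line, so tab- and space-delimited attributes parse the same way and
# values such as "message" may contain spaces.
ATTR_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s\w+=|$)")

# Documented mapping of LEEF attributes to McAfee ESM fields
ESM_MAP = {"srcHost": "Host", "src": "Source IP", "dst": "Destination IP",
           "message": "Message", "sev": "Severity"}


def parse_leef(line):
    """Split one LEEF syslog line into syslog header, LEEF header and attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected LEEF format")
    # LEEF header: version|vendor|product|product version|event ID|attributes
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs five pipe-delimited fields")
    leef_version, vendor, product, version, event_id, attrs = parts
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("syslog PRI out of range")
    return {
        "facility": pri // 8,
        "syslog_severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("host"),
        "process": m.group("proc"),
        "pid": int(m.group("pid")),
        "leef_version": leef_version,
        "vendor": vendor,
        "product": product,
        "product_version": version,
        "event_id": event_id,
        "attributes": {a.group("key"): a.group("val")
                       for a in ATTR_RE.finditer(attrs.strip())},
    }


def to_esm_fields(record):
    """Apply the documented mapping; Event ID comes from the LEEF header."""
    out = {"Application": record["event_id"]}
    for leef_key, esm_field in ESM_MAP.items():
        if leef_key in record["attributes"]:
            out[esm_field] = record["attributes"][leef_key]
    return out


if __name__ == "__main__":
    print(to_esm_fields(parse_leef(SAMPLE)))
```

Note that sev in the attribute section is the LEEF severity supplied by the product, which is what the table maps to Severity; the severity encoded in the syslog PRI is kept separately as syslog_severity.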
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<device IP> <date time> <application> <message> <username> <source IP> <object>
Log samples
This is a sample log from a Hewlett-Packard 3Com Switch device:
[192.0.2.1] <123>Jan 1 01:01:01 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user username in group failed to login fro
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
Command Command
Task Object
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Using the Web interface, access the supported HP printer through any Web browser. For example: http://<IP address of the
printer>.
2. Click the Networking tab and the Advanced sub-tab.
3. Enter the IP address of the SmartConnector server in the Syslog Server field.
4. Select Enable CCC Logging to activate the logging of advanced security events.
Log format
The expected format for this device is:
<severity> <hostname> <message>
Log sample
This is a sample log from a Hewlett-Packard LaserJet Printers device:
<13> printer: paper out
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Host
Hewlett-Packard ProCurve
Configure Hewlett-Packard ProCurve
The syslog configuration is performed at the command line. See the ProCurve documentation provided by Hewlett-Packard for
more information about how to access and use the command line interface.
Task
Enter this command to add a syslog server:
logging <ip_address>
Add Hewlett-Packard ProCurve
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device name> <message>
Log sample
This is a sample log from a Hewlett-Packard ProCurve device:
Jan 01 01:01:01 procurve.com/ procurve.com ABC_1234, Interface ethernet 1/01, state up
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Application Application
IP Protocol Protocol
Source IP Source IP
Destination IP Destination IP
HyTrust Appliance
Configure HyTrust Appliance
Task
1. Open the HyTrust Appliance application.
2. Navigate to Configuration → Logging.
3. Select Capture from the Logging Level drop-down list.
4. In the HTA Logging Aggregation field, select External.
5. Select Proprietary in the Logging Aggregation Template Type field.
6. In the HTA Syslog Servers field, type the IP address or host name and port number of the McAfee Event Receiver, using this
format:
IPaddress:port
-or-
hostname:port
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
HyTrust Appliance log format and field mapping
Log format
The expected format for this device is:
<PRI> Date HTA-FQDN Facility:Error_Type : HTA-log-message-code Source: src_ip Msg
Log sample
This is a sample log from a HyTrust Appliance device:
<174>Feb 15 19:17:44 hta3a.testdrive.hytrust.com local5:INFO : ARC0005I Job scheduled to run Feb 15, 2012 7:17:44 PM on 1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
HTA-log-message-code Message_ID.Message_ID
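An added parser for the HyTrust Appliance format above (example code written for this entry, not HyTrust's or McAfee's own): it decodes the numeric <PRI> into facility and severity, checks that they agree with the textual Facility:Error_Type token, and extracts the HTA-log-message-code that the table maps to the ESM Message_ID field. Treating "Source: src_ip" as optional (the guide's sample omits it), the severity alias table, and the second, constructed log line are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 3164 facility and severity names, indexed by number: <PRI> = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
# Spellings the Error_Type token may use, normalised to the RFC names (assumption).
SEVERITY_ALIASES = {"ERROR": "ERR", "WARN": "WARNING", "CRITICAL": "CRIT", "EMERGENCY": "EMERG"}

# <PRI> Date HTA-FQDN Facility:Error_Type : HTA-log-message-code Source: src_ip Msg
# "Source: src_ip" is treated as optional because the guide's sample line omits it.
HTA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<fqdn>\S+) "
    r"(?P<facility>[a-z0-9]+):(?P<error_type>[A-Za-z]+) : "
    r"(?P<code>[A-Z]+\d+[A-Z]) "
    r"(?:Source: (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) )?"
    r"(?P<msg>.*)$"
)

# Sample line from the guide, plus a constructed line that carries a Source: token and a PRI
# that does not match its textual facility/severity (what a relay that rewrites PRI produces).
SAMPLE = ("<174>Feb 15 19:17:44 hta3a.testdrive.hytrust.com local5:INFO : ARC0005I "
          "Job scheduled to run Feb 15, 2012 7:17:44 PM on 1")
CONSTRUCTED = ("<13>Feb 15 19:18:02 hta3a.testdrive.hytrust.com local5:WARN : ARC0100W "
               "Source: 10.0.0.5 constructed test message")


@dataclass
class HtaEvent:
    facility: str             # decoded from <PRI>
    severity: str             # decoded from <PRI>
    date: str
    fqdn: str
    message_id: str           # HTA-log-message-code, the field the guide maps to ESM Message_ID
    source_ip: Optional[str]
    msg: str
    pri_consistent: bool      # True when <PRI> agrees with the textual Facility:Error_Type


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_hta(line: str) -> HtaEvent:
    """Parse one HyTrust Appliance syslog line into its fields."""
    m = HTA_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not match the HyTrust Appliance format")
    facility, severity = decode_pri(int(m["pri"]))
    text_sev = m["error_type"].upper()
    text_sev = SEVERITY_ALIASES.get(text_sev, text_sev)
    # A mismatch means the numeric header and the message body disagree; flag it before
    # trusting either value for correlation or severity-based alerting.
    consistent = facility == m["facility"] and severity == text_sev
    return HtaEvent(facility, severity, m["date"], m["fqdn"], m["code"],
                    m["src_ip"], m["msg"], consistent)


if __name__ == "__main__":
    for raw in (SAMPLE, CONSTRUCTED):
        ev = parse_hta(raw)
        print(f"{ev.message_id} {ev.facility}.{ev.severity} src={ev.source_ip} "
              f"consistent={ev.pri_consistent}")
```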
IBM
Configure IBM Guardium
Task
1. From the Guardium CLI command line, enter this command:
store remote log add daemon.* 192.168.2.1 tcp
◦ CEF format:
CEF:0|IBM|Guardium|7.0|%%ruleID|%%ruleDescription|5|rt=%%receiptTimeMills cs1=%%severity cs1Label=Severity cs2=%%ser
Add IBM Guardium
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Add IBM WebSphere Application Server
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Port 22
Login timeout 30
Interval 5
Username The logon for the computer that runs the server (a user name with sufficient
permissions on the server running IBM WebSphere Application Server).
5. Test the connection. If the test returns “test connection successful”, the device is configured correctly.
6. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
Here is the basic logging format listed in the IBM documentation. The advanced logging format and tracing logs are not currently
supported. The expected format for this device is:
<timestamp><threadId><shortName><eventType>[className][methodName]<message>
Log sample
This is a sample log from an IBM Websphere Application Server device:
[5/25/15 23:24:25:123 EDT] 00000001 BatchSensorCo I CWLRB5903I: BatchSensorComponent initialized successfully.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
threadId External_SessionID
eventType Severity
className External_Application
methodName Method
IBM Websphere Application Server supported facilities
These facilities are currently supported, and provide more descriptive information when parsed by the McAfee ESM.
ACIN, ACWA, ADFS, ADMC, ADMN, ADMR, ASYN, CHFW, CNTR, CSCP, CWLDD, CWLRB, CWLRS, CWNEN, CWOAU, CWPKI, CWPMI, CWRCB, CWRL
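An added parser for the WebSphere basic log format described above (example code written for this entry, not IBM's or McAfee's own): it splits a line into the fields the mapping table names, decodes the single-letter event type, and reports whether the message-code prefix is among the supported facilities listed, so an operator can tell in advance which events will get the more descriptive parse. Assumptions: className and methodName are treated as optional bracketed tokens as the format string writes them, only the first entries of the facility list are reproduced, and the second log line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message-code prefixes from the guide's list of supported facilities (the guide's list is
# longer; only its first entries are reproduced here).
SUPPORTED_FACILITIES = {
    "ACIN", "ACWA", "ADFS", "ADMC", "ADMN", "ADMR", "ASYN", "CHFW", "CNTR", "CSCP",
    "CWLDD", "CWLRB", "CWLRS", "CWNEN", "CWOAU", "CWPKI", "CWPMI", "CWRCB",
}
# Single-letter event types of the WebSphere basic format and their meanings.
EVENT_TYPES = {"I": "Informational", "W": "Warning", "E": "Error", "F": "Fatal", "A": "Audit",
               "C": "Config", "D": "Detail", "O": "System.out", "R": "System.err"}

# <timestamp><threadId><shortName><eventType>[className][methodName]<message>
# Assumption: className/methodName appear as optional bracketed tokens, as written in the guide.
WAS_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"(?P<thread_id>[0-9A-Fa-f]{8}) "
    r"(?P<short_name>\S+) +"
    r"(?P<event_type>[A-Z]) +"
    r"(?:\[(?P<class_name>[^\]]*)\]\[(?P<method_name>[^\]]*)\] *)?"
    r"(?P<message>.*)$"
)
# WebSphere message codes look like CWLRB5903I: 4-5 letter facility, 4 digits, type letter.
CODE_RE = re.compile(r"^(?P<facility>[A-Z]{4,5})\d{4}[A-Z]:")

# Sample line from the guide, plus a constructed line carrying class/method tokens and a
# facility the guide does not list.
SAMPLE = ("[5/25/15 23:24:25:123 EDT] 00000001 BatchSensorCo I CWLRB5903I: "
          "BatchSensorComponent initialized successfully.")
CONSTRUCTED = ("[5/25/15 23:24:26:001 EDT] 0000002A AppLoader W [com.example.Loader][start] "
               "XYZZ0001W: constructed warning")


@dataclass
class WasEvent:
    timestamp: str                        # month/day/year, i.e. the Date Order default (month before day)
    external_session_id: str              # threadId -> ESM External_SessionID
    severity: str                         # eventType -> ESM Severity
    severity_name: str
    external_application: Optional[str]   # className -> ESM External_Application
    method: Optional[str]                 # methodName -> ESM Method
    facility: Optional[str]               # message-code prefix, e.g. CWLRB
    facility_supported: bool              # listed among the guide's supported facilities?
    message: str


def parse_websphere(line: str) -> WasEvent:
    """Parse one WebSphere basic-format log line and map it onto the ESM field names."""
    m = WAS_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not match the WebSphere basic log format")
    code = CODE_RE.match(m["message"])
    facility = code["facility"] if code else None
    return WasEvent(
        timestamp=m["timestamp"],
        external_session_id=m["thread_id"],
        severity=m["event_type"],
        severity_name=EVENT_TYPES.get(m["event_type"], "Unknown"),
        external_application=m["class_name"],
        method=m["method_name"],
        facility=facility,
        facility_supported=facility in SUPPORTED_FACILITIES,
        message=m["message"],
    )


if __name__ == "__main__":
    for raw in (SAMPLE, CONSTRUCTED):
        ev = parse_websphere(raw)
        print(f"thread={ev.external_session_id} sev={ev.severity}({ev.severity_name}) "
              f"facility={ev.facility} supported={ev.facility_supported}")
```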
IBM Guardium log format and field mapping
Log format
The expected syslog format for this device is:
<pri>Date Time Username Application[pid]: Alert based on rule ID ruleDescription|Category: category|Classification: clas
Log sample
This is a sample syslog log from an IBM Guardium device:
<13>Jan 01 01:01:01 usr123456 guard_sender[0001]: Alert based on rule ID log full sql - US DBAs Oracle#012Category: Cl
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Application Application
Severity Severity
ClientIP Source IP
ServerIP Destination IP
Category Category
Server Destination_Hostname
ExternalID External_EventID
Partition File_Path
Host Host
ObjectID Object
PID PID
Rule # Policy_ID
sproc Process_Name
SID Signature ID
SQL SQL_Statement
Indegy
Configure Indegy
Set up Indegy to send events to McAfee ESM.
Task
1. From the Policies menu, select the Servers tab, then select the Syslog Servers tab.
2. Click +Add Syslog Server.
3. In the Server Name field, enter the name of the Syslog Server.
4. In the Hostname\IP field, enter a host name or an IP address of the Syslog server.
5. In the Port field, enter the port number on the Syslog server.
6. In the Transport field, enter the transport protocol.
7. Click Send Test Message and verify that the message arrived.
8. Configure Indegy policies to log events to McAfee ESM. See Indegy documentation for detailed instructions.
Results
Indegy begins sending data to McAfee ESM.
Add Indegy
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 0
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Port 514
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Example log
2019-01-01T12:00:00.012Z,192.168.2.1,192.168.2.2 CEF:0|Indegy|Indegy Security Platform|1.2.3|30|Baseline Deviation|2|dvc
Field mapping
This table shows the mapping between McAfee ESM fields and the CEF fields of the data source.
McAfee ESM fields CEF fields
severity CEF.Severity
msg CEF.EventName
firsttime start
lasttime start
firsttime rt
lasttime rt
src_ip src
src_port spt
src_mac smac
dst_ip dst
dst_port dpt
dst_mac dmac
External_Hostname dvchost
UserIDSrc suser
UserIDDst duser
Application_Protocol proto
Status outcome
Old_Value value_change
norm_sigid signature_id
Bytes_Received bytesIn
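An added CEF parser that applies the Indegy mapping above (example code written for this entry, not Indegy's or McAfee's own): it strips the "timestamp,ip,ip" prefix the example log shows, splits the header on unescaped pipes, parses the extension key=value pairs including escaped "=" and "|", and projects the result onto the ESM field names from the table; keys the table does not map are returned separately so a gap in the mapping is visible. Assumptions: both log lines and all extension values are constructed, and start is preferred over rt when both are present.

```python
import re
from typing import Dict, Tuple

# CEF extension key -> McAfee ESM field, taken from the guide's Indegy mapping table.
CEF_TO_ESM = {
    "src": "src_ip", "spt": "src_port", "smac": "src_mac",
    "dst": "dst_ip", "dpt": "dst_port", "dmac": "dst_mac",
    "dvchost": "External_Hostname", "suser": "UserIDSrc", "duser": "UserIDDst",
    "proto": "Application_Protocol", "outcome": "Status", "value_change": "Old_Value",
    "signature_id": "norm_sigid", "bytesIn": "Bytes_Received",
}
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" token, so values may contain spaces.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?= [A-Za-z0-9_.]+=|$)")

# Constructed lines in the guide's shape ("timestamp,ip,ip CEF:0|Indegy|..."); the extension
# values are made up, and the second line has an escaped pipe in the product name.
SAMPLE = (
    "2019-01-01T12:00:00.012Z,192.168.2.1,192.168.2.2 "
    "CEF:0|Indegy|Indegy Security Platform|1.2.3|30|Baseline Deviation|2|"
    "dvc=192.168.2.2 dvchost=indegy-sensor-01 rt=1546344000012 start=1546344000012 "
    "src=10.20.0.15 spt=34567 smac=00:11:22:33:44:55 dst=10.20.0.7 dpt=44818 "
    "dmac=66:77:88:99:aa:bb proto=ENIP suser=plc-engineer outcome=Success "
    "signature_id=30 value_change=Tag\\=Setpoint old\\=42 msg=Constructed: write outside baseline"
)
ESCAPED = ("2019-01-01T12:00:01.000Z,192.168.2.1,192.168.2.2 "
           "CEF:0|Indegy|Indegy \\| Security|1.2.3|31|Policy Violation|7|src=10.0.0.1 msg=constructed")


def _unescape_header(s: str) -> str:
    """CEF header escapes: \\| and \\\\."""
    return re.sub(r"\\([\\|])", r"\1", s)


def _unescape_ext(s: str) -> str:
    """CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\([\\=nr])", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)


def parse_indegy_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Return (CEF header, ESM fields, unmapped extension keys) for one Indegy line."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    # Split the header on unescaped pipes; everything after the 7th pipe is the extension.
    parts = re.split(r"(?<!\\)\|", line[idx:].rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (_unescape_header(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    extension = {m["key"]: _unescape_ext(m["value"]) for m in EXT_RE.finditer(parts[7].strip())}

    # severity and msg come from the header (CEF.Severity, CEF.EventName); the extension's
    # own msg key is not in the guide's table, so it ends up in the unmapped set.
    esm = {"severity": header["severity"], "msg": header["name"]}
    when = extension.get("start", extension.get("rt"))   # start preferred over rt (assumption)
    if when is not None:
        esm["firsttime"] = esm["lasttime"] = when
    unmapped: Dict[str, str] = {}
    for key, value in extension.items():
        if key in CEF_TO_ESM:
            esm[CEF_TO_ESM[key]] = value
        elif key not in ("start", "rt"):
            unmapped[key] = value
    return header, esm, unmapped


if __name__ == "__main__":
    for raw in (SAMPLE, ESCAPED):
        header, esm, unmapped = parse_indegy_cef(raw)
        print(header["device_product"], esm, "unmapped:", sorted(unmapped))
```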
Infoblox NIOS
Configure Infoblox NIOS
Task
1. Do one of the following:
◦ From the Grid perspective, click grid → Edit → Grid Properties
◦ From the Device perspective, click hostname → Edit → Device Properties
2. In the Grid or Device editor, click Monitoring, then define these options.
◦ Enable external syslog server: Select this to enable the Infoblox device to send messages to the specified syslog server.
◦ Syslog Server Group: To define one or more syslog servers, click Add, enter the following, then click OK:
  ◦ Server Address: Enter the IP address of the syslog server.
  ◦ Connection Type: Specify whether the device uses TCP or UDP to connect to the external syslog server.
  ◦ Port: Specify the destination port number (standard port is 514).
  ◦ Out Interface: Specify the interface where the device sends syslog messages to the syslog server.
  ◦ Severity Filter: Select a filter from the drop-down list.
  ◦ Message Source: Specify which syslog messages the device sends to the external syslog server:
    ◦ Internal: Device sends the syslog messages that it generates.
    ◦ External: Device sends the syslog messages that it receives from other devices, such as syslog servers and routers.
    ◦ Any: Device sends both internal and external syslog messages.
◦ Copy audit log messages to syslog: Select this to have the Infoblox device include audit log messages with the messages it sends to the
syslog server. This function can be helpful to monitor administrative activity on multiple devices from a central location.
◦ Audit Log Facility: Select the facility where you want the syslog server to sort the audit log messages.
3. Click the Save icon to save your settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. From the Grid perspective, click + (for grid) → + (for Members) → member → Edit → Member Properties.
2. In the Grid Member editor, click Monitoring, then define these options.
◦ Override grid syslog settings: Select to override grid-level syslog settings and apply member-level settings.
◦ Enable external syslog server: Select to enable the Infoblox device to send messages to a specified syslog server.
◦ Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
  ◦ Server Address: Type the IP address of a syslog server.
  ◦ Connection Type: Specify whether the device uses TCP or UDP to connect to the external syslog server.
  ◦ Port: Specify the destination port number.
  ◦ Out Interface: Specify the interface where the device sends syslog messages to the syslog server.
  ◦ Severity Filter: Choose a filter from the drop-down list.
  ◦ Message Source: Specify which syslog messages the device sends to the external syslog server:
    ◦ Internal: The device sends the syslog messages that it generates.
    ◦ External: The device sends the syslog messages that it receives from other devices.
    ◦ Any: The device sends both internal and external syslog messages.
◦ Enable syslog proxy: Select to enable the device to receive syslog messages from other devices, such as syslog servers and
routers, then forward these messages to an external syslog server.
  ◦ Enable listening on TCP: Select if the device uses TCP to receive messages from other devices.
  ◦ Port: Enter the port number where the device receives syslog messages from other devices.
  ◦ Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, then click OK:
    ◦ IP Address option: Select IP Address to add the IP address of a device, or select Network to add the network address of a group of
devices.
    ◦ Address: Enter the IP address of the device or network.
    ◦ Subnet Mask: If you entered a network IP address, you must also enter its subnet mask.
3. Click the Save icon to save your settings.
Configure InterSect Alliance Snare for Windows
Task
1. In the Windows Start menu, navigate to the Intersect Alliance folder in the programs listing, then open Snare for Windows. The open-
source version of the software includes Open Source in the title. This opens your default browser and takes you to a web
interface running on the local host.
2. In the upper left, click Network Configuration.
3. In the Destination Snare Server address field, enter the IP address of your McAfee Event Receiver.
4. In the Destination Port field, enter the port number used for sending syslog to your McAfee Event Receiver (default is 514).
5. Select Enable SYSLOG Header? to have syslog headers included with events.
6. (Optional) If using the Enterprise version of Snare, you can use the Coordinated UTC feature. This changes the time stamps in
the logs to UTC. If you enable this feature, you must set the time zone for this data source in McAfee ESM to Greenwich Mean
Time.
7. Click Change Configuration when done.
Add InterSect Alliance Snare for Windows
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Time Zone Time zone of data being sent (Greenwich Mean Time if using the
Coordinated Universal Time feature in Snare).
Note: The Open Source version of Snare does not support coordinated UTC. Events delivered by Snare contain time stamps
based on the time zone of the local host from which they were sent. For coordinated UTC support, use the Enterprise version
of Snare for Windows.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
InterSect Alliance Snare for Windows log format and field mapping
Log format
Hostname Event Log Type Criticality SourceName Snare Event Counter DateTime EventID SourceName UserName SIDType EventLog
Log samples
This is a sample log from Snare for Windows:
Test_Host MSWinEventLog 0 Security 3027 Fri May 24 09:30:43 2013 593 Security Administrator User Success Audit EXAMPLE Detailed Tracking A process has exited:Process ID: 656 User Name: Administrator Domain: EXAMPLE Logon ID: (0x0,0x6C52)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Criticality Severity
Destination Dest. IP
SourceName Application
UserName, User Name, Caller User Name, Client User Name, Logon Account, Account Name, UserID Source User
New Account Name, Member Name, Target Account Name, Account Name Destination User
NtLogon Session_Status
Interset
Configure Interset
Before you begin, you need a fully configured and working Interset and McAfee ESM deployment, and this information:
• Familiarity with configuring Flume using Ambari. See the Configure Data Ingest documentation.
• The tenant ID in Interset that contains the data to send to the McAfee Event Receiver ESM (for example, 0).
• The name (FQDN or IP address) and port of the McAfee Event Receiver.
Task
1. In Apache Ambari, create the Flume Export Configuration Group.
2. Configure the system so that events are sent as Syslog to the McAfee Event Receiver.
a. Copy the esmSyslog.conf file from the /opt/interest/export/conf-templates folder to a local system, and make these
substitutions:
◦ On each line, change the tenant ID <TID> to the appropriate tenant ID (for example, 0).
◦ Replace the ESM McAfee Event Receiver location placeholder <ESM Syslog Receiver Port> with the port number of the McAfee Event
Receiver.
◦ Replace any other system variables, such as <ZOOKEEPER_HOST>, with appropriate values.
b. Upload and save the new esmSyslog.conf file to Ambari for processing.
3. Repeat step 2 with esmStorySyslog.conf, located in the same template folder, to also send high risk stories to the McAfee
Event Receiver. By default, only stories with a risk score greater than 75 are sent. To change this behavior, change the value in
the following line as needed:
interset_auth_events_<TID>_esm.sources.kafkaSource.interceptors.scoreChecker.toCompare = riskScore:greaterThan:75
Add Interset
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Integrate Interset
The integration feature displays additional details about Interset events in McAfee ESM.
This integration feature only works with events that contain the URL custom type. Ensure that the data source has been
configured and that the data source has been added to the McAfee Event Receiver before completing these steps.
Task
1. In the McAfee ESM console, select an ESM on the left side, then click the Properties icon.
2. From the System Properties menu, select Custom Settings.
3. Near the bottom of Custom Settings, click Device Links.
4. In the Custom Device Links window, select the Interset device that you previously added, then select Edit.
5. In the Edit URL window, click the arrow directly to the right of the blank URL field. Select Custom Types | URL.
Once selected, a value is automatically entered in the previously blank URL section.
6. The Custom Device Links window now displays the CustomType value. Select OK.
7. Select an event that contains the URL custom type, then select the Launch Device URL icon (an image of the Earth).
Once the Launch Device URL is selected, a browser window displays a logon prompt for your Interset device. Once logged on,
additional details about the selected Interset event in the ESM are displayed.
Log sample
This is a sample log from an Interset device:
On Jan 21, 2016 8:00:00 AM, user543 told a Story with a Risk Score of 88. See 'https://analytics.example.com/investigato
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
URL URL
/appidname Application
/eventuuid UUID
/fileidpath Destination_Filename
/sourcepath Filename
/dvc External_Device_ID
/vendor External_Device_Type
/project Category
/size File_Size
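The story sentence in the log sample above carries the fields the mapping table expects (user, risk score, URL), and the Flume interceptor line earlier in this section decides which stories reach the Event Receiver with a `field:comparison:value` rule. The following is an added example, not McAfee or Interset code: it parses a story line of the shape shown in the sample and applies the `riskScore:greaterThan:75` rule. The sentence shape, the `lessThan`/`equals` comparisons and the sample stories are assumptions or constructed input.

```python
import re
from typing import Optional

# Story sentence shape taken from the page's log sample (assumed to be stable).
STORY_RE = re.compile(
    r"^On (?P<when>.+?), (?P<user>\S+) told a Story with a Risk Score of "
    r"(?P<score>\d+)\. See '(?P<url>[^']+)'"
)


def parse_story(line: str) -> Optional[dict]:
    """Extract timestamp, user, risk score and investigation URL from one story line."""
    m = STORY_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": m.group("when"),
        "user": m.group("user"),
        "riskScore": int(m.group("score")),
        "URL": m.group("url"),
    }


# Only greaterThan appears on the page; lessThan and equals are assumed extras.
_OPS = {
    "greaterThan": lambda a, b: a > b,
    "lessThan": lambda a, b: a < b,
    "equals": lambda a, b: a == b,
}


def make_checker(to_compare: str):
    """Build a predicate from a 'field:comparison:value' spec such as riskScore:greaterThan:75."""
    field, op, value = to_compare.split(":")
    if op not in _OPS:
        raise ValueError(f"unsupported comparison: {op}")
    threshold = int(value)
    return lambda story: _OPS[op](story[field], threshold)


def forward_stories(lines, to_compare="riskScore:greaterThan:75"):
    """Return the parsed stories that pass the rule, i.e. the ones that would be
    forwarded to the Event Receiver under this scoreChecker setting."""
    passes = make_checker(to_compare)
    return [s for s in (parse_story(l) for l in lines) if s is not None and passes(s)]


# Constructed sample stories (not real Interset output).
SAMPLE_STORIES = [
    "On Jan 21, 2016 8:00:00 AM, user543 told a Story with a Risk Score of 88. See 'https://analytics.example.com/investigator/1'",
    "On Jan 21, 2016 8:05:00 AM, user777 told a Story with a Risk Score of 42. See 'https://analytics.example.com/investigator/2'",
    "On Jan 21, 2016 8:10:00 AM, user901 told a Story with a Risk Score of 75. See 'https://analytics.example.com/investigator/3'",
]

if __name__ == "__main__":
    for story in forward_stories(SAMPLE_STORIES):
        print(story["user"], story["riskScore"], story["URL"])
```

With the default rule only the score-88 story is forwarded; a score of exactly 75 is not greater than 75 and stays behind, which is worth remembering when you lower the threshold.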
[edit system]
syslog {
file <Path/Filename> {
facility SEVERITY;
structured-data {
brief;
}
}
}
More options can be specified for log outputs. See the JUNOS System Log Messages Reference document to learn more.
Task
1. To configure the system to log system messages, add a syslog statement at the [edit system] hierarchy level.
2. To log in structured-data format, include a structured-data statement for each logging output.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Juniper Networks JUNOS Structured-Data Format log format and field mapping
Log format
The expected format for this device is:
<priority> version timestamp hostname process processID TAG [[email protected] variable-value-pair1="value" message-te
Log samples
This is a sample log from a JUNOS structured-data format device:
<165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [[email protected] username="regress"]
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Hostname Hostname
Service-name Application
Source-address Source IP
Destination-address Destination IP
Packet-incoming-interface Interface
Protocol-id Protocol
Session-id Session
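The structured-data format above is a syslog header followed by a bracketed block of `key="value"` pairs, and the mapping table is keyed by those parameter names. The following is an added example, not McAfee or Juniper code, that parses such a line and applies the mapping. It assumes the parameter names are the lower-case hyphenated forms of the table's "Log fields" column, uses `junos@SDID-PLACEHOLDER` in place of the SD-ID (which is not legible on the page), and the flow-style sample line is constructed.

```python
import re

# Header shape from the "Log format" line above:
# <PRI>VERSION TIMESTAMP HOSTNAME PROCESS PID TAG [SD-ID key="value" ...] message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<process>\S+) (?P<pid>\S+) (?P<tag>\S+) \[(?P<sd>[^\]]*)\]\s*(?P<message>.*)$"
)
# key="value" pairs inside the structured-data block; a backslash escapes the next char.
# Limitation: an unescaped ']' inside a quoted value would end the block early.
PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# The page's mapping table, keyed by the assumed spelling of the SD parameter names.
ESM_FIELD_MAP = {
    "service-name": "Application",
    "source-address": "Source IP",
    "destination-address": "Destination IP",
    "packet-incoming-interface": "Interface",
    "protocol-id": "Protocol",
    "session-id": "Session",
}


def parse_junos_sd(line):
    """Parse one structured-data line into header fields and SD parameters; None if no match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    sd_id, _, params = m.group("sd").partition(" ")
    return {
        "facility": pri // 8,  # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "process": m.group("process"),
        "pid": m.group("pid"),
        "tag": m.group("tag"),
        "sd_id": sd_id,
        "params": {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM_RE.findall(params)},
        "message": m.group("message"),
    }


def to_esm_fields(rec):
    """Hostname comes from the syslog header; the other ESM fields come from SD parameters."""
    out = {"Hostname": rec["hostname"]}
    for key, esm_name in ESM_FIELD_MAP.items():
        if key in rec["params"]:
            out[esm_name] = rec["params"][key]
    return out


# The page's sample with the SD-ID replaced by a placeholder.
SAMPLE_LOGOUT = ('<165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT '
                 '[junos@SDID-PLACEHOLDER username="regress"]')
# Constructed flow-style line using the parameter names from the mapping table.
SAMPLE_FLOW = ('<14>1 2019-10-08T12:00:00.000Z fw1 flowd 1234 EXAMPLE_FLOW_EVENT '
               '[junos@SDID-PLACEHOLDER source-address="192.0.2.10" destination-address="198.51.100.5" '
               'service-name="junos-ssh" protocol-id="6" packet-incoming-interface="ge-0/0/0.0" '
               'session-id="4711"] session closed')

if __name__ == "__main__":
    print(parse_junos_sd(SAMPLE_LOGOUT))
    print(to_esm_fields(parse_junos_sd(SAMPLE_FLOW)))
```

Decoding the PRI is the quick health check for a collector: the page's `<165>` sample is facility 20 (local4) at severity 5, so a Receiver filtering on facility or severity would need to allow those values.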
Task
To configure Juniper Networks NetScreen using the command line, type the following commands:
Set syslog config <ip_address> <security_facility> <local_facility>
Set syslog config <ip_address> port 514
Set syslog config <ip_address> log all
Set syslog enable
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<PRI>HOSTNAME: NetScreen device_id=HOSTNAME []EVENT_DESCRIPTION: MESSAGE (DATE TIME)
Log sample
This is a sample log from a device:
<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: Admin user BobJ has logged on via SSH from 192.0.2.1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
dst Dest. IP
proto Protocol
device_id Host
Service Application
Sent Bytes_sent
Rcvd Bytes_received
reason Reason
domain domain
Severity Severity
Session id Session ID
policy id Command
deviceId External_Device_ID
application Application
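The NetScreen envelope above wraps a free-text message, and the page's sample is an administrative logon, which is the kind of event a SOC wants split out from the rest. The following is an added example, not McAfee or Juniper code, that parses the envelope and flags admin logons whose source is outside an allowed management network. The allowed-network list, the trailing `(DATE TIME)` handling and the second and third sample lines are assumptions or constructed input.

```python
import re
import ipaddress

# Envelope from the "Log format" line above:
# <PRI>HOSTNAME: NetScreen device_id=HOSTNAME [vsys]EVENT: MESSAGE (DATE TIME)
NETSCREEN_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<host>[^:]+): NetScreen device_id=(?P<device_id>\S+) "
    r"\[(?P<vsys>[^\]]*)\](?P<event>[^:]+): (?P<message>.*?)(?: \((?P<datetime>[^)]*)\))?$"
)
# Admin logon wording as in the page's sample line.
ADMIN_LOGON_RE = re.compile(
    r"Admin user (?P<user>\S+) has logged on via (?P<method>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_netscreen(line):
    """Split one NetScreen syslog line into its envelope fields; None if it does not match."""
    m = NETSCREEN_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,  # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "device_id": m.group("device_id"),
        "vsys": m.group("vsys"),
        "event": m.group("event"),
        "message": m.group("message"),
        "datetime": m.group("datetime"),  # None when the device sends no trailing timestamp
    }


def audit_admin_logons(lines, allowed_cidrs):
    """Return one finding per admin logon, marking sources outside the management networks.
    allowed_cidrs is an assumption: the page defines no such list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_netscreen(line)
        if rec is None:
            continue
        lm = ADMIN_LOGON_RE.search(rec["message"])
        if not lm:
            continue
        src = ipaddress.ip_address(lm.group("src"))
        findings.append({
            "device_id": rec["device_id"],
            "event": rec["event"],
            "user": lm.group("user"),
            "method": lm.group("method"),
            "src": str(src),
            "allowed": any(src in n for n in nets),
        })
    return findings


# First line is the page's sample; the other two are constructed.
SAMPLE_LINES = [
    "<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: Admin user BobJ has logged on via SSH from 192.0.2.1",
    "<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: Admin user BobJ has logged on via SSH from 203.0.113.9 (2019-10-08 12:00:00)",
    "<123>JNHOST: NetScreen device_id=JNHOST [Root]example-notification-00000: Example message with no admin logon",
]

if __name__ == "__main__":
    for f in audit_admin_logons(SAMPLE_LINES, ["192.0.2.0/24"]):
        print(("ok      " if f["allowed"] else "REVIEW  ") + f"{f['user']} via {f['method']} from {f['src']}")
```

The same envelope parser serves any NetScreen event; only the message-level regex is specific to admin logons, so other message types can be added as further patterns without touching the envelope handling.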
Task
1. From the Network and Security Manager application, go to Action Manager → Action Parameters.
2. Fill in Syslog Server IP with the IP address of the McAfee Event Receiver.
3. Select the Syslog Facility you want to send the events as.
4. Click OK to save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Juniper Networks Network and Security Manager log format and field mapping
Log format
The expected format for this device is:
<Priority> <Date Time> <hostname> <message>
Log sample
This is a sample log from a Juniper Networks Network and Security Manager device:
<123>Jan 1 01:01:01 192.0.2.1 20010101, 1234, 2001/01/01 01:01:01, 2001/01/01 01:01:01, domain.Name, 0, deviceName, 192.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Protocol Protocol
Action Action
Severity Severity
Subcategory Application
Bytes In Bytes_Received
Details Command
User User
Policy Policy_Name
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Port 1433
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Kaspersky Administration Kit device:
event_id="4164828" nIpAddress="167772161" domain_name="DOMAIN" hostname="HOSTNAME" group_name="GROUPNAME" rise_time="201
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
severity Severity
product_name Application
domain_name Domain
hostname Hostname
product_version Version
event_type Event_Class
nIpAddress src_ip
File_Path* File_Path
Threat_Name* Threat_Name
task_display_name Job_Name
objectname* objectname
URL* URL
Message_Text* Message_Text
Process_Name* Process_Name
Category* Category
PID* PID
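The Kaspersky Administration Kit sample above is a flat `key="value"` record, and one of its values, `nIpAddress`, is a packed integer that the mapping table sends to `src_ip`. The following is an added example, not McAfee or Kaspersky code, that parses the record, converts the integer to dotted form and applies the mapping table. It assumes `nIpAddress` is a 32-bit IPv4 address in network byte order (the page does not say), treats the starred table rows as optional keys carried through when present, and the full sample record is constructed around the page's truncated line.

```python
import re
import ipaddress

# key="value" pairs; values may not contain a double quote in this format.
KV_RE = re.compile(r'(?P<key>\w+)="(?P<value>[^"]*)"')

# The page's mapping table. Keys are the log field names; starred rows are
# treated as optional and copied only when the record carries them.
ESM_FIELD_MAP = {
    "severity": "Severity",
    "product_name": "Application",
    "domain_name": "Domain",
    "hostname": "Hostname",
    "product_version": "Version",
    "event_type": "Event_Class",
    "File_Path": "File_Path",
    "Threat_Name": "Threat_Name",
    "task_display_name": "Job_Name",
    "objectname": "objectname",
    "URL": "URL",
    "Message_Text": "Message_Text",
    "Process_Name": "Process_Name",
    "Category": "Category",
    "PID": "PID",
}


def parse_kv(line):
    """Turn one key="value" record into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def int_to_ipv4(n):
    """Assumption: nIpAddress is an IPv4 address packed as a big-endian 32-bit integer.
    Raises ValueError for values outside the 32-bit range."""
    return str(ipaddress.IPv4Address(int(n)))


def to_esm_fields(rec):
    """Apply the mapping table; nIpAddress is converted rather than copied verbatim."""
    out = {}
    for key, esm_name in ESM_FIELD_MAP.items():
        if key in rec:
            out[esm_name] = rec[key]
    if "nIpAddress" in rec:
        out["src_ip"] = int_to_ipv4(rec["nIpAddress"])
    return out


# Constructed record built from the page's (truncated) sample; the event type
# value is a placeholder and the file path is made up.
SAMPLE_EVENT = (
    r'event_id="4164828" nIpAddress="167772161" domain_name="DOMAIN" hostname="HOSTNAME" '
    r'group_name="GROUPNAME" rise_time="2019-10-08 12:00:00" severity="4" '
    r'product_name="Kaspersky Endpoint Security" product_version="11.0" '
    r'event_type="EXAMPLE_EVENT_TYPE" Threat_Name="EICAR-Test-File" File_Path="C:\Temp\eicar.com"'
)

if __name__ == "__main__":
    print(to_esm_fields(parse_kv(SAMPLE_EVENT)))
```

On the page's own value, 167772161 decodes to 10.0.0.1, so a sanity check after onboarding is to confirm that `src_ip` in ESM shows a private management address rather than an implausibly large number. If it does not, the byte-order assumption above is wrong for your export and should be reversed.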
Lastline Enterprise
Configure Lastline Enterprise
See Lastline Enterprise product documentation for instructions on how to send syslog logs to a remote server.
Add Lastline Enterprise
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Mask 32
Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is as follows:
<Date-Time> <CEF Version> <Device Vendor> <Device Product> <Device Version> <Signature ID> <Name> <Severity> <Key-Value
Log sample
This is a sample log from a Lastline Enterprise device:
May 20 13:20:56 mcafeecef CEF:0|Lastline|Enterprise|7.3|signature-match|IDS Signature Match|4|act=LOG cat=drive-by/Fiesta
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
severity Severity
EventUrl URL
EventDetailLink Device_URL
IncidentId Incident_ID
act Action
cnt Count
detectionId File_ID
dhost Destination_Hostname
dst Destination IP
externalId External_EventID
fileHash File_Hash
fileSHA1 SHA1
fname Filename
fileType Object
proto Protocol
src Source IP
deviceType Sensor_Type
deviceExternalId External_Device_Type
dvchost Host
msg Message_Text
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device IP> <device> <time> <status> <message>
Log sample
This is a sample log from a Locum RealTime Monitor device:
<123>Jan 01 01:01:01 192.0.2.1 RealTime_Monitor 01:01 VALIDATION: 1234 Usercode example validated for example (by FTP/SE
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Hostname Host
Protocol Protocol
Device IP Source IP
UC Destination IP
Application Application
Object Object
Task Command
Description Message_Text
LOGbinder
Configure LOGbinder
Task
1. Open the LOGbinder Configurator.
2. Select the Output section, then select your preferred logging method. McAfee ESM currently supports the CEF format and the
Syslog-Generic format for all types.
3. Double-click the selected logging method and fill in the required syslog information.
Add LOGbinder
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
CEF
CEF:version|LOGbinder|SP|deviceVersion|signatureID|message key1=value1 key2=value2…
CEF
CEF:version|LOGbinder|EX|deviceVersion|signatureID|message key1=value1 key2=value2…
CEF
CEF:version|LOGbinder|SQL|deviceVersion|signatureID|message key1=value1 key2=value2…
CEF
Jan 01 01:01:01 192.0.2.1 CEF:0|LOGbinder|EX|3.0|25190|New-AdminAuditLogSearch Exchange cmdlet issuedrt=1/1/2015 1:01:01
CEF
Jan 01 01:01:01 192.0.2.1 CEF:0|LOGbinder|SP|5.1|65|Item declared as a recordrt=2015-01-01T01:01:01.0000001-00:00 reques
CEF
Sep 23 15:46:10 host CEF:0|LOGbinder|SQL|2.0|24000|SQL audit eventrt=1/1/2015 1:01:01.0000000 AM cfp1=RWA cfp1Label=Acti
Log fields McAfee ESM fields
Signature ID Signature ID
cmdlet Command
suid Security_ID
Log fields McAfee ESM fields
Signature ID Signature ID
itemsubject Subject
newauditpolicy Policy_Name
Log fields McAfee ESM fields
Signature ID Signature ID
schemaname Database_Name
memberdomainname Domain
targetobjectname Object
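The Lastline Enterprise and LOGbinder sections above both carry their events in the CEF envelope: a `CEF:0|Vendor|Product|Version|Signature ID|Name|Severity|` header followed by `key=value` extensions in which values may contain spaces and `|`, `=` and `\` are escaped with a backslash. The following is an added example, not McAfee, Lastline or LOGbinder code, that parses the envelope correctly under those escaping rules and applies each vendor's mapping table from this section. The two sample lines are constructed around the page's truncated samples (the LOGbinder severity, timestamp and SID values are made up), and only a subset of the Lastline rows is reproduced in the map.

```python
import re

# Mapping tables from this section, keyed by the CEF Device Vendor field.
FIELD_MAPS = {
    "Lastline": {
        "act": "Action", "cnt": "Count", "dhost": "Destination_Hostname",
        "dst": "Destination IP", "externalId": "External_EventID",
        "fileHash": "File_Hash", "fileSHA1": "SHA1", "fname": "Filename",
        "proto": "Protocol", "src": "Source IP", "dvchost": "Host",
        "msg": "Message_Text",
    },
    "LOGbinder": {
        "cmdlet": "Command", "suid": "Security_ID", "itemsubject": "Subject",
        "newauditpolicy": "Policy_Name", "schemaname": "Database_Name",
        "memberdomainname": "Domain", "targetobjectname": "Object",
    },
}

# A new extension key starts only after whitespace (or at the start) and ends at
# an unescaped '=', so spaces inside values are preserved.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
ESCAPE_RE = re.compile(r"\\(.)")


def _unescape_ext(raw):
    """Resolve CEF extension escapes: \\= \\\\ and the \\n / \\r line breaks."""
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def split_cef_header(msg):
    """Return the seven '|'-separated header fields (with \\| and \\\\ unescaped)
    and the raw extension string that follows the seventh separator."""
    parts, cur, i = [], [], 0
    while i < len(msg) and len(parts) < 7:
        c = msg[i]
        if c == "\\" and i + 1 < len(msg):   # escaped character inside a header field
            cur.append(msg[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(parts) < 7:
        raise ValueError("not a CEF message: fewer than seven header separators")
    return parts, msg[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict."""
    out = {}
    matches = list(KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end]).strip()
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload; None when there is no CEF: marker."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    header, ext = split_cef_header(line[idx:])
    return {
        "syslog_prefix": line[:idx].strip(),
        "cef_version": header[0].split(":", 1)[1],
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": header[4], "name": header[5], "severity": header[6],
        "extension": parse_extension(ext),
    }


def to_esm_fields(rec):
    """Apply the vendor's mapping table; header fields map to Signature ID and Severity."""
    out = {"Signature ID": rec["signature_id"], "Severity": rec["severity"]}
    for key, esm_name in FIELD_MAPS.get(rec["vendor"], {}).items():
        if key in rec["extension"]:
            out[esm_name] = rec["extension"][key]
    return out


# Constructed samples (extension values made up; hash and SID are placeholders).
LASTLINE_SAMPLE = (
    "May 20 13:20:56 mcafeecef CEF:0|Lastline|Enterprise|7.3|signature-match|IDS Signature Match|4|"
    "act=LOG cat=drive-by/Fiesta src=192.0.2.10 dst=198.51.100.20 proto=tcp "
    "fileSHA1=0123456789abcdef0123456789abcdef01234567 msg=Exploit kit landing page"
)
LOGBINDER_SAMPLE = (
    "Jan 01 01:01:01 192.0.2.1 CEF:0|LOGbinder|EX|3.0|25190|New-AdminAuditLogSearch Exchange cmdlet issued|5|"
    "rt=1/1/2015 1:01:01 AM cmdlet=New-AdminAuditLogSearch suid=S-1-5-21-0-0-0-1000"
)

if __name__ == "__main__":
    for sample in (LASTLINE_SAMPLE, LOGBINDER_SAMPLE):
        print(to_esm_fields(parse_cef(sample)))
```

The header splitter deliberately stops after the seventh separator so that the extension is handed over untouched; unescaping it before the keys are located would turn an escaped `\=` inside a value into a spurious key boundary.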
Lumension Bouncer
Configure Lumension Bouncer
See the product documentation for information about how to send syslog events to a syslog server or McAfee ESM.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source
device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitoFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
BouncerMgr CEF:0|Lumension|BOUNCER|<version>|<event type>|<event name>|<severity>| <key>=<value> <key>=<value> <key>=val
Log sample
This is a sample log from a Lumension Bouncer device:
BouncerMgr CEF:0|Lumension|BOUNCER|6.2|1234|Execute of file denied|1|EndpointName=exampleName EventClass=Endpoint EventID
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
EndpointName -> Host
IPAddress -> Source IP
Severity -> Severity
TargetPath -> Filename
TargetFileName -> Object
AskReason -> Message_Text
CauseID -> Subject
Log format
The expected format for this device is:
BouncerMgr CEF:0|Lumension|BOUNCER|<version>|<event type>|<event name>|<severity>| <key>=<value> <key>=<value> <key>=val
Log sample
This is a sample log from a Lumension Bouncer device:
Jan 01 01:01:01 hostname Manager:John Client:192.168.1.1 EventID: 123456 Level: 1 Count:78 EventCause: 90 AppName: appNa
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
IpProto -> Protocol
SrcAddr -> Source IP
DstAddr -> Destination IP
AppName -> Application
Lumension LEMSS
Configure Lumension LEMSS
See the Lumension LEMSS product documentation for setup instructions about sending syslog data to a remote server. Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Add Lumension LEMSS
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <severity> <deviceIP> <date time> <HostName> <ApplicationName> <ProcessName> <Message ID> <User> <UserName>
Log sample
This is a sample log from a Lumension LEMSS device:
01-01-2001 01:01:01 System.Info 192.0.2.1 1 2001-01-01T01:01:01Z app MEDIUM-INSERTED [EventLog@12345 User="S-1-2-34-1234
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
HostName -> Hostname
ApplicationName -> Application
DeviceIP -> Source IP
ProcessName -> Command
VolumeLabel ->
Version -> Version
DeviceName -> External_Device_Name
DeviceType -> External_Device_Type
Filename -> Directory
Reason -> Reason
Malwarebytes Malware Remediation
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|PRODUCT VENDOR|PRODUCT NAME|PRODUCT VERSION|SIGNATURE ID|NAME|SEVERITY|KEY=VALUE KEY=VALUE…
Log sample
This is a sample log from a device:
CEF:0|Malwarebytes|Malwarebytes Malware Remediation|1.0|1000|ScanStarted|1|act=Action cat=MalwareCategory cs1=MalwareNam
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
CEF:Severity -> Severity
Act -> Action
Cat -> Threat_Category
MalwareName -> Threat_Name
MalwareHash -> Hash
SessionId -> Session
MalwareClass -> Event_Class
CommandLine -> Command
Dvchost -> Host
filePath -> File_Path
Msg -> Message_Text
Malwarebytes Management Console
Configure Malwarebytes Management Console
Task
1. Open the Admin Module.
2. Switch to the Syslog Settings tab.
3. By default, logging to an external Syslog server is disabled. Click Change to open the settings dialog box.
4. Select Enable Syslog and fill in the appropriate configuration fields.
◦ Address: <IP address of the McAfee Event Receiver>
◦ Port: 514
◦ Protocol: UDP
◦ Specify Facility number (ranges from 0–23).
◦ Specify Severity number (ranges from 0–7).
◦ Payload Format: CEF
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|VENDOR|PRODUCT|VERSION|CATEGORY|MESSAGE|SEVERITY|deviceExternalId=externalid dvchost=hostname deviceDnsDomain=doma
Log sample
This is a sample log from a Malwarebytes Management Console device:
CEF:0|Malwarebytes|MBMC|1.7.0.3208 MBAM:1.80.2.1012 DB:913030101 MBAE:1.08.2.1189|DETECTION|Exploit ROP attack quarantin
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
Message -> Message
dst -> Destination IP
src -> Source IP
act -> Device_Action
PayloadProc -> Application
ObjectScanned -> Object
dvchost -> Hostname
Severity -> Severity
fname -> Filename
PayloadUrl -> URL
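The CEF lines shown for LOGbinder, Lumension Bouncer and both Malwarebytes products share one grammar: a pipe-delimited header in which a literal `|` or `\` is escaped with a backslash, followed by `key=value` extensions whose custom csN/cnN/cfpN fields take their meaning from a matching csNLabel key (as in the LOGbinder `cfp1=RWA cfp1Label=...` sample). The Python below is an added example, not code from this guide or from McAfee: it parses that grammar and applies the guide's Malwarebytes Malware Remediation and Lumension Bouncer mapping tables; the two sample events are constructed, and the function and table names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# An extension key is a token that starts the string or follows whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
# csN / cnN / cfpN custom fields carry their meaning in a matching csNLabel key.
_CUSTOM_RE = re.compile(r"^(cs|cn|cfp)\d+$")
HEADER_NAMES = ("cef_version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# Log field -> McAfee ESM field for Malwarebytes Malware Remediation, from the
# guide's table (keys lower-cased; MalwareName/MalwareHash arrive via csNLabel).
MBMR_MAPPING = {
    "cef:severity": "Severity", "act": "Action", "cat": "Threat_Category",
    "malwarename": "Threat_Name", "malwarehash": "Hash", "sessionid": "Session",
    "malwareclass": "Event_Class", "commandline": "Command", "dvchost": "Host",
    "filepath": "File_Path", "msg": "Message_Text",
}
# Lumension Bouncer mapping from the guide; the same parser serves it.
BOUNCER_MAPPING = {
    "endpointname": "Host", "ipaddress": "Source IP", "severity": "Severity",
    "targetpath": "Filename", "targetfilename": "Object",
    "askreason": "Message_Text", "causeid": "Subject",
}

# Constructed sample events modelled on the guide's samples (not real alerts).
SAMPLE_MBMR = (
    "CEF:0|Malwarebytes|Malwarebytes Malware Remediation|1.0|1000|ScanStarted|1|"
    "act=Quarantine cat=Trojan cs1=Trojan.Example cs1Label=MalwareName "
    "cs2=0123abcd cs2Label=MalwareHash dvchost=ws01 "
    r"filePath=C:\\Users\\x\\evil.exe msg=Threat quarantined on host"
)
SAMPLE_BOUNCER = (
    "BouncerMgr CEF:0|Lumension|BOUNCER|6.2|1234|Execute of file denied|1|"
    "EndpointName=exampleName EventClass=Endpoint IPAddress=192.0.2.10 "
    r"TargetPath=C:\\tools TargetFileName=run.exe"
)


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the raw extension string. A literal
    '|' or '\\' in a header field is escaped with '\\'; a syslog prefix is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body = line[start + len("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: take it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=value with spaces' into a dict. A value runs up to the next
    'key=' token, which is why CEF requires '=' inside a value to be written '\\='."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)   # undo \= \\ \| escapes
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename csN/cnN/cfpN keys to their csNLabel value, so cs1=... cs1Label=MalwareName
    becomes MalwareName=..., the name the guide's mapping tables use."""
    out: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label") and _CUSTOM_RE.match(key[:-5]):
            continue                      # consumed by its data field below
        label = ext.get(key + "Label") if _CUSTOM_RE.match(key) else None
        out[label or key] = value
    return out


def to_esm(line: str, mapping: Dict[str, str]) -> Dict[str, str]:
    """Parse one CEF line and return {ESM field: value} per the given table."""
    header, ext = split_header(line)
    fields = dict(zip(HEADER_NAMES, header))
    # The guide's tables call the header severity 'CEF:Severity' or 'Severity'.
    values = {"cef:severity": fields["severity"], "severity": fields["severity"]}
    values.update({k.lower(): v for k, v in resolve_labels(parse_extension(ext)).items()})
    mapped = {esm: values[src] for src, esm in mapping.items() if src in values}
    mapped["Signature ID"] = fields["signature_id"]   # header field kept alongside
    return mapped
```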
Microsoft Azure Event Hubs
Configure Microsoft Azure Event Hubs
Task
1. Set up Event Hubs according to Microsoft instructions.
2. Note the connection string and Event Hubs name. You will need them when you create the data source.
3. If you want to send data from the Event Hubs to multiple data sources, set up partitions. For example, if you have 32 partitions in the cluster, you can set up a data source to collect from partitions 0–15 and another data source to collect from partitions 16–32. The number of partitions is set when you create the Event Hubs and can't be changed. The maximum number of partitions is 32.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address: Automatically populated when you enter the Hostname and click Look up.
Hostname: The host name is part of the Event Hubs connection string. Paste it from the Azure portal.
Event Hub Connection String: The connection string provided on the Azure portal when you set up the Event Hubs.
Eventhub name: Created when you set up Event Hubs. Paste it from the Azure portal.
Consumer Group: Use $Default. If you want to collect the same data multiple times, add more groups (comma delimited).
Partition Start/End: Use partitions to set up multiple data sources for a single Event Hubs cluster. For example, if you have 32 partitions in the cluster, you can set up a data source to collect from partitions 0–15 and another data source to collect from partitions 16–31. The number of partitions is set when you create the Event Hubs and can't be changed. The maximum number of partitions is 32.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can deselect the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Microsoft DNS
Configure Microsoft DNS
Task
1. Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
2. Click Start → Programs → Administrative Tools, then select DNS.
3. From the DNS Server, right-click the server and select the Properties submenu.
4. Click the Debug Logging tab, then select Log packets debugging.
5. Ensure that the Incoming, UDP, Queries/Transfer, and Request checkboxes are selected.
File location is: systemroot\System32\Dns\Dns.log
6. Configure McAfee Collector to tail the log and send to the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Host ID: The host ID associated with the McAfee Collector log tail configuration, if applicable.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q [0001 D NOERROR] A (3)www(9)sonystyle
9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)
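Each PACKET line in the sample above carries the remote address, the direction (Rcv or Snd), the query/response flag, the flags block with the response code, and the query name in DNS wire-label notation ((3)www(9)sonystyle(3)com(0)), which must be decoded before the name can be searched or matched. The Python below is an added example, not code from this guide or from McAfee: it parses such lines, decodes the name (tolerating a line cut off mid-name, as the first sample line is), and counts received queries per client; the sample lines are constructed after the guide's sample and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Layout of a PACKET line as in the guide's sample:
# date time thread PACKET packet-id proto Snd|Rcv remote-ip xid Q|R [flags] qtype qname
_LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>.*)$"
)
# One wire-format label: (length)text
_LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Constructed lines modelled on the guide's sample; the last one is cut off
# mid-name the way the first sample line in the guide is.
SAMPLE_LINES = [
    "9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:39 PM 1720 PACKET 06569C90 UDP Rcv 10.0.0.30 6068 R [8081 DR NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:40 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be07 Q [0001 D NOERROR] A (3)www(9)sonystyle",
]


def decode_name(encoded: str) -> str:
    """'(3)www(9)sonystyle(3)com(0)' -> 'www.sonystyle.com'. (0) ends the name;
    if it is missing (truncated line) the labels seen so far are returned."""
    labels = []
    for length, text in _LABEL_RE.findall(encoded):
        if int(length) == 0:
            break
        labels.append(text[: int(length)])
    return ".".join(labels)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one PACKET line, or None for any other line
    (the debug log also contains multi-line packet dumps)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_name(rec["qname"])
    flag_parts = rec["flags"].split()          # e.g. ['0001', 'D', 'NOERROR']
    rec["rcode"] = flag_parts[-1] if flag_parts else ""
    return rec


def queries_by_client(lines: List[str]) -> Counter:
    """Count queries received (Rcv + Q) per client address: a quick view of
    which hosts are driving the resolver, the usual first pivot in DNS triage."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and rec["qr"] == "Q":
            counts[rec["remote_ip"]] += 1
    return counts
```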
Microsoft Forefront Endpoint Protection 2010
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Port: The TCP port that the database is listening on. The default port is 1433.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Microsoft Forefront Endpoint Protection 2010 log format and field mapping
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a Microsoft Forefront Endpoint Protection 2010 device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTP
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
Computer -> Hostname
IP Protocol -> Protocol
Source -> Source IP
Destination -> Destination IP
Microsoft IAS
Configure Microsoft IAS
Task
1. Open Internet Authentication Service.
2. Click Remote Access Logging in the console tree.
3. Right-click Local File in the details pane, then click Properties.
4. Enable the logging you want, then click Apply.
5. Click the Log File tab.
6. In the Directory field, enter the path for log file storage. If you are not using the McAfee Collector, make sure that the path is
accessible to the McAfee Event Receiver.
The default path is systemroot/System32/LogFiles.
7. Under Format, select IAS.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option: Definition
Data Retrieval: The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share).
Enabled: Select options for processing events. Some options may not be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option: Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name, AttributeNumber1, ValueForAttributeNum
Log sample
This is a sample log from a Microsoft IAS device:
192.0.2.1,client,01/01/2012,00:00:00,UAS,CLIENTCOMP,44,2666,25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,8153,0,8111,0,413
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields -> McAfee ESM fields
Client -> Domain
User-Name -> Username
Service-Name -> Application
Packet-type -> Action
Framed-IP-Address -> Source IP
NAS-IP-Address -> Device IP
Application -> Application
Reason-Code -> Reason
Connection-Info -> Message_Text
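An IAS-format record is six fixed columns (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by repeating attribute-number/value pairs, so the attributes the guide maps (Packet-type, Framed-IP-Address, Reason-Code) have to be located by their numbers rather than by position. The Python below is an added example, not code from this guide or from McAfee: it parses such records, resolves a partial attribute-number table (standard RADIUS numbers plus the IAS-specific numbers the author is confident of; everything else stays numeric), applies the guide's mapping table, and counts Access-Reject records per account; the sample records are constructed and the function and table names are this example's own.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# The six fixed leading columns of an IAS-format record (from the guide's format line).
FIXED = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
         "Service-Name", "Computer-Name"]
# Partial attribute-number table: standard RADIUS numbers plus the IAS-specific
# 4xxx numbers the author is confident of. Unknown numbers stay as digit strings.
ATTRIBUTES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    8: "Framed-IP-Address", 25: "Class", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 40: "Acct-Status-Type", 44: "Acct-Session-Id",
    4108: "Client-IP-Address", 4128: "Client-Friendly-Name",
    4136: "Packet-Type", 4142: "Reason-Code",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}
# Log field -> McAfee ESM field, from the guide's Microsoft IAS mapping table.
ESM_MAPPING = {
    "User-Name": "Username", "Service-Name": "Application",
    "Packet-Type": "Action", "Framed-IP-Address": "Source IP",
    "NAS-IP-Address": "Device IP", "Reason-Code": "Reason",
}

# Constructed records (not from a real server): one request, two rejects for
# the same account, one accept carrying a quoted Class attribute.
SAMPLE = [
    "192.0.2.1,alice,01/01/2012,00:00:00,IAS,NPS01,4136,1,8,10.1.1.50,4108,192.0.2.1,44,2666",
    "192.0.2.1,alice,01/01/2012,00:00:01,IAS,NPS01,4136,3,4142,16,4108,192.0.2.1",
    "192.0.2.1,alice,01/01/2012,00:00:02,IAS,NPS01,4136,3,4142,16,4108,192.0.2.1",
    '192.0.2.1,bob,01/01/2012,00:00:03,IAS,NPS01,4136,2,8,10.1.1.51,25,"311 1 172.1.1.1 01/01/2012 00:00:00 1"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one IAS-format line into {field name: value}."""
    cols = next(csv.reader(StringIO(line)))
    if len(cols) < len(FIXED):
        raise ValueError("short IAS record")
    rec = dict(zip(FIXED, cols))
    pairs = cols[len(FIXED):]
    # number,value,number,value,...; zip drops a trailing lone number, so a record
    # cut off right after an attribute number is not mis-paired with nothing.
    for num, val in zip(pairs[0::2], pairs[1::2]):
        rec[ATTRIBUTES.get(int(num), num) if num.isdigit() else num] = val
    return rec


def to_esm(rec: Dict[str, str]) -> Dict[str, str]:
    """Apply the guide's mapping; Packet-Type is decoded to its RADIUS name."""
    out = {esm: rec[src] for src, esm in ESM_MAPPING.items() if src in rec}
    if "Action" in out:
        out["Action"] = PACKET_TYPES.get(out["Action"], out["Action"])
    return out


def rejects_by_user(lines: List[str]) -> Counter:
    """Count Access-Reject records per account; a run of rejects for one user is
    the usual first sign of password guessing against the RADIUS server."""
    counts: Counter = Counter()
    for line in lines:
        esm = to_esm(parse_record(line))
        if esm.get("Action") == "Access-Reject":
            counts[esm.get("Username", "?")] += 1
    return counts
```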
Configure Microsoft IAS (database compatible)
Task
1. Open Internet Authentication Service.
2. Click Remote Access Logging in the console tree.
3. In the details pane, right-click Local File, then click Properties.
4. Enable the type of logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path is
network accessible to the McAfee Event Receiver.
The default path is systemroot/System32/LogFiles.
7. Click Database-compatible for the Format parameter.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Retrieval The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share)
Enabled Select options for processing events. Some options may not be available
for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
"ComputerName","ServiceName", Record-Date, Record-Time, Packet-Type,"User-Name","Fully-Qualified-Distinguished-Name",
Log sample
This is a sample log from a Microsoft IAS device:
"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0
"TestHost","IAS",01/01/2016,00:00:00,1,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Client Domain
IAS Application
Hostname Host
Policy-Name Policy_Name
Reason-Code Reason
Packet-Type+99+Reason-Code Signature ID
ServiceName Service_Name
NAS-Identifier External_Device_ID
Framed-IP-Address Source IP
Connect-Info Message_Text
Acct-Session-Id Session
Task
1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools in the Control Panel).
2. Select the Logging option.
3. Select a log format. W3C format is the default, but IIS and NCSA are also supported. If using the W3C format, you must select
all fields, so that every log line carries each column the parser expects (see the W3C line under Log format below).
4. Make a note of where the logs are being saved, or change the location as needed.
5. Finish the logging setup by configuring the McAfee Collector to tail the IIS logs and send them to the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected formats for this device are:
W3C
date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-A
NCSA
Remote_host_address Remote_log_name User_name [Date/time Greenwich mean time (GMT) offset] "Request and protocol version
IIS
Client_IP_address, User_name, Date, Time, Service_and_instance, Server_name, Server_IP, Time_taken, Client_bytes_sent, Se
Advanced Logging
date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes
Log sample
The following are samples of possible logs from the Microsoft IIS device:
W3C
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;
NCSA
172.21.13.45 - Microsoft\fred [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401
IIS
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,
Advanced Logging
2014-11-16 22:56:55.379 /index.html - "C:\inetpub\wwwroot\index.html" 200 "WIN2008R2-1" - 0 339 39 - - - 15:56:55.379 4
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
W3C Log fields McAfee ESM fields
s-ip Destination IP
cs-method Command
cs-uri-stem Object
c-ip Source IP
cs(User-Agent) Application
cs-host Hostname
sc-status sid
Client IP Source IP
Server IP Destination IP
NCSA Log fields McAfee ESM fields
s-ip Destination IP
cs-method Command
cs-uri-stem Object
c-ip Source IP
cs(User-Agent) User_Agent
cs-host Hostname
sc-status sid
sc-bytes Bytes_from_Server
cs-bytes Bytes_from_Client
protocol Application_Protocol
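The W3C mapping above only works if the parser knows which column is which, which is why the task insists on selecting all fields. The following is an added example (not ESM or Microsoft code) that parses IIS W3C extended log text by honouring the #Fields: directive rather than assuming a fixed layout, projects each line onto the ESM field names from the table, and runs a couple of illustrative review checks over the decoded request. The log text is constructed for the demonstration and uses RFC 5737 addresses; the heuristics in flag_request are this example's, not an ESM rule set.

```python
"""Parser for IIS W3C extended logs, mapped to the McAfee ESM field names
in the table above.  Added example, not ESM or Microsoft code.  The W3C
column names are IIS's own; the ESM names come from the page; the log
text below is constructed for this demonstration (RFC 5737 addresses)."""
import ipaddress
from urllib.parse import unquote_plus

# W3C field -> ESM field, exactly as the mapping table lists them.
W3C_TO_ESM = {
    "s-ip": "Destination IP",
    "cs-method": "Command",
    "cs-uri-stem": "Object",
    "c-ip": "Source IP",
    "cs(User-Agent)": "Application",
    "cs-host": "Hostname",
    "sc-status": "sid",
}

# Constructed sample.  The '#Fields:' directive names the columns, which is
# why a parser should read it instead of assuming the full field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-04-14 14:58:36
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-04-14 14:58:36 W3SVC1 WEB01 192.0.2.10 GET /exampletest - 80 - 198.51.100.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0) www.example.com 200 0 0 1532 412 15
2011-04-14 14:58:37 W3SVC1 WEB01 192.0.2.10 GET /admin/../../windows/win.ini - 80 - 198.51.100.7 HTTP/1.1 curl/7.64.1 www.example.com 404 0 2 1410 230 3
2011-04-14 14:58:38 W3SVC1 WEB01 192.0.2.10 POST /login.aspx user=%27+OR+1%3D1-- 443 - 203.0.113.5 HTTP/1.1 python-requests/2.22 www.example.com 500 0 0 3020 880 120
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by W3C field name.

    Lines beginning with '#' are directives.  '#Fields:' fixes the column
    order for the data lines that follow it, so a site that logs fewer
    columns still parses; a column-count mismatch raises rather than
    silently shifting values into the wrong fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        # IIS writes '-' for an empty column.
        yield {f: (None if v == "-" else v) for f, v in zip(fields, values)}


def to_esm(record):
    """Project a parsed line onto the ESM names from the mapping table;
    columns the table does not mention are dropped, as the table implies."""
    esm = {W3C_TO_ESM[k]: v for k, v in record.items() if k in W3C_TO_ESM}
    for key in ("Source IP", "Destination IP"):
        if esm.get(key):
            ipaddress.ip_address(esm[key])  # reject a non-address in an IP column
    if esm.get("sid") is not None:
        esm["sid"] = int(esm["sid"])
    return esm


def flag_request(record):
    """Illustrative review heuristics over the parsed columns (chosen for this
    example; not an ESM rule set).  W3C replaces spaces with '+', and the
    query is URL-encoded, so decode before inspecting."""
    reasons = []
    if int(record.get("sc-status") or 0) >= 500:
        reasons.append("server error")
    path = unquote_plus(record.get("cs-uri-stem") or "")
    query = unquote_plus(record.get("cs-uri-query") or "")
    if "../" in path or "..\\" in path:
        reasons.append("path traversal attempt")
    if "'" in query or " or 1=1" in query.lower():
        reasons.append("sql-injection-like query")
    return reasons


def analyse(text):
    """(esm_fields, flags) for every request line in the log text."""
    return [(to_esm(r), flag_request(r)) for r in parse_w3c(text)]


if __name__ == "__main__":
    for esm, flags in analyse(SAMPLE_LOG):
        print(esm["Source IP"], esm["Command"], esm["Object"], esm["sid"], flags)
```

Reading #Fields: is also what protects you when an administrator later trims the logged columns: the parser raises on a column-count mismatch instead of quietly writing a user agent into the Source IP field.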
Task
1. Download the Advanced Logging extension for IIS. At the time of this documentation, it was available at:
http://www.iis.net/downloads/microsoft/advanced-logging
2. Run AdvancedLogging.exe to start the Web Platform Installer.
Once loaded, the installer displays a window to install Advanced Logging.
3. Select Install.
4. When the installer displays the licensing information, select I Accept.
The remaining phases complete the installation automatically.
5. Click Finish to exit the Advanced Logging installation.
6. Click Exit to exit the Web Platform Installer.
Advanced Logging is now installed.
Configure Microsoft IIS Advanced Logging
Task
1. Open the Internet Information Services (IIS) Manager.
2. Under Connections, select the server.
3. Click the Advanced Logging icon.
4. From the Advanced Logging menu, click Enable Advanced Logging on the right.
5. In the Name column, click the name of the server hosting the site to change the menu options on the right.
6. Select Edit Log Definition.
7. From the Log Definition menu, scroll down to Selected Fields, then click Select Fields.
8. In Select Logging Fields, select every field in the ID column. Scroll down to select all fields, then click OK.
9. From the Internet Information Services (IIS) Manager window, click Apply.
Task
1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.
For Server 2008, click Configure Local File Logging under Local File Logging in the details pane.
4. In Log File Properties, enable the type of logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path is
accessible to the McAfee Event Receiver.
The default path is %systemroot%\System32\LogFiles.
7. From the Format menu, select ODBC (Legacy).
For platforms earlier than Server 2008 R2, select Database-compatible in the Format field.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
"ComputerName","ServiceName", Record-Date, Record-Time, Packet-Type,"User-Name","Fully-Qualified-Distinguished-Name",
Log sample
These are log samples from a Microsoft IAS device:
"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0
"TestHost","IAS",01/01/2016,00:00:00,1,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Client Domain
IAS Application
Hostname Host
Policy-Name Policy_Name
Reason-Code Reason
Packet-Type+99+Reason-Code Signature ID
ServiceName Service_Name
NAS-Identifier External_Device_ID
Framed-IP-Address Source IP
Connect-Info Message_Text
Acct-Session-Id Session
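The database-compatible (ODBC) format described above for IAS and again here for NPS is positional: the meaning of a column depends entirely on its index, and the page's "Log format" line names only the first seven. The following is an added example (not ESM or Microsoft code) that parses such lines with the csv module (quoted strings, empty columns), maps them onto the ESM names from the table, builds the Signature ID the table describes as Packet-Type+99+Reason-Code, and lists Access-Reject records with their reason. The column list beyond the seventh follows Microsoft's published layout for this format, reproduced from memory and cut at column 36, so verify it against your NPS version; the reading of "+99+" as string concatenation and of "Client" as the DOMAIN\ prefix of User-Name are this example's assumptions; the sample lines are constructed.

```python
"""Parser for the IAS/NPS database-compatible (ODBC-style) format that the
two "Log format" lines above describe, mapped to the ESM names in the
tables.  Added example, not ESM or Microsoft code.  The first seven column
names are the page's; the remaining ones follow Microsoft's published
column layout for this format, reproduced from memory and cut at column 36
(verify against your NPS version).  The sample lines are constructed."""
import csv
import io

DB_COLUMNS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address",
    "NAS-Identifier", "NAS-IP-Address", "NAS-Port", "Client-Vendor",
    "Client-IP-Address", "Client-Friendly-Name", "Event-Timestamp",
    "Port-Limit", "NAS-Port-Type", "Connect-Info", "Framed-Protocol",
    "Service-Type", "Authentication-Type", "Policy-Name", "Reason-Code",
    "Class", "Session-Timeout", "Idle-Timeout", "Termination-Action",
    "EAP-Friendly-Name", "Acct-Status-Type", "Acct-Delay-Time",
    "Acct-Input-Octets", "Acct-Output-Octets", "Acct-Session-Id",
]

# Standard RADIUS packet codes, and a subset of the IAS reason codes from
# Microsoft's published list (from memory; extend from your own NPS docs).
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
REASON_CODES = {"0": "IAS_SUCCESS", "8": "IAS_NO_SUCH_USER", "16": "IAS_AUTH_FAILURE",
                "34": "IAS_ACCOUNT_DISABLED", "36": "IAS_ACCOUNT_LOCKED_OUT",
                "48": "IAS_NO_POLICY_MATCH"}

# Constructed: an Access-Request, an Access-Reject (reason 16) and an
# Accounting-Request (Start) for the same wireless user.
SAMPLE = r'''"NPS01","IAS",01/01/2016,00:00:00,1,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Wifi","0A-0A-0A-0A-0A-0A",,,"WLC01","192.0.2.20",13,0,"192.0.2.20","Campus-WLC",,,19,"CONNECT 11Mbps 802.11b",,2,5,,
"NPS01","IAS",01/01/2016,00:00:01,3,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Wifi","0A-0A-0A-0A-0A-0A",,,"WLC01","192.0.2.20",13,0,"192.0.2.20","Campus-WLC",,,19,"CONNECT 11Mbps 802.11b",,2,5,"Wireless Access",16
"NPS01","IAS",01/01/2016,00:00:05,4,"EXAMPLE\Test.User",,"0F-0F-0F-0F-0F-0F:EXAMPLE-Wifi","0A-0A-0A-0A-0A-0A",,"10.20.30.40","WLC01","192.0.2.20",13,0,"192.0.2.20","Campus-WLC",,,19,"CONNECT 11Mbps 802.11b",,2,,"Wireless Access",0,,,,,,1,0,,,"80003A4F"
'''


def parse_db_format(text):
    """One dict per line, keyed by DB_COLUMNS.  Empty columns become None.
    Shorter lines (the constructed sample stops early) are padded; a line
    with more columns than the layout raises so a layout mismatch is
    noticed instead of silently mis-mapping the tail."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) > len(DB_COLUMNS):
            raise ValueError(f"{len(row)} columns, layout knows {len(DB_COLUMNS)}")
        row += [""] * (len(DB_COLUMNS) - len(row))
        records.append({k: (v or None) for k, v in zip(DB_COLUMNS, row)})
    return records


def to_esm(rec):
    """Mapping table above.  'Client -> Domain' is read as the DOMAIN\\ prefix
    of User-Name and 'Packet-Type+99+Reason-Code' as string concatenation;
    both are this example's assumptions.  Requests carry no Reason-Code, so
    their Signature ID is left unset rather than guessed."""
    user = rec["User-Name"] or ""
    pt, rc = rec["Packet-Type"], rec["Reason-Code"]
    return {
        "Host": rec["ComputerName"],
        "Service_Name": rec["ServiceName"],
        "Application": rec["ServiceName"],
        "Domain": user.split("\\", 1)[0] if "\\" in user else None,
        "Policy_Name": rec["Policy-Name"],
        "Reason": rc,
        "Signature ID": f"{pt}99{rc}" if pt and rc is not None else None,
        "External_Device_ID": rec["NAS-Identifier"],
        "Source IP": rec["Framed-IP-Address"],
        "Message_Text": rec["Connect-Info"],
        "Session": rec["Acct-Session-Id"],
    }


def failed_logons(records):
    """(user, reason name) for every Access-Reject in the batch."""
    return [(r["User-Name"], REASON_CODES.get(r["Reason-Code"], f"reason {r['Reason-Code']}"))
            for r in records if PACKET_TYPES.get(r["Packet-Type"]) == "Access-Reject"]


if __name__ == "__main__":
    recs = parse_db_format(SAMPLE)
    for r in recs:
        print(PACKET_TYPES.get(r["Packet-Type"]), to_esm(r)["Signature ID"])
    print(failed_logons(recs))
```

The guard on column count matters in practice: a newer NPS build that appends columns still parses, but a file whose leading columns differ from the layout (for example, IAS-legacy lines dropped into the same directory) fails loudly rather than populating Policy_Name with an IP address.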
Task
1. Open Network Policy Server (NPS) or the NPS Microsoft Management Console (MMC) snap-in.
2. Click Accounting in the console tree.
3. In the details pane under Log File Properties, click Change Log File Properties.
For Server 2008, click Configure Local File Logging.
4. On the Log File Properties page, enable the logging you want, then click Apply.
5. On the Log File tab, enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure
that the path is accessible to the McAfee Event Receiver.
The default path is %systemroot%\System32\LogFiles.
6. From the Format drop-down list, select IAS (Legacy).
For platforms earlier than Server 2008 R2, select IAS in the Format field.
7. To create a log file at specific intervals, select the interval that you want to use.
8. Click Apply, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name, AttributeNumber1, ValueForAttributeNum
Log sample
This is a sample log from a Microsoft IAS device:
192.0.2.1,client,01/01/2012,00:00:00,UAS,CLIENTCOMP,44,2666,25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,8153,0,8111,0,413
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Client Domain
User-Name Username
Service-Name Application
Packet-type Action
Framed-IP-Address Source IP
NAS-IP-Address Device IP
Application Application
Reason-Code Reason
Connection-Info Message_Text
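The IAS (legacy) format shown above, here and in the earlier IAS section, is six fixed columns followed by an open-ended list of RADIUS attribute number/value pairs, so the parser has to know the attribute dictionary rather than a column layout. The following is an added example (not ESM or Microsoft code) that splits such a line, resolves the numbers to attribute names, keeps repeated attributes (Reply-Message can appear more than once), maps the result onto the ESM names from the table, and rejects lines whose trailing tokens cannot be paired. The standard RADIUS numbers and the IAS vendor-specific ones (4108, 4127, 4128, 4129, 4130, 4136, 4142, 4149) are listed from memory; reading "Client" as the DOMAIN\ prefix of User-Name is this example's assumption; the lines are constructed.

```python
"""Parser for the IAS (legacy) format described above: six fixed columns
followed by RADIUS attribute-number/value pairs.  Added example, not ESM
or Microsoft code.  ATTRIBUTES holds the standard RADIUS numbers plus the
IAS vendor-specific numbers Microsoft documents for this format, listed
from memory; the sample lines are constructed."""

HEADER_COLUMNS = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
                  "Service-Name", "Computer-Name"]

ATTRIBUTES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    7: "Framed-Protocol", 8: "Framed-IP-Address", 18: "Reply-Message", 25: "Class",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    40: "Acct-Status-Type", 44: "Acct-Session-Id", 61: "NAS-Port-Type", 77: "Connect-Info",
    4108: "Client-IP-Address", 4127: "Authentication-Type", 4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name", 4136: "Packet-Type",
    4142: "Reason-Code", 4149: "Policy-Name",
}

# Constructed: request, reject (two Reply-Message attributes), accounting start.
SAMPLE_LINES = [
    r"192.0.2.1,EXAMPLE\jdoe,01/01/2012,00:00:00,IAS,NPS01,4136,1,4108,192.0.2.1,4128,VPN-GW,6,2,31,203.0.113.9,32,vpn-gw-01,61,5,77,SSL-VPN",
    r"192.0.2.1,EXAMPLE\jdoe,01/01/2012,00:00:01,IAS,NPS01,4136,3,4108,192.0.2.1,4142,16,18,Authentication failed,18,Contact the helpdesk,4149,VPN Users",
    r"192.0.2.1,EXAMPLE\jdoe,01/01/2012,00:00:05,IAS,NPS01,4136,4,40,1,44,2666,8,10.20.30.40,25,311 1 192.0.2.1 01/01/2012 00:00:00 2665,4108,192.0.2.1",
]


def parse_ias_legacy(line):
    """Return (header, attributes).  The legacy format quotes nothing, so a
    value containing a comma cannot be recovered; the parser therefore
    insists on an even number of trailing tokens and raises otherwise
    (truncated or comma-in-value lines) rather than pairing them wrongly."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < len(HEADER_COLUMNS):
        raise ValueError(f"too few columns: {line!r}")
    header = dict(zip(HEADER_COLUMNS, parts[:len(HEADER_COLUMNS)]))
    pairs = parts[len(HEADER_COLUMNS):]
    if len(pairs) % 2:
        raise ValueError(f"unpaired attribute list in {line!r}")
    attrs = {}
    for number, value in zip(pairs[0::2], pairs[1::2]):
        name = ATTRIBUTES.get(int(number), f"Attribute-{number}")
        attrs.setdefault(name, []).append(value)  # attributes may repeat
    return header, attrs


def to_esm(header, attrs):
    """Mapping table above.  'Client -> Domain' is read as the DOMAIN\\ prefix
    of User-Name (assumption); repeated attributes are joined with '; '.
    Message_Text falls back to Reply-Message when Connect-Info is absent,
    which is this example's choice, not the table's."""
    def one(name):
        values = attrs.get(name)
        return "; ".join(values) if values else None

    user = header["User-Name"]
    return {
        "Domain": user.split("\\", 1)[0] if "\\" in user else None,
        "Username": user,
        "Application": header["Service-Name"],
        "Action": one("Packet-Type"),
        "Source IP": one("Framed-IP-Address"),
        "Device IP": header["NAS-IP-Address"],
        "Reason": one("Reason-Code"),
        "Message_Text": one("Connect-Info") or one("Reply-Message"),
    }


def parse_lines(lines):
    """Batch helper: mapped records plus the lines that failed, so one bad
    line does not stop ingestion of the rest."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(to_esm(*parse_ias_legacy(line)))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return good, bad


if __name__ == "__main__":
    records, errors = parse_lines(SAMPLE_LINES)
    for rec in records:
        print(rec["Username"], rec["Action"], rec["Reason"], rec["Message_Text"])
    print("rejected lines:", errors)
```

Because nothing in this format is quoted, an attribute value containing a comma shifts every later pair by one; the even-count check catches the common truncated-line case, but a line that stays even after such a shift will still mis-pair, which is one reason to prefer the database-compatible or DTS-compliant formats where the server offers them.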
Configuring Microsoft NPS (XML ASP)
DTS Compliant (XML) logging is not available on platforms earlier than Server 2008 R2.
Task
1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.
4. In the Log File Properties window, enable the logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path is
accessible to the McAfee Event Receiver.
The default path is %systemroot%\System32\LogFiles.
7. From the Format drop-down list, select DTS Compliant.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<Event><Timestamp data_type="VALUE"> VALUE </Timestamp><Computer-Name data_type="VALUE"> VALUE </Computer-Name><Event-So
Log sample
This is a sample log from a Microsoft NPS device:
<Event><Timestamp data_type="4">01/01/2012 00:00:00.000</Timestamp><Computer-Name data_type="1">S0020222</Computer-Name>
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
User-Name Domain
User-Name Username
Computer-Name Destination_Hostname
Framed-IP-Address Source IP
Client-IP-Address Device IP
Class Destination IP
NAS-IP-Address Device IP
Reason-Code Reason
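The DTS-compliant format above carries a data_type attribute on every element, so a parser can type the values instead of treating everything as text. The following is an added example (not ESM or Microsoft code) that parses one <Event> per line with the standard library, converts each value according to its data_type, collects repeated elements into lists, and maps the result onto the ESM names from the table. The data_type codes (0 integer, 1 string, 2 hex, 3 IPv4 address, 4 date/time) are the IAS/NPS ones as I know them and should be treated as an assumption to check against your own logs; preferring NAS-IP-Address over Client-IP-Address for Device IP is this example's choice, since the table lists both; the two events are constructed.

```python
"""Parser for NPS DTS-compliant (XML) events of the shape shown above, with
the data_type attribute honoured and the result mapped to the ESM names in
the table.  Added example, not ESM or Microsoft code.  The data_type codes
(0 integer, 1 string, 2 hex, 3 IPv4 address, 4 date/time) are the IAS/NPS
ones as I know them: an assumption to verify.  The events are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

SAMPLE_XML = r'''<Event><Timestamp data_type="4">01/01/2012 00:00:00.000</Timestamp><Computer-Name data_type="1">S0020222</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\jdoe</User-Name><Client-IP-Address data_type="3">192.0.2.1</Client-IP-Address><Client-Friendly-Name data_type="1">VPN-GW</Client-Friendly-Name><NAS-IP-Address data_type="3">192.0.2.1</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.40</Framed-IP-Address><Class data_type="1">311 1 192.0.2.1 01/01/2012 00:00:00 2665</Class><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2012 00:00:07.250</Timestamp><Computer-Name data_type="1">S0020222</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jdoe</User-Name><Client-IP-Address data_type="3">192.0.2.1</Client-IP-Address><Reply-Message data_type="1">Authentication failed</Reply-Message><Reply-Message data_type="1">Contact the helpdesk</Reply-Message><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'''


def convert(value, data_type):
    """Type a text value by its data_type attribute; unknown codes stay text."""
    if value == "":
        return None
    if data_type == "0":
        return int(value)
    if data_type == "2":
        return bytes.fromhex(value)
    if data_type == "3":
        return ipaddress.ip_address(value)
    if data_type == "4":
        return datetime.strptime(value, "%m/%d/%Y %H:%M:%S.%f")
    return value


def parse_event(xml_text):
    """One <Event> element -> dict.  Repeated elements (e.g. Reply-Message)
    collect into a list; single ones are unwrapped.  Stdlib ElementTree does
    not fetch external entities; if the XML comes from a writer you do not
    control, parse it with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != "Event":
        raise ValueError(f"expected <Event>, got <{root.tag}>")
    fields = {}
    for child in root:
        value = convert((child.text or "").strip(), child.get("data_type", "1"))
        fields.setdefault(child.tag, []).append(value)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}


def parse_log(text):
    """NPS writes one <Event> per line with no enclosing root element."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def to_esm(event):
    """Mapping table above.  User-Name is split into Domain and Username on
    the backslash; Device IP prefers NAS-IP-Address over Client-IP-Address
    (the table lists both; the preference is this example's).  Class maps to
    Destination IP exactly as the table prints it."""
    domain, _, username = event.get("User-Name", "").rpartition("\\")
    device_ip = event.get("NAS-IP-Address", event.get("Client-IP-Address"))
    framed = event.get("Framed-IP-Address")
    return {
        "Domain": domain or None,
        "Username": username,
        "Destination_Hostname": event.get("Computer-Name"),
        "Source IP": str(framed) if framed is not None else None,
        "Device IP": str(device_ip) if device_ip is not None else None,
        "Destination IP": event.get("Class"),
        "Reason": event.get("Reason-Code"),
    }


if __name__ == "__main__":
    for event in parse_log(SAMPLE_XML):
        print(event["Timestamp"].isoformat(), event["Packet-Type"], to_esm(event))
```

Typing the values at parse time is what lets later logic compare Packet-Type and Reason-Code as integers and validate that an element declared as an address really holds one; a mis-typed or empty field surfaces here rather than as a silently wrong string downstream.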
Task
1. In the Microsoft Azure portal, navigate to Azure Active Directory. If Azure Active Directory is not visible in the left menu, click More Services,
then search for it.
2. From the Active Directory submenu, click the Properties tab.
3. Copy the Directory ID value to use as the Tenant ID when setting up McAfee ESM for the Microsoft Office 365 data source.
4. Navigate to App registrations.
5. Add an application.
a. Click New application registration.
b. Name the application.
c. Select the Web app/API type.
d. In Sign-on URL, enter http://localhost:1234
e. Click Create at the bottom of the screen.
6. Select the newly created application.
7. Copy and save the Application ID to use as the Client ID when setting up McAfee ESM for the Microsoft Office 365 data source.
8. Enable McAfee ESM to pull event data.
a. Click Required permissions.
b. Click Add at the top of the screen.
c. From Add API Access, click Select an API.
d. Search for and select Office 365 Management APIs. Then click Select at the bottom of the screen.
e. In Required Permissions, select Office 365 Management APIs.
f. Enable all Application Permissions.
g. Enable all Delegated Permissions, then click Save at the top of the screen.
h. Work with your administrator to grant the application the new permissions by clicking Grant Permissions at the top of the screen.
Granting every permission is broader than reading the activity feed requires; if your tenant enforces least privilege, grant only the Office 365 Management APIs permissions needed to read the activity feed and confirm the set with your Azure AD administrator.
9. Set up a security key.
a. Click Keys on the application settings.
b. Enter a key description and select a duration.
c. Click Save.
d. On the next screen, save the secret key value to a secure location for future reference.
Note: The secret key value does not appear again. McAfee ESM requires the secret key to set up the Microsoft Office 365
data source.
10. To collect data for Microsoft Office 365 subscriptions to specific content types, use a tool that can send API POST and
GET requests. Starting a subscription requires an access token to call the subscription API.
a. For the POST URL, enter https://login.microsoftonline.com/"insert tenant id here"/oauth2/token
b. For the raw body of the POST request, enter grant_type=client_credentials&client_id="insert client id
here"&client_secret="insert secret key here"&resource=https://manage.office.com
If the secret key contains reserved characters such as &, + or %, URL-encode it in the body.
c. In the header, set Key to 'Content-Type' and the value to 'application/x-www-form-urlencoded'
d. Send the POST. The response is JSON; retrieve the access_token value from it to use in the next request.
Note: For information about access tokens, see https://msdn.microsoft.com/en-us/office-365/get-started-with-office-365-management-apis#requesting-access-tokens-from-azure-ad.
11. Start subscriptions.
a. For the POST URL, enter https://manage.office.com/api/v1.0/"insert tenant id here"/activity/feed/subscriptions/start?contentType="insert desired subscription content type"
b. In the header, set Key to 'Authorization' and the value to 'Bearer "insert access token here"'
The JSON response indicates that the content type is enabled.
Note: As of June 12, 2017, content types are Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General,
and DLP.All. For information about starting subscriptions, see https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference#start-a-subscription.
12. Verify which content types are subscribed.
a. For the GET URL, enter https://manage.office.com/api/v1.0/"insert tenant id here"/activity/feed/subscriptions/list
b. In the header, set Key to 'Authorization' and the value to 'Bearer "insert access token here"'
The JSON response lists all content types that are enabled.
Note: For information about listing subscriptions, see https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference#list-current-subscriptions.
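Steps 10 through 12 above are one OAuth2 client-credentials exchange followed by two authenticated calls, and they are easier to repeat and to audit as a script than as hand-built requests in a REST tool. The following is an added example (not ESM or Microsoft code) that builds the token request with proper form encoding, extracts the access token, and issues the start and list calls with a Bearer header. The endpoints and body parameters are the ones the page gives; the HTTP transport is injected so the exchange runs here against a constructed stand-in (FakeTransport, whose replies are shaped like the real JSON but are not real responses) and against urllib when you supply your own tenant ID, client ID and secret. The tenant ID, client ID and secret values in the code are placeholders.

```python
"""Steps 10-12 above as code: the client-credentials token request to
Azure AD, then start/list calls to the Office 365 Management Activity API.
Added example, not ESM or Microsoft code.  Endpoints and body parameters
are those the page gives; the transport is injected so the exchange can be
exercised against the constructed FakeTransport below or against urllib
with live credentials.  All identifiers and secrets here are placeholders."""
import json
import urllib.request
from urllib.parse import quote, unquote, urlencode

LOGIN = "https://login.microsoftonline.com"
MANAGE = "https://manage.office.com"
# Content types the page lists as of June 2017.
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All")


def token_request(tenant_id, client_id, client_secret):
    """Step 10: (url, headers, body).  urlencode does the escaping the page's
    hand-built body omits, so a secret containing '&', '+' or '%' still works."""
    url = f"{LOGIN}/{quote(tenant_id, safe='')}/oauth2/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": MANAGE})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token(response_text):
    """Pull access_token out of the token reply; surface Azure AD's error text."""
    data = json.loads(response_text)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data.get('error_description', data['error'])}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def subscription_url(tenant_id, action, content_type=None):
    """Steps 11 and 12: .../activity/feed/subscriptions/{start|list}."""
    url = f"{MANAGE}/api/v1.0/{quote(tenant_id, safe='')}/activity/feed/subscriptions/{action}"
    if content_type is not None:
        if content_type not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {content_type!r}")
        url += "?contentType=" + quote(content_type, safe="")
    return url


class ActivityFeed:
    """send(method, url, headers, body) -> response text is injected."""

    def __init__(self, tenant_id, client_id, client_secret, send):
        self.tenant_id, self.client_id = tenant_id, client_id
        self.client_secret, self.send = client_secret, send
        self.token = None

    def authenticate(self):
        url, headers, body = token_request(self.tenant_id, self.client_id, self.client_secret)
        self.token = parse_token(self.send("POST", url, headers, body))
        return self.token

    def _call(self, method, url):
        if self.token is None:
            raise RuntimeError("authenticate() first")
        data = json.loads(self.send(method, url, {"Authorization": f"Bearer {self.token}"}, None))
        if isinstance(data, dict) and "error"in data:
            raise RuntimeError(data["error"].get("message", str(data["error"])))
        return data

    def start(self, content_type):
        return self._call("POST", subscription_url(self.tenant_id, "start", content_type))["status"]

    def enabled(self):
        subs = self._call("GET", subscription_url(self.tenant_id, "list"))
        return sorted(s["contentType"] for s in subs if s.get("status") == "enabled")


def urllib_send(method, url, headers, body):
    """Real transport for live credentials (not exercised here)."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


class FakeTransport:
    """Constructed stand-in for both endpoints; replies mimic the real JSON shapes."""
    TOKEN = "eyJ.constructed.token"

    def __init__(self):
        self.enabled = {"Audit.Exchange"}

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth2/token"):
            return json.dumps({"token_type": "Bearer", "expires_in": "3599",
                               "resource": MANAGE, "access_token": self.TOKEN})
        if headers.get("Authorization") != f"Bearer {self.TOKEN}":
            return json.dumps({"error": {"code": "Unauthorized", "message": "missing or invalid bearer token"}})
        if "/subscriptions/start?contentType=" in url:
            ct = unquote(url.rsplit("=", 1)[1])
            self.enabled.add(ct)
            return json.dumps({"contentType": ct, "status": "enabled", "webhook": None})
        if url.endswith("/subscriptions/list"):
            return json.dumps([{"contentType": c, "status": "enabled", "webhook": None}
                               for c in sorted(self.enabled)])
        return json.dumps({"error": {"code": "NotFound", "message": url}})


if __name__ == "__main__":
    feed = ActivityFeed("00000000-0000-0000-0000-000000000000", "client-id", "s@cret&more", FakeTransport())
    feed.authenticate()
    print(feed.start("Audit.SharePoint"), feed.enabled())
```

To run it for real, pass urllib_send instead of FakeTransport() and read the secret from a secret store or environment variable rather than from the script, since the secret is the credential that the "Enable all permissions" step above turned into read access to the whole tenant's audit trail.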
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname manage.office.com
Tenant ID Tenant ID
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<Date-Time> <Id> <Operation> <OrganizationId> <RecordType> <ResultStatus> <UserKey> <UserType> <Version><Workload> <User
Log sample
This is a sample Microsoft Office 365 log:
{"CreationTime":"2000-01-01T22:00:04","Id":"00000000-0000-0000-0000-000000000000","Operation":"Create","OrganizationId":"
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
ResultStatus action
Workload application
ObjectID URL
OrganizationName domain
Subject subject
Microsoft SQL
Add Microsoft MSSQL Error Log
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask <Enable>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Time Zone Time zone where the data source is physically located
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Open the DHCP Microsoft Management Console (MMC) snap-in.
2. In the console tree, select the DHCP server that you want to configure.
For Server 2008 and later, expand the navigation tree and select IPv4 or IPv6.
3. From the Action menu, select Properties.
4. On the General tab, select Enable DHCP audit logging, then click OK.
5. (Optional) Click the Advanced tab and enter the logging path in the Audit log file path.
Note: By default, the location of DHCP audit logs is %windir%\System32\dhcp.
Option Definition
Enabled Checked
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
For platforms earlier than Windows Server 2008: the expected format for this device is:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,
The expected format for this device is as follows for Windows Server 2008 and 2008 R2:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID,QResult,Probationtime,CorrelationID,
The expected format for this device is as follows for Windows Server 2012 and above:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID,QResult,Probationtime, CorrelationID,
Log sample
This is a sample log from a Windows Server 2003 DHCP device:
35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,sampleHost,000000000000,
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields             McAfee ESM fields
ID                     Sid
IP Address             Source IP
TransactionID          Session ID
QResult                Return_Code
VendorClass(ASCII)     External_Device_Name
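The following Python example, added here and not part of the guide, parses one DHCP audit log line according to the column lists above and applies the field mapping. It picks the pre-2008 or the 2008-and-later layout from the number of columns; the 2008-and-later column list is embedded only as far as the guide prints it, and the second sample line is constructed here.

```python
import csv
import io
from typing import Dict, List

# Column lists as the guide prints them. The 2008-and-later list is cut off in
# the guide after CorrelationID, so only those columns are named here.
COLUMNS_PRE_2008: List[str] = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address",
]
COLUMNS_2008_PLUS: List[str] = COLUMNS_PRE_2008 + [
    "User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID",
]

# DHCP log field -> McAfee ESM field, from the mapping table above.
ESM_FIELD_MAP: Dict[str, str] = {
    "ID": "Sid",
    "IP Address": "Source IP",
    "TransactionID": "Session ID",
    "QResult": "Return_Code",
    "VendorClass(ASCII)": "External_Device_Name",  # lies beyond the columns the guide shows
}

# Sample lines: the first is the guide's Windows Server 2003 sample, the second
# is constructed here in the 2008-and-later layout.
DHCP_SAMPLE_2003 = "35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,sampleHost,000000000000,"
DHCP_SAMPLE_2008 = ("10,06/18/2014,10:33:00,Assign,192.0.2.7,host1.example.com,00AABBCCDDEE,,"
                    "1234,0,0,00000000-0000-0000-0000-000000000000,")


def parse_dhcp_audit_line(line: str) -> Dict[str, str]:
    """Parse one DHCP audit log line into {column name: value}.

    The layout is chosen by column count: up to seven values means the
    pre-2008 layout, more means 2008 and later. Columns past the ones the
    guide names are kept under a positional name rather than dropped.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return {}
    values = next(csv.reader(io.StringIO(line)))
    # Every layout ends with a trailing comma, which csv reads as one empty value.
    if values and values[-1] == "":
        values.pop()
    columns = COLUMNS_PRE_2008 if len(values) <= len(COLUMNS_PRE_2008) else COLUMNS_2008_PLUS
    record: Dict[str, str] = {}
    for index, value in enumerate(values):
        name = columns[index] if index < len(columns) else f"column_{index}"
        record[name] = value.strip()
    return record


def to_esm_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Apply the guide's field mapping; unmapped or empty fields are left out."""
    return {
        esm_name: record[log_name]
        for log_name, esm_name in ESM_FIELD_MAP.items()
        if record.get(log_name, "") != ""
    }


if __name__ == "__main__":
    for sample in (DHCP_SAMPLE_2003, DHCP_SAMPLE_2008):
        print(to_esm_fields(parse_dhcp_audit_line(sample)))
```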
Configure Microsoft Windows Event Log WMI
Use Microsoft Windows Event Log WMI to pull events directly using the McAfee Event Receiver.
Task
1. Do one of the following:
◦ For Windows XP, Server 2003, or later, create a user account added to the Administrators group.
◦ For Windows 8.1 or Server 2012 R2, use the Administrator user account or create a user account and add it to the
Administrators, Distributed COM Users, and Event Log Readers groups.
2. If using the second option, configure the data source to use RPC.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Use System Profiles System Profiles are a way to use settings that are repetitive in nature,
without having to enter the information each time.
Data Source Model Windows Event Log WMI (set by default if using profile)
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
NetBIOS Name The NetBIOS name (host name) associated with the data source device
Username The user name of the account being connected to on the data source
device
Password The password of the account being connected to on the data source device
Interval How long the Receiver waits before checking for new data
Use RPC Whether to use Remote Procedure Calls (RPC) to connect to the
data source device
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<dsip>(%s)||<Log File>(%s)||<Record Number>(%u)||<Source Name>(%s)||<Event ID>(%d)||<Windows Version>(%d)||<Time Generat
Log sample
This is a sample log from a WMI data source:
10.33.146.158||System||164812||NtServicePack||4377||52||1387354608||3||MYOFFICEPC||MYDOMAIN\MyUserName||||2||Windows Serv
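The following Python example, added here and not part of the guide, reads the "<Name>(%type)" format string above and uses it to split and type-convert a "||"-delimited WMI record. Because the guide's format string is cut off after <Windows Version>, only its first six fields are embedded and any further values are kept unnamed; the sample record is constructed from the guide's truncated sample.

```python
import re
from typing import Any, Dict, List, Tuple

# Leading part of the format string above; the guide's copy is cut off after
# <Windows Version>, so only these six fields are named here.
WMI_FORMAT_PREFIX = (
    "<dsip>(%s)||<Log File>(%s)||<Record Number>(%u)||<Source Name>(%s)||"
    "<Event ID>(%d)||<Windows Version>(%d)"
)

# Constructed from the guide's truncated sample, cut back to whole fields.
WMI_SAMPLE = r"10.33.146.158||System||164812||NtServicePack||4377||52||1387354608||3||MYOFFICEPC||MYDOMAIN\MyUserName||||2"

# One field of the spec: <Name>(%s), <Name>(%u) or <Name>(%d)
_SPEC_FIELD_RE = re.compile(r"<([^>]+)>\((%[sud])\)")


def parse_format_spec(spec: str) -> List[Tuple[str, str]]:
    """Turn '<Name>(%type)||<Name>(%type)...' into [(name, type), ...]."""
    fields: List[Tuple[str, str]] = []
    for part in spec.split("||"):
        match = _SPEC_FIELD_RE.fullmatch(part)
        if match is None:
            raise ValueError(f"unrecognised format field: {part!r}")
        fields.append((match.group(1), match.group(2)))
    return fields


def convert_value(value: str, kind: str) -> Any:
    """Convert one raw '||'-delimited value according to its printf-style type."""
    if value == "":
        return None  # empty field, such as the '||||' in the sample
    if kind == "%s":
        return value
    number = int(value)  # raises ValueError on non-numeric input
    if kind == "%u" and number < 0:
        raise ValueError(f"negative value {number} for unsigned field")
    return number


def parse_wmi_record(record: str, spec: str = WMI_FORMAT_PREFIX) -> Dict[str, Any]:
    """Split a WMI record on '||' and type each value from the format spec.

    Values beyond the named fields are returned under '_extra' so that a
    record longer than the (truncated) spec is not silently shortened.
    """
    fields = parse_format_spec(spec)
    values = record.rstrip("\r\n").split("||")
    if len(values) < len(fields):
        raise ValueError(f"record has {len(values)} fields, spec needs {len(fields)}")
    parsed: Dict[str, Any] = {}
    for (name, kind), value in zip(fields, values):
        parsed[name] = convert_value(value, kind)
    parsed["_extra"] = values[len(fields):]
    return parsed


if __name__ == "__main__":
    print(parse_wmi_record(WMI_SAMPLE))
```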
Motorola AirDefense
Configure Motorola AirDefense
Task
1. Log on to the AirDefense user interface. The dashboard opens by default.
2. From the Tools menu, select Configuration. By default, the User Preferences section is displayed.
3. Click the Notification Manager tab.
4. To add a syslog destination, click Add.
5. In the Create Notification window, select Syslog as the type, and enter the IP address of the syslog server.
6. (Optional) Set the default intervals for the notification system, and enable or disable all syslog notifications. To log everything,
all syslog notifications must be enabled.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status ru
Log sample
This is a sample log from a Motorola AirDefense device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTT
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields     McAfee ESM fields
Computer       Hostname
IP Protocol    Protocol
Source         Source IP
Destination    Destination IP
NetFort Technologies LANGuardian
Configure NetFort Technologies LANGuardian
Task
1. From the LANGuardian web interface, navigate to the Configuration page.
2. In the System section, click Configuration, set the IP address and SNMP collectors of the system.
3. On the Configuration page, find the field named [Beta] Splunk Syslog Collector.
4. Enter the IP address of the McAfee Event Receiver, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority> <date> <time> LANGuardian event[<event ID>]: sen_id=<ID> app_id=<ID> src_ip=<IP address> dest_ip=<IP address>
Log sample
This is a sample log from a NetFort Technologies LANGuardian device:
<123>Jan 01 01:01:01 LANGuardian event[1234]: sen_id=1 app_id=1 src_ip=192.0.2.1 dest_ip=192.0.2.2 host=example.example.c
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields     McAfee ESM fields
appname        Application
src_ip         Source IP
dest_ip        Destination IP
host           Domain
smb_action     Command
NetWitness Spectrum
Configure NetWitness Spectrum
Task
1. Browse to System settings Syslog Auditing.
2. Select CEF from the drop-down list.
3. Enter the IP address/host name and port of McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
Jun 1 18:28:57 NWAPPLIANCE12921 CEF:0|NetWitness|Spectrum|1.1.5.6|Suspicious Event|Detected suspicious network event ID
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields          McAfee ESM fields
file.name           Destination_Filename.Destination_Filename
filetype            File_Type.FileType
threat.category     Category.Category
File.md5.hash       File_Hash.File_Hash
domain.dst          domain
ip.proto            protocol
host                hostname
ip.src              src_ip
ip.dst              dst_ip
tcp.srcport         src_port
tcp.dstport         dst_port
eth.src             src_mac
eth.dst             dst_mac
sessionid           sessionid
time                firsttime/lasttime
Niara
Configure Niara
Task
1. Set up Forwarding.
a. From the Niara Analyzer Interface, navigate to System Configuration → Syslog Destinations.
b. Fill in the Parameter Description, for example, McAfee ESM.
c. In the Syslog Destination field, enter the IP address or host name of the McAfee Event Receiver.
d. Set the protocol (default is UDP).
e. Set the port (default is 514).
2. Set up Notification.
a. From the Niara Analyzer Interface, navigate to System Configuration → Security Alerts/Emails.
b. Click Add New.
c. Select Enable Alert Syslog Forwarding.
d. Leave the default values for Query, Severity, and Confidence.
e. For Sending Notification, select As Alerts are produced.
f. For TimeZone, set as your local time zone.
Add Niara
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
DATE TIME HOSTNAME KEY=VALUE KEY=VALUE KEY=VALUE…
Log sample
This is a sample log from a device:
Jan 1 01:01:01 example.hostname msg_type=alert detection_time="2001-01-01 01:01:01 -01:00" alert_name=BitTorrent alert_t
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields          McAfee ESM fields
alert_name          Message
alert_type          Threat_Name
alert_category      Threat_Category
alert_severity      Severity
alert_confidence    Confidence
src_host_name       Host
src_ip              Source IP
dest_ip             Destination IP
description         Description
alert_id            Message_Text
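The following Python example, added here and not part of the guide, parses the KEY=VALUE syslog formats the guide describes for both Niara (this section) and NetFort Technologies LANGuardian (above) and applies each field mapping; double-quoted values containing spaces, such as detection_time in the Niara sample, are handled. The header layouts are taken from the guide's samples, and the two sample lines are constructed here to complete the guide's truncated ones.

```python
import re
from typing import Dict, Optional

# One KEY=VALUE token: the value is either double-quoted (may contain spaces
# and escaped quotes) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Header layouts taken from the guide's samples:
#   Niara:       DATE TIME HOSTNAME KEY=VALUE ...
#   LANGuardian: <priority> <date> <time> LANGuardian event[<event ID>]: KEY=VALUE ...
_NIARA_RE = re.compile(r"^(\w{3}\s+\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
_LANGUARDIAN_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2}) (\d{2}:\d{2}:\d{2}) LANGuardian event\[(\d+)\]: (.*)$"
)

# Log field -> McAfee ESM field, from the two mapping tables in the guide.
NIARA_MAP: Dict[str, str] = {
    "alert_name": "Message", "alert_type": "Threat_Name",
    "alert_category": "Threat_Category", "alert_severity": "Severity",
    "alert_confidence": "Confidence", "src_host_name": "Host",
    "src_ip": "Source IP", "dest_ip": "Destination IP",
    "description": "Description", "alert_id": "Message_Text",
}
LANGUARDIAN_MAP: Dict[str, str] = {
    "appname": "Application", "src_ip": "Source IP", "dest_ip": "Destination IP",
    "host": "Domain", "smb_action": "Command",
}

# Sample lines constructed here to complete the guide's truncated samples.
NIARA_SAMPLE = (
    'Jan 1 01:01:01 example.hostname msg_type=alert '
    'detection_time="2001-01-01 01:01:01 -01:00" alert_name=BitTorrent '
    'alert_type="P2P Traffic" alert_category=Policy alert_severity=50 '
    'alert_confidence=80 src_host_name=workstation-7 src_ip=192.0.2.10 '
    'dest_ip=198.51.100.5 description="BitTorrent handshake observed" alert_id=42'
)
LANGUARDIAN_SAMPLE = (
    "<123>Jan 01 01:01:01 LANGuardian event[1234]: sen_id=1 app_id=1 "
    "src_ip=192.0.2.1 dest_ip=192.0.2.2 host=example.example.com appname=SMB smb_action=WRITE"
)


def parse_kv_message(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE pairs, removing the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(text):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def map_to_esm(fields: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Apply a field mapping; fields with no mapping are left out."""
    return {esm: fields[src] for src, esm in mapping.items() if src in fields}


def parse_niara(line: str) -> Optional[Dict[str, object]]:
    """Parse one Niara line; returns None if the header does not match."""
    match = _NIARA_RE.match(line.strip())
    if match is None:
        return None
    fields = parse_kv_message(match.group(4))
    return {"date": match.group(1), "time": match.group(2), "hostname": match.group(3),
            "fields": fields, "esm": map_to_esm(fields, NIARA_MAP)}


def parse_languardian(line: str) -> Optional[Dict[str, object]]:
    """Parse one LANGuardian line; returns None if the header does not match."""
    match = _LANGUARDIAN_RE.match(line.strip())
    if match is None:
        return None
    fields = parse_kv_message(match.group(5))
    return {"priority": int(match.group(1)), "date": match.group(2), "time": match.group(3),
            "event_id": int(match.group(4)), "fields": fields,
            "esm": map_to_esm(fields, LANGUARDIAN_MAP)}


if __name__ == "__main__":
    print(parse_niara(NIARA_SAMPLE))
    print(parse_languardian(LANGUARDIAN_SAMPLE))
```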
Task
In the command line interface (CLI), enter these commands:
• enable password where password is your administrative password.
• config t
• logging ip address facility-filter all level all where ip address is the IP address of the McAfee Event Receiver.
• exit
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Nortel Contivity device:
<131> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : tIsakmp [03] No proposal chosen in message from 10.10.3.21
<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields     McAfee ESM fields
Groups         Group_Name
Severity mapping
Each log that contains the following severity format (in brackets) is mapped according to the following sample and table:
<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login
The following table shows the conversion from the severity level in the Nortel log to the severity level recorded in the ESM:
Nortel severity ESM severity
01 99 (Emergency)
02 75 (Critical)
03 60 (Error)
04 50 (Warning)
05 25 (Alert)
06 10 (Debug)
07 10 (Informational)
Task
1. At the command line, enter this command:
config sys syslog host <ID>
where <ID> is the ID of the host that is sending syslog events. The ID can be a number from 1–10.
2. Specify where to send syslog events:
address <IP address>
host <ID> severity info
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Nortel Networks Passport 8000 Series Switches log format and field mapping
Log format
The expected format for this device is:
<device> <date time> <log type> <severity> <message> <id> <port number> <MAC address>
Log sample
This is a sample log from a Nortel Networks Passport 8000 Series Switch device:
<123>DEVICE [01/01/01 01:01:01] SNMP INFO Spanning Tree Topology Change(StgId=123, PortNum=1234, MacAddr=a1:b2:c3:d4:e5:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Application Application
IP Address Source IP
Interface Object
Novell eDirectory
Configuring Novell eDirectory
See the Novell eDirectory product documentation for setup instructions about sending syslog data to a remote server. Use the IP
address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device name> <account> <domain> <user ID source> <domain ID> <SysAddr> <SysName> <target CN> <target O> <ac
Log sample
This is a sample log from a Novell eDirectory device:
Jan 01 01:01:01 eDirectory : INFO {"Source" : "eDirectory","Observer" : {"Account" : {"Domain" : "ExampleDomain","Name"
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
SysName Hostname
SysAddr Source IP
Event ID Signature_Name
Subevent Category
ClassName Target_Class
Privileges Message_Text
Task
1. From the application, select Auditing → Novell Auditing.
2. In the Server field, enter the IP address or the FQDN of the McAfee ESM.
3. In the Port field, enter the listening port (default is 514).
4. Under Management Console Audit Events, specify the events you want to send.
5. Click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Novell Identity and Access Management log format and field mapping
Log format
The expected format for this device is:
<date time> <device IP> <device name> <date time> <device name> <application> <hostname> <Source IP> <User Identifier> <UR
Log sample
This is a sample log from a Novell Identity and Access Management device:
<123>Jan 01 01:01:01 192.0.2.1 Novell Access Manager\AG\URL Acc:[wMon, 01 Jan 2001 01:01:01 +0100] [Novell Access Manage
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
AMDEVICEID Hostname
Application Application
URL URL
Task
1. Enter db as the AUDIT_TRAIL parameter.
Example:
ALTER SYSTEM SET AUDIT_TRAIL=db;
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
AUDIT_TYPE="" SESSION_ID="" PROXY_SESSIONID="" STATEMENTID="" ENTRYID="" EXTENDED_TIMESTAMP="" GLOBAL_UID="" DB_USER=" "
Log sample
This is a sample log from an Oracle Audit device:
AUDIT_TYPE="Standard Audit" SESSION_ID="1" PROXY_SESSIONID="0" STATEMENTID="1" ENTRYID="1" EXTENDED_TIMESTAMP="2015-01-01
Log fields McAfee ESM fields
AUDIT_TYPE Category
DBID Database_ID
USERHOST Host
OBJECT_NAME Object
SQL_TEXT SQL_Statement
SESSION_ID Session_ID
ACTION SID
AUDIT_TYPE Category
DBID Database_ID
USERHOST Host
ADDITIONAL_INFO Message_Text
OBJECT_NAME Object
OBJECT_SCHEMA Database_Name
FGA_POLICY_NAME Policy_Name
SESSIONID Session_ID
CLIENT_PROGRAM_NAME Application
UNIFIED_AUDIT_POLICIES Rule_Name
SQL_TEXT SQL_Statement
SYSTEM_PRIVILEGE_USED Command
Task
1. Enter OS as the AUDIT_TRAIL parameter.
Example:
ALTER SYSTEM SET AUDIT_TRAIL=OS;
2. Edit the initsid.ora configuration file and enter the facility and priority in the AUDIT_SYSLOG_LEVEL parameter.
Example:
AUDIT_SYSLOG_LEVEL=facility.priority
3. Log on, with root permissions, to the server that holds the syslog configuration file, /etc/syslog.conf.
4. Add the audit file location to syslog.conf.
5. Restart the syslog logger (example: /etc/rc.d/init.d/syslog restart).
6. Restart the database instance (example: CONNECT SYS / AS SYSOPER).
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be
available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log
Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Oracle Audit (syslog) log format and field mapping
Log format
The expected format for this device is as follows:
<Priority Number>Process Name[]: LENGTH: '' ACTION:[] SQLTXT DATABASE USER:[] PRIVILEGE:[] CLIENT USER:[] CLIENT TERMINAL
Log sample
This is a sample log from an Oracle Audit device:
<133>Oracle Audit[8435]: LENGTH : '317' ACTION :[168] 'select decode(status, 'OPEN', 1, 0), decode(archiver, 'FAILED', 1,
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
DBID Database_ID
USERHOST Host
Message Message
PRIVILEGE Privileged_User
PROTOCOL Protocol
Session ID Session ID
Signature ID Signature ID
HOST Source IP
Task
1. Enter XML as the AUDIT_TRAIL parameter.
Example: ALTER SYSTEM SET AUDIT_TRAIL=XML;
2. Restart the service for the change to take effect.
3. Enable auditing for the appropriate tables.
4. Optionally, change the directory in which audit trail files are written.
Example: ALTER SYSTEM SET AUDIT_FILE_DEST = '/audit_trail' DEFERRED;
5. Navigate to the file destination you set, and open the XML once it is generated. Ensure that the audit trail is being written
inside that file.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Port 22
Interval 15 minutes
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<AuditRecord><Audit_Type></Audit_Type><Session_Id></Session_Id><StatementId></StatementId><EntryId></EntryId><Extended_T
Log sample
This is a sample log from an Oracle Audit device:
<AuditRecord><Audit_Type>0</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId><EntryId>0</EntryId><Extende
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
DBID Database_ID
USERHOST Host
Message Message
PRIVILEGE Privileged_User
PROTOCOL Protocol
Session ID Session ID
Signature ID Signature ID
HOST Source IP
Task
1. Verify whether Unified Auditing is enabled.
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
2. If this query returns the following, Unified Auditing has not been enabled.
PARAMETER VALUE
------------------ ----------
Unified Auditing FALSE
3. To enable Unified Auditing in Oracle 12c, first shut down your Oracle databases and listeners that are associated to the Oracle
Home.
4. Next, relink the Oracle executable to support Unified Auditing by doing the following:
Unix/Linux:
cd $ORACLE_HOME/rdbms/lib
Windows:
cd %ORACLE_HOME%\bin
mv orauniaud12.dll.dbl orauniaud12.dll
5. Start your Oracle databases and listeners associated to the Oracle Home.
6. Both ORA_SECURECONFIG and ORA_LOGON_FAILURES policies are enabled by default and can be configured as needed.
7. Enable auditing for the appropriate table(s).
Task
1. Log on to the Oracle Directory Manager as administrator.
2. In the Navigator pane, expand the server listing and select a server instance.
3. Click the Debug Flags tab.
4. Select Debug Flags.
5. Click Save.
Logs are stored in:
%ORACLE_HOME%/ldap/log
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
[Timestamp][ServerType][ThreadIdentifier][Severity][FunctionName][Hostname][PID][ThreadID] :[[
BEGIN
ConnectionID MessageID OperationID OperationName ConnectionIP ConnectionDomain
Trace information
END
]]
Log sample
This is a sample log from an Oracle Internet Directory Server device:
LDAP Audit Logs:
[2015-06-09T20:07:18+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 8] ServerWo
BEGIN
ConnID:10578 mesgID:1 OpID:0 OpName:bind ConnIP:192.168.2.2 ConnDN:Anonymous
INFO : gslfbidbDoBind * Version=3 BIND dn="cn=orcladmin" method=128
ConnId = 10578, op=0, IpAddr=10.10.10.10
2015-06-09T20:07:18 * INFO:gsleswrASndResult OPtime=2112 micro sec RESULT=0 tag=97 nentries=0
END
]]
System Logs:
[2015-06-09T20:13:56+00:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 0]
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
OperationName Message
ConnectionIP Source IP
ConnectionDomain Domain
PID PID
ConnectionID External_Session_ID
OperationID External_Event_ID
Task
1. Open the configuration file at /opt/McAfee/siem/mcafee_siem_collector.conf.
2. Edit these values:
a. Set rec_ip to the IP address of the McAfee Event Receiver.
b. Set rec_port to 8082.
c. Set rec_encrypt to 0.
d. Set type to filetail.
e. Set ft_dir to the folder that contains the Oracle Internet Directory Server logs.
f. Set ft_filter to a wildcard expression that matches the log files.
g. Set ft_delim to the following regular expression:
\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d
h. Set ft_delim_end_of_event to 0.
i. Set ft_start_top to 1.
3. Save and close the file.
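As an added example (not from the guide or from the collector itself), this Python shows what the ft_delim expression from step 2g does when the collector reads the multi-line records shown in the Oracle Internet Directory Server sample above: it splits a buffer into events at each bracketed timestamp and maps the fields named in the field mapping table. That ft_delim_end_of_event=0 means the delimiter opens each event, the header and operation-line layouts, and the sample buffer are assumptions.

```python
import re
from typing import List

# The ft_delim value from step 2g above, as a Python regex. The \x escapes are the
# characters [ - : + ]; the pattern matches a bracketed ISO timestamp with a UTC
# offset, such as [2015-06-09T20:07:18+00:00], and nothing looser.
FT_DELIM = re.compile(
    r"\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d"
)

# Header and operation-line layouts inferred from the sample above (assumed; the
# bracket names follow the sample's contents, not the order in the format line).
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]*)\] \[(?P<server>[^\]]*)\] \[(?P<sev>[^\]]*)\] \[(?P<thread>[^\]]*)\] "
    r"\[(?P<func>[^\]]*)\] \[host: (?P<host>[^\]]*)\] \[pid: (?P<pid>\d+)\] \[tid: (?P<tid>\d+)\]"
)
OP_LINE = re.compile(
    r"ConnID:(?P<conn>\d+) mesgID:(?P<mesg>\d+) OpID:(?P<op>\d+) "
    r"OpName:(?P<opname>\S+) ConnIP:(?P<ip>\S+) ConnDN:(?P<dn>\S+)"
)

# Constructed three-event buffer in the layout shown above (hostname and IPs are
# documentation placeholders, not values from the guide).
SAMPLE = """\
[2015-06-09T20:07:18+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oid.example.com] [pid: 29238] [tid: 8] :[[
BEGIN
ConnID:10578 mesgID:1 OpID:0 OpName:bind ConnIP:192.0.2.25 ConnDN:Anonymous
INFO : gslfbidbDoBind * Version=3 BIND dn="cn=orcladmin" method=128
2015-06-09T20:07:18 * INFO:gsleswrASndResult OPtime=2112 micro sec RESULT=0 tag=97 nentries=0
END
]]
[2015-06-09T20:07:19+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: oid.example.com] [pid: 29238] [tid: 9] :[[
BEGIN
ConnID:10579 mesgID:2 OpID:1 OpName:search ConnIP:192.0.2.77 ConnDN:cn=svc-ldap,dc=example,dc=com
END
]]
[2015-06-09T20:13:56+00:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: oid.example.com] [pid: 29238] [tid: 0] Server restarted
"""


def split_events(text: str, delim_ends_event: bool = False) -> List[str]:
    """Cut a filetail buffer into events at FT_DELIM.

    delim_ends_event=False mirrors ft_delim_end_of_event=0 (assumed to mean the
    delimiter opens each event); True shows what the other setting would produce.
    Text before the first delimiter is a partial record and is dropped."""
    hits = list(FT_DELIM.finditer(text))
    if not hits:
        return []
    if delim_ends_event:
        events, prev = [], 0
        for m in hits:
            events.append(text[prev:m.end()].strip("\n"))
            prev = m.end()
        return events
    starts = [m.start() for m in hits] + [len(text)]
    return [text[a:b].strip("\n") for a, b in zip(starts, starts[1:])]


def parse_event(event: str) -> dict:
    """Map one event onto the ESM field names from the table above."""
    first = event.splitlines()[0]
    h = HEADER.match(first)
    if h is None:
        raise ValueError(f"not an OID header: {first[:60]!r}")
    rec = {
        "timestamp": h.group("ts"), "severity": h.group("sev"), "host": h.group("host"),
        "PID": int(h.group("pid")),                # PID -> PID
        "Message": None,                           # OperationName -> Message
        "Source IP": None,                         # ConnectionIP -> Source IP
        "Domain": None,                            # ConnectionDomain -> Domain
        "External_Session_ID": None,               # ConnectionID -> External_Session_ID
        "External_Event_ID": None,                 # OperationID -> External_Event_ID
    }
    m = OP_LINE.search(event)
    if m:   # system-log events carry no BEGIN block, so these stay None
        rec.update({
            "Message": m.group("opname"), "Source IP": m.group("ip"), "Domain": m.group("dn"),
            "External_Session_ID": m.group("conn"), "External_Event_ID": m.group("op"),
        })
    return rec


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(parse_event(ev))
```

The unbracketed timestamp inside the first record does not match the delimiter, which is why the strict expression (brackets plus UTC offset) keeps a multi-line record together; with the end-of-event setting the first "event" would be nothing but a timestamp.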
Configure Palo Alto Networks PAN-OS
See your version of PAN-OS Administrator’s Guide for the complete steps to set up a syslog server within the product.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Traffic Logs:
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source
Threat Logs:
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source
Log sample
This is a sample log from a Palo Alto Networks PAN-OS device:
2001/01/01 01:01:01,0004A100455,THREAT,vulnerability,148,2001/01/01 01:01:01, 192.168.0.1,192.168.0.2,0.0.0.0,0.0.0.0,p-
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Source IP Source IP
Destination IP Destination IP
Hostname Host
Message Message_Text
Category Category
Domain Domain
NAT NAT_Details
Direction Direction
Command Command
Event ID Event_Class
OS Operating_System
Protocol Protocol
URL URL
Session ID Session ID
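An added example, not from the guide or from Palo Alto Networks: a Python parser for the CSV payload of the traffic and threat layouts quoted above. The page's sample begins at Receive Time, without the leading FUTURE_USE column, so the parser aligns column names on the Type column instead of trusting a fixed offset. The column list stops at NAT Source IP, where the page's format lines end; the second sample line, its TRAFFIC type and its "end" subtype are constructed for illustration.

```python
import csv

# Leading columns shared by the traffic and threat layouts quoted above. Later columns
# differ by log type and are not named on this page, so they are kept as a raw list.
PAN_PREFIX = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype",
    "FUTURE_USE", "Generated Time", "Source IP", "Destination IP", "NAT Source IP",
]
LOG_TYPES = {"TRAFFIC", "THREAT"}  # the two log types documented on this page

# ESM field names for the positional columns, from the field-mapping table above.
ESM_NAMES = {"Source IP": "Source IP", "Destination IP": "Destination IP"}

# Sample from this page (CSV payload only, syslog header already stripped). It begins at
# Receive Time: the leading FUTURE_USE column is absent.
PAGE_SAMPLE = ("2001/01/01 01:01:01,0004A100455,THREAT,vulnerability,148,"
               "2001/01/01 01:01:01, 192.168.0.1,192.168.0.2,0.0.0.0,0.0.0.0,p-")
# Constructed sample with the full documented layout, leading FUTURE_USE included.
FULL_SAMPLE = ("1,2001/01/01 01:01:01,0004A100455,TRAFFIC,end,1,"
               "2001/01/01 01:01:01,10.1.1.5,192.0.2.44,203.0.113.9,0.0.0.0,allow-web")


def parse_pan_line(payload):
    """Parse the CSV payload of a PAN-OS traffic or threat log into named columns.

    The Type column is at index 3 in the documented layout and at index 2 when the
    leading FUTURE_USE column is missing, as in the page's sample. Find it, align the
    names to it, and keep everything past the named prefix under "_rest" so that no
    data is silently dropped.
    """
    columns = [c.strip() for c in next(csv.reader([payload]))]
    for offset in (0, 1):
        type_index = 3 - offset
        if type_index < len(columns) and columns[type_index].upper() in LOG_TYPES:
            names = PAN_PREFIX[offset:]
            break
    else:
        raise ValueError("no TRAFFIC/THREAT Type column at index 2 or 3")
    record = {name: value for name, value in zip(names, columns) if name != "FUTURE_USE"}
    record["_rest"] = columns[len(names):]
    return record


def to_esm(record):
    """Pick out the columns this page maps to ESM fields."""
    return {esm: record[col] for col, esm in ESM_NAMES.items() if col in record}


if __name__ == "__main__":
    for line in (PAGE_SAMPLE, FULL_SAMPLE):
        rec = parse_pan_line(line)
        print(rec["Type"], rec["Subtype"], to_esm(rec), rec["_rest"])
```

When the Receiver hands you the whole syslog line rather than the payload, strip the syslog header before calling parse_pan_line; a header left in place shifts every column and the Type lookup then fails rather than mislabelling IP addresses.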
Proofpoint Message Security Gateway
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
Filter log format provided by Proofpoint:
date Loglevel s=<External SessionID> mod=<Application> cmd=Command file=<File Name>
Log samples
This is a sample log from a Proofpoint Message Security Gateway device:
[2015-06-17 16:51:00.354586 -0700] rprt s=1v3jen000d m=1 x=1v3jen000d-1
omime=text/plain oext=txt corrupted=0 protected=0 size=159 virtual=0 a=0
mod=mail cmd=attachment id=0 file=text.txt mime=text/plain type=txt
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Hostname Hostname
Instancename Severity
Servicename|mod|module Application
cmd Command
ip Source IP
File Filename
Definitions Object
Evt Reason
To Destination User
Raytheon SureView
Configure Raytheon SureView
See the Raytheon SureView documentation for how to send CEF events through syslog to a remote server, and use the IP address
of the McAfee Event Receiver as the address of the remote server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value>
Log sample
This is a sample log from a Raytheon SureView device:
CEF:0|Raytheon|SureView|6.6|{1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}:1234|SIEM Notification3|1|Event ={1A2B3C4D-5E6F-1A2B-
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
proto Protocol
src Source IP
dst Destination IP
dproc Application
sntdom Domain
Raz-Lee Security iSecurity Suite
Configure Raz-Lee Security iSecurity Suite
Task
1. Log on to your IBM iSeries (or AS/400) system from the command line.
2. Type STRAUD and press Enter.
3. From the audit menu, select System → Configuration.
4. From the System Configuration Menu, select SYSLOG → Definitions.
◦ Set the value of Send SYSLOG message to Yes.
◦ Set the value of Destination address to the IP address of your McAfee Event Receiver.
◦ Set the value of Facility to use to your preferred facility level.
◦ Set the value of Severity range to auto send to your preferred severity range.
5. Save your changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Timestamp IP MsgID Object File User Command Job
Note:
The expected format for this device depends on the logged event.
Log sample
This is a sample log from a Raz-Lee Security iSecurity Suite device:
2016-03-01 03:31:47 Local6.Notice 192.0.2.0 AU RAZLEE Audit: MCA0100 *SECURITY Authority of *N/*N *SOCKET /tmp/.ct_mc_0
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
IP Source IP
File Filename
Object Object
Job Mainframe_Job_Name
CMD/Command Command
Group Group_Name
Msg ID Message_ID
Library Facility
Renamed New_Value
Device External_Device_Name
Configure WildFly 8
Task
From the WildFly CLI (bin/jboss-cli.sh, connected to the running server), run these commands:
/subsystem=logging/syslog-handler=syslog:add(syslog-format=RFC5424, level=INFO)
/subsystem=logging/root-logger=ROOT:add-handler(name=syslog)
/subsystem=logging/syslog-handler=syslog:write-attribute(name=server-address,value="<ReceiverIpAddress>")
The handler's server-address attribute is the syslog server it sends to. Its hostname attribute is the name it reports as the sending host, not the destination. Messages go to port 514 unless you also set the handler's port attribute.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Red Hat JBoss Application Server/WildFly 8 log format and field mapping
Log format
The expected format for this device, which is the default logging format, is:
Date Time Severity Class Thread LogID: Message
Log sample
This is a sample log from a Red Hat WildFly 8 device:
2017-05-15 02:22:20,825 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment o
2014-02-16 21:53:19,523 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0
2017-02-16 21:53:19,525 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.0.0.Final "WildFly" started
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Class Target_Class
Severity Severity
Configure RedSeal Networks RedSeal 6
See the RedSeal documentation for how to send syslog events to a remote server. Use the IP address of
the McAfee Event Receiver as the IP address of the remote server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> - <key>=<value> | <key>=<value> | <key>=<value>…
Log sample
This is a sample log from a RedSeal Networks RedSeal 6 device:
Jan 01 1:01:01 - EventAction=Violation | EventDate=Jan 01, 2001 1:01:01 PM PDT | EventName=BestPracticesCheckEvent | Devi
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
HostName Host
PrimaryService Protocol
PrimaryIp Source IP
RedSealServerIPAddress Destination IP
EventAction Application
PolicyName Command
RedSealServerName Domain
CheckName Object
Message Message_Text
OperatingSystem Version
ReversingLabs N1000 Network Security Appliance
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
ReversingLabs N1000 Network Security Appliance log format and field mapping
Log format
The expected format for this device is:
CEF:0|deviceVendor|deviceProduct|deviceVersion|sig|eventName|severity|key value pairs
Log sample
This is a sample log from a ReversingLabs N1000 device:
CEF:0|ReversingLabs|N1000|1.0.0.0|detection|Threat detection|0|deviceDirection=0 proto=tcp app=HTTP spt=8080 cn1=38974 dp
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
proto Protocol
app Application
occurrence Count
classification Event_Class
detectionName Threat_Name
detectionReason Category
deviceDirection Direction
filehash File_Hash
fname Filename
fsize File_Size
fileType File_Type
fileHash File_Hash
oldFileHash Parent_File_Hash
requestMethod Method
dvc Device_IP
dvchost External_Device_Name
request URL
act Status
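An added example, not from the guide or from Raytheon, ReversingLabs or Proofpoint: a Python parser for the CEF records in the SureView and N1000 sections above and for the Proofpoint filter-log key=value format, with the ESM mappings from the three field tables. The header split honours the \| escape, values keep embedded spaces, and an optional space before "=" accepts the "Event ={...}" spelling in the SureView sample, which a strict CEF parser silently drops. The sample lines are constructed: the N1000 line continues the page's truncated prefix with invented values, the SureView line adds invented extensions to the page's header, and the Proofpoint line is the page's three-line sample joined into one line.

```python
import re

# CEF escapes: \\ \| \= in any field, plus \n and \r inside extension values.
_ESCAPE = re.compile(r"\\([\\|=nr])")
_CONTROL = {"n": "\n", "r": "\r"}


def _unescape(value):
    return _ESCAPE.sub(lambda m: _CONTROL.get(m.group(1), m.group(1)), value)


# A key is a token at the start of the string or after whitespace, followed by "=".
# The optional space before "=" accepts the "Event ={...}" spelling seen in the SureView
# sample above; strict CEF would require "Event=".
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)\s?=")


def parse_kv(text):
    """Parse 'k=v k2=value with spaces' into a dict. A value runs up to the whitespace
    that precedes the next key= token, so embedded spaces survive."""
    out = {}
    keys = list(_KEY.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        out[m.group(1)] = _unescape(text[m.end():end].strip())
    return out


_HEADER = ("version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")


def parse_cef(line):
    """Split the seven pipe-delimited header fields (a \\| inside a field is not a
    delimiter; a field ending in an escaped backslash is not handled) and hand the
    remainder to parse_kv. Raises ValueError for anything that is not a CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    record = dict(zip(_HEADER, (_unescape(p) for p in parts[:7])))
    record["extensions"] = parse_kv(parts[7])
    return record


# Extension key -> ESM field, from the SureView and N1000 mapping tables above.
CEF_TO_ESM = {
    "proto": "Protocol", "src": "Source IP", "dst": "Destination IP", "dproc": "Application",
    "sntdom": "Domain", "app": "Application", "occurrence": "Count",
    "classification": "Event_Class", "detectionName": "Threat_Name",
    "detectionReason": "Category", "deviceDirection": "Direction", "filehash": "File_Hash",
    "fileHash": "File_Hash", "fname": "Filename", "fsize": "File_Size", "fileType": "File_Type",
    "oldFileHash": "Parent_File_Hash", "requestMethod": "Method", "dvc": "Device_IP",
    "dvchost": "External_Device_Name", "request": "URL", "act": "Status",
}
# Proofpoint filter-log key -> ESM field, from the Proofpoint table (keys compared lower-case).
PROOFPOINT_TO_ESM = {
    "s": "External_Session_ID", "mod": "Application", "module": "Application",
    "cmd": "Command", "ip": "Source IP", "file": "Filename", "evt": "Reason",
    "to": "Destination User",
}


def cef_to_esm(record):
    return {CEF_TO_ESM[k]: v for k, v in record["extensions"].items() if k in CEF_TO_ESM}


_PROOFPOINT = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S+)\s+(?P<kv>.*)$", re.S)


def parse_proofpoint(line):
    """'[date] loglevel k=v ...' as in the Proofpoint filter-log format; returns ESM fields."""
    m = _PROOFPOINT.match(line)
    if m is None:
        raise ValueError("not a Proofpoint filter-log line")
    fields = {"Timestamp": m["ts"], "Loglevel": m["level"]}
    for k, v in parse_kv(m["kv"]).items():
        if k.lower() in PROOFPOINT_TO_ESM:
            fields[PROOFPOINT_TO_ESM[k.lower()]] = v
    return fields


# Constructed samples (see the lead-in): invented values continue or extend the page's lines.
N1000_SAMPLE = (
    "CEF:0|ReversingLabs|N1000|1.0.0.0|detection|Threat detection|0|deviceDirection=0 "
    "proto=tcp app=HTTP spt=8080 cn1=38974 dpt=51234 src=192.0.2.15 dst=198.51.100.8 "
    "fname=invoice.exe fileHash=0123456789abcdef0123456789abcdef01234567 act=blocked"
)
SUREVIEW_SAMPLE = (
    r"CEF:0|Raytheon|SureView|6.6|{1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}:1234|SIEM Notification3|1|"
    r"Event ={1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D} src=192.0.2.10 dst=198.51.100.20 proto=TCP "
    r"dproc=outlook.exe sntdom=CORP msg=Policy hit\|escalated to analyst"
)
PROOFPOINT_SAMPLE = (
    "[2015-06-17 16:51:00.354586 -0700] rprt s=1v3jen000d m=1 x=1v3jen000d-1 omime=text/plain "
    "oext=txt corrupted=0 protected=0 size=159 virtual=0 a=0 mod=mail cmd=attachment id=0 "
    "file=text.txt mime=text/plain type=txt"
)

if __name__ == "__main__":
    for sample in (N1000_SAMPLE, SUREVIEW_SAMPLE):
        print(cef_to_esm(parse_cef(sample)))
    print(parse_proofpoint(PROOFPOINT_SAMPLE))
```

Both app and dproc map to Application, so a record carrying both keeps whichever key appears later in the extension string; decide per data source which one the Receiver should keep rather than leaving it to key order.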
RioRey DDOS Protection
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
TimeStamp Host %EventSource: Message
Log sample
This is a sample log from a RioRey DDOS Protection device:
2014-01-01 01:01:01+00:00 abc-123 %SYSTEM: %ACD: AlarmInfoGet -> sysAlrm was normal_ylw_off_red_off now normal_ylw_on_re
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
DeviceName Hostname
EventSource Application
Message Message
Victim IP Victim_IP
Command Command
Application Application
Destination IP Destination IP
Source IP Source IP
Threat Threat_Category
Riverbed Steelhead
Configure Riverbed Steelhead using the Management Console
Task
1. From the Steelhead Management Console, click the Setup tab.
2. Click Logging to expand the logging menu.
3. Click Remote Log Servers.
4. In the Add Remote Syslog Server section, fill in the Server IP field with the IP address of the McAfee Event Receiver.
5. From the drop-down list, select a value for Minimum Severity of events to send to the McAfee Event Receiver.
6. Click Add Server.
7. Click Save.
Configure Riverbed Steelhead using the command line
Task
1. Set up remote logging:
logging <ip-address>
Where <ip-address> is the IP address of the McAfee Event Receiver. If you also set a minimum severity (<log level>) for messages sent to the remote server, use one of these settings:
Setting Definition
emerg Emergency
alert Alert
critical Critical
err Error
warning Warning
info Informational
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority><hostname>[<ID>]: [<service>/<name>] <Log ID> <message>…
Log sample
This is a sample log from a Riverbed Steelhead device:
<13>hostname[1234]: [splice/name.INFO] 1234567 {- -} sock 123 id 123456 client 192.0.2.1:12345 server 192.0.2.2:56789 re
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
hostname Host
service Application
Remote Destination IP
Log ID Session ID
Command Command
host Domain
module Object
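The log format and field-mapping table above describe the Steelhead line shape but not how the pieces are pulled apart. The following parser is an added example, not code from the guide or from Riverbed; it decodes the syslog PRI into facility and severity, extracts the bracketed service and name, the Log ID and the message, and lifts the client and server endpoints out of the message body. The sample line is constructed from the guide's (truncated) sample, the treatment of the <name> part as the "module" row of the table is an assumption, and the Source/Destination port keys are this example's own names.

```python
import re

# Guide format: <priority><hostname>[<ID>]: [<service>/<name>] <Log ID> <message>
STEELHEAD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<hostname>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"\[(?P<service>[^/\]]+)/(?P<module>[^\]]+)\] "
    r"(?P<log_id>\d+) "
    r"(?P<message>.*)$"
)
# "client <ip>:<port>" and "server <ip>:<port>" pairs inside the message body
ENDPOINT_RE = re.compile(r"\b(client|server) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
SYSLOG_SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Constructed sample, trimmed from the guide's (truncated) sample line.
SAMPLE = ("<13>hostname[1234]: [splice/name.INFO] 1234567 {- -} sock 123 id 123456 "
          "client 192.0.2.1:12345 server 192.0.2.2:56789")


def parse_steelhead(line: str) -> dict:
    """Map one Steelhead syslog line onto the ESM fields from the table above."""
    m = STEELHEAD_RE.match(line)
    if m is None:
        raise ValueError("not a Steelhead log line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # RFC 3164: PRI = facility * 8 + severity, facility <= 23
        raise ValueError("invalid syslog PRI %d" % pri)
    facility, severity = divmod(pri, 8)
    event = {
        "Host": m.group("hostname"),
        "Application": m.group("service"),
        "Session ID": m.group("log_id"),
        "Object": m.group("module"),  # assumption: the <name> part is the table's "module"
        "Facility": facility,
        "Severity": SYSLOG_SEVERITIES[severity],
        "Message": m.group("message"),
    }
    # The table maps the remote side to Destination IP; in the sample the remote side
    # is "server <ip>:<port>" and the local side is "client <ip>:<port>".
    for role, ip, port in ENDPOINT_RE.findall(m.group("message")):
        if role == "server":
            event["Destination IP"], event["Destination Port"] = ip, int(port)
        else:
            event["Source IP"], event["Source Port"] = ip, int(port)
    return event


if __name__ == "__main__":
    for field, value in parse_steelhead(SAMPLE).items():
        print("%-17s %s" % (field, value))
```

A line that does not match the expected shape raises instead of producing a half-filled event, which is the behaviour you want when checking whether the Receiver's parser and the device's actual output agree.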
RSA Authentication Manager
Configure RSA Authentication Manager 8 and later from the Security Console
Task
1. In the RSA Authentication Manager Security Console, navigate to Setup → System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance where you want to collect logs, then click Next.
4. In the Log Levels section:
a. Set Administrative Audit Log to Success
b. Set Runtime Audit Log to Success.
c. Set System Log to Warning.
5. In Log Data Destination, set all three fields to Save to remote database and internal Syslog at the following hostname or IP address, and enter the
host name or IP address of the McAfee Event Receiver.
6. Click Save to save changes.
Task
1. Edit this file with a text editor: /usr/local/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties
2. Edit or add these lines in that file:
ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true
3. Restart the syslog service so that the changes take effect:
service syslog restart
Task
1. Edit this file with a text editor: \Program Files\RSASecurity\RSAAuthenticationManager\utils\Resources\ims.properties
2. Edit or add these lines in the file:
ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Severity Severity
Event ID Signature ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event
data for this data source (maximum of 512 characters). You
can access this URL by clicking the Launch Device URL icon
at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where
the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day).
When using client data sources, clients using this setting
inherit the date order of the parent data source.
◦ Month before day — The month goes before the day
(04/23/2018).
◦ Day before month — The day goes before the month
(23/04/2018).
Zone To assign this data source to a zone, select the zone from
the list.
External data source link Automatically selected when you import events from
another receiver. You can clear the checkbox which would
remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2.
The External data source link is applied to the logs being sent so
that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source
data.
Data is NitroFile format Use this option when you are exporting raw data source
data.
Note: When you export data sources to a remote file, they
are exported in NitroFile format. If you import those files to
another Receiver automatically, Data is NitroFile is selected for
each of the data sources you are importing. This indicates
that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format,
select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is
selected for any data source that has a checksum file. If you
import them manually, you must select it. The only
exception is when you are importing a data source file that
doesn't have a checksum file, but you want to view it
anyway.
Log format
The expected format for this device is:
firsttime hostname application: [firsttime] INFO src_ip [-] payctrlusr ID Crypto payctrlprd:1 [op#1 ENCRYPTSTANDARD] - [
Log sample
This is a sample log from a device:
<142>Apr 4 09:39:04 test.box.com testBox: [2016-04-04 09:39:04] INFO 172.0.0.1 [-] payctrlusr 0 Crypto payctrlprd:310066
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
hostname Host
src_ip Source IP
application Application
Skycure Enterprise
Configuring Skycure Enterprise
Task
1. From the Skycure Management Console, go to Dashboard → Configuration and select Configuration next to SIEM Integration.
2. In the IP Address field, enter the IP address of the McAfee Event Receiver.
3. In the Port field, enter 514 (the default port for syslog).
4. In the Protocol field, select UDP from the drop-down list.
5. In the Format field, select McAfee ESM from the drop-down list.
6. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority> <date> <time> <host> CEF:0|Skycure|Skycure|<version>|<event type>|<event name>|<severity>|<key>=<value> <key>
Log sample
This is a sample log from a Skycure Enterprise device:
<123>Jan 01 2001 01:01:01 ip-192-0-2-1 CEF:0|Skycure|Skycure|1.0|suspicious_app_removed|Suspicious App Removed|0|duid=123
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
shost Host
Severity Severity
EVENT_NAME Message
version Version
duid External_Device_Name
from Old_Value
to New_Value
Sophos Web Security and Control
Configure Sophos Web Security and Control
Task
1. From the web interface for Sophos Web Security and Control, navigate to Configuration → System → Alerts → Monitoring.
2. Click the Syslog tab.
3. Make sure that Enable syslog transfer of web traffic is selected.
4. In the Hostname/IP field, type in the IP address or host name of the McAfee Event Receiver.
5. In the Port field, enter the standard syslog port of 514.
6. In the Protocol drop-down list, select UDP.
7. Click Apply to save the settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Sophos Web Security and Control log format and field mapping
Log format
The expected format for this device is:
h=<remote host> u=<remote user> s=<HTTP status> X=<connection status> t=<timestamp> T=<request time microseconds> Ts=<re
Log sample
This is a sample log from a Sophos Web Security and Control device:
h=192.0.2.1 u="domain\\user" s=123 X=+ t=978310861 T=12345 Ts=0 act=1 cat="0x2300000123" rsn=- threat="-" type="-" ctype
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
u Source User
dom Domain
h Source IP
target_ip Destination IP
req URL
threat Object
rsn Command
cat Severity
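The Sophos format above is a flat key=value line in which some values are double-quoted (and may contain spaces and backslash escapes) while others are bare, and a lone "-" means the field is empty. The parser below is an added example, not code from the guide or from Sophos; it tokenizes such a line, undoes the quoting, applies the field-mapping table, and converts the two fields analysts usually need that the table does not map (the HTTP status s and the epoch timestamp t). The sample line is constructed: it is the guide's truncated sample completed with hypothetical dom, target_ip and req values so that every row of the table is exercised.

```python
import re
from datetime import datetime, timezone

# key=value tokens; a value is either a double-quoted string (backslash escapes allowed)
# or a run of non-space characters
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Field-mapping table from the guide (log field -> McAfee ESM field)
FIELD_MAP = {
    "u": "Source User", "dom": "Domain", "h": "Source IP", "target_ip": "Destination IP",
    "req": "URL", "threat": "Object", "rsn": "Command", "cat": "Severity",
}

# Constructed sample (the guide's truncated line plus hypothetical dom/target_ip/req).
SAMPLE = (r'h=192.0.2.1 u="domain\\user" dom="example.org" s=123 X=+ t=978310861 T=12345 Ts=0 '
          r'act=1 cat="0x2300000123" rsn=- threat="-" type="-" ctype="text/html" '
          r'target_ip=192.0.2.80 req="GET http://www.example.org/index.html HTTP/1.1"')


def _decode(raw):
    """Strip quotes and backslash escapes; a bare '-' means the field is empty."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return None if raw == "-" else raw


def parse_sophos(line):
    """Return (esm_fields, extra) for one Sophos Web Security and Control line.

    esm_fields holds the columns named in the mapping table; extra holds every
    other key so nothing in the line is silently dropped.
    """
    esm, extra = {}, {}
    for key, raw in TOKEN_RE.findall(line):
        value = _decode(raw)
        if key in FIELD_MAP:
            esm[FIELD_MAP[key]] = value
        else:
            extra[key] = value
    if extra.get("s") is not None:
        extra["s"] = int(extra["s"])                          # HTTP status code
    if extra.get("t") is not None:                            # epoch seconds, UTC
        extra["t"] = datetime.fromtimestamp(int(extra["t"]), tz=timezone.utc)
    return esm, extra


if __name__ == "__main__":
    mapped, rest = parse_sophos(SAMPLE)
    for field, value in mapped.items():
        print("%-15s %r" % (field, value))
    print("unmapped keys:", ", ".join(sorted(rest)))
```

Because the quoted-value alternative is tried first, a request line such as req="GET http://... HTTP/1.1" is kept whole even though it contains spaces and an embedded key=value-looking query string would be; the bare alternative only applies to unquoted tokens such as X=+ or rsn=-.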
SS8 BreachDetect
Configure SS8 BreachDetect
Configure SS8 BreachDetect to send data to McAfee ESM.
Task
1. On the BreachDetect system, open the SA.properties configuration file in a text editor.
2. Remove the comment characters from the SA_SIEM_INTEGRATION = ESM entry at the end of the file.
3. At the prompt, type security-analytics restart to restart all SA components.
Task
1. From the McAfee ESM dashboard, select the receiver and click the Add Data Source icon.
2. Configure the data source.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Port 22
Path /home/sa/esm
Username sa
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log samples
These are sample JSON records from an SS8 BreachDetect device (a flow event, an asset record, and a threat record):
{
"Pname":"pop-1",
"FCBytes":1733,
"RepSrc":"threatintel",
"Long":112.5603,
"EventTime":"2017-09-27T22:50:55.0Z",
"Country":"cn",
"App":"ssh",
"FCMinTTL":64,
"RepURL":127,
"FCTotPkts":21,
"FEndTm":"2017-09-27T22:50:55.0Z",
"FBytes":6334,
"PHostID":"+37.4118175:-121.9203741",
"FSTCPFlags":27,
"FSAvgIntpktTm":521578,
"EIP":0,
"PIP":"10.0.156.239",
"RepIP":65,
"Family":"encrypted",
"FCAvgIntpktTm":443346,
"FSBytes":2007,
"Sport":22,
"EventType":"flow",
"FCTCPFlags":27,
"SST":0,
"Cport":58432,
"Lat":37.8694,
"FSMaxTTL":64,
"PS":"base.eth.ip.tcp.ssh",
"ThreatTs":0,
"FSMinTTL":64,
"Mail ET":"1969-12-31T16:00:00.0Z",
"FCMaxTTL":64,
"FSTotPkts":18,
"City":"taiyuan",
"CIP":"10.0.100.61",
"FSMaxIntpktTm":5014062,
"FTOS":0,
"SID":"1_1425475393_1504900255.980007",
"FCMaxIntpktTm":5053752,
"FS":0,
"IPProto":"6",
"FCTotBytes":3131,
"SIP":"223.12.54.36",
"UID":"ss8\\hazelfletcher",
"MacID":"124b13b318b0",
"FSTotBytes":3203,
"CallST":"1969-12-31T16:00:00.0Z",
"FPkts":39,
"KEY":"2.85"
}
{
"assetDetails":{
"browsers":[],
"fPrintFlags":[0],
"linkType":[],
"macIDs":[],
"osType":[],
"userAgents":["10.0.100.124"],
"userIDs":[]
},
"assetID":"10.0.100.124",
"assetScore":19.073617935180664,
"assetType":"ClientIP",
"behaviorURL":"clientip/10_0_100_124/behavior.json",
"dataURL":"clientip/10_0_100_124/raw.json",
"dateFlagged":"2017-08-03T14:33:48.277Z",
"deviceStatus":1,
"iocFound":[],
"version":"3"
}
{
"name":"bad_reputation_url",
"type":3,
"killChain":"Delivery",
"impact":1,
"deviceStatus":1,
"numOfEvents":1,
"threatSource":"webroot",
"rowIDs":[
"3.8"
],
"startTime":"2017-08-03T14:33:30.0Z",
"endTime":"2017-08-03T14:33:30.0Z",
"data":{
"Server":"www.google.com",
"RepSrc":"webroot",
"Country":"us",
"App":"blogspot",
"RepURL":26,
"FCTotPkts":1,
"CatURL":"sports",
"EIP":2,
"RepIP":26,
"Sport":80,
"Cport":10,
"ThreatTs":393,
"FSTotPkts":2,
"CIP":"10.0.100.124",
"FS":0,
"IPProto":"6",
"FCTotBytes":378,
"SIP":"74.125.141.104",
"FSTotBytes":1386
}
}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
assetID src_ip
assetScore Reputation_Score
assetType Object_Type
behaviorURL URL
browsers AppID
CIP src_ip
Cookie Message_Text
Cport src_port
deviceStatus Sub_Status
EventType Subcategory
Family Category
FCTotBytes Bytes_Sent
FN Filename
fPrintFlags Device_Action
FS File_Size
FSTotBytes Bytes_Received
FT File_Type
HostName HostID
iocFound Signature_Name
IPProto protocol
linkType Job_Type
MacID src_mac
osType Operating_System
Pname External_Device_Type
PS CommandID
RepIP Reputation
RespCode Response_Code
SCN Description
Sender From
SIP dst_ip
Sport dst_port
StartTime firsttime,lasttime
SUA User_Agent
threatSource SWF_URL
UID username
URL URL
URLQuery Search_Query
userAgents User_Agent
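The BreachDetect records are nested JSON (the asset record wraps its attributes in assetDetails, the threat record wraps its flow fields in data), the table lists one source field with two ESM targets (StartTime), and the table's spelling does not always match the record's (StartTime versus startTime). The following is an added example, not code from the guide or from SS8: it flattens a record, applies the table case-insensitively, expands the multi-target row, and reports every key the table does not cover, which is the quickest way to see what a custom parser would silently drop. The three records are constructed abbreviations of the samples above; joining list values with commas and turning empty lists into None are this example's own assumptions.

```python
import json

# Field-mapping table from the guide (log field -> McAfee ESM field). A comma lists
# several ESM targets for one source field, as in the StartTime row.
SS8_FIELD_MAP = {
    "assetID": "src_ip", "assetScore": "Reputation_Score", "assetType": "Object_Type",
    "behaviorURL": "URL", "browsers": "AppID", "CIP": "src_ip", "Cookie": "Message_Text",
    "Cport": "src_port", "deviceStatus": "Sub_Status", "EventType": "Subcategory",
    "Family": "Category", "FCTotBytes": "Bytes_Sent", "FN": "Filename",
    "fPrintFlags": "Device_Action", "FS": "File_Size", "FSTotBytes": "Bytes_Received",
    "FT": "File_Type", "HostName": "HostID", "iocFound": "Signature_Name",
    "IPProto": "protocol", "linkType": "Job_Type", "MacID": "src_mac",
    "osType": "Operating_System", "Pname": "External_Device_Type", "PS": "CommandID",
    "RepIP": "Reputation", "RespCode": "Response_Code", "SCN": "Description",
    "Sender": "From", "SIP": "dst_ip", "Sport": "dst_port",
    "StartTime": "firsttime,lasttime", "SUA": "User_Agent", "threatSource": "SWF_URL",
    "UID": "username", "URL": "URL", "URLQuery": "Search_Query", "userAgents": "User_Agent",
}
_LOOKUP = {k.lower(): v.split(",") for k, v in SS8_FIELD_MAP.items()}

# Constructed samples, abbreviated from the guide's three JSON records.
FLOW = r'''{"Pname":"pop-1","EventTime":"2017-09-27T22:50:55.0Z","App":"ssh","Family":"encrypted",
 "EventType":"flow","PIP":"10.0.156.239","CIP":"10.0.100.61","SIP":"223.12.54.36",
 "Sport":22,"Cport":58432,"IPProto":"6","FCTotBytes":3131,"FSTotBytes":3203,
 "UID":"ss8\\hazelfletcher","MacID":"124b13b318b0","PS":"base.eth.ip.tcp.ssh","FS":0}'''
ASSET = r'''{"assetDetails":{"browsers":[],"fPrintFlags":[0],"macIDs":[],"osType":[],
 "userAgents":["10.0.100.124"],"userIDs":[]},"assetID":"10.0.100.124",
 "assetScore":19.073617935180664,"assetType":"ClientIP",
 "behaviorURL":"clientip/10_0_100_124/behavior.json","deviceStatus":1,"iocFound":[],"version":"3"}'''
ALERT = r'''{"name":"bad_reputation_url","type":3,"killChain":"Delivery","impact":1,
 "threatSource":"webroot","startTime":"2017-08-03T14:33:30.0Z","endTime":"2017-08-03T14:33:30.0Z",
 "data":{"Server":"www.google.com","CatURL":"sports","SIP":"74.125.141.104","CIP":"10.0.100.124",
 "Sport":80,"Cport":10,"IPProto":"6","FCTotBytes":378,"FSTotBytes":1386}}'''


def _flatten(obj, prefix=""):
    """Yield (dotted_path, value) for each leaf of a nested object; lists are leaves."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from _flatten(value, prefix + key + ".")
        else:
            yield prefix + key, value


def map_ss8_record(record):
    """Apply the mapping table to one parsed record.

    Returns (esm_fields, unmapped_paths). The lookup is case-insensitive because
    the table writes StartTime while the record carries startTime.
    """
    esm, unmapped = {}, []
    for path, value in _flatten(record):
        targets = _LOOKUP.get(path.rsplit(".", 1)[-1].lower())
        if targets is None:
            unmapped.append(path)
            continue
        if isinstance(value, list):  # assumption: comma-join lists, empty list -> None
            value = ",".join(str(v) for v in value) or None
        for esm_field in targets:
            esm[esm_field] = value
    return esm, unmapped


def map_ss8_json(text):
    return map_ss8_record(json.loads(text))


if __name__ == "__main__":
    for label, text in (("flow", FLOW), ("asset", ASSET), ("threat", ALERT)):
        esm, unmapped = map_ss8_json(text)
        print(label, "->", esm)
        print(label, "unmapped:", ", ".join(unmapped))
```

Running it shows, for instance, that the asset record's macIDs list never reaches src_mac (the table only knows the flow record's MacID) and that the threat record's killChain, impact and endTime have no ESM destination at all; those are the gaps to close with custom parser rules before relying on the data for correlation.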
SSH Communications Security CryptoAuditor
Configure CryptoAuditor
Task
1. Log on to the web interface for CryptoAuditor as administrator.
2. Navigate to Settings → External Services → External Syslog Servers → Add Syslog Server.
a. Enter the IP address of the McAfee Event Receiver and port 514 (the default port for syslog).
b. Save and apply the changes.
3. Navigate to Settings → Alerts → Add Alert Group.
a. Enter a name for the group in the Name field.
b. In the External Syslog server drop-down list, select the IP address of the McAfee Event Receiver.
c. Save and apply the changes.
d. Under Requests, click the + icon next to each alert that you want to add to the new alert group.
e. Save and apply the changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority>dateTime hostname CEF:0|Vendor|Product|Version|sigId|name|severity|rt=date outcome=action
The leading <priority> is the syslog PRI value (facility × 8 + severity). The CEF header has seven pipe-separated fields; the sixth is the event name (Admin_login in the sample below), which precedes the severity.
Log sample
This is a sample log from a CryptoAuditor device:
<189>Aug 18 16:17:47 auditor CEF:0|SSH|CryptoAuditor|1.5.2|4050|Admin_login|4|rt=Aug 18 2015 16:17:47 outcome=failure
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
sigID Signature ID
externalID External_EventID
src Source IP
shost Host
dst Destination IP
dhost Destination_Hostname
severity Severity
SshAuditorReason Reason
SshAuditorRule Policy_Name
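Both the Skycure Enterprise and the CryptoAuditor data sources above deliver CEF over syslog, and the same two parsing rules matter for each: the seven header fields are split on pipes that are not backslash-escaped, and extension values may contain spaces, so a value runs until the next key=. The parser below is an added example, not code from the guide, McAfee, Skycure or SSH; it strips the syslog prefix, splits the header with escapes honoured, walks the extension, and applies the two sections' field-mapping tables combined into one dictionary (their keys do not overlap). The Skycure sample is the guide's line completed with hypothetical shost, from and to values, since the page's sample is truncated after duid=123; the third, escape-heavy line is constructed to exercise the escaping rules.

```python
import re

# Extension keys from the guide's Skycure Enterprise and CryptoAuditor mapping tables
EXT_MAP = {
    "shost": "Host", "duid": "External_Device_Name", "from": "Old_Value", "to": "New_Value",
    "externalID": "External_EventID", "src": "Source IP", "dst": "Destination IP",
    "dhost": "Destination_Hostname", "SshAuditorReason": "Reason",
    "SshAuditorRule": "Policy_Name",
}
# CEF header positions after the version: Vendor|Product|Version|Signature ID|Name|Severity
HEADER_FIELDS = ("Vendor", "Product", "Version", "Signature ID", "Message", "Severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed samples (see the lead-in for what is hypothetical).
SKYCURE = ("<123>Jan 01 2001 01:01:01 ip-192-0-2-1 CEF:0|Skycure|Skycure|1.0|"
           "suspicious_app_removed|Suspicious App Removed|0|duid=123 shost=device-01 "
           "from=installed to=removed")
CRYPTOAUDITOR = ("<189>Aug 18 16:17:47 auditor CEF:0|SSH|CryptoAuditor|1.5.2|4050|"
                 "Admin_login|4|rt=Aug 18 2015 16:17:47 outcome=failure")


def _unescape(text, in_extension):
    """Undo CEF backslash escaping; in the extension, n and r also mean newline and CR."""
    def repl(m):
        ch = m.group(1)
        if in_extension and ch in "nr":
            return "\n" if ch == "n" else "\r"
        return ch
    return re.sub(r"\\(.)", repl, text)


def _split_header(cef):
    """Split the text after 'CEF:' at unescaped pipes into 7 header fields + extension."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        if cef[i] == "\\" and i + 1 < len(cef):  # keep escape pairs intact for _unescape
            buf.append(cef[i:i + 2])
            i += 2
            continue
        if cef[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cef[i])
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-separated fields")
    fields.append(cef[i:])  # everything after the seventh pipe is the extension
    return fields


def parse_cef(line):
    """Map one syslog-wrapped CEF line onto ESM field names."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in %r" % line)
    hdr = _split_header(line[start + 4:])
    if hdr[0] != "0":
        raise ValueError("unsupported CEF version %r" % hdr[0])
    event = {name: _unescape(val, False) for name, val in zip(HEADER_FIELDS, hdr[1:7])}
    if event["Severity"].isdigit():
        event["Severity"] = int(event["Severity"])
    ext = hdr[7]
    keys = list(KEY_RE.finditer(ext))
    for this, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        value = _unescape(ext[this.end():end].strip(), True)
        event[EXT_MAP.get(this.group(1), this.group(1))] = value
    return event


if __name__ == "__main__":
    for line in (SKYCURE, CRYPTOAUDITOR):
        print(parse_cef(line))
```

Keys that neither table covers (rt and outcome in the CryptoAuditor line) are kept under their CEF names rather than dropped, so a run over a day of real events shows which extension keys still lack an ESM destination.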
STEALTHbits StealthINTERCEPT
Configure STEALTHbits StealthINTERCEPT
Task
1. Log in to StealthINTERCEPT.
2. Open the Administration Console.
3. From the menu bar, select Configuration → Alerts.
4. Click the SIEM tab and click Configure in the SI System Alerting window.
5. Enter the IP address of the Receiver in the Host Address field.
6. In the Port field, enter 514.
7. From the Mapping File drop-down list, select the McAfee ESM SIEM format.
8. Click Events and select the event types that you want for SIEM reporting.
9. Click OK to apply the new configuration.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected LEEF log format for this device is:
LEEF:1.0|Device Vendor|Device Product|Device Version|Signature ID|Key value pairs
Log sample
This is a sample log from a device:
Oct 01 16:14:03 2008R264BITSRVR CEF:0|STEALTHbits|StealthINTERCEPT|3.1.262.1|Active DirectoryuserObject ModifiedFalseTru
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
shost                    Hostname
Policy_Name              Policy_Name
Old_Attribute_Value      Old_Value
Attribute_Name           Attribute_Type
Object_Class             Object_Type
Task
1. For Windows – Go to the directory \Vontu\Protect\config.
For Linux – Go to the directory /opt/Vontu/Protect/config.
2. Open the file Manager.properties for editing.
3. Edit these three lines:
#systemevent.syslog.host=
#systemevent.syslog.port=
#systemevent.syslog.format=
a. Remove the ‘#’ symbol from the beginning of each of these lines.
b. Set the value for systemevent.syslog.host= to the IP address of the McAfee Event Receiver.
c. Set the value for systemevent.syslog.port= to the port where the McAfee Event Receiver is listening (default is 514).
d. Set the value for systemevent.syslog.format= to [{0}] {1} - {2}.
The three original lines should now look similar to this:
systemevent.syslog.host=192.0.2.1
systemevent.syslog.port=514
systemevent.syslog.format=[{0}] {1} - {2}
4. Save these changes and restart the Vontu Server (Symantec Data Loss Prevention server).
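The edit described in steps 1 through 4 can be scripted so that the three keys are uncommented and set in one pass, and so that a re-run does not duplicate them. The following is an added example and is not code from the McAfee guide or from Symantec; the receiver address 192.0.2.1 and the sample properties fragment are constructed values, and the real file is the Manager.properties named above.

```python
"""Uncomment and set the three systemevent.syslog.* keys in a Symantec DLP
Manager.properties file, following the steps above.

Added example, not code from the McAfee guide or from Symantec. The receiver
address and the sample properties text are constructed.
"""
import re
from typing import Dict

# The three keys the procedure above tells you to enable (constructed values).
SYSLOG_SETTINGS: Dict[str, str] = {
    "systemevent.syslog.host": "192.0.2.1",   # McAfee Event Receiver IP (constructed)
    "systemevent.syslog.port": "514",          # default syslog port on the Receiver
    "systemevent.syslog.format": "[{0}] {1} - {2}",
}

# Matches the key whether it is still commented out ("#key=") or already active.
_KEY_RE = re.compile(r"^\s*#?\s*(systemevent\.syslog\.(?:host|port|format))\s*=")


def apply_syslog_settings(text: str, settings: Dict[str, str] = SYSLOG_SETTINGS) -> str:
    """Return the properties text with each target key uncommented and set.

    Other lines are left untouched. A key missing from the file is appended so
    the file is complete after one run; running the function again on its own
    output produces the same text (idempotent).
    """
    out, seen = [], set()
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group(1) in settings:
            key = m.group(1)
            out.append(f"{key}={settings[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def syslog_settings(text: str) -> Dict[str, str]:
    """Read back the active (uncommented) systemevent.syslog.* values."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("systemevent.syslog.") and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found


# Constructed fragment of a Manager.properties file with the keys commented
# out, as step 3 above shows them before editing.
SAMPLE_PROPERTIES = """\
# Manager settings (constructed sample)
com.vontu.manager.some.other.key=true
#systemevent.syslog.host=
#systemevent.syslog.port=
#systemevent.syslog.format=
"""

if __name__ == "__main__":
    print(apply_syslog_settings(SAMPLE_PROPERTIES))
```

After running it against the real file, step 4 still applies: restart the Vontu Server for the new values to take effect.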
Configure Symantec Data Loss Prevention for common event format (CEF)
Task
1. Log on to the Symantec DLP server with the appropriate permissions.
2. Navigate to Manage → Policies → Response Rules → Add Response Rule.
3. Select Automated Response in the new window, then click Next.
4. Configure the rule by completing these fields.
a. Rule Name – Enter a rule name.
b. Description – Enter a description for the rule name.
5. In the Actions section, click the drop-down list and select Log to a Syslog Server.
6. Click Add Action.
7. Configure the actions by completing these fields.
a. Host – Enter the IP address of the remote log collector.
b. Port – Enter 514.
c. Message – Enter the following:
CEF:0|Symantec|DLP|12.5.0|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ PROTOCOL=$PROTOCOL$ RECIPIENTS=$RECIPIENTS$ SENDER=$SENDER$ SUBJECT=$SUBJECT$ SEVERITY=$SEVERITY$ FILE_NAME=$FILE_NAME$
Add Symantec Data Loss Prevention
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Symantec Data Loss Prevention CEF log format and field mappings
Log format
The expected format for this device is:
CEF:0|Symantec|DLP|12.5.0|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=$INCIDENT_SNAP
Log sample
This is a sample log from a Symantec DLP (Vontu DLP) device:
<13>Sep 5 08:22:01 data.example.com CEF:0|Symantec|DLP|12.5.0|ruleID|Policy|5|BLOCKED=Passed INCIDENT_ID=204529 INCIDENT_
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
INCIDENT_ID              Incident_ID
INCIDENT_SNAPSHOT        URL
MATCH_COUNT              Count
PROTOCOL                 Application_Protocol
SUBJECT                  Subject
SEVERITY                 Severity
FILE_NAME                Filename
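Both the StealthINTERCEPT section above (whose sample log is CEF-formatted, with an optional timestamp and host in front of the CEF payload) and this Symantec DLP CEF section describe the same shape of event: an optional syslog prefix, seven pipe-delimited CEF header fields, and a key=value extension whose keys the field-mapping tables rename to McAfee ESM fields. The parser below is an added example, not code from the McAfee guide, Symantec or STEALTHbits; it takes the mapping tables from the page as dictionaries and shows how the syslog PRI, the escaped-pipe rule of CEF headers and extension values containing spaces are handled. The sample event is constructed from the DLP message template above and its values are made up.

```python
"""Parse a syslog-wrapped CEF event and rename its extension keys to the
McAfee ESM field names from the mapping tables above.

Added example, not code from the McAfee guide, Symantec or STEALTHbits. The
sample event is constructed from the DLP message template; values are made up.
"""
import re
from typing import Dict, List, Tuple

# Optional "<PRI>" and "Mon dd hh:mm:ss host" prefix, then the CEF payload.
# PRI = facility * 8 + severity (syslog convention). The StealthINTERCEPT
# sample above has a timestamp and host but no PRI, so each part is optional.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"(?P<cef>CEF:.*)$"
)
# An extension key starts at the beginning or after whitespace and ends at '='.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")

# Extension key -> McAfee ESM field, copied from the two mapping tables above.
DLP_FIELD_MAP = {
    "INCIDENT_ID": "Incident_ID", "INCIDENT_SNAPSHOT": "URL",
    "MATCH_COUNT": "Count", "PROTOCOL": "Application_Protocol",
    "SUBJECT": "Subject", "SEVERITY": "Severity", "FILE_NAME": "Filename",
}
STEALTHINTERCEPT_FIELD_MAP = {
    "shost": "Hostname", "Policy_Name": "Policy_Name",
    "Old_Attribute_Value": "Old_Value", "Attribute_Name": "Attribute_Type",
    "Object_Class": "Object_Type",
}


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, severity)."""
    return pri // 8, pri % 8


def split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the extension string. A '|' inside
    a header field is escaped as '\\|' and must not split the field."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=v2 ...'. A value runs until the next ' key=' token, so
    values containing spaces (SUBJECT=Quarterly numbers) stay intact."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[cur.group(1)] = ext[cur.end():end].strip()
    return out


def parse_event(line: str, field_map: Dict[str, str]) -> Dict[str, object]:
    """Parse one line into CEF header fields plus ESM-named extension fields."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("line does not carry a CEF payload")
    header, ext = split_cef_header(m.group("cef"))
    event: Dict[str, object] = dict(zip(CEF_HEADER, header))
    event["version"] = header[0].split(":", 1)[1]          # "CEF:0" -> "0"
    if m.group("pri") is not None:
        event["facility"], event["syslog_severity"] = decode_pri(int(m.group("pri")))
    if m.group("host"):
        event["syslog_host"] = m.group("host")
    # Rename known keys to ESM fields; unknown keys keep their original name.
    event["fields"] = {field_map.get(k, k): v for k, v in parse_extension(ext).items()}
    return event


# Constructed sample following the DLP message template above (values made up).
SAMPLE_DLP = (
    "<13>Sep  5 08:22:01 data.example.com "
    "CEF:0|Symantec|DLP|12.5.0|ruleID|Policy|5|BLOCKED=Passed INCIDENT_ID=204529 "
    "INCIDENT_SNAPSHOT=https://dlp.example.com/incidents/204529 MATCH_COUNT=3 "
    "PROTOCOL=HTTP RECIPIENTS=alice@example.com,bob@example.com "
    "SENDER=carol@example.com SUBJECT=Quarterly numbers SEVERITY=High FILE_NAME=q3.xlsx"
)

if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_DLP, DLP_FIELD_MAP).items():
        print(f"{key}: {value}")
```

Keys that are not in the mapping table (BLOCKED, RECIPIENTS, SENDER) are kept under their own names, which is the behaviour to check for when a dashboard column stays empty: the data arrived, but no ESM field was mapped to it.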
Log format
The expected format for this device is:
<pri>Date Time Application: sessionNumber|[HostName]|Message|Source|E-MailAddress|WebAddress|
Log sample
This is a sample log from a Symantec Data Loss Prevention (Vontu) device:
<20>Jan 01 01:01:01 admin Incident: 12345|US_GBM_COLLECT_BUSINESS_SOURCECODE|192.168.2.1|HTTP incident| https://main.webs
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
Application              Application
SessionNumber            Session ID
Source                   Source IP
Hostname                 Host
Message                  Message
E-mailAddress            To
WebAddress               URL
Task
1. Log on to the Symantec Endpoint Protection Manager Console as administrator.
2. Navigate to Admin → Servers → Local Site → Configure External Logging, then select any Update Frequency.
3. Select Enable Transmission of Logs to a Syslog Server.
4. In the Syslog Server field, enter the IP address of the McAfee Event Receiver.
5. In the Destination Port field, enter the port used for receiving syslog on the McAfee Event Receiver (default is 514).
6. In the Log Facility field, enter any facility number according to your preference.
7. On the Log Filter tab, select any of the files you want to export.
8. Click OK to save and exit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     IP address and host name associated with the data source
                        device.
Mask                    <Default>
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> [<device IP>] <date> SymantecServer <hostname>: <message>
Log sample
This is a sample log from a Symantec Endpoint Protection device:
Jan 01 01:01:01 [192.0.2.1] Jan 01 01:01:01 SymantecServer servername:,Category: 1,Symantec AntiVirus,Symantec Endpoint
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
Hostname                 Host
Protocol                 Protocol
IP                       Source IP
Remote IP                Destination IP
Session                  Session ID
Command                  Command
Domain                   Domain
Occurrences              Count
File                     Filename
Rule                     Rule_Name
Source                   Detection_Method
Task
1. Log on to the Symantec Message Gateway Control Center as administrator.
2. Navigate to Administration → Settings → Logs, then select the Remote tab.
3. Select Enable Syslogs for the following host, then select the host to send syslog data from.
4. In the Host field, enter the IP address of the McAfee Event Receiver.
5. Enter the port where the McAfee Event Receiver is listening (default is 514).
6. Set the Protocol field to UDP.
7. Set the Component Remote Log Levels to the level you want.
8. Select Enable Message Logs so that message logs are sent to the McAfee Event Receiver.
9. Set the Message log facility to the level you want.
10. Save changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<pri> Date Time Application: [Hostname] (Severity.Reference.Number): [EventIDNumber] <Source Username> <Destination User
Log sample
This is a sample log from a Symantec Message Gateway device:
<23>Jan 1 01:01:01 antispam conduit: [Brightmail] (INFO:1234.12345678): [12345] Spamhunter module: loaded rulefile /data
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
Application              Application
Hostname                 Hostname
Severity                 Severity
EventIDNumber            Signature ID
Filepath/Filename        Filename
SrcIP                    Source IP
DstIP                    Destination IP
Message                  Message_Text
Task
1. Log on to the Symantec PGP Universal Server Device with a web browser.
2. Click Settings.
3. Select Enable External Syslog.
4. Set the Protocol to UDP.
5. Set the Hostname to the IP address of the McAfee Event Receiver.
6. Set the Port to 514 (the default port for receiving syslog on the McAfee Event Receiver).
7. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Date Time service[pid]: Message CLIENT USER from
Log sample
This is a sample log from a Symantec PGP Universal Server device:
2001/01/01 01:23:45 -00:00 NOTICE pgp/admin[2002]: Administrator [UNAUTHENTICATED USER] from 192.0.2.2 Using Passphrase
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
Service                  Severity/Application
Message                  Command
Client                   Source IP
From                     Destination IP
Task
1. Log on to your Symantec Web Gateway device through a web browser.
2. Navigate to Administration → Configuration → Syslog.
3. Set the Syslog Server value to the IP address of the McAfee Event Receiver.
4. Set Facility according to your preference.
5. Save changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<pri>Alert type: [Alert Name] (Description), (Host), (Detection Type), (Threat Name), (Threat Category), (Severity), (Thr
Log sample
This is a sample log from a Symantec Web Gateway device:
<185>Symantec Web Gateway Alert: [Alert Name - Name] (Description: Alert events sent to syslog), (Count: 1), (Host: 192.0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
Severity                 Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|threatconnect|threatconnect|<version>|<event class id>|<name>|<severity>|<key value pairs>
Log sample
This is a sample log from a device:
CEF:0|threatconnect|threatconnect|3|14936758|McAfee ESM Demo Source Email|8|cs5Label=Indicator cs3=This is one bad dude.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields               McAfee ESM fields
cat                      sid
CEF.Severity             Severity
Confidence               Confidence
cat                      Category
fileHash                 New_Value
cfp1                     Reputation_Score
cfp2                     Device_Confidence
deviceCustomDate1        firsttime,lasttime
TippingPoint SMS
Configure TippingPoint SMS
Task
1. From the Device Configuration screen, select Server Properties → Management tab.
2. At the bottom of the page, find Remote Syslog for Events:
◦ For a new configuration, click New.
◦ For an existing configuration, click Edit.
3. Enter the IP address for the McAfee Event Receiver.
4. Enter 514 for the port.
5. For Alert Facility, select None.
6. For Block Facility, select None.
7. For Delimiter, select Tab.
8. Click Apply to save changes.
Add TippingPoint SMS
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                  Definition
Enabled                 Select options for processing events. Some options may not be
                        available for your data source.
                        ◦ Parsing - if you want to parse events. Enabling parsing is
                          recommended.
                        ◦ Logging - if you want to log events on a McAfee Enterprise
                          Log Manager.
                        ◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname     The IP address and host name associated with the data source
                        device.
Mask                    32
Require Syslog TLS      Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data
                            for this data source (maximum of 512 characters). You can
                            access this URL by clicking the Launch Device URL icon at the
                            bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the
                            ESM Common Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            ◦ Default — Uses the default date order (month before day).
                              When using client data sources, clients using this setting
                              inherit the date order of the parent data source.
                            ◦ Month before day — The month goes before the day (04/23/2018).
                            ◦ Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the
                            list.
External data source link   Automatically selected when you import events from another
                            receiver. You can clear the checkbox, which removes the
                            distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2.
                            The External data source link is applied to the logs being sent
                            so that when logs are imported, the ESM can differentiate the
                            forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are
                            exported in NitroFile format. If you import those files to
                            another Receiver automatically, Data is NitroFile is selected
                            for each of the data sources you are importing. This indicates
                            that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select
                            this option if the data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is
                            selected for any data source that has a checksum file. If you
                            import them manually, you must select it. The only exception is
                            when you are importing a data source file that doesn't have a
                            checksum file, but you want to view it anyway.
Log format
<Syslog category> Action Type Severity Policy UUID Signature UUID Signature Name Signature Number Signature Protocol Sou
Log sample
Attention: The fields in this log are separated by tabs. If you copy and paste this log, the tabs may not copy correctly and you may need to add them manually.
<34>8 400000002-0002-0002-0002-00000000102600000001-0001-0001-0001-0000000010261026:HTTP:cgiwrapVulnerability1026http1.2
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Severity Severity
Task
1. Ensure that the Event Logger Module is installed on the Tofino Firewall LSM.
2. Open the Tofino Configurator tool.
3. Under Package Explorer, navigate to the Event Logger and select it.
The right frame refreshes with the configuration settings for the Event Logger.
4. Set the Syslog Server IP Address to the IP address of the McAfee Event Receiver.
5. Set the Destination Port to the port set up on the McAfee Event Receiver for receiving syslog (default is 514).
6. Set the Lowest Priority Logged according to your preference.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
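The Date Order rows in the option table above say that a client left at Default inherits its parent's setting and that Default itself means month before day. The following Python is an added example, not part of McAfee's documentation or product code, that resolves the effective order the way the table describes and then flags raw dates that are valid under both orders: those are the dates a wrong setting shifts silently, whereas a date such as 23/04/2018 at least fails to parse under the wrong order. The function and constant names are this example's own.

```python
from datetime import datetime

# Date Order values as the Add Data Source dialog names them.
DEFAULT = "Default"
MONTH_FIRST = "Month before day"
DAY_FIRST = "Day before month"

_FORMATS = {
    MONTH_FIRST: "%m/%d/%Y",   # 04/23/2018
    DAY_FIRST: "%d/%m/%Y",     # 23/04/2018
}


def resolve_date_order(client_setting: str, parent_setting: str = DEFAULT) -> str:
    """Return the effective Date Order for a data source.

    A client left at Default inherits its parent; a parent left at Default
    means month before day, as the option table states.
    """
    effective = client_setting if client_setting != DEFAULT else parent_setting
    return MONTH_FIRST if effective == DEFAULT else effective


def parse_event_date(text: str, order: str) -> datetime:
    """Parse a slash-separated date under the resolved order.

    Raises ValueError when the text cannot be a date in that order, which is
    the only visible symptom a wrong Date Order setting ever produces.
    """
    return datetime.strptime(text, _FORMATS[order])


def is_ambiguous(text: str) -> bool:
    """True when the text is a valid date under both orders.

    Such dates (day and month both 12 or below) never raise, so a wrong
    setting silently moves the event in time.
    """
    parsed = 0
    for fmt in _FORMATS.values():
        try:
            datetime.strptime(text, fmt)
            parsed += 1
        except ValueError:
            pass
    return parsed == 2


def unverified_dates(samples, order: str):
    """Return the raw dates that parsed but could also mean a different day.

    Run this over a handful of raw dates from a new source: if every sample
    comes back, nothing so far proves the Date Order setting is right.
    """
    out = []
    for text in samples:
        parse_event_date(text, order)  # raises if the order is impossible
        if is_ambiguous(text):
            out.append(text)
    return out


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real device.
    order = resolve_date_order(DEFAULT, DAY_FIRST)
    print(order, unverified_dates(["23/04/2018", "04/03/2018"], order))
```

The check is worth running once per new data source: a source whose sampled dates all have day and month of 12 or below has not yet produced a single date that would expose a wrong setting.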
Log format
The expected format for this device is:
Firewall Name and Version: Message
Log sample
This is a sample log from a Tofino Security – Tofino Firewall LSM Configuration device (version 3.1):
Tofino Firewall LSM: MAC_SRC=00:11:22:33:44:55 MAC_DST=55:44:33:22:11:00 IP_SRC=192.168.1.2 IP_DST=192.168.2.1 PROTO=FTP
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
PROTO Protocol
DST_IP Destination IP
SRC_IP Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<severity> <date> User=<username>;workspaceGUID=<GUID>;workspaceName=<name>;action=<action>;fileId=<IDnumber>;fileName=<
Log sample
This is a sample log from a Topia Technology Skoot device:
INFO 2001-01-01 01:01:01,001 - [email protected];workspaceGUID=a1b2c3d4-e5f6-a1b2-c3d4-e5f6a1b2c3d4;workspaceName=Exa
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
cat sid
CEF.Severity Severity
Confidence Confidence
cat Category
fileHash New_Value
cfp1 Reputation_Score
cfp2 Device_Confidence
Task
1. Open up the device management screen and click the Configuration tab.
2. Edit the Syslog server property.
3. In the Configure Syslog Service Settings window, select Enable Syslog Service.
4. In the Syslog server configuration IP field, enter the IP address of the McAfee Event Receiver.
5. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<PRI>DATE TIME HOSTNAME DATE: TIME HOSTNAME MESSAGE
Log sample
This is a sample log from a device:
<123>Jan 01 01:01:01 localhost 20010101-1: 01:01.001 localhost connections['tcp' : 978310861 : '192.0.2.1' : 123 : '192.0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Source IP Source IP
Destination IP Destination IP
Protocol Protocol
app Application
class Threat_Category
Hash File_Hash
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Port The port assigned for the connection. Port 1433 is the
default.
Database Name The name that will appear in lists of available databases.
Time Zone Time zone where the data source device is physically
located.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Port 514
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
date time hostname CEF:0|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension|...
Log sample
This is a sample log from a Trend Micro Deep Security device:
Jan 01 01:01:01 SampleServer CEF:0|Trend Micro|Deep Security Manager|8.0.1046|600|User Signed In|3|src=1.2.3.4 suser=adm
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
msg Message
dst Destination IP
proto Protocol
src Source IP
TrendMicroDsFrameType Application
shost Host
request URL
Host ID Server_ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Trend Micro Deep Security Manager log format
Log format
The expected format for this device is:
Date time CEF:0|Company|Product|Version|EventID|Title|#|Message
Log sample
This is a sample log from a Trend Micro – Deep Security Manager device:
<134>Jan 01 00:00:00 AAAA01 CEF:0|Trend Micro|Deep Security Manager|8.0.0000|999|Contact by Unrecognized Client|6|src=10.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<computer name> <domain> <device name> <epoch time> <threat name> <infected file> <file location>
Log sample
This is a sample log from a Trend Micro OfficeScan device:
COMPUTERNAME Domain 1 Device.Name 978310800 Threat_Name ~filename.tmp C:\Users\filelocation\ 0 0 0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Domain Domain
URL URL
Location File_Path
GUID Instance_GUID
IP Address Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <host> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|rt
Log sample
This is a sample log from a Trustwave Data Loss Prevention device:
Jan 1 01:01:01 abcde12345 CEF:0|Trustwave|DLP|8.14|sigid|name|5|rt=978310861000 src="192.0.2.0" dst="5.6.7.8" sport=1234
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
dhost Host
cs6 Domain
app Application
src Source IP
dst Destination IP
proto Protocol
shost Object
fname File_Path
externalId Message_Text
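The Trend Micro Deep Security and Deep Security Manager entries above and the Trustwave Data Loss Prevention entry here all deliver CEF over syslog, and their field mapping tables name the extension keys the ESM fields are taken from. The following Python is an added example, not McAfee's or either vendor's code, that decodes the syslog <PRI> when one is present, splits the seven pipe-delimited CEF header fields while honouring backslash escapes, parses the extension key=value pairs, and applies the page's mappings. The two sample lines are constructed by completing the page's cut-off samples; quoted values have their quotes stripped as a concession to the Trustwave sample (plain CEF does not quote); and every function and constant name is this example's own.

```python
import re
from typing import Dict, List, Tuple

# RFC 3164: facility = PRI // 8, severity = PRI % 8.
SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Extension key -> McAfee ESM field, copied from this page's mapping tables.
DEEP_SECURITY_MAP = {"dst": "Destination IP", "proto": "Protocol", "src": "Source IP",
                     "TrendMicroDsFrameType": "Application", "shost": "Host",
                     "request": "URL", "msg": "Message"}
TRUSTWAVE_DLP_MAP = {"dhost": "Host", "cs6": "Domain", "app": "Application",
                     "src": "Source IP", "dst": "Destination IP", "proto": "Protocol",
                     "shost": "Object", "fname": "File_Path", "externalId": "Message_Text"}

# Constructed samples: the page's own samples are cut off, so the tails (and
# the escaped "=" inside msg) are made up here to exercise the parser.
DEEP_SECURITY_SAMPLE = (
    "<134>Jan 01 00:00:00 AAAA01 CEF:0|Trend Micro|Deep Security Manager|8.0.0000|999|"
    "Contact by Unrecognized Client|6|src=10.0.0.5 dst=10.0.0.9 proto=TCP shost=agent01 "
    "msg=Unknown client attempted\\=contact")
TRUSTWAVE_DLP_SAMPLE = (
    'Jan 1 01:01:01 abcde12345 CEF:0|Trustwave|DLP|8.14|sigid|name|5|rt=978310861000 '
    'src="192.0.2.0" dst="5.6.7.8" sport=1234 fname="report.pdf" externalId=12345')

HEADER_NAMES = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
_PRI = re.compile(r"^<(\d{1,3})>")
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")  # split only before "key="


def _split_header(body: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited header fields and the remaining extension
    text; a backslash escapes the next character, so "\\|" does not end a field."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, body[i:]


def _unescape(value: str) -> str:
    """Undo extension escapes (\\= \\\\ \\n \\r); surrounding double quotes, which
    the Trustwave sample uses although CEF itself does not, are stripped."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    text = "".join(out)
    return text[1:-1] if len(text) >= 2 and text[0] == text[-1] == '"' else text


def parse_extensions(text: str) -> Dict[str, str]:
    """Parse key=value pairs; values may contain spaces."""
    ext: Dict[str, str] = {}
    for token in _EXT_SPLIT.split(text.strip()):
        if token:
            key, _, value = token.partition("=")
            ext[key] = _unescape(value)
    return ext


def parse_cef(line: str) -> dict:
    """Decode an optional <PRI>, skip the syslog timestamp and host, parse the CEF body."""
    event: dict = {"facility": None, "syslog_severity": None}
    m = _PRI.match(line)
    if m:
        pri = int(m.group(1))
        event["facility"], event["syslog_severity"] = pri // 8, SYSLOG_SEVERITY[pri % 8]
        line = line[m.end():]
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    header, ext_text = _split_header(line[start:])
    header[0] = header[0][len("CEF:"):]  # "CEF:0" -> "0"
    event.update(zip(HEADER_NAMES, header))
    event["extensions"] = parse_extensions(ext_text)
    return event


def to_esm_fields(event: dict, mapping: Dict[str, str]) -> Dict[str, str]:
    """Apply a page mapping; the CEF header severity maps to ESM Severity on every device."""
    ext = event["extensions"]
    out = {"Severity": str(event["severity"])}
    out.update({esm: ext[key] for key, esm in mapping.items() if key in ext})
    return out
```

Rejecting a header with fewer than seven fields, instead of guessing, is deliberate: a truncated or non-CEF line that slips through would fill ESM fields with header text, which is much harder to notice than a parse error. Decoding the PRI also makes the page's samples readable: <134> is facility 16 (local0) at severity 6 (info), and the <34> on the earlier sample is facility 4 (auth) at severity 2 (crit).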
Configure Trustwave Network Access Control
See the Trustwave Network Access Control documentation for information about how to send syslog events to a remote server or
McAfee ESM. Use the IP address of the McAfee Event Receiver as the IP address of the remote server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox, which removes the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device IP> <state> <date> <device name> <action> <priority> <hostname>
Log sample
This is a sample log from a Trustwave Network Access Control device:
Jan 01 01:01:01 [1.2.3.4] Jan 01 01:01:01 applianceReady: Date=2001/01/01 01:01:01,ReportingAppliance=device,Action=appli
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Priority Severity
Domain Domain
IP Address Source IP
Action Message
Tychon
Add Tychon
View events from Tychon in ESM Scorecard. Tychon is an Enterprise Detection and Response (EDR) product that lets you collect
additional data needed to populate Scorecard. In combination with McAfee Policy Auditor and Tychon, customers can use ESM to
visualize the 10 assessment items in the US DoD CyberSecurity Scorecard.
Note: This data source is supported in McAfee ESM 10.3 and higher.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Tychon McAfee
CHSHostname Hostname
domainName Domain
userSid User_Nickname
logonType Logon_Type
assignedGroups Group_Name
userAdmin Privileged_User
isException Sub_Status
Compliant Status
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <IP address> <device name> <date time> <severity> <object> <user> <group> <name> <terminal name>
Log sample
This is a sample log from a Type80 Security Software SMA_RT device:
Jan 01 01:01:01 192.0.2.0 DEVICE |||2001010101010101|||||YELLOW ALERT |ABC12345 USER(username) GROUP(groupname) NAME(name
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Object Object
IP Address Source IP
User Username
Group Group_Name
Unix Linux
Configure Unix Linux
Task
1. Edit the /etc/syslog.conf file.
2. Add this line to the file:
*.* @<ip_address>:514
where <ip_address> is the IP address of your McAfee Event Receiver, and 514 is the default syslog port.
3. Run this command:
service syslog restart
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for
your data source.
◦ Parsing - if you want to parse events. Enabling parsing is recommended.
◦ Logging - if you want to log events on a McAfee Enterprise Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Log on to the Digital Guardian Management Console.
2. Select Workspace → Data Export → Create Export.
a. From the Data Sources list box, select Alerts or Events as the data source.
b. From the Export type list box, select ArcSight CEF.
c. From the Type list box, select UDP or TCP as the transport protocol.
d. In the Server Name field, type the IP address of your ArcSight server.
e. In the Port field, type 514.
f. From the Syslog Severity Level list box, select a severity level.
g. Select Is Active.
3. Click Next.
4. From the list of available fields, select the Alert or Event fields for your data export.
5. Select a criteria for the fields in your data export, then click Next.
6. Select a group for the criteria, then click Next.
7. Click Test Query, then click Next.
8. Save the data export.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
Jan 01 2014 01:01:01 APPSERVER.domain.com CEF:0|Verdasys|Digital Guardian|6.1.2.0464|File Write|File Write|10|cat=alerts
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
DG_SourceDriveType Object_Type
fname Filename
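The Digital Guardian line above is an ArcSight CEF record inside a syslog message. The following added example (not code from the guide or from McAfee) parses such a line the way the page's mapping table implies: the seven pipe-delimited header fields, then the key=value extension, honouring the CEF escapes for pipe, equals and backslash. The sample line is constructed to extend the truncated one on the page; everything after cat=alerts is invented.

```python
import re

# Constructed sample shaped like the Digital Guardian line on this page (the page's
# own sample is cut off after "cat=alerts"); everything after that key is invented,
# including the CEF-escaped backslashes in fname and the escaped "=" in msg.
SAMPLE = ('Jan 01 2014 01:01:01 APPSERVER.domain.com '
          'CEF:0|Verdasys|Digital Guardian|6.1.2.0464|File Write|File Write|10|'
          'cat=alerts fname=C:\\\\Users\\\\alice\\\\notes.txt DG_SourceDriveType=Fixed '
          'msg=Write to a\\=b finished')

# Digital Guardian extension keys -> McAfee ESM fields, from this page's mapping table.
DG_TO_ESM = {'fname': 'Filename', 'DG_SourceDriveType': 'Object_Type'}

CEF_HEADER_FIELDS = ('version', 'device_vendor', 'device_product', 'device_version',
                     'signature_id', 'name', 'severity')

# A key is a run of key characters at the start of the extension or after whitespace,
# followed by an "=" that is not itself escaped.
EXT_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.\-]+)(?<!\\)=')


def unescape(s):
    """Resolve CEF escapes: \\| \\= \\\\ and the \\n / \\r line-break escapes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append({'n': '\n', 'r': '\r'}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def split_unescaped(s, sep, maxsplit=-1):
    """Split on sep, skipping backslash-escaped characters; escapes are kept in the parts."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.extend(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and len(parts) != maxsplit:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_extension(ext):
    """The extension is 'key=value key=value'; values may contain spaces, so a value
    runs from its '=' up to the next unescaped key."""
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line):
    """Parse a syslog line carrying a CEF record into prefix, header and extension."""
    pos = line.find('CEF:')
    if pos < 0:
        raise ValueError('no CEF header in line')
    parts = split_unescaped(line[pos + 4:], '|', maxsplit=7)
    if len(parts) != 8:
        raise ValueError('CEF header must have seven pipe-delimited fields')
    header = {k: unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    return {'prefix': line[:pos].rstrip(),
            'header': header,
            'extension': parse_extension(parts[7])}


def to_esm(record, mapping=DG_TO_ESM):
    """Project the extension onto the ESM field names this page maps."""
    return {mapping[k]: v for k, v in record['extension'].items() if k in mapping}


if __name__ == '__main__':
    rec = parse_cef(SAMPLE)
    print(rec['header'])
    print(to_esm(rec))
```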
VMware
Configure VMware
See the VMware product documentation for instructions on sending syslog events.
Add VMware
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a VMware device:
<166>Jan 1 12:34:56 Hostd: [2015-01-01 12:34:56.123 ABCD1234 severity service] Example Message
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
IP Address Source IP
Destination Destination IP
Host Hostname
Application Application
Command Command
Method Method
Severity Severity
File Filename
VMware AirWatch
Configure VMware AirWatch
Task
1. Log on to Admin Console and navigate to Groups → Settings → All Settings → System → Enterprise Integration → Syslog.
2. Enter the host name or IP address of the McAfee Event Receiver in the Host Name field.
3. Select UDP for Protocol.
4. Enter 514 in the Port field.
5. Select UserLevelMessages for Syslog Facility.
6. For Event Types Logged, select Console and Device.
7. Enter Airwatch in the Message Tag field.
8. Make sure that the Message Content field follows the default format.
Add VMware AirWatch
Log in to ESM and add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
AirWatch Syslog Details are as follows Event Type: {EventType}Event: {Event}User: {User}Event Source: {EventSource}Event
Log sample
This is a sample log from a device:
<101> October 11 11:12:22 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationUs
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
EventType Event_Class
Event Message
EventSource Subcategory
EventModule Category
EventCategory Message_Text
Application Filename
Method Method
OS Version Version
OS Operating_System
Status Status
Session External_SessionID
Task
1. Log on to the vSphere web client.
2. Browse to the vCenter Server where you want to collect events.
3. Select Manage → Permissions → Add Permission.
4. Add minimum read-only permission to a user, then select Propagate to children.
Use an existing permission if one was created.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
VMware vCenter Server log format and field mapping
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status rul
Log sample
This is a sample log from a VMware vCenter Server device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTP
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. From the DSM product, select Log → Syslog and add the required information.
2. Select Syslog Enabled via System → General Preferences on the System tab.
3. Configure the Syslog server for DSM logging for each domain.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is not available.
Log sample
These are sample logs from a Vormetric Data Security device:
<30>1 2013-06-29T18:44:42.420Z 10.10.10.1 vee-FS 0 CGP2601I [CGP@21513 sev="INFO" msg="Audit access" cat="[AUDIT]" pol="
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
filePath Destination_Filename
cat Category
url URL
Message ID Signature ID
sev Severity
dvchost Destination_Hostname
key Registry_Key
Res Object
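The Vormetric line above is RFC 5424 syslog with the fields carried as SD-PARAMs of a structured-data element, and its cat="[AUDIT]" value shows why a parser must not cut the element at the first "]". This added example (not from the guide or from McAfee) scans the header and structured data per RFC 5424 and applies the page's mapping, with MSGID going to Signature ID. The sample extends the truncated line on the page; the pol, filePath, dvchost and key values and the trailing message are invented.

```python
import re

# Constructed sample extending the Vormetric line on this page, which is cut off at
# pol=" ; the pol, filePath, dvchost and key values and the trailing MSG are invented.
SAMPLE = ('<30>1 2013-06-29T18:44:42.420Z 10.10.10.1 vee-FS 0 CGP2601I '
          '[CGP@21513 sev="INFO" msg="Audit access" cat="[AUDIT]" pol="example-policy" '
          'filePath="/data/secret.txt" dvchost="fs01.example.invalid" key="example-key"] '
          'Audit access')

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) '
                    r'(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')

SEVERITY_NAMES = ('emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug')

# SD-PARAM names -> McAfee ESM fields, from this page's Vormetric mapping table.
VORMETRIC_TO_ESM = {'filePath': 'Destination_Filename', 'cat': 'Category', 'url': 'URL',
                    'sev': 'Severity', 'dvchost': 'Destination_Hostname', 'key': 'Registry_Key'}


def parse_sd(s, pos):
    """Parse STRUCTURED-DATA starting at s[pos]; return ({sd_id: {name: value}}, end).
    PARAM-VALUE is scanned character by character honouring the \\" \\\\ \\] escapes,
    so a bracket inside quotes (cat="[AUDIT]") does not terminate the element."""
    if s.startswith('-', pos):          # NILVALUE: no structured data
        return {}, pos + 1
    elements = {}
    while pos < len(s) and s[pos] == '[':
        pos += 1
        end_id = pos
        while s[end_id] not in ' ]':
            end_id += 1
        sd_id, pos, params = s[pos:end_id], end_id, {}
        while s[pos] == ' ':
            pos += 1
            eq = s.index('=', pos)
            name = s[pos:eq]
            if s[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted')
            pos, val = eq + 2, []
            while s[pos] != '"':
                if s[pos] == '\\' and s[pos + 1] in '"\\]':
                    val.append(s[pos + 1])
                    pos += 2
                else:
                    val.append(s[pos])
                    pos += 1
            params[name] = ''.join(val)
            pos += 1                     # closing quote
        if s[pos] != ']':
            raise ValueError('unterminated SD-ELEMENT')
        pos += 1
        elements[sd_id] = params
    return elements, pos


def parse_rfc5424(line):
    """Split an RFC 5424 line into header fields, structured data and free-text MSG."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    try:
        sd, pos = parse_sd(line, m.end())
    except IndexError:
        raise ValueError('truncated structured data') from None
    pri = int(m['pri'])
    return {'facility': pri >> 3, 'severity': pri & 7,
            'severity_name': SEVERITY_NAMES[pri & 7],
            'timestamp': m['timestamp'], 'hostname': m['hostname'],
            'appname': m['appname'], 'procid': m['procid'], 'msgid': m['msgid'],
            'sd': sd, 'msg': line[pos:].lstrip(' ')}


def to_esm(record, mapping=VORMETRIC_TO_ESM):
    """Apply the page's mapping: MSGID -> Signature ID, SD params -> the listed ESM fields."""
    esm = {'Signature ID': record['msgid']}
    for params in record['sd'].values():
        for name, value in params.items():
            if name in mapping:
                esm[mapping[name]] = value
    return esm


if __name__ == '__main__':
    rec = parse_rfc5424(SAMPLE)
    print(rec['severity_name'], rec['sd'])
    print(to_esm(rec))
```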
Task
1. From the Fireware web interface, go to System → Logging.
2. Click the Syslog Server tab.
3. Select Enable Syslog output to this server and enter the IP address of the McAfee Event Receiver in the adjacent textbox.
4. In the Settings section, use the drop-down lists to select the syslog facility for each type of log message.
5. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority><date> <time> <hostname> (<ISO date>T<time>) <process>[<process id>]: <key>="<value>" <key>="<value>" <key>="<value>"…
Log sample
This is a sample log from a WatchGuard Technologies Firebox device:
<123>Jan 01 01:01:01 HOSTNAME (2001-01-01T01:01:01) http-proxy[1234]: msg_id="1A2B-3C4D" Allow 1-Trusted 6-External tcp 1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
protocol Protocol
source IP Source IP
destination IP Destination IP
message Message
msg_id Message_ID
VLAN ID VLAN
Severity Severity
application Application
domain Domain
filename Filename
interface Interface
Group Group_Name
member External_Device_Name
member External_Device_ID
Cluster ID External_Event_ID
Ruleset Rule_Name
path File_Path
Service Service_Name
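The following Python script is an added example; it is not part of the guide and not McAfee's parser. It reads lines in the Fireware format shown above, decodes the syslog priority into facility and severity, takes the event time from the unambiguous ISO timestamp in parentheses rather than from the month-name syslog header (so the Date Order setting cannot mis-read it), and renames the fields it finds to the McAfee ESM names in the table. The sample lines, the meaning of the bare tokens that follow msg_id (action, source interface, destination interface, protocol, source IP, destination IP, source port, destination port) and the reading of the table's "message" row as the msg= pair are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the Fireware syslog format. The guide's own
# sample is truncated; the positional traffic fields after msg_id and the
# key="value" pairs below are assumptions made for this example.
SAMPLE_LINES = [
    '<123>Jan 01 01:01:01 HOSTNAME (2001-01-01T01:01:01) http-proxy[1234]: '
    'msg_id="1A2B-3C4D" Allow 1-Trusted 6-External tcp 10.0.0.5 203.0.113.9 '
    '51234 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.1" '
    'op="GET" dstname="example.com" arg="/index.html"',
    '<134>Jan 01 01:02:02 HOSTNAME (2001-01-01T01:02:02) firewall: '
    'msg_id="3000-0148" Deny 0-External Firebox tcp 198.51.100.7 10.0.0.1 '
    '40000 22 msg="unhandled tcp packet" src_ip_nat="" dst_ip_nat="" '
    'tcp_info="offset 5 S 123 win 29200"',
]

# <priority><Mmm dd HH:MM:SS> <hostname> (<ISO timestamp>) <process>[<pid>]: <body>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<syslog_time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) '
    r'\((?P<iso_time>[^)]+)\) '
    r'(?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<body>.*)$'
)
# Either a key="value" pair (the value may contain spaces) or a bare token.
TOKEN_RE = re.compile(r'(\w+)="([^"]*)"|(\S+)')

# Assumed meaning of the bare tokens that follow msg_id in traffic events.
POSITIONAL = ('action', 'src_interface', 'dst_interface', 'protocol',
              'source IP', 'destination IP', 'src_port', 'dst_port')

# Log field -> McAfee ESM field, from the mapping table above. The table's
# "message" row is read here as the msg= pair, which is an assumption.
ESM_MAP = {
    'protocol': 'Protocol',
    'source IP': 'Source IP',
    'destination IP': 'Destination IP',
    'msg': 'Message',
    'msg_id': 'Message_ID',
    'severity': 'Severity',
}


def parse_firebox(line: str) -> dict:
    """Parse one Fireware syslog line into a flat dict of log fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not a Fireware syslog line: {line[:60]!r}')
    pri = int(m['pri'])
    if pri > 191:  # facility 0..23 and severity 0..7 give PRI 0..191
        raise ValueError(f'PRI out of range: {pri}')
    event = {
        'facility': pri >> 3,
        'severity': pri & 7,
        # The ISO timestamp is unambiguous; the month-name header is kept
        # only as text, so no day/month ordering decision is needed.
        'time': datetime.fromisoformat(m['iso_time']),
        'syslog_time': m['syslog_time'],
        'hostname': m['hostname'],
        'process': m['process'],
        'pid': int(m['pid']) if m['pid'] else None,
    }
    positional = []
    for key, value, bare in TOKEN_RE.findall(m['body']):
        if key:
            event[key] = value
        else:
            positional.append(bare)
    # Only label the bare tokens when the count matches the assumed layout;
    # otherwise keep them unlabelled so nothing is silently misattributed.
    if len(positional) == len(POSITIONAL):
        event.update(zip(POSITIONAL, positional))
    elif positional:
        event['unparsed_tokens'] = positional
    return event


def to_esm_fields(event: dict) -> dict:
    """Rename the parsed log fields to their McAfee ESM names."""
    return {esm: event[log] for log, esm in ESM_MAP.items() if log in event}


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(to_esm_fields(parse_firebox(line)))
```

A line that does not match the header layout is rejected rather than partially parsed, which is the behaviour to want from anything that feeds a SIEM: a mis-parsed line attributed to the wrong host or action is worse than a counted unknown.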
Websense Enterprise - SQL Pull
Configure Websense Enterprise - SQL Pull
Task
1. Make sure that you have the credentials for a database user with the permissions needed to read the log tables.
2. Make sure that you have the database server's IP address and listening port; both are needed to set up the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Port 1433
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The log format is specific to this data source.
Log sample
This is a sample log from a Websense Enterprise - SQL Pull device:
record_number="100000034293" first_time="1323776050" last_time="1323776050" ip_src="10.0.2.231" ip_dst="10.0.66.80" dpor
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
action Action
protocol Protocol
ip_src Source IP
ip_dst Dest. IP
Url.Url URL
domain Domain
disposition_code Signature ID
bytes_sent Bytes_Sent
bytes_received Bytes_Received
Command Category
WurldTech OpShield
Configure WurldTech OpShield
Task
1. In top right corner of the interface, hover over username.
2. When the menu appears, select Configuration.
3. Go to Syslog Settings and Syslog servers.
4. Select Enable.
5. From the Protocol menu, select UDP or TCP.
6. Enter the IP address of the McAfee Event Receiver in the IP Address field.
7. Set Port to 514 or another port as needed.
8. Select the logging level you want.
9. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
Mask 32
Time Zone Select the time zone offset applicable to the data being sent.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
Channel Category
Source IP Source IP
Destination IP Destination IP
class Event_Class
methodName Method
privilege Access_Privileges
errorMessage Message_Text
deviceSN External_Device_ID
Xirrus 802.11abgn Wi-Fi Arrays
Configure Xirrus 802.11abgn Wi-Fi Arrays
Task
1. At the command line, turn on syslog:
syslog enable
Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are to be sent.
3. (Optional) If a primary server has already been defined, syslog can be sent to a secondary server:
syslog secondary x.x.x.x level 7
Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are sent.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source
device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Xirrus 802.11abgn Wi-Fi Arrays log format and field mapping
Log format
The expected format for this device is:
[<device IP>] <priority><date> <time>: <severity> : Station <station MAC>, <message>
Log sample
This is a sample log from a Xirrus 802.11abgn Wi-Fi Array:
[1.2.3.4] <15>Jan 01 01:01:01: info : Station a1:b2:c3:d4:e5:f6, EAP Response packet (type PEAP) received
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
SSID Domain
ZeroFox Riskive
Configure ZeroFox Riskive
See Riskive Documentation to enable syslog messages.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Riskive device:
<133> Sep 20 16:02:19 2013 ZF1.0 192.168.0.3 5232117c1004db252d6479db: AlertPriority="MEDIUM" AlertType="CONTENT_ALERT"
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
URL URL.URL
URL Web_Domain.Web_Domain
DNS DNS_Name.DNS_Name
Percentile Severity
AlertPriority Severity
IP src_ip
ZScaler Nanolog
Configure ZScaler Nanolog
Use the Zscaler NSS admin portal for the configuration.
Task
1. Navigate to Policy → Administration → Configure Nanolog Streaming Service.
2. Click Add Feed, and type a name for the feed.
3. From the NSS Name list, select the Zscaler NSS system.
4. From the Status list, select Enabled.
5. Enter the IP address of the McAfee Event Receiver in the SIEM IP field.
6. Enter 514 in the TCP Port field.
7. Use the default CSV format for the Feed Output Type and Feed Output Format.
8. Click Done to save changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not
be available for your data source.
◦ Parsing - if you want to parse events. Enabling parsing is
recommended.
◦ Logging - if you want to log events on a McAfee Enterprise
Log Manager.
◦ SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data
source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
5. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data
source (maximum of 512 characters). You can access this URL by clicking
the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM
Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
◦ Default — Uses the default date order (month before day). When using
client data sources, clients using this setting inherit the date order of the
parent data source.
◦ Month before day — The month goes before the day (04/23/2018).
◦ Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You
can clear the checkbox which would remove the distinction of imported
data.
For example, you export logs from receiver 1 into receiver 2. The External data
source link is applied to the logs being sent so that when logs are imported,
the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in
NitroFile format. If you import those files to another Receiver automatically,
Data is NitroFile is selected for each of the data sources you are importing.
This indicates that the file is in NitroFile format. If you import them
manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any
data source that has a checksum file. If you import them manually, you
must select it. The only exception is when you are importing a data source
file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
"%s{time}","%s{login}","%s{proto}","%s{url}","%s{action}","%s{appname}","%s{appclass}","%d{reqsize}","%d{respsize}","%d{
Log sample
This is a sample log from a Zscaler Nanolog Streaming Service device:
"Mon Jan 01 01:01:01 2001","example","HTTP","1.2.3.4/","Allowed","General Browsing","General Browsing","123","321","78","
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Log fields McAfee ESM fields
url URL
reqsize Bytes_from_Client
respsize Bytes_from_Server
malwarecat Threat_Category
threatname Threat_Name
riskscore Reputation_Score
cip Source IP
sip Destination IP
reqmethod Command
ua User_Agent
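The following Python script is an added example, not part of the guide and not Zscaler's or McAfee's code. It shows how the NSS feed format string defines the CSV columns: the %s{name} and %d{name} tokens are read to produce an ordered column list, each record is parsed with a CSV reader so that quoted URLs containing commas stay intact, and the fields are renamed to the McAfee ESM names from the table. The guide's format string is cut off after respsize, so the column order from riskscore onward, and the sample records, are assumptions constructed for the example; in a real deployment the string must be copied verbatim from the feed definition, because any drift between the portal's feed format and the parser's expectation mis-maps every field.

```python
import csv
import io
import re
from datetime import datetime

# The guide's format string is truncated after respsize, so the field order
# from riskscore onward is an assumption for this example. In practice, copy
# the exact Feed Output Format string from the NSS feed definition.
FEED_FORMAT = (
    '"%s{time}","%s{login}","%s{proto}","%s{url}","%s{action}","%s{appname}",'
    '"%s{appclass}","%d{reqsize}","%d{respsize}","%d{riskscore}",'
    '"%s{malwarecat}","%s{threatname}","%s{cip}","%s{sip}","%s{reqmethod}","%s{ua}"'
)

# Constructed records, not captured NSS output. The second URL carries an
# embedded comma to show why the CSV quoting must be honoured.
SAMPLE_RECORDS = (
    '"Mon Jan 01 01:01:01 2001","example","HTTP","1.2.3.4/","Allowed",'
    '"General Browsing","General Browsing","123","321","78","None","None",'
    '"10.1.2.3","203.0.113.10","GET","Mozilla/5.0"\n'
    '"Mon Jan 01 01:01:05 2001","jdoe","HTTPS","evil.example/dl?x=1,2","Blocked",'
    '"Malware","Security","512","0","90","Malware","Win32.Trojan",'
    '"10.1.2.4","198.51.100.5","POST","curl/8.0"\n'
)

FORMAT_TOKEN_RE = re.compile(r'%(?P<type>[sd])\{(?P<name>\w+)\}')
NSS_TIME_FORMAT = '%a %b %d %H:%M:%S %Y'  # matches the sample's time field

# Log field -> McAfee ESM field, from the mapping table above.
ESM_MAP = {
    'url': 'URL',
    'reqsize': 'Bytes_from_Client',
    'respsize': 'Bytes_from_Server',
    'malwarecat': 'Threat_Category',
    'threatname': 'Threat_Name',
    'riskscore': 'Reputation_Score',
    'cip': 'Source IP',
    'sip': 'Destination IP',
    'reqmethod': 'Command',
    'ua': 'User_Agent',
}


def columns_from_format(fmt: str) -> list:
    """Turn the NSS feed format string into an ordered list of (name, type)."""
    cols = [(m['name'], m['type']) for m in FORMAT_TOKEN_RE.finditer(fmt)]
    if not cols:
        raise ValueError('feed format contains no %s{...} or %d{...} tokens')
    return cols


def parse_feed(text: str, fmt: str = FEED_FORMAT) -> list:
    """Parse CSV feed records into dicts keyed by the format's field names."""
    cols = columns_from_format(fmt)
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        # A column-count mismatch means the feed format in the portal and the
        # one configured here have drifted; refuse rather than mis-map fields.
        if len(row) != len(cols):
            raise ValueError(f'expected {len(cols)} columns, got {len(row)}: {row!r}')
        event = {}
        for (name, typ), value in zip(cols, row):
            if typ == 'd':
                try:
                    value = int(value)
                except ValueError:
                    pass  # keep the raw string if the feed sent a non-integer
            elif name == 'time':
                try:
                    value = datetime.strptime(value, NSS_TIME_FORMAT)
                except ValueError:
                    pass  # keep the raw string if the time format differs
            event[name] = value
        events.append(event)
    return events


def to_esm(event: dict) -> dict:
    """Rename parsed feed fields to their McAfee ESM names."""
    return {esm: event[log] for log, esm in ESM_MAP.items() if log in event}


if __name__ == '__main__':
    for ev in parse_feed(SAMPLE_RECORDS):
        print(to_esm(ev))
```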
Troubleshooting
Find a solution to your data source configuration issue.
Check data source health
Task
1. From the device tree, select the data source, then click Properties.
2. In the Data Source Properties window, click Health.
The Data Source Health Check window displays status information.
3. Search the output for errors or warnings that indicate a problem with the data source.
Data source not sending events
Task
1. Use SSH to connect to the McAfee Event Receiver.
2. Enter tcpdump -nni ethx host x.x.x.x, where x.x.x.x is the IP address of the data source and ethx is the Ethernet adapter in use.
Note: For syslog data sources, you should see incoming traffic on port 514 UDP. Slower data sources might need a few
minutes of observation before a packet is observed, and faster ones such as a firewall are almost immediate. If no packets are
observed, you may have a firewall or endpoint issue.
3. Check the IP address and interface. If these are correct, the problem is likely on the endpoint. For non-syslog data sources,
perform a connection test from the GUI while running tcpdump. (WMI pulls data over TCP port 135 and then over a dynamic high
port assigned by the RPC endpoint mapper, so both must be open; SQL pulls data over TCP port 1433, and so on.)
Note: If the IP and port information is correct and incoming traffic is not seen in the tcpdump, the problem could be related to
a firewall or network issue preventing inbound traffic over the specified port. Consult your network administrator.
4. Enter iptables -n -v -L | grep x.x.x.x. Ensure that there is a rule in place for the data source IP address that lets it through
the firewall.
Note: Typical output from iptables includes the port and IP address of the data source.
5. In McAfee ESM, select the data source from the device tree.
6. Open the Device Status dashboard. Scroll down to find the vipsid number of the data source.
7. Use SSH to connect to the McAfee Event Receiver and enter ls -al /var/log/data/inline/thirdparty.logs/<vipsID
number>/in.
If the file size of Data.xxxxxx is larger than zero, data is being stored on the McAfee Event Receiver.
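The following Python script is an added example for the "no packets observed" case in step 2 above; it is not part of the guide. It builds a BSD-style syslog line with a correctly computed priority (facility * 8 + severity), sends it as a UDP datagram to port 514, and, for an offline self-check, proves the round trip against a throwaway listener on 127.0.0.1. The Receiver address and the tag name are placeholders. Note that a successful sendto() only proves the datagram left the sending host: UDP gives no delivery confirmation, so the real check is to run this against the Receiver's IP while the tcpdump from step 2 is running and confirm the packet appears there.

```python
import socket
import sys
from datetime import datetime

SYSLOG_UDP_PORT = 514
# Placeholder (TEST-NET address); replace with the McAfee Event Receiver's IP.
RECEIVER_IP = '192.0.2.10'


def format_rfc3164_timestamp(now: datetime) -> str:
    """'Mmm dd HH:MM:SS' with a space-padded day, as in RFC 3164."""
    return f'{now:%b} {now.day:2d} {now:%H:%M:%S}'


def build_syslog_message(facility: int, severity: int, hostname: str,
                         tag: str, msg: str, now: datetime = None) -> str:
    """Build a BSD-style syslog line: <PRI>timestamp hostname tag: msg."""
    if not 0 <= facility <= 23:
        raise ValueError(f'facility must be 0..23, got {facility}')
    if not 0 <= severity <= 7:
        raise ValueError(f'severity must be 0..7, got {severity}')
    pri = facility * 8 + severity
    ts = format_rfc3164_timestamp(now or datetime.now())
    return f'<{pri}>{ts} {hostname} {tag}: {msg}'


def decode_pri(message: str) -> tuple:
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    if not message.startswith('<') or '>' not in message[:5]:
        raise ValueError('no <PRI> prefix')
    pri = int(message[1:message.index('>')])
    if pri > 191:
        raise ValueError(f'PRI out of range: {pri}')
    return pri >> 3, pri & 7


def send_udp_syslog(message: str, host: str, port: int = SYSLOG_UDP_PORT) -> int:
    """Send one datagram. The byte count only proves it left this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode('utf-8'), (host, port))


def loopback_roundtrip(message: str, timeout: float = 2.0):
    """Offline self-check: bind a throwaway listener on 127.0.0.1, send the
    message to it and return what arrived (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(('127.0.0.1', 0))  # port 0: let the kernel pick one
        port = listener.getsockname()[1]
        listener.settimeout(timeout)
        send_udp_syslog(message, '127.0.0.1', port)
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return None
    return data.decode('utf-8', 'replace')


if __name__ == '__main__':
    # Usage: python this_script.py [receiver_ip]; run tcpdump on the Receiver meanwhile.
    target = sys.argv[1] if len(sys.argv) > 1 else RECEIVER_IP
    test_msg = build_syslog_message(16, 6, socket.gethostname(), 'esmcheck',
                                    'McAfee Event Receiver reachability test')
    print('loopback self-check passed:', loopback_roundtrip(test_msg) == test_msg)
    print(f'sent {send_udp_syslog(test_msg, target)} bytes to {target}:{SYSLOG_UDP_PORT}')
```

Facility 16 with severity 6 gives PRI 134 (local0.info), the same value as the sample lines elsewhere in this guide that begin with <134>. If the loopback check passes but tcpdump on the Receiver never shows the packet, the datagram is being dropped somewhere between the two hosts, which points at the firewall or routing checks in steps 3 and 4 rather than at the data source.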
Received data is not parsed
Task
1. Ensure the correct parser is selected. In instances where there is more than one possible parser, choose the one with (ASP) in
the title.
2. Ensure the delivery and format settings are set to default values (unless you are using MEF or non-syslog data sources).
3. Make sure the data source settings and policy are current.
a. Select the McAfee Event Receiver from the device tree and click Policy Editor.
b. On the Policy Editor page, click Operations → Rollout.
c. On the Rollout page, select the McAfee Event Receiver and click OK.
5. For syslog data sources, enable logging of unknown events (the Log unknown syslog event choice under Support Generic Syslog in the
data source settings) so that unparsed events become visible in McAfee ESM.
Parsed data not displayed on dashboard
Task
1. Check if other data sources are working as expected.
2. If no data sources are displaying events, stop and start the McAfee Event Receiver.
Settings and policies not implemented
Task
1. On the Configuration page, select the McAfee Event Receiver and click Properties.
2. Click Data Sources.
3. If the Write button is dimmed, make a minor change (add a space and remove it) to a data source.
4. Click Write.
5. If the Rollout page opens, select Rollout policy to all devices now.
6. If the Rollout page does not open, roll out policy manually.
a. From the dashboard, select the ESM device.
Generic syslog configuration details
Different options are available when configuring a new data source. When some options are selected, additional parameters
might appear.
This section outlines the general options available in the Add Data Source configuration screen and provides details.
Option Definition
Use System Profiles System Profiles are a way to use settings that are repetitive in
nature, without having to enter the information each time. An
example is WMI credentials, which are needed to retrieve
Windows Event Logs if WMI is the chosen mechanism.
Data Format The expected format of the received / collected data. Options
are Default, CEF, and MEF. Generally, this option is left as
Default for supported data sources; it is intended to be used
for custom data sources.
Note: If CEF is selected, the generic CEF parsing rule is
enabled and rolled into policy for that data source. If selected
on supported CEF data sources, the generic parsing rule
might override existing parsing rules that are designed to
parse data source-specific details. This results in degraded
reporting for the specific data source.
Data Retrieval The expected collection method used by the McAfee Event
Receiver to collect the data. The default is generally syslog.
Typically, this option is changed to match the needs in a
specific user's environment. The data needs to remain in the
expected format, otherwise the parsing rules cannot parse
the events.
Enabled: Parsing/Logging/SNMP Trap Parsing enables the data source to pass events to the parser.
Logging enables the data source to pass raw event data to the
McAfee Enterprise Log Manager (ELM). SNMP Trap enables
reception of SNMP traps for select data sources. If none of
the options is checked, the settings are saved to McAfee
ESM but the data source is effectively disabled. The default is
Parsing.
Name This is the name that appears in the Logical Device Groupings
tree and the filter lists.
IP Address/Hostname The IP address and host name associated with the data
source device.
Syslog Relay Allows data to be collected via relays, with the option to group
events under specific data sources based on syslog header
details. Enable syslog relay on relay sources such as Syslog-NG.
Require Syslog TLS When enabled, requires the McAfee Event Receiver to
accept syslog from this data source only over TLS. Plain syslog
over UDP or TCP is neither encrypted nor authenticated: any
host that can reach the Receiver's syslog port can inject
events, and over UDP the source IP address that the Receiver
uses to attribute events can be spoofed.
Support Generic Syslog Allows users to select one of the following options: Parse generic
syslog, Log unknown syslog event, or Do nothing. These options
control how McAfee ESM handles unparsed logs. Parse generic
syslog creates an event for every unique unparsed event
collected. Log unknown syslog event creates a single generic event
and increments its count for every unparsed event. Do nothing
discards unparsed events. Use Parse generic syslog sparingly, as it
can degrade McAfee Event Receiver and McAfee ESM performance
when the incoming rate of unparsed logs is high. If unparsed
events must be reported in McAfee ESM, use the Log unknown
syslog event option; otherwise, leave the setting as Do nothing.
Time Zone Set based on the time zone used in the log data. Generally, it
is the time zone where the actual data source is located.
COPYRIGHT
Copyright © 2019 McAfee, LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.