McAfee Enterprise logging to Windows Application Log
We currently have McAfee configured to log to the Windows Application log. I can run reports by querying for McLogEvent as the Application source. However, the description for all events is "No description string found". I have all the event IDs and descriptions from the McAfee site. I can also build it as we go, since the Windows Application log also gives the description in the log entry (which may be better, since we would only have to add the events being generated and not all 169 events listed on the McAfee site).
My thoughts are to add these to the existing Windows event XML. Has anyone done this? Are there any better ideas? This would be my first attempt at this, but I'm willing to give it a shot if no one has a better solution.
I got this tool from RSA Support. I don't mind sharing it, but I don't know if there are any licensing considerations or other restrictions. The name of the file is EventLogStrings and the name of the executable is Extractor.exe.
Perhaps someone from RSA can let me know if it's OK to pass this tool along?
I can't comment about the licensing (I don't have that information), however if you have a need for the tool support can provide it to you.
The tool merely extracts the pre-defined string information from event sources that registered within Windows. Those strings are stored in etc\windows\strings.
I believe the issue you have is related to how providers register their DLLs in Windows 2008. There are basically two methods, legacy and the new event log model in Windows 2008. An application that registers itself as an event log provider in Windows 2008 does not have to provide legacy compatibility. The string extractor utility has a problem in that scenario because it's using the legacy API calls to extract the string information, which it doesn't find.
There is a workaround to this, but it's not an easy task. Windows 2008 has a utility that allows you to manually extract the string data, which can be pasted into the existing strings files. That program is called wevtutil. There are updated string files for 2008 which were previously shipped with the ESU. What was the last ESU you applied?
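The two approaches in this thread (pull the message templates from the provider's registered metadata, or harvest descriptions from the events already in the Application log) can be combined in one PowerShell script. The following is an added example, not code from the thread, from RSA or from McAfee. It uses `Get-WinEvent -ListProvider`, which reads the same publisher metadata that `wevtutil gp <provider> /ge:true /gm:true` prints, and falls back to the logged events when a source has no new-model metadata. The provider name `McLogEvent`, the output path, and the CSV layout are assumptions; the layout of the RSA strings files is not given in the thread, so the CSV is only an intermediate table to paste from.

```powershell
# Added example: build an event ID -> description table for an event source.
# Step 1 asks Windows for the provider's registered event metadata (new event
# log model on Windows 2008+); step 2 fills any gaps from events already logged.
# Assumed names: provider 'McLogEvent', log 'Application', output CSV path.
function Get-ProviderStrings {
    param(
        [Parameter(Mandatory)] [string]$Provider,
        [string]$LogName = 'Application'
    )

    # Event ID -> description text; first definition found for an ID wins.
    $table = @{}

    # 1. Publisher metadata: message templates with %1, %2 ... placeholders.
    #    This is the same data 'wevtutil gp $Provider /ge:true /gm:true' shows.
    try {
        $meta = Get-WinEvent -ListProvider $Provider -ErrorAction Stop
        foreach ($def in $meta.Events) {
            if ($def.Description -and -not $table.ContainsKey([int]$def.Id)) {
                $table[[int]$def.Id] = ($def.Description -replace '\s+', ' ').Trim()
            }
        }
    }
    catch {
        # Legacy sources (no new-model registration) often land here.
        Write-Warning "No publisher metadata for '$Provider': $($_.Exception.Message). Using logged events only."
    }

    # 2. Events already in the log: the rendered text of one real occurrence,
    #    so parameter values are filled in rather than shown as placeholders.
    $logged = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Provider } `
                           -ErrorAction SilentlyContinue
    foreach ($ev in $logged) {
        if ($ev.Message -and -not $table.ContainsKey([int]$ev.Id)) {
            $table[[int]$ev.Id] = ($ev.Message -replace '\s+', ' ').Trim()
        }
    }

    # Emit one object per event ID, sorted, ready for Export-Csv or Format-Table.
    $table.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ EventId = $_.Name; Description = $_.Value }
    }
}

# Usage (assumed provider name and output path):
Get-ProviderStrings -Provider 'McLogEvent' |
    Export-Csv -Path "$env:TEMP\McLogEvent-strings.csv" -NoTypeInformation
```

Rows that came from step 2 describe one specific occurrence (file names, user names and similar values are baked in), so check them against the McAfee documentation before treating them as the generic description for that event ID; rows from step 1 keep the placeholders and can be pasted as-is. Running the script on the server where McAfee actually writes the Application log is what lets the "add events as they appear" approach from the first post work without entering all 169 definitions up front.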
I'm current on the ESU, though I can't say off the top of my head what the date was.
I'll take a look at wevtutil this afternoon and see how that works. I don't mind adding them to the string files manually.