McAfee ePO antivirus threat event logs to RSA SA

Discussion created by Visham Rawat on May 13, 2019
Latest reply on May 14, 2019 by Visham Rawat

Like • Show 0 Likes0
Comment • 2

Hi,

I've integrated McAfee ePO 5.9.1 via ODBC to RSA SA. I'm receiving logs as well. However, on closer inspection, what I've noticed is that only ePO administrative event logs are being sent to SA. I'm not receiving the anti-virus threat event logs, which is what I'm actually after.

Any ideas on how to receive ePO threat event logs?

I've added the DB name in the McAfee ePO DSN, and it is this DB that contains all the threat event logs as well. Yet, all I'm receiving are the admin logs.

Need assistance.

Outcomes

Dave Glover

May 13, 2019 10:15 AM

What version of AV are you on?

There should be a secondary "event source" that you need to set up for the AV events.

Actions

Visham Rawat @ Dave Glover on May 14, 2019 6:33 AM

Hi Dave,

I've got to integrate several products from within the McAfee suite. I've managed to integrate

1. ePolicy Orchestrator 5.9.1

2. VSE 8.8

3. HIPS 8.0

I'm having problems integrating the following products

4. MSME 8.5 : For McAfee Security for Microsoft Exchange, I'm unable to find the parser and event source type, both of which are listed as 'mcafeesecurity'.

5. ENS 10.2.x. : For McAfee Endpoint Security ENS, I'm unable to find the event source type 'epolicyens10_5autoid'.

Please note, my RSA SA version is 10.6.4.1, and the documents say it qualifies for integration (anything 10.0 and above).

Also, as an added note, I've also been asked to integrate

6. McAfee VirusScan Enterprise for Linux VSES

7. McAfee VirusScan Enterprise for Storage VSEL

They have VSES 1.2 and VSEL 1.9 and 2.3 deployed. Now, in the documentation I see that VSE 8.8 can be integrated, which I've done as well, but I'm not sure what to do with VSES and VSEL.

Any insight on the above?

Actions

2 Replies

Dave Glover May 13, 2019 10:15 AM
What version of AV are you on?

There should be a secondary "event source" that you need to set up for the AV events.
Like • Show 0 Likes0
Actions
- Visham Rawat @ Dave Glover on May 14, 2019 6:33 AM
  Hi Dave,
  
  I've got to integrate several products from within the McAfee suite. I've managed to integrate
  1. ePolicy Orchestrator 5.9.1
  2. VSE 8.8
  3. HIPS 8.0
  
  I'm having problems integrating the following products
  4. MSME 8.5 : For McAfee Security for Microsoft Exchange, I'm unable to find the parser and event source type, both of which are listed as 'mcafeesecurity'.
  5. ENS 10.2.x. : For McAfee Endpoint Security ENS, I'm unable to find the event source type 'epolicyens10_5autoid'.
  
  Please note, my RSA SA version is 10.6.4.1, and the documents say it qualifies for integration (anything 10.0 and above).
  
  Also, as an added note, I've also been asked to integrate
  6. McAfee VirusScan Enterprise for Linux VSES
  7. McAfee VirusScan Enterprise for Storage VSEL
  They have VSES 1.2 and VSEL 1.9 and 2.3 deployed. Now, in the documentation I see that VSE 8.8 can be integrated, which I've done as well, but I'm not sure what to do with VSES and VSEL.
  
  Any insight on the above?
  Like • Show 0 Likes0
  Actions

McAfee ePO antivirus threat event logs to RSA SA

Outcomes

Related Content

Recommended Content