
McAfee Enterprise Security Manager

Parser Request Checklist


Important Note:

The information contained in this document is confidential and proprietary.


Please do not re-distribute without permission.

Table of Contents

1 Overview 4
2 Product Description 5
3 Product Details 5
4 Logging Details 5
4.1 Supported Logging Methods 5
4.1.1 Syslog 6
4.1.2 Local File 6
4.1.3 Database 6
4.1.4 API 7
4.2 Logging Format 7
5 Requested Parsing Requirements 7

McAfee ESM Page 3 of 7


1 Overview
Parsing requests for McAfee ESM are typically made through the Accept 360 portal. McAfee
SIEM engineering reviews and scopes each parsing request received. The scope is based on the
details provided within the request, in addition to the information available from McAfee
technology partners. Engineering can speed the scoping process if more detailed information is
provided about the requested appliance or application.
This document serves as a general checklist, to help identify important information for parsing
requests. It covers the most prevalent logging methods used by requested appliances and
applications. The suggestions within this document will not cover all possible requests. Providing
the information outlined in this document does not guarantee that McAfee can fill the request. In
some cases, McAfee's ability to produce a parser may be limited by the information provided
with the request.
Please provide as much data and as many log samples as you can. The variety and quality of log
samples provided will directly affect the quality and event coverage of the parser.



2 Product Description
Please provide a short description of what the appliance or application is used for in your
environment. Also, please note if the request is for an application that is custom-built by your
organization.
• Provide a short description of the appliance or application, and whether or not it is
custom-built by your organization.

3 Product Details
Please provide accurate details for the product. If the request is for an application installed on a
server, then provide the host OS details as well. Please provide the following details if possible.

• Vendor Name
• Product Name
• Version
• OS Vendor
• OS Version

4 Logging Details
Appliances and applications may produce logging from many different areas of the system. For
example, there may be user audit logs, application error logs, access logs, etc. It is helpful to
know which types of logs are generated and which of them are typically used in day-to-day reporting.

• Provide a brief comment about the type of information logged by the appliance or
application.

4.1 Supported Logging Methods
Some appliances or applications support multiple logging options. Below are a few of the most
common options, with suggestions for collecting the log data.



4.1.1 Syslog
Many appliances and applications support sending logs, using syslog, over a network to a log
collector. The best option for collecting a syslog data sample is to save a packet capture, often
referred to as a pcap, of the streaming logs. Wireshark is a popular application for saving a pcap,
and is available at no cost for Linux and Windows. Another popular method for saving a pcap is
the tcpdump command, which is generally available on most Linux distributions. Below is an
example of a tcpdump command that should work on most systems. The usage for tcpdump can
be found online or via the manual (man) pages, usually included in your Linux distribution.
tcpdump -w LogSample.pcap -nei eth0 -s 0 udp port 514 and host 1.0.0.1
This command tells tcpdump to listen on the interface eth0 for packets received through the UDP
protocol, using port 514, and from the IP address 1.0.0.1. It will then write the full-length packets
(-s 0 disables the default capture length limit) to a file called "LogSample.pcap". The IP, "1.0.0.1",
should be modified to be the IP address of the sending host, and "eth0" to the name of the interface
on which the syslog traffic is received.
• Please provide a pcap of the syslog data.
The variety and quality of log samples provided will directly affect the quality and event coverage
of the parser.
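Before attaching a pcap to a request, it is worth confirming that it actually contains full-length syslog datagrams from the expected sender. The following Python example is added here and is not McAfee code: it reads a classic libpcap file directly (Ethernet link type, IPv4/UDP), counts UDP/514 datagrams per sending host, and flags packets truncated by a small capture length (the case the -s 0 option above prevents). The build_sample_pcap helper constructs test data in the same shape as the tcpdump output.

```python
import struct
from collections import Counter

def udp_datagrams(pcap: bytes):
    """Yield (src_ip, dst_port, payload, truncated) for each IPv4/UDP frame
    in a classic libpcap file with the Ethernet link type."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # file byte order
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:          # DLT_EN10MB only
        raise ValueError("expected an Ethernet capture")
    off = 24                                                  # after global header
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # need IPv4 + UDP header
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                                       # not UDP
            continue
        src = ".".join(str(b) for b in ip[12:16])
        udp = ip[ihl:]
        if len(udp) < 8:
            continue
        dport, ulen = struct.unpack("!HH", udp[2:6])
        yield src, dport, udp[8:ulen], incl < orig            # incl < orig: truncated

def summarize(pcap: bytes, port: int = 514) -> dict:
    """Count syslog datagrams per sending host and flag truncated packets,
    which indicate the capture was taken without '-s 0'."""
    per_host, truncated = Counter(), 0
    for src, dport, _payload, cut in udp_datagrams(pcap):
        if dport == port:
            per_host[src] += 1
            truncated += cut
    return {"hosts": dict(per_host), "truncated": truncated}

def build_sample_pcap(messages, snaplen=65535) -> bytes:
    """Construct a minimal pcap of (src_ip, text) UDP/514 datagrams (test data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for src, text in messages:
        payload = text.encode()
        udp = struct.pack("!HHHH", 40000, 514, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")), b"\x0a\x00\x00\x02") + udp
        frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip
        kept = frame[:snaplen]                                # emulate a short snaplen
        out += struct.pack("<IIII", 0, 0, len(kept), len(frame)) + kept
    return out
```

Run summarize() over the file written by tcpdump; a non-zero "truncated" count or an unexpected host list means the capture should be repeated before it is sent.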

4.1.2 Local File
Many appliances and applications support writing logs to a locally stored file. McAfee ESM has
the ability to collect files using FTP, SFTP, SCP, CIFS, and NFS.
• Please provide the default file path where the logs are stored, and include the log name
as it is written by the application.
• Please provide copies of the actual log files if possible.
The variety and quality of log samples provided will directly affect the quality and event coverage
of the parser.

4.1.3 Database
Many appliances and applications support writing logs to a database. If the application logs to a
database, please provide the vendor and database name with the request. If possible, a copy of a
populated database is preferred. A populated database gives context to the database field
names, and allows McAfee engineers to make better decisions regarding collecting and
mapping the data.
• Please provide the database vendor and database name.
• Please provide a populated copy of the database if possible.



4.1.4 API
Many appliances and applications support the use of an Application Programming Interface, or
API, to collect log data. If the application requires the use of an API to collect the data, then the
ability for McAfee engineering to produce a parser may be based on the availability of API
documentation and access to the actual application for development and testing purposes.
• Please provide the API documentation if possible.

4.2 Logging Format
Many logs are written in common formatting standards. If the log is well formatted, please provide
the details of the format. CEF, LEEF, CSV, Key=Value Pairs, and W3C are common formats
used by local file and syslog logging options. XML and JSON are common formats returned
through web service APIs, such as SOAP or REST.
• Please provide the format of the log if it is available.
• Please provide further information if the logged fields are customizable, and whether or
not your log has been customized.
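To identify the format before answering this section, the following Python example, added here and not part of this document or of McAfee ESM, classifies a sample line as CEF, LEEF, JSON, key=value, CSV or unknown, and parses a CEF record into its header fields and extension, honouring the escaped pipe and equals characters the CEF format allows. The sample lines used in its checks are constructed.

```python
import csv, io, json, re

def detect_format(line: str) -> str:
    """Classify one log line as cef, leef, json, kv, csv or unknown."""
    body = re.sub(r"^<\d{1,3}>", "", line).strip()      # drop a syslog PRI, if any
    if "CEF:" in body[:80]:
        return "cef"
    if "LEEF:" in body[:80]:
        return "leef"
    if body[:1] in ("{", "["):
        try:
            json.loads(body)
            return "json"
        except ValueError:
            pass
    if re.fullmatch(r'(\w+=("[^"]*"|\S*)\s*)+', body):   # key=value pairs
        return "kv"
    if body.count(",") >= 2 and len(next(csv.reader(io.StringIO(body)))) >= 3:
        return "csv"
    return "unknown"

def _split_cef_header(text: str):
    """Split the 7 pipe-delimited CEF header fields, honouring \\| and \\\\
    escapes; return (fields, raw_extension)."""
    parts, cur, i = [], "", 0
    while i < len(text) and len(parts) < 7:
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i + 1]; i += 2
        elif text[i] == "|":
            parts.append(cur); cur = ""; i += 1
        else:
            cur += text[i]; i += 1
    return parts, text[i:]

def parse_cef(line: str) -> dict:
    """Parse a CEF record into its header fields plus an 'ext' dict."""
    fields, ext = _split_cef_header(line[line.index("CEF:") + 4:])
    names = ["version", "vendor", "product", "product_version",
             "signature_id", "name", "severity"]
    out = dict(zip(names, fields))
    # extension values run until the next ' key='; unescape \= and \\ in values
    out["ext"] = {k: re.sub(r"\\(.)", r"\1", v.strip())
                  for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext)}
    return out
```

Running detect_format() over a few hundred lines of a sample and tallying the results also shows whether the device mixes formats, which is worth stating in the request.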

5 Requested Parsing Requirements
There may be certain log types that are critical in regard to reporting within your organization.
There are usually specific details you, or your organization, watch for within a particular log, and
the use cases for handling certain log types can vary.
• Please provide details around specific parsing, and field mappings that your organization
needs.
