
McAfee Enterprise Security Manager

Data Source Configuration Reference Guide
Contents

ESM data source overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


ESM data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Supported data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Adding data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86


Add data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configure receivers to create data sources automatically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configure auto create rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Add child data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Add client data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Add ASP data sources with different encoding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Managing data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90


Set date formats for data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Select Tail File data source collection method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Locate data source clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Migrate data sources to Receivers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Move data sources to another system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Import data sources from a .csv file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring McAfee data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96


McAfee Active Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configure McAfee Active Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
McAfee Advanced Threat Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configure McAfee Advanced Threat Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Add McAfee Advanced Threat Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
McAfee Advanced Threat Defense log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
McAfee Correlation Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Add McAfee Correlation Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
McAfee Data Loss Prevention Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configure McAfee Data Loss Prevention Monitor (McAfee DLP Monitor). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Add McAfee Data Loss Prevention Monitor (McAfee DLP Monitor). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Map McAfee DLP Monitor fields to McAfee ESM fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
McAfee Database Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configure McAfee Database Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configure Database Activity Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Add McAfee Database Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Map McAfee Database Security events to McAfee ESM fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
McAfee Email and Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configure McAfee Email and Web Security 6.x.x or later (CEF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configure McAfee Email and Web Security 5.x.x (syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Add McAfee Email and Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Map McAfee Email and Web Security 6.x.x fields to McAfee ESM fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Map McAfee Email and Web Security 5.x.x events to McAfee ESM fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
McAfee ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configure the Database Server user account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configure the application server user account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Differences in configuration options for ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Add McAfee ePolicy Orchestrator as a data source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Add McAfee ePolicy Orchestrator as a device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
McAfee ePolicy Orchestrator log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Integrate McAfee ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
McAfee ePO device authentication problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
McAfee Firewall Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configure McAfee Firewall Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Add McAfee Firewall Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
McAfee Firewall Enterprise log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
McAfee MVISION Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
MVISION Cloud (Syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
MVISION Cloud (API). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
McAfee MVISION EDR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Add McAfee MVISION EDR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
McAfee MVISION EDR field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
McAfee MVISION ePolicy Orchestrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Configure McAfee MVISION ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Add MVISION ePO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
MVISION ePO log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
McAfee MVISION Mobile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configure McAfee MVISION Mobile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Add McAfee MVISION Mobile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
McAfee MVISION Mobile log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
McAfee Network Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Add McAfee Network Security Manager (syslog delivery). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
McAfee Network Security Manager (syslog) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Add McAfee Network Security Manager as a device (SQL pull). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Add McAfee Network Security Manager as a data source (SQL pull). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
McAfee Network Security Manager (SQL pull) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . 176
McAfee Network Threat Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configure McAfee Network Threat Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Add McAfee Network Threat Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Associate sensor groups with McAfee Network Threat Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
McAfee Network Threat Response field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
McAfee Risk Advisor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Enable McAfee Risk Advisor data acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Integrate McAfee Risk Advisor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
McAfee Threat Intelligence Exchange. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Configure McAfee Threat Intelligence Exchange. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
McAfee Threat Intelligence Exchange log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
McAfee UTM Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configure McAfee UTM Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Add McAfee UTM Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
McAfee UTM Firewall log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
McAfee Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configure McAfee Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Add McAfee Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
McAfee SaaS Web Protection log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
McAfee Web Gateway Cloud Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configure McAfee Web Gateway Cloud Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Add a McAfee Web Gateway Cloud Service data source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
McAfee Web Gateway Cloud Service field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Configuring 3rd-party data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198


A10 Networks Load Balancer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configure A10 Networks Load Balancer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configure A10 Networks Load Balancer from the command line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Add A10 Networks Load Balancer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
A10 Networks Load Balancer log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
A10 Networks Load Balancer troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Accellion Secure File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configure Accellion Secure File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Add Accellion Secure File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Accellion Secure File Transfer log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Access Layers Portnox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Configure Access Layers Portnox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Add Access Layers Portnox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Access Layers Portnox log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Adiscon Rsyslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Configure Adiscon Rsyslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Add Adiscon Rsyslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Adtran Bluesocket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Configure Adtran Bluesocket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Add Adtran Bluesocket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Adtran Bluesocket log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Adtran NetVanta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configure Adtran NetVanta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Add Adtran NetVanta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Adtran NetVanta log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
AirTight Networks SpectraGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configure AirTight Networks SpectraGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Add AirTight Networks SpectraGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
AirTight Networks SpectraGuard log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Alcatel-Lucent NGN Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Configure Alcatel-Lucent NGN Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Add Alcatel-Lucent NGN Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Alcatel-Lucent NGN Switch log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Alcatel-Lucent VitalQIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Configure Alcatel-Lucent VitalQIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Add Alcatel-Lucent VitalQIP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Alcatel-Lucent VitalQIP log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Amazon SQS Collector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Configure Amazon SQS Collector data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Add Amazon SQS Collector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Amazon SQS Collector log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Ansible. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configure Ansible. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Add Ansible. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Apple Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Configure Apple Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Add Apple Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Apple Mac OS X log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Arbor Networks Pravail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configure Arbor Networks Pravail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Add Arbor Networks Pravail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Arbor Networks Pravail log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
ArcSight Common Event Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Configure ArcSight Common Event Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Add ArcSight Common Event Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
ArcSight Common Event Format log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Aruba ClearPass. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Configure Aruba ClearPass. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Add Aruba ClearPass. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Aruba ClearPass log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Attivo Networks BOTsink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Configure Attivo Networks BOTsink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Add Attivo Networks BOTsink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Attivo Networks BOTsink log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Axway SecureTransport. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configure Axway SecureTransport. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Add Axway SecureTransport. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Axway SecureTransport log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Barracuda Spam Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Configure Barracuda Spam Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Add Barracuda Spam Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Barracuda Spam Firewall log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Barracuda Web Application Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configure Barracuda Web Application Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Add Barracuda Web Application Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Barracuda Web Application Firewall log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Barracuda Web Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configure Barracuda Web Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Add Barracuda Web Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Barracuda Web Filter log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
BeyondTrust BeyondInsight. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configure BeyondTrust BeyondInsight. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Add BeyondTrust BeyondInsight. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
BeyondTrust BeyondInsight log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Bit9 Parity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configure Bit9 Parity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Add Bit9 Parity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Bit9 Parity Suite Basic (RFC 3164) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Bit9 Parity Suite - CEF (ArcSight) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Blue Coat Director. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Configure Blue Coat Director. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Add Blue Coat Director. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Blue Coat Director log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Blue Coat ProxySG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Create a custom log format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Enable Access Logging globally. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configure Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Add Blue Coat ProxySG (syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Add Blue Coat ProxySG (FTP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Blue Coat ProxySG log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Configure FileZilla FTP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configure FTP Upload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Blue Coat ProxySG troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Blue Coat Reporter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Configure Blue Coat Reporter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Add Blue Coat Reporter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Blue Coat Reporter log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
BlueCat DNS/DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configure BlueCat DNS/DHCP Server using Linux syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configure BlueCat DNS/DHCP Server using the vendor documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Add BlueCat DNS/DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Blue Ridge Networks BorderGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Configure Blue Ridge Networks BorderGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Add Blue Ridge Networks BorderGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Blue Ridge Networks BorderGuard field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Brocade IronView Network Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configure Brocade IronView Network Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Add Brocade IronView Network Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Brocade IronView Network Manager log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Brocade VDX Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Configure Brocade VDX Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Add Brocade VDX Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Brocade VDX Switch log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Check Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Log Exporter (Syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Checkpoint LEA (OPSEC). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Cimcor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Add Cimcor CimTrak Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Cimcor CimTrak Management Console log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Cisco Content Security Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Configure Cisco Content Security Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Add Cisco Content Security Management (CSM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Cisco Content Security Management log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Cisco Firepower. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Configure Cisco Firepower Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Configure Cisco Firepower Defense Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Add Cisco Firepower Management Console - eStreamer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Cisco Firepower Management Console - eStreamer log format and field mapping. . . . . . . . . . . . . . . . . . . . 363
Cisco Firepower Management Console - eStreamer supported events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configure Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Add Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Cisco IOS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configure Cisco IOS IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Add Cisco IOS IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Cisco IOS IPS field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Cisco Meraki. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configure Cisco Meraki. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Add Cisco Meraki. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Cisco Meraki field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Cisco NX-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Configure Cisco NX-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Add Cisco NX-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Cisco NX-OS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Cisco PIX ASA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configure Cisco PIX ASA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Add Cisco PIX ASA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Cisco PIX ASA field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Cisco Unified Computing System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configure Cisco Unified Computing System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Add Cisco Unified Computing System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Cisco Unified Computing System log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Cisco Wireless LAN Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Configure Cisco Wireless LAN Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Add Cisco Wireless LAN Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Cisco Wireless LAN Controller log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Citrix NetScaler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Configure Citrix NetScaler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Add Citrix NetScaler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Citrix NetScaler log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Citrix Secure Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Configure Citrix Secure Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Add Citrix Secure Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Citrix Secure Gateway log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Cluster Labs Pacemaker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Configure Cluster Labs Pacemaker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Add Cluster Labs Pacemaker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Cluster Labs Pacemaker log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Code Green Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Configure Code Green Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Add Code Green Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Code Green Data Loss Prevention log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Cofense Intelligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Configure Cofense Intelligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Add Cofense Intelligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Cofense Intelligence log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Cofense Triage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Configure Cofense Triage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Add Cofense Triage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Cofense Triage log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Cooper Power Systems Cybectec RTU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Configure Cooper Power Systems Cybectec RTU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Add Cooper Power Systems Cybectec RTU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Cooper Power Systems Cybectec RTU log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Cooper Power Systems Yukon IED Manager Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configure Cooper Power Systems Yukon IED Manager Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Add Cooper Power Systems Yukon IED Manager Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Cooper Power Systems Yukon IED Manager Suite log format and field mapping. . . . . . . . . . . . . . . . . . . . . . 429
Corero IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configure Corero IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Add Corero IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Corero IPS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Crowdstrike. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Configure Crowdstrike. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Add Crowdstrike. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Crowdstrike log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
CyberArk Enterprise Password Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Configure CyberArk Enterprise Password Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Add CyberArk Enterprise Password Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
CyberArk Enterprise Password Vault log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
CyberArk Privileged Identity Management Suite (CEF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configure CyberArk Privileged Identity Management Suite (CEF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Add CyberArk Privileged Identity Management Suite (CEF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
CyberArk Privileged Identity Management Suite CEF log format and field mapping. . . . . . . . . . . . . . . . . . . . 449
CyberArk Privileged Threat Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Configure CyberArk Privileged Threat Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Add CyberArk Privileged Threat Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
CyberArk Privileged Threat Analytics log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Damballa Failsafe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Configure Damballa Failsafe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Add Damballa Failsafe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Damballa Failsafe log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Dell Aventail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Configure Dell Aventail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Add Dell Aventail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Dell Aventail field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Dell PowerConnect Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Configure Dell PowerConnect Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Add Dell PowerConnect Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Dell PowerConnect Switches log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Dell SonicOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configure Dell SonicOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Add Dell SonicOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Dell SonicOS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
DG Technology - InfoSec MEAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configure DG Technology - InfoSec MEAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Add DG Technology - InfoSec MEAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
DG Technology - InfoSec MEAS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Dragos. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Configure Dragos Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Add Dragos Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Dragos Platform log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Econet Sentinel IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Configure Econet Sentinel IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Add Econet Sentinel IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Econet Sentinel IPS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
EdgeWave iPrism Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configure EdgeWave iPrism Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Add EdgeWave iPrism Web Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
EdgeWave iPrism Web Security log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Enforcive Cross-Platform Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configure Enforcive Cross-Platform Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Add Enforcive Cross-Platform Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Enforcive Cross-Platform Audit log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Entrust IdentityGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Configure Entrust IdentityGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Add Entrust IdentityGuard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Entrust IdentityGuard log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Extreme Networks ExtremeWare XOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Configure Extreme Networks ExtremeWare XOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Add Extreme Networks ExtremeWare XOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Extreme Networks ExtremeWare XOS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
F5 Networks FirePass SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Configure F5 Networks FirePass SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Add F5 Networks FirePass SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
F5 Networks FirePass SSL VPN log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
F5 Networks Local Traffic Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Configure F5 Networks Local Traffic Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Add F5 Networks Local Traffic Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Fidelis XPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Configure Fidelis XPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Add Fidelis XPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Fidelis XPS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
FireEye Malware Protection System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Configure FireEye Malware Protection System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Add FireEye Malware Protection System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
FireEye Malware Protection System log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Fluke Networks AirMagnet Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Configure Fluke Networks AirMagnet Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Add Fluke Networks AirMagnet Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Fluke Networks AirMagnet Enterprise log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Force10 Networks FTOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Configure Force10 Networks FTOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Add Force10 Networks FTOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Force10 Networks FTOS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Forcepoint Next Generation Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Configure Forcepoint Next Generation Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Add Forcepoint Next Generation Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Forcepoint Next Generation Firewall log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Forcepoint Websense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Configure Forcepoint Websense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Add Forcepoint Websense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Forcepoint Websense log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
ForeScout CounterACT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Configure ForeScout CounterACT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Add ForeScout CounterACT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
ForeScout CounterACT log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Configure ForeScout CounterACT for CEF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Add ForeScout CounterACT for CEF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
ForeScout CounterACT for CEF log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Fortinet FortiGate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Configure Fortinet FortiGate using the command line interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Configure Fortinet FortiGate UTM through the Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Add Fortinet FortiGate UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Fortinet FortiGate UTM log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Fortinet FortiMail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Configure Fortinet FortiMail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Add Fortinet FortiMail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Fortinet FortiMail log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Fortinet FortiManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Configure Fortinet FortiManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Add Fortinet FortiManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Fortinet FortiManager log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Fortscale User and Entity Behavior Analytics (UEBA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Configure Fortscale User and Entity Behavior Analytics (UEBA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Add Fortscale User and Entity Behavior Analytics (UEBA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Fortscale User and Entity Behavior Analytics (UEBA) log format and field mapping. . . . . . . . . . . . . . . . . . . . 566
FreeRADIUS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Configure FreeRADIUS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Add FreeRADIUS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
FreeRADIUS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Gigamon GigaVUE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Configure Gigamon GigaVUE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Add Gigamon GigaVUE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Gigamon GigaVUE log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Globalscape Enhanced File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Configure Globalscape Enhanced File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Add Globalscape Enhanced File Transfer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Globalscape Enhanced File Transfer log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Gurucul Risk Analytics Data Forwarder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Configure Gurucul Risk Analytics Data Forwarder (CEF logs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Configure Gurucul Risk Analytics Data Forwarder (JSON logs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Add Gurucul Risk Analytics Data Forwarder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Gurucul Risk Analytics log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
HashiCorp Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Configure HashiCorp Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Add HashiCorp Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
HBGary Active Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Configure HBGary Active Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Add HBGary Active Defense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
HBGary Active Defense log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Hewlett-Packard 3Com Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Configure Hewlett-Packard 3Com Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Add Hewlett-Packard 3Com Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Hewlett-Packard 3Com Switches log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Hewlett-Packard LaserJet Printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Add Hewlett-Packard LaserJet Printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Configure Hewlett-Packard LaserJet Printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Hewlett-Packard LaserJet Printers log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Hewlett-Packard ProCurve. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Configure Hewlett-Packard ProCurve. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Add Hewlett-Packard ProCurve. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Hewlett-Packard ProCurve log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
HyTrust Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Configure HyTrust Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Add HyTrust Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
HyTrust Appliance log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
IBM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configure IBM Guardium. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Add IBM Guardium. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Configure IBM Websphere Application Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
IBM Guardium log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Imperva. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Add Imperva. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Imperva field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Indegy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Configure Indegy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Add Indegy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Indegy log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Infoblox NIOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Configure Infoblox NIOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Add Infoblox NIOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Configure Syslog for a grid member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Infocyte. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Add Infocyte HUNT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Infocyte HUNT log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
InterSect Alliance Snare for Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Configure InterSect Alliance Snare for Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Add InterSect Alliance Snare for Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
InterSect Alliance Snare for Windows log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Interset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Configure Interset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Add Interset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Integrate Interset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Interset log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Juniper Networks JUNOS Structured-Data Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Configure Juniper Networks JUNOS Structured-Data Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Add Juniper Networks JUNOS Structured-Data Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Juniper Networks JUNOS Structured-Data Format log format and field mapping. . . . . . . . . . . . . . . . . . . . . . 650
Juniper Networks NetScreen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Configure Juniper Networks NetScreen using the command-line interface. . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Add Juniper Networks NetScreen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Juniper Networks NetScreen log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Juniper Networks Network and Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Configure Juniper Networks Network and Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Add Juniper Networks Network and Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Juniper Networks Network and Security Manager log format and field mapping. . . . . . . . . . . . . . . . . . . . . . 659
Kaspersky Administration Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Configure Kaspersky Administration Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Add Kaspersky Administration Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Kaspersky Administration Kit log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Lastline Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Configure Lastline Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Add Lastline Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Lastline Enterprise log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Locum RealTime Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Configure Locum RealTime Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Add Locum RealTime Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Locum RealTime Monitor log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
LOGbinder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Configure LOGbinder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Add LOGbinder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
LOGbinder log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Lumension Bouncer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Configure Lumension Bouncer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Add Lumension Bouncer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Lumension Bouncer (CEF) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Lumension Bouncer (syslog) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Lumension LEMSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Configure Lumension LEMSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Add Lumension LEMSS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Lumension LEMSS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Malwarebytes Breach Remediation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Configure Malwarebytes Breach Remediation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Add Malwarebytes Breach Remediation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Malwarebytes Breach Remediation log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Malwarebytes Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Configure Malwarebytes Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Add Malwarebytes Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Malwarebytes Management Console log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Microsoft Azure Event Hubs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Configure a Microsoft Azure Event Hub. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Add a Microsoft Azure Event Hub. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Microsoft Azure Event Hub example log and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Microsoft Defender Advanced Threat Protection (ATP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Configure Microsoft Defender Advanced Threat Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Add Microsoft Defender ATP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Microsoft Defender ATP log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Microsoft DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Configure Microsoft DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Add Microsoft DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Microsoft Windows DNS log sample. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Microsoft Forefront Endpoint Protection 2010. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Configure Microsoft Forefront Endpoint Protection 2010. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Add Microsoft Forefront Endpoint Protection 2010. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Microsoft Forefront Endpoint Protection 2010 log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . 716
Microsoft Internet Authentication Service (IAS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Configure Microsoft Internet Authentication Service (IAS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Configure Microsoft IAS (Formatted ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Add Microsoft IAS (Formatted ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Microsoft IAS (formatted ASP) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
Configure Microsoft IAS (database compatible). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Add Microsoft IAS (Database Compatible). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Microsoft IAS (database compatible) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Microsoft Internet Information Services (IIS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Configure Microsoft IIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Add Microsoft IIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Microsoft IIS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Install Microsoft IIS Advanced Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Configure Microsoft IIS Advanced Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Microsoft Internet Information Services (IIS) - SMTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Configure Microsoft Internet Information Services - SMTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Add Microsoft IIS - SMTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Microsoft IIS - SMTP log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Microsoft Network Policy Server (NPS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Configure Microsoft Network Policy Server (NPS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Configure Microsoft NPS (Database Compatible). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Add Microsoft NPS (Database Compatible). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Microsoft NPS (database compatible) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Configure Microsoft NPS (Formatted ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Add Microsoft NPS (Formatted ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Microsoft NPS (formatted ASP) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Configure Microsoft NPS (XML ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Add Microsoft NPS (XML ASP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Microsoft NPS (XML ASP) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
Microsoft Office 365. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Configure Microsoft Office 365. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Add Microsoft Office 365. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Microsoft Office 365 log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Microsoft SharePoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Configure Microsoft SharePoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Add Microsoft SharePoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Microsoft SharePoint log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
Microsoft SQL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
Add Microsoft MSSQL Error Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
Microsoft Windows DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Configure Microsoft Windows DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Add Microsoft Windows DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Microsoft Windows DHCP log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Mimecast. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Configure Mimecast. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Add Mimecast. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Mimecast log format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Microsoft Windows Event Log WMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Configure Microsoft Windows Event Log WMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Add Microsoft Windows Event Log WMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
Microsoft Windows Event Log log format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Motorola AirDefense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Configure Motorola AirDefense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Add Motorola AirDefense. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Motorola AirDefense log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
NetFort Technologies LANGuardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
Configure NetFort Technologies LANGuardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
Add NetFort Technologies LANGuardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
NetFort Technologies LANGuardian log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
NetFlow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Add NetFlow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
NetFlow field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
NetWitness Spectrum. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Configure NetWitness Spectrum. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Add NetWitness Spectrum. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
NetWitness Spectrum log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Niara. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configure Niara. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Add Niara. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Niara log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Nortel Networks Contivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Configure Nortel Networks Contivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Add Nortel Networks Contivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Nortel Networks Contivity log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
Nortel Networks Passport 8000 Series Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Configure Nortel Networks Passport 8000 Series Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Add Nortel Networks Passport 8000 Series Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Nortel Networks Passport 8000 Series Switches log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . 805
Novell eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Configuring Novell eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Add Novell eDirectory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Novell eDirectory log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Novell Identity and Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Configure Novell Identity and Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Add Novell Identity and Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Novell Identity and Access Management log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Okta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Configure Okta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Add Okta. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Oracle Audit (SQL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Configure Oracle Audit (SQL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Add Oracle Audit (SQL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
Oracle Audit (SQL) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
Oracle Audit (syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Configure Oracle Audit (syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Add Oracle Audit (syslog). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Oracle Audit (syslog) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826
Oracle Audit (XML). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Configure Oracle Audit (XML). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Add Oracle Audit (XML). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Oracle Audit (XML) log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Oracle Cloud Infrastructure (OCI). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Configure Oracle Cloud Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Add Oracle Cloud Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Oracle Unified Auditing (SQL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Configure Oracle Unified Auditing (SQL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
Oracle Internet Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Configuring Oracle Internet Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Add Oracle Internet Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Oracle Internet Directory Server log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
Configure McAfee Collector for Oracle Internet Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Palo Alto Networks PAN-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Configure Palo Alto Networks PAN-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Add Palo Alto Networks PAN-OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Palo Alto Networks PAN-OS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
Proofpoint Messaging Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
Configure Proofpoint Messaging Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
Add Proofpoint Messaging Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
Proofpoint Messaging Security Gateway log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
Proofpoint Targeted Attack Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Configure Proofpoint Targeted Attack Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Add Proofpoint Targeted Attack Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
Proofpoint Targeted Attack Protection log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Raytheon SureView. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
Configure Raytheon SureView. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
Add Raytheon SureView. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
Raytheon SureView log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
Raz-Lee Security iSecurity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
Configure Raz-Lee Security iSecurity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
Add Raz-Lee Security iSecurity Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
Raz-Lee Security iSecurity Suite log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Red Hat JBoss Application Server/WildFly 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Configure Red Hat JBoss Application Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Configure WildFly 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Add Red Hat JBoss Application Server/WildFly 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
Red Hat JBoss Application Server/WildFly 8 log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
RedSeal Networks RedSeal 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Configure RedSeal Networks RedSeal 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
Add RedSeal Networks RedSeal 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
RedSeal Networks RedSeal 6 log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
ReversingLabs N1000 Network Security Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Configure ReversingLabs N1000 Network Security Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Add ReversingLabs N1000 Network Security Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
ReversingLabs N1000 Network Security Appliance log format and field mapping. . . . . . . . . . . . . . . . . . . . . 878
RioRey DDOS Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
Configure RioRey DDOS Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
Add RioRey DDOS Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
RioRey DDOS Protection log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Riverbed Steelhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Configure Riverbed Steelhead using the Management Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Configure Riverbed Steelhead using the command line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Add Riverbed Steelhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Riverbed Steelhead log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
RSA Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configure RSA Authentication Manager 8 and later from the Security Console. . . . . . . . . . . . . . . . . . . . . . . . 889
Configure RSA Authentication Manager 7.1 SP2 or later for Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configure RSA Authentication Manager 7.1 SP2 or later for Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Add RSA Authentication Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
RSA Authentication Manager field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
SafeNet Hardware Security Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Configure SafeNet Hardware Security Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Add SafeNet Hardware Security Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
SafeNet Hardware Security Modules log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Configure SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Add SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Add SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
SAP Enterprise Threat Detection log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Skycure Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Configuring Skycure Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Add Skycure Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
Skycure Enterprise log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Sophos Web Security and Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Configure Sophos Web Security and Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Add Sophos Web Security and Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
Sophos Web Security and Control log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
SS8 BreachDetect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Configure SS8 BreachDetect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Add SS8 BreachDetect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
SS8 BreachDetect log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
SS8 DataBreach JSON Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
SSH Communications Security CryptoAuditor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
Configure SSH Communications Security CryptoAuditor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
Add SSH Communications Security CryptoAuditor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
SSH Communications Security CryptoAuditor log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . 925
STEALTHbits StealthINTERCEPT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Configure STEALTHbits StealthINTERCEPT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Add STEALTHbits StealthINTERCEPT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
STEALTHbits StealthINTERCEPT log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
Symantec Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
Configure Symantec Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
Configure Symantec Data Loss Prevention for common event format (CEF). . . . . . . . . . . . . . . . . . . . . . . . . . 932
Add Symantec Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Symantec Data Loss Prevention CEF log format and field mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
Symantec Data Loss Prevention log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Symantec Endpoint Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Configure Symantec Endpoint Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
Add Symantec Endpoint Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
Symantec Endpoint Protection log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
Symantec Messaging Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 942
Configure Symantec Messaging Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 942
Add Symantec Messaging Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
Symantec Messaging Gateway log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
Symantec PGP Universal Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Configure Symantec PGP Universal Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 946
Add Symantec PGP Universal Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
Symantec PGP Universal Server log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
Symantec Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Configure Symantec Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Add Symantec Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
Symantec Web Gateway log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
Tenable Nessus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954
Configure Tenable Nessus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954
Add Tenable Nessus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954
ThreatConnect Threat Intelligence Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
Add ThreatConnect Threat Intelligence Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 957
ThreatConnect Threat Intelligence Platform log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . 960
Configure ThreatConnect Threat Intelligence Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
TippingPoint SMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
Configure TippingPoint SMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
Add TippingPoint SMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
TippingPoint SMS log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
Tofino Firewall LSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
Configure Tofino Firewall LSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
Add Tofino Firewall LSM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 966
Tofino Firewall LSM log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
Topia Technology Skoot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Configure Topia Technology Skoot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Add Topia Technology Skoot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
Topia Technology Skoot log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
TrapX Security DeceptionGrid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Configure TrapX Security DeceptionGrid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
Add TrapX Security DeceptionGrid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973
TrapX Security DeceptionGrid log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
Trend Micro Control Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Add Trend Micro Control Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Trend Micro Deep Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Configure Trend Micro Deep Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Add Trend Micro Deep Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 980
Trend Micro Deep Security log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 982
Trend Micro Deep Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Configure Trend Micro Deep Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Add Trend Micro Deep Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Trend Micro Deep Security Manager log format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
Trend Micro OfficeScan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Configure Trend Micro OfficeScan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Add Trend Micro OfficeScan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Trend Micro OfficeScan log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
Trustwave Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Configure Trustwave Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Add Trustwave Data Loss Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
Trustwave Data Loss Prevention log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
Trustwave Network Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Configure Trustwave Network Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Add Trustwave Network Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
Trustwave Network Access Control log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Tychon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Add Tychon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
Tychon log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
Type80 Security Software SMA_RT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Configure Type80 Security Software SMA_RT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
Add Type80 Security Software SMA_RT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
Type80 Security Software SMA_RT log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005
Unix Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Configure Unix Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
Add Unix Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
Verdasys Digital Guardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Configure Verdasys Digital Guardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Add Verdasys Digital Guardian. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1010
Verdasys Digital Guardian log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
VMware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Configure VMware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Add VMware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
VMware log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
VMware AirWatch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Configure VMware AirWatch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Add VMware AirWatch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
VMware AirWatch log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
VMware Horizon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Configure VMware Horizon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Add VMware Horizon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
VMware Horizon log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
VMware vCenter Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1025
Configure VMware vCenter Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1025
Add VMware vCenter Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1025
VMware vCenter Server log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Vormetric Data Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Configure Vormetric Data Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Add Vormetric Data Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Vormetric Data Security Manager log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
WatchGuard Technologies Firebox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Configure WatchGuard Technologies Firebox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Add WatchGuard Technologies Firebox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034
WatchGuard Technologies Firebox log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
Websense Enterprise SQL Pull. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Configure Websense Enterprise SQL Pull. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Add Websense Enterprise SQL Pull. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Websense Enterprise SQL Pull log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
WurldTech OpShield. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
Configure WurldTech OpShield. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
Add WurldTech OpShield. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
WurldTech OpShield field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1046
Xirrus Wi-Fi Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
Configure Xirrus Wi-Fi Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
Add Xirrus Wi-Fi Arrays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1048
Xirrus 802.11abgn Wi-Fi Arrays log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1050
Yubico YubiKey. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
Configure Yubico YubiKey. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
Add Yubico YubiKey. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
ZeroFox Riskive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
Configure ZeroFox Riskive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
Add ZeroFox Riskive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
ZeroFox Riskive log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057
ZScaler Nanolog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
Configure ZScaler Nanolog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
Add ZScaler Nanolog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
ZScaler Nanolog log format and field mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061

Configuring asset data sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063


Configure an Altiris asset data source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
Configure an Active Directory asset data source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064
Add McAfee Vulnerability Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065

Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
General troubleshooting tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Check data source health. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Data source not sending events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Received data is not parsed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072
Parsed data not displayed on dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
Settings and policies not implemented. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073

Generic syslog configuration details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075


1| ESM data source overview

ESM data source overview


ESM data sources
This guide details how to configure data sources to send log data in the proper format to a McAfee Event Receiver.

The information in this document regarding McAfee or third-party products or services is provided for the education and
convenience of McAfee customers only.

All information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to
the accuracy or applicability of the information to any specific situation or circumstance.

A data source holds the location and connection information for one source of log data on your network; it is the connector
between that source and the receiver.

Data sources exist on a McAfee Event Receiver (ERC).

Define a data source for each network item from which you want to collect data.

Each data source also holds the rules that are applied to the data it collects.

Client data sources


Note

The option to add a client data source is unavailable if the data source is already a parent or child, or if it is a WMI data
source and Use RPC is selected.

You can add more than one client data source with the same IP address and use the port number to differentiate them. This lets
you segregate your data by sending each data type to a different receiver port, and then forward each type on the same port it
came in on.

When you add a client data source, select whether to use the parent data source port or another port.

Client data sources have these characteristics:

• They don't have VIPS, Policy, or Agent rights.
• They appear in the system navigation tree but not in the Data Sources table.
• They share the policy and rights of the parent data source.

Note

WMI client data sources do not have time zone configurations because the query sent to the WMI host determines the time
zone.
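The port-based separation described above, as an added example that is not part of this guide and is not McAfee's receiver code: a small Python model of how a receiver tells apart several client data sources that share one source IP by the receiver port each datagram arrived on, and then decodes the RFC 3164 PRI header before handing the line to that data source's parser. The client names, IP address, port numbers, parser labels and sample log lines are constructed for illustration, not values from this guide, and the real receiver's internal logic is not shown here.

```python
"""
Added example (not McAfee code): route syslog datagrams from one source IP
to different client data sources by receiver port, then decode the PRI.
All names, ports and sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# RFC 3164 facility and severity names, indexed by facility = PRI // 8,
# severity = PRI % 8.
SYSLOG_FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss host tag[pid]: message" (RFC 3164 style line)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass(frozen=True)
class ClientDataSource:
    name: str
    ip: str
    port: int    # receiver port this client data source is configured on
    parser: str  # label for the rule set applied to its data (assumed)


# Constructed table: one device IP, three client data sources that differ
# only by the receiver port, which is the pattern the guide describes.
CLIENTS = [
    ClientDataSource("fw-edge-01 (firewall)", "10.1.2.3", 514, "firewall"),
    ClientDataSource("fw-edge-01 (vpn)", "10.1.2.3", 1514, "vpn"),
    ClientDataSource("fw-edge-01 (webproxy)", "10.1.2.3", 2514, "proxy"),
]


def route(src_ip, dst_port, clients=CLIENTS):
    """Select the client data source by (source IP, receiver port)."""
    for c in clients:
        if c.ip == src_ip and c.port == dst_port:
            return c
    return None  # no client bound to this port: nothing to attribute it to


def decode_pri(pri):
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SYSLOG_FACILITIES[pri // 8], SYSLOG_SEVERITIES[pri % 8]


def parse_rfc3164(line):
    """Split one RFC 3164 line into header fields and the free-text message."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not RFC 3164: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "host": m["host"],
            "tag": m["tag"], "pid": m["pid"], "msg": m["msg"]}


def ingest(src_ip, dst_port, line):
    """One datagram: routed to a client data source, then header-parsed."""
    client = route(src_ip, dst_port)
    event = parse_rfc3164(line)
    event["data_source"] = client.name if client else None
    event["parser"] = client.parser if client else None
    return event


# Constructed sample datagrams: same source IP, three bound ports, one
# unbound port (the case where a client data source shows no events).
SAMPLES = [
    ("10.1.2.3", 514, "<134>Mar  9 12:01:02 fw-edge-01 kernel: DENY TCP 198.51.100.7:55121 -> 10.1.2.10:22"),
    ("10.1.2.3", 1514, "<85>Mar  9 12:01:03 fw-edge-01 sslvpn[4711]: user alice login failed"),
    ("10.1.2.3", 2514, "<30>Mar  9 12:01:04 fw-edge-01 proxy: GET http://example.com/ 200"),
    ("10.1.2.3", 9999, "<30>Mar  9 12:01:05 fw-edge-01 proxy: sent to a port with no client data source"),
]


def run_samples():
    """Ingest every constructed sample and return the resulting events."""
    return [ingest(ip, port, line) for ip, port, line in SAMPLES]


if __name__ == "__main__":
    for ev in run_samples():
        print(ev["data_source"], ev["parser"], ev["facility"], ev["severity"], ev["tag"], ev["msg"])
```

Run it directly to print the routed events. The last sample arrives from the same IP on a port that no client data source is bound to and comes back with no data source at all; on a real receiver that is the symptom to look for when a client data source is configured but shows no events, before suspecting the parsing rules.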

Correlation data sources


After configuring a correlation data source, you can:

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 25



• Roll out the correlation's default policy
• Edit the base rules in this correlation's default policy
• Add custom rules and components
• Roll out the policy
• Enable or disable each rule
• Set the value of each rule's user-definable parameters

When adding a correlation data source, select McAfee as the vendor and Correlation Engine as the model.

Enabling the correlation data source allows McAfee ESM to send alerts to the receiver correlation engine.

Note

Only one correlation data source can be added per McAfee Event Receiver (ERC). If more than one is required, McAfee ACE is
recommended.

Supported data sources


A data source might not be supported by all versions of McAfee ESM. Check compatibility before adding the data source. Some
data sources have additional requirements.

Important

In many cases, integrations will work with newer versions of third-party products than those listed. Exceptions to this are:

• Log file format changes in third-party products that require SIEM parsing rule modifications.
• Code changes in third-party products that require new code-based SIEM collectors.

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

A10 Load Balancer Load Balancer All ASP Syslog 10.0 AX Series
Networks and
later

Accellion Secure File Application All ASP Syslog 10.0 -


Transfer and
later

26 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Access Portnox NAC 2.x ASP Syslog 10.0 -


Layers and
later

Adtran Bluesocket Wireless All ASP Syslog 10.0 -


Access Point and
later

NetVanta Network All ASP Syslog 10.0 -


Switches and and
Routers later

AirTight SpectraGuard Application All ASP Syslog 10.0 -


Networks and
later

Alcatel- NGN Switch Switch All ASP Syslog 10.0 -


Lucent and
later

VitalQIP Applications / All ASP Syslog 10.0 -


Host / Server / and
Operating later
Systems / Web
Content /
Filtering /
Proxies

Amazon CloudTrail Generic N/A ASP API 10.x to -


11.2.x

SQS Generic N/A ASP API 11.3.0 Parsing


and support for
later CloudTrail,
CloudWatch,
and
GuardDuty.

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 27


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

You can also


create
custom
parsers for
other log
data
retrieved
from an SQS
queue.

American Uninterruptible Power All ASP Syslog 10.0 -


Power Power Supply Supplies and
Conversion later

Ansible Ansible System 3.5.3 ASP Syslog 10.1.0 -


Management and
later

Apache Apache Web Applications / 1.x, 2.x ASP Syslog 10.0 -


Software Server Host / Server / and
Foundation Operating later
Systems / Web
Content /
Filtering /
Proxies

Apple Inc. Mac OS X Applications / All ASP Syslog 10.0 -


Host / Server / and
Operating later
Systems / Web
Content /
Filtering /
Proxies

Arbor Peakflow SP Network 2.x ASP Syslog 10.0 -


Networks Switches and and
Routers later

28 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Peakflow X Network All ASP Syslog 10.0 -


Switches and and
Routers later

Pravail IDS / IPS All ASP Syslog 10.0 -


and
later

ArcSight Common Event Event Format All ASP Syslog 10.0 -


Format and
later

Aruba Aruba OS Wireless N/A Code Syslog 10.0 -


Access Point Based and
later

ClearPass Wireless 5.x ASP Syslog 10.0 -


Access Point and
later

Attivo BOTsink Generic 3.3 ASP Syslog 10.0 -


Networks and
later

Avecto Privilege Guard IAM / IDM 3.x ASP ePO - SQL 10.0 -
(ePO) and
later

Axway SecureTransport Applications / All ASP Syslog 10.0 -


Host / Server / and
Operating later
Systems / Web
Content /
Filtering /
Proxies

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 29


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Barracuda Spam Firewall Security 3.x, 4.x ASP Syslog 10.0 -


Networks Appliances / and
UTMs later

Web Application Security All ASP Syslog 10.0 -


Firewall Appliances / and
UTMs later

Barracuda Web Security All ASP Syslog 10.0 -


Filter Appliances / and
UTMs later

BeyondTrust BeyondInsight Auditing 6.0 ASP Syslog 10.0 -


and
later

BeyondTrust Vulnerability All N/A N/A 10.0 -


REM Systems and
later

BeyondTrust Vulnerability All N/A N/A 10.0 -


Retina Systems and
later

Bit9 Bit9 Security Application All ASP Syslog 10.0 -


Platform / Parity and
Suite - CEF later

Bit9 Security Application All ASP Syslog 10.0 -


Platform / Parity and
Suite later

Carbon Black IDS / IPS All ASP Syslog 10.0 -


and
later

30 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Blue Coat Director Web Content / All ASP Syslog 10.0 -


Filtering / and
Proxies later

ProxySG Web Content / 4.x-6.x ASP Syslog 10.0 Access Log


Filtering / and
Proxies later

Reporter Application 9.5.1 ASP Syslog 10.0 Cloud


and Access Log
later

Blue Ridge BorderGuard Firewall 5000, ASP Syslog 10.0 -


Networks 6000 and
later

BlueCat BlueCat DNS/ Application All ASP Syslog 10.0 -


Networks DHCP Server and
later

Bradford Campus NAC / All ASP Syslog 10.0 -


Networks Manager Network and
Switches and later
Routers

Bro Network Bro Network Network All ASP Syslog 10.0 -


Security Security Monitor Security and
Monitor later

Brocade BigIron, FastIron Network 7.5 ASP Syslog 10.0 -


and NetIron Switches and and
Routers later

IronView NAC / All ASP Syslog 10.0 -


Network Network and
Manager later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 31


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Switches and
Routers

VDX Switch Network All ASP Syslog 10.0 -


Switches and and
Routers later

CA DataMinder - DLP All ASP Syslog 10.0 CEF Format


Technologies CEF and
later

SiteMinder Web Access All ASP Syslog 10.0 -


and
later

Cerner Cerner P2 Healthcare All Code McAfee 10.0 -


Sentinel Auditing Based Event and
Format later

Check Point Check Point Firewall All ASP OPSEC 10.0 Firewall 1,
and Edge,
later Enterprise,
Express, NG,
NGX,
SmartEvent,
and VPN

Check Point via Firewall All ASP Syslog 10.0 Using


Splunk and Splunk app
later

Check Point via Firewall All ASP Syslog 10.1 Using Check
Syslog and Point Log
later Exporter

32 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Cimcor CimTrak Auditing n/a ASP Syslog 10.3.0 -


Management and
Console later

Cisco ASA NSEL Firewall / Flow All Netflow Netflow 10.0 -


and
later

CATOS v7xxx Host / Server / 6.x, 7.x ASP Syslog 10.0 -


Operating and
Systems / later
Network
Switches and
Routers

Content Security Security 13.x ASP Syslog 10.0 -


Management Management and
later

Firepower Other All ASP Syslog 10.0 -


Management and
Center - later
eStreamer

CSA Console Host / Code SQL 10.0 -


Server / Based and
Operating later
Systems /
IDS / IPS

IDS / IPS 5.x, 6.x ASP eStreamer 10.0 -


and
later

Firepower IDS / IPS 5.3.x, ASP Syslog 10.0 -


Management 5.4.x, 6.x and
Center - Syslog later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 33


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

IDS / IPS All ASP Syslog 10.0 -


and
later

Identity Services Other All ASP Syslog 10.0 -


Engine and
later

IDS (4.x+ RDEP IDS / IPS 4.x SDEE - 10.0 -


protocol) and
later

IOS IDS / IPS / 12.x ASP Syslog 10.0 A- CL, IOS


Network and FW, IOS IDS
Switches and later and DSP
Routers

IOS ACL Network 12.x - - - Use Cisco


Switches and IOS data
Routers source.

IOS EAP IDS / IPS / 12.x - - - Use Cisco


Network IOS data
Switches and source.
Routers

IOS Firewall Firewall / 12.x - - - Use Cisco


Network IOS data
Switches and source.
Routers

IOS IDS IDS / IPS / 12.x - - - Use Cisco


Network IOS data
Switches and source.
Routers

34 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

IOS IPS (SDEE Application All SDEE HTTP 10.0 -


protocol) Protocol and
later

IronPort Email Email Security 6.x, 7.x ASP Syslog 10.0 -


Security and
later

IronPort Web Web Content / 6.x, 7.x ASP Syslog 10.0 -


Security Filtering / and
Appliance Proxies later

MDS Network All ASP Syslog 10.0 -


Switches and and
Routers later

Meraki Wireless All ASP Syslog 10.0 -


and
later

NAC Appliance NAC / All ASP Syslog 10.0 Formerly


Network and Clean
Switches and later Access
Routers

NX-OS IDS / IPS / 4.x, 5.x ASP Syslog 10.0 -


Network and
Switches and later
Routers

Open TACACS+ Authentication All ASP Syslog 10.0 -


and
later

PIX IDS IDS / IPS / 12.x - - - Use Cisco


Network PIX/ASA/

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 35


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Switches and FWSM data


Routers source.

PIX/ASA/FWSM Firewall / IDS / 5.x ASP Syslog 10.0 -


IPS and
later

Secure ACS IDS / IPS 3.x, 4.x ASP Syslog 10.0 -


and
later

Unified Applications All ASP Syslog 10.0 -


Communications and
later

Unified Applications / All ASP Syslog 10.0 -


Computing Host / Server / and
System Operating later
Systems / Web
Content /
Filtering /
Proxies

WAAS Applications / All ASP Syslog 10.0 -


Host / Server / and
Operating later
Systems / Web
Content /
Filtering /
Proxies

WAP200 Wireless All ASP Syslog 10.0 -


Access Point and
later

36 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Web Security Application 11.0 and ASP Syslog 10.4.0 -


Appliance (WAS) later and
later

Wireless Control Network All ASP Syslog 10.0 -


System Switches and and
Routers later

Wireless LAN Network All ASP Syslog 10.0 -


Controller Switches and and
Routers later

Citrix NetScaler Flow All IPFix IPFix 10.0 -


(AppFlow) and
later

NetScaler Web Content / All ASP Syslog 10.0 Secure


Filtering / and Gateway
Proxies later and
NetScaler
Web also
supported

Secure Gateway Web Content / All ASP Syslog 10.0 -


Filtering / and
Proxies later

Cluster Labs Pacemaker Application 1.x ASP Syslog 10.0 -


and
later

Code Green TrueDLP Data DLP 8.x ASP Syslog 10.0 -


Loss Prevention and
later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 37


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Cofense Cofense Correlation ASP Syslog 10.0 CEF format


Intelligence and is
later supported.

Cofense Triage Email Security 2.0 ASP Syslog 10.0 CEF format
and is
later supported.

Cooper Cybectec RTU Network 5.x, 6.x ASP Syslog 10.0 -


Power Switches and and
Systems Routers later

Yukon IED Application All ASP Syslog 10.0 -


Manager Suite and
later

Corero Corero IPS IDS / IPS All ASP Syslog 10.0 -


and
later

Corvil Security Security 10.0 ASP Syslog 10.0 -


Analytics Management and
later

Critical Critical Watch Vulnerability All N/A N/A 10.0 -


Watch FusionVM Systems and
later

Crowdstrike Crowdstrike Generic All ASP API Pull 11.3.2 -


and
later

CyberArk Enterprise Application 5.x ASP Syslog 10.0 -


Password Vault and
later

38 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Privileged Application All ASP Syslog 10.0 -


Identity and
Management later
Suite - CEF

Privileged Threat UEBA 3.1 ASP Syslog 10.0 CEF format


Analytics and is
later supported.

Cyberoam Cyberoam UTM UTM / Firewall 10.0 ASP Syslog 10.0 -


and NGFW and
later

Cylance CylancePROTECT Antivirus 1.4.2 ASP Syslog 10.0 -


and
later

Cyrus Cyrus IMAP and Messaging 2.x ASP Syslog 10.0 -


SASL and
later

D-Link NetDefend UTM UTM All ASP Syslog 10.0 -


Firewall and
later

Damballa Failsafe Anti-Malware All ASP Syslog 10.0 -


and
later

Dell Aventail Virtual Private 10.x ASP Syslog 10.0 -


Network and
later

SonicOS Firewall All ASP Syslog 10.0 -


and
later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 39


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

PowerConnect Network All ASP Syslog 10.0 -


Switches Switches and and
Routers later

DenyAll rWeb Firewall / DoS rweb 4.1, ASP Syslog 10.0 -


4.1.1.1, and
4.1.3.2 later

DG Mainframe MainFrame 5.x, 6.x ASP Syslog 10.0 DG


Technology - Event and Technology
InfoSec Acquisition later MEAS agent,
System DB2/IMS/
Datacom/
IDMS, CICS,
FTP,
MasterConsole,
RACF/Top
Secret/ACF2,
Telnet,
VSAM/
BDAM/PDS,
TCP/IP,
SMP/E,
Authorized
Load
Libraries,
RMF
Performance
Data, Batch
Job and
Started,
Tasks Start/
Stop, Top
Secret, Type
80

40 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Digital Digital Defense Vulnerability All N/A N/A 10.0 -


Defense Frontline Systems and
later

Digital Digital Guardian DLP All ASP Syslog 10.0 -


Guardian Platform and
later

Dragos Dragos Platform Security 1.5 ASP Syslog 11.3.0 -


Management and
later

Econet Sentinel IPS IDS / IPS All ASP Syslog 10.0 -


and
later

EdgeWave iPrism Web Web Content / All ASP Syslog 10.0 -


Security Filtering / and
Proxies later

Enforcive Cross-Platform MainFrame All ASP Syslog 10.0 Formerly


Audit and Bsafe, AS/
later 400,
DB2/IMS/
Datacom/
IDMS, FTP,
RACF/Top
Secret/ACF2,
Telnet,
VSAM/
BDAM/PDS

Enterasys Dragon IPS IDS / IPS 1.x-7.x ASP Syslog 10.0 -


Networks and
later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 41


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Enterasys N and Network 7.x ASP Syslog 10.0 -


S Switches Switches and and
Routers later

Enterasys Network 7.x ASP Syslog 10.0 -


Network Access Switches and and
Control Routers later

Entrust IdentityGuard Application All ASP Syslog 10.0 -


and
later

Epic Clarity - CEF Healthcare 2015 ASP Syslog 10.0 Specific


Application and auditing
later events

Clarity - SQL Pull Healthcare 2010, ASP SQL 10.0


Application 2012, and
2014 later

Ergon Airlock WAF Firewall 6.0 ASP Syslog 10.0 -


and
later

Exabeam Exabeam UEBA UEBA 2.8 ASP Syslog 10.0 -


and
later

Extreme ExtremeWare Network 7.x, 8.x ASP Syslog 10.0 Alpine,


Networks XOS Switches and and BlackDiamond
Routers later and Summit

F5 Networks BIG-IP Access Network All ASP Syslog 10.0 -


Policy Manager Switches and and
Routers later

42 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

BIG-IP Web Content / All ASP Syslog 10.0 -


Application Filtering / and
Security Proxies later
Manager - CEF

Firepass SSL Virtual Private All ASP Syslog 10.0 -


VPN Network and
later

BIG_IP Local Web Content / All ASP Syslog 10.0 -


Traffic Manager - Filtering / and
LTM Proxies later

FairWarning Patient Privacy Application 2.9.x Code McAfee 10.0 -


Monitoring Security Based Event and
Format later

Fidelis Fidelis XPS Network All ASP Syslog 10.0 -


Security and
Applicance later

FireEye FireEye Malware Antivirus/ 5.x ASP Syslog 10.0 -


Protection Malware and
System - CEF later

Fluke AirMagnet Network 8.x ASP Syslog 10.0 -


Networks Enterprise Switches and and
Routers later

Forcepoint Next Generation IDS/IPS All ASP Syslog 10.0 -


Firewall and
later

Force10 FTOS Network All ASP Syslog 10.0 -


Networks Switches and and
Routers later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 43


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

ForeScout CounterACT Network 5.x and ASP Syslog 10.0 -


Switches and 6.x and
Routers later

CounterACT CEF Network 7.x ASP Syslog 10.0 -


Switches and and
Routers later

Fortinet FortiAuthenticator Authentication 3.x ASP Syslog 10.0 -


and
later

FortiGate UTM - Firewall All ASP Syslog 10.0 -


Comma and
Delimited later

FortiGate UTM - Firewall All ASP Syslog 10.0 -


Space Delimited and
later

FortiMail Email 6.x ASP Syslog 10.0 -


and
later

FortiManager Firewall All ASP Syslog 10.0 -


and
later

FortiWeb Web Firewall All ASP Syslog 10.0 -


Application and
Firewall later

Fortscale Fortscale UEBA UEBA 2.7 ASP Syslog 10.0 -


and
later

44 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

FreeRADIUS FreeRADIUS Authentication All ASP Syslog 10.0 -


and
later

Fujitsu IPCOM Firewall / IDS / All ASP Syslog 10.0 -


IPS and
later

Generic Advanced Syslog Other All ASP Syslog 10.0 -


Parser and
later

CIFS/SMB File Other N/A Code File pull 10.0 ELM only
Source Based and
later

FTP/FTPS File Other N/A Code File pull 10.0 ELM only
Source Based and
later

HTTP/HTTPS File Other N/A Code File pull 10.0 ELM only
Source Based and
later

McAfee Event Other N/A Code McAfee 10.0 -


Format Based Event and
Format later

NFS File Source Other N/A Code File pull 10.0 ELM only
Based and
later

SCP File Source Other N/A Code File pull 10.0 ELM only
Based and
later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 45


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Generic | SFTP File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
GFI | GFI LanGuard | VA Scanner | All | Code Based | File pull | 10.0 and later | -
Gigamon | GigaVUE | Switches and Routers | All | ASP | Syslog | 10.0 and later | -
GitHub | GitHub Enterprise | Application | 2.13.0 | ASP | Syslog | 10.0 and later | -
Global Technology Associates | GNAT Box | Firewall | 5.3.x | ASP | Syslog | 10.0 and later | -
Globalscape | Enhanced File Transfer (EFT) | File Transfer | 7.x | ASP | McAfee Event Format | 10.0 and later | -
Good Technology | Good Mobile Control | Application | All | ASP | Syslog | 10.0 and later | -
Google | Search Appliance | Application | All | ASP | Syslog | 10.0 and later | -
Gurucul | Gurucul Risk Analytics | UEBA | 6.2 | ASP | Syslog | 10.0 and later | -


HashiCorp | Vault | | | ASP | Syslog | 10.1.0 and later | -
HBGary | Active Defense | UTM | All | ASP | Syslog | 10.0 and later | -
Hewlett-Packard | 3Com Switches | Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Hewlett-Packard | LaserJet Printers | Printers | All | ASP | Syslog | 10.0 and later | -
Hewlett-Packard | OpenVMS | Operating Systems | SYSLOG Client for OpenVMS 1.x | ASP | Syslog | 10.0 and later | Supported through "SYSLOG Client for OpenVMS", by Framework Solutions LLC
Hewlett-Packard | ProCurve | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Hewlett-Packard | Virtual Connect Devices | Application | 4.4x | ASP | Syslog | 10.0 and later | -
Hitachi ID Systems | Identity and Access Management Suite | Authentication | | ASP | Syslog | 10.0 and later | -

HyTrust | HyTrust CloudControl | NAC | 3.x, 4.x | ASP | Syslog | 10.0 and later | -
IBM | DB2 LUW 10.0 and later, DB2 for Z/OS with CorreLog, DB2 for iSeries (AS/400) with Raz-Lee | Database | 8.x, 9.x, 10.x and later | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases
IBM | Guardium Database Activity Monitoring | Database | 6.x, 7.x | ASP | Syslog | 10.0 and later | -
IBM | ISS SiteProtector | Security Management | All | Code Based | SQL | 10.0 and later | -
IBM | MainFrame | MainFrame | All | | | | Use DG Technology MEAS Parser.
IBM | Proventia GX | Other | All | ASP | Syslog | 10.0 and later |
IBM | System Z DB2 | Database | All | - | - | - | Use DG Technology MEAS Parser.


IBM | Tivoli Endpoint Manager - BigFix | Host / Server / Operating Systems / Other | All | ASP | Syslog | 10.0 and later | Linux Agent Required
IBM | Tivoli Identity Manager - SQL Pull | IAM / IDM | All | ASP | SQL | 10.0 and later | -
IBM | WebSphere Application Server | Application | 7.0 | ASP | File pull | 10.0 and later | -
IBM | WebSphere DataPower SOA Appliances | Application | 4.x | ASP | Syslog | 10.0 and later | -
IBM | z/OS, z/VM | MainFrame | - | - | - | - | Use DG Technology MEAS Parser.
Imperva | WAF/DAM - CEF | Database | All | ASP | Syslog | 10.0 and later | -
Indegy | Security Platform | Security Management | All | ASP | Syslog | 10.0 and later | -
Infoblox | NIOS | Application | All | ASP | Syslog | 10.0 and later | -


Infocyte | HUNT | Security Management | n/a | ASP | Syslog | 10.4.0 and later | -
InterSect Alliance | Snare for AIX | Other | All | ASP | Syslog | 10.0 and later | -
InterSect Alliance | Snare for Solaris | Other | All | ASP | Syslog | 10.0 and later | -
InterSect Alliance | Snare for Windows | Other | All | ASP | Syslog | 10.0 and later | -
Interset | Interset | UEBA | 4.1 | ASP | Syslog | 10.0 and later | -
Invincea | Enterprise - CEF | Host / Server / Operating Systems / Other | All | ASP | Syslog | 10.0 and later | -
IPFIX | IPFIX | Network Flow Collection | All | IPFix | IPFix | 10.0 and later | -
Ipswitch | WS_FTP | Application | All | ASP | Syslog | 10.0 and later | -
iScan Online | iScan Online | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -


Itron | Itron Enterprise Edition | Smart Grid Application | All | ASP | Syslog | 10.0 and later | -
Jflow | Jflow (Generic) | Network Flow Collection | 5, 7, 9 | Netflow | | 10.0 and later | -
JFrog | Artifactory | Application | 7.0 and later | ASP | Syslog | 10.4.0 and later | -
Juniper Networks | Juniper Secure Access/MAG | VPN | All | ASP | Syslog | 10.0 and later | -
Juniper Networks | JUNOS - Structured-Data Format | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Juniper Networks | JUNOS Router | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Juniper Networks | NetScreen / IDP | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Juniper Networks | Network and Security Manager - NSM | Applications / Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
Juniper Networks | Secure Access version 7 | VPN | 5.x-7.x | ASP | Syslog | 10.0 and later | -


Juniper Networks | Steel Belted Radius | Radius Server | 5.x | ASP | Syslog | 10.0 and later | -
Kaspersky | Administration Kit - SQL Pull | Antivirus | All | ASP | SQL | 10.0 and later | -
KEMP Technologies | LoadMaster | Network Switches and Routers | 4.x, 5.x | ASP | Syslog | 10.0 and later | -
Kerio Technologies | Kerio Control | Firewall | All | ASP | Syslog | 10.0 and later | -
Lancope | StealthWatch | IDS / IPS / Network Switches and Routers | 6.x | ASP | Syslog | 10.0 and later | -
LANDESK | LANDESK | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
Lastline | Lastline Enterprise - CEF | UTM | 7.3 | ASP | Syslog | 10.0 and later | CEF syslog format is covered by the data source.
Legacy | Event Center | Other | All | ASP | Syslog | 10.0 and later | -


Legacy | Informant | IDS / IPS | All | ASP | Syslog | 10.0 and later | -
Lieberman | Enterprise Random Password Manager | Application | All | ASP | Syslog | 10.0 and later | XML
Locum | RealTime Monitor | Application | All | ASP | Syslog | 10.0 and later | -
LOGbinder | LOGbinder for SharePoint (SP) | Application | 4.0, 5.0, 5.1 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source.
LOGbinder | LOGbinder for Exchange (EX) | Application | 2.0, 2.5, 3.0, 3.1 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source.
LOGbinder | LOGbinder for SQL Server (SQL) | Application | 1.5, 2.0, 2.1, 2.5 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are covered by the LOGbinder data source.
Lumension | Device Control - Endpoint Manager Security Suite (L.E.M.S.S.) | DLP | 8 | ASP | Syslog | 10.0 and later | -
Lumension | Bouncer - CEF | Application | 5.x | ASP | Syslog | 10.0 and later | -


Lumension | Bouncer | Application | 4.x | ASP | Syslog | 10.0 and later | -
Lumension | Lumension | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
MailGate, Ltd. | MailGate Server | Applications / Security Management / Host / Server / Operating Systems | 3.5 | ASP | Syslog | 10.0 and later | -
Malwarebytes | Breach Remediation | Antivirus / Anti-Malware | 2.6.2 | ASP | Syslog | 10.0 and later | CEF syslog format is covered by the data source.
Malwarebytes | Management Console | Antivirus / Anti-Malware | 1.7 | ASP | Syslog | 10.0 and later | Management Console, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. ESM supports CEF formatted syslog.

McAfee | Advanced Correlation Engine | Correlation | All | - | - | 10.0 and later | -
McAfee | Advanced Threat Defense | Antimalware | 3.2.2.4x | ASP | Syslog / DXL | 10.0 and later | -
McAfee | AntiSpyware (ePO) | Antivirus | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Application and Change Control (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Application Data Monitor (ADM) | Application | All | Code Based | - | 10.0 and later | -
McAfee | Asset Manager Sensor | Asset Management | All | ASP | Syslog | 10.0 and later | -


McAfee | Correlation Engine | Other | All | Correlation | - | 10.0 and later | -
McAfee | Database Activity Monitoring (DAM) | Database | All | Code Based | - | 10.0 and later | -
McAfee | Database Security - CEF | Database | All | ASP | Syslog | 10.0 and later | -
McAfee | Database Security - ePO | Database | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Deep Defender (ePO) | Other | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | DLP Monitor | DLP | All | ASP | Syslog | 10.0 and later | -
McAfee | Email Gateway - CEF | Web Content / Filtering / Proxies | 6.x | ASP | Syslog | 10.0 and later | -
McAfee | Endpoint Encryption (ePO) | Application | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Endpoint Protection for Mac (ePO) | Antivirus | 2.0 | ASP | Syslog | 10.0 and later | -


McAfee | Endpoint Security Firewall (ePO) | Firewall | 10.2 | ASP | ePO - SQL | 10.0 and later | -
McAfee | Endpoint Security Platform (ePO) | Auditing | 10.2 | ASP | ePO - SQL | 10.0 and later | -
McAfee | Endpoint Security Threat Prevention (ePO) | Application | 10.2 | ASP | ePO - SQL | 10.0 and later | -
McAfee | Endpoint Security Web Control (ePO) | Application | 10.2 | ASP | ePO - SQL | 10.0 and later | -
McAfee | Enterprise Log Manager | - | - | - | - | - | -
McAfee | Enterprise Security Manager | - | - | - | - | - | -
McAfee | ePO Audit Log (ePO) | Other | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | ePolicy Orchestrator | Other | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | ePolicy Orchestrator Agent (ePO) | Applications / Security Management / Host / Server / Operating Systems | 3.x | ASP | ePO - SQL | 10.0 and later | -

McAfee | Event Receiver (ERC) | - | - | - | - | - | -
McAfee | Event Receiver/ELM | - | - | - | - | - | -
McAfee | EWS v5 / Email Gateway Original Format - Legacy | Web Content / Filtering / Proxies | 5.x | ASP | Syslog | 10.0 and later | -
McAfee | Firewall Enterprise | Firewall / IDS / IPS | 8.x | ASP | Syslog | 10.0 and later | -
McAfee | Firewall for Linux (ePO) | Firewall | 8.x | ASP | Syslog | 10.0 and later | -
McAfee | Host Data Loss Prevention (ePO) | DLP | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Host Intrusion Prevention (ePO) | IDS / IPS | 6.x | ASP | ePO - SQL | 10.0 and later | -
McAfee | Informant | IDS / IPS | All | ASP | Syslog | 10.0 and later | -


McAfee | IronMail - Legacy | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
McAfee | MOVE Antivirus (ePO) | Antivirus | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | MVISION Cloud | DLP | All | ASP | Syslog | 10.0 and later | -
McAfee | MVISION EDR | Generic | n/a | ASP | NGC | 11.3.2 and later | -
McAfee | MVISION ePO | | All | ASP | GWAPI | 11.2.0 and later | -
McAfee | MVISION Mobile | Mobile Device Management | All | ASP | GWAPI | 11.1.1 and later | -
McAfee | Network Access Control (ePO) | Other | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Network Security Manager | IDS / IPS | 6.x | ASP | Syslog | 10.0 and later | -
McAfee | Network Security Manager - SQL Pull | IDS / IPS | 6.x | ASP | SQL | 10.0 and later | -


McAfee | Network Threat Response | IDS / IPS | 4.0.0.5, 4.1 | ASP | Code-Based API | 10.0 and later | -
McAfee | Nitro IPS | IDS / IPS | All | ASP | Syslog | 10.0 and later | -
McAfee | One Time Password | Authentication | 3.1 | ASP | Syslog | 10.0 and later | -
McAfee | Policy Auditor (ePO) | Policy Server | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | SaaS Email Protection | Email Security | All | ASP | File Pull | 10.0 and later | -
McAfee | Security for Domino Windows (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Security for Microsoft Exchange (ePO) | Web Content / Filtering / Proxies | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | SiteAdvisor (ePO) | Other | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Threat Intelligence Exchange | Reputation Server | 1.0.0 | ASP | ePO - DXL | 10.0 and later | -


McAfee | UTM Firewall | Firewall | All | ASP | Syslog | 10.0 and later | -
McAfee | VirusScan (ePO) | Antivirus | All | ASP | ePO - SQL | 10.0 and later | -
McAfee | Vulnerability Manager | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
McAfee | Web Gateway | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
McAfee | Web Gateway Cloud Service | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
McAfee | WebShield | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
MEDITECH | Caretaker | HealthCare Application | All | ASP | Syslog | 10.0 and later | -
Microsoft | ACS - SQL Pull | Applications / Host / Server / Operating Systems | All | ASP | SQL | 10.0 and later | -
Microsoft | Adiscon Windows Events | Applications / Host / Server / Operating Systems | All | Code Based | Syslog | 10.0 and later | -

Microsoft | Advanced Threat Protection (ATP) | Security Management | All | ASP | API Pull | 11.3.2 and later | -
Microsoft | Assets via Active Directory | Asset | All | | | 10.0 and later | -
Microsoft | Advanced Threat Analytics | UEBA | All | ASP | Syslog | 10.0 and later | -
Microsoft | Azure | Other | All | ASP | GWAPI | 11.2.0 and later | -
Microsoft | Event Forwarding | Applications / Host / Server / Operating Systems | 2008 | WMI | MEF - McAfee SIEM Agent | 10.0 and later | -
Microsoft | Exchange | Applications / Host / Server / Operating Systems | 2007, 2010, 2013 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | Message Tracking Logs
Microsoft | Forefront Client Security | HIPS | 2010 | ASP | SQL | 10.0 and later | -
Microsoft | Forefront EndPoint Protection | HIPS | 2010 | ASP | SQL | 10.0 and later | See System Center 2012 Endpoint Protection.

Microsoft | Forefront Threat Management Gateway / Internet Security and Acceleration - W3C | Firewall / Host / Server / Operating Systems / Web Content / Filtering / Proxies / Virtual Private Networks | All | ASP | File pull | 10.0 and later | -
Microsoft | Forefront Threat Management Gateway - SQL Pull | IDS / IPS | 2010 | ASP | SQL | 10.0 and later | -
Microsoft | Forefront Unified Access Gateway | IDS / IPS | 2010 | ASP | Syslog | 10.0 and later | -
Microsoft | Internet Authentication Service - Database Compatible Format | Web Content / Filtering / Proxies | 2008, 2008 R2, 2012 | ASP | File Pull | 10.0 and later | Database-Compatible Format
Microsoft | Internet Authentication Service - Formatted | Web Content / Filtering / Proxies | 2000, 2003, 2008 | ASP | File Pull | 10.0 and later | IAS Legacy Format
Microsoft | Internet Authentication Service - XML | Web Content / Filtering / Proxies | 2008 R2, 2012 | ASP | File Pull | 10.0 and later | DTS Compliant Format


Microsoft | Internet Information Services - FTP | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Microsoft | Internet Information Services - SMTP | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Microsoft | Internet Information Services | Host / Server / Operating Systems / Web Content / Filtering / Proxies | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Microsoft | Microsoft Active Directory | Other | All | WMI | WMI | 10.0 and later | -
Microsoft | Microsoft Exchange Server | Other | 2007, 2010 | WMI | WMI | 10.0 and later | -
Microsoft | Microsoft SQL Server | Database | All | WMI | WMI | 10.0 and later | -
Microsoft | MSSQL | Database | 2000 | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases

Microsoft | MSSQL Error Log | Database | All | ASP | SQL C2 | 10.0 and later | -
Microsoft | MSSQL Server C2 Audit | Database | 2000, 2005, 2008 | Code Based | MEF - McAfee SIEM Agent | 10.0 and later | -
Microsoft | Network Policy Server | Policy Server | All | ASP | Syslog | 10.0 and later | -
Microsoft | Office 365 | Applications | | ASP | API | 10.1.0 and later | Premium Azure AD Account Required
Microsoft | PhoneFactor | Application | All | ASP | Syslog | 10.0 and later | -
Microsoft | SharePoint | Host / Server / File Management | 2007, 2010 | ASP | Syslog | 10.0 and later | -
Microsoft | System Center 2012 EndPoint Protection | HIPS | 2012 | ASP | SQL | 10.0 and later | Supported through the Endpoint Protection - SQL Pull data source.


Microsoft | System Center Operations Manager | Security Management | 2007 | Code Based | MEF - McAfee SIEM Agent | 10.0 and later | -
Microsoft | Windows DHCP Debug Logs | DHCP | 2003, 2008 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Microsoft | Windows DNS Debug Logs | DNS | 2003, 2008 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Microsoft | Windows Event Log - CEF | Applications / Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
Microsoft | Windows Event Log - WMI | Applications / Host / Server / Operating Systems | XP, Windows 7, Windows 8, Windows 10, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019 | WMI | WMI | 10.0 and later | Windows 8 is supported in ESM version 10.0 and later.


Mimecast | Mimecast Mimecast M3R | Email | 2017 | ASP | NGC | 11.3.0 and later | -
Motorola | AirDefense | Wireless Switch | All | ASP | Syslog | 10.0 and later | -
NetApp | Data ONTAP | Storage | 7.x | ASP | Syslog | 10.0 and later | -
NetApp | DataFort | Storage Switch | All | ASP | Syslog | 10.0 and later | -
NetApp | FAS | Storage | All | | | 10.0 and later | Use NetApp Data OnTap data source.
NetFlow | Generic NetFlow | Flow | 5, 7, 9 | NetFlow | NetFlow | 10.0 and later | -
NetFort Technologies | LANGuardian | Applications / Security Management / Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
NetIQ | Security Manager | Network Switches and Routers / Security Management | 5.1 | ASP | Syslog | 10.0 and later | -


NetIQ | Sentinel Log Manager | Network Switches and Routers / Security Management | All | ASP | Syslog | 10.0 and later | -
NetWitness | Informer - CEF | Application | All | ASP | Syslog | 10.0 and later | -
NetWitness | Spectrum - CEF | Malware | All | ASP | Syslog | 10.0 and later | URL Integration
NGS | NGS SQuirreL | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
Niara | Niara | UEBA | 1.5 | ASP | Syslog | 10.0 and later | -
Niksun | NetDetector | Other | All | ASP | Syslog | 10.0 and later | -
Nortel Networks | Contivity VPN | Network Switches and Routers | 7.x | ASP | Syslog | 10.0 and later | -
Nortel Networks | Passport 8000 Series Switches | Network Switches and Routers | 7.x | ASP | Syslog | 10.0 and later | -


Nortel Networks | VPN Gateway 3050 | Virtual Private Network | 8.x | ASP | Syslog | 10.0 and later | -
Novell | eDirectory | Applications / Security Management / Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
Novell | Identity and Access Management - IAM | IAM / IDM | All | ASP | Syslog | 10.0 and later | -
nPulse | CPX Packet Capture | Flow and Packet Capture | All | N/A | N/A | 10.0 and later | URL Integration
ObserveIT | ObserveIT | UBA | 7.5 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Okta | Okta | Authentication | All | ASP | API | 11.3.0 and later | -
OpenVAS | OpenVAS | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
OpenVPN | OpenVPN | VPN | 2.1 | ASP | Syslog | 10.0 and later | -


Oracle | Audit Vault and Database Firewall | Database / Firewall | 12.x | ASP | Syslog | 10.0 and later | -
Oracle | Directory Server Enterprise Edition | Authentication | 11 | ASP | Syslog | 10.0 and later | Also covers: Sun ONE Server and Sun Java Directory Server Enterprise Edition
Oracle | Identity Manager - SQL Pull | IAM / IDM | 9.1.0.1 | ASP | SQL | 10.0 and later | -
Oracle | Internet Directory | Authentication | 11 | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Oracle | MySQL on Linux | Database | 5.1, 5.5, 5.6, and 5.7 on Linux | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases
Oracle | Oracle | Database | 8.1.7 and later running on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows, including Oracle RAC and Oracle Exadata | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases

Oracle | Oracle Audit - SQL Pull | Database | 9i, 9i - fine grained audit, 10g, 11g, 12c, 12c - Unified Audit Table | ASP | SQL | 10.0 and later | Supports standard and fine grain audits as well as Unified Audits introduced in 12c.
Oracle | Oracle Audit - XML File Pull | Database | 10g, 11g, 12c | ASP | SQL | 10.0 and later | -
Oracle | Oracle Audit | Database | 9i, 10g, 11g, 12c | ASP | Syslog | 10.0 and later | -
Oracle | Real Application Clusters - RAC | Database | 11g | ASP | File Pull | 10.0 and later | Parses the Event Manager Log (evmd.log)
Oracle | Solaris Basic Security Module - BSM | Host / Server / Operating Systems | 9.x, 10.x | ASP | Syslog | 10.0 and later | -


Oracle | WebLogic | Other | 8.1.x | ASP | Syslog | 10.0 and later | -
Oracle | Oracle Cloud Infrastructure | Application Server | All | ASP | API Pull | 11.3.2 and later | -
Osiris | Host Integrity Monitor | Host / Server / Operating Systems / IDS / IPS | | ASP | Syslog | 10.0 and later | ISAKMP, RADIUS, SECURITY, Accounting, RIP, VR messages only
Palo Alto Networks | Palo Alto Firewalls | Firewall | All | ASP | Syslog | 10.0 and later | -
Postfix | Postfix | Application | All | ASP | Syslog | 10.0 and later | -
PostgreSQL | PostgreSQL | Database | 10.0 running on Linux | | | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases
PostgreSQL | PostgreSQL | Database | All | ASP | Syslog | 10.0 and later | -


PowerTech | Interact - CEF | Host | All | ASP | Syslog | 10.0 and later | -
Prevoty | Prevoty | Application Security | 3.2.1 | ASP | Syslog | 10.0 and later | Requires Log4j on Prevoty
Proofpoint | Messaging Security Gateway | Application | 7.2 and below | ASP | Syslog | 10.0 and later | -
Proofpoint | Targeted Attack Protection | Security Management | current (web application) | ASP | API | 11.3 and later | -
Qualys | Qualys QualysGuard | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
Quest | ChangeAuditor for Active Directory | Applications | All | WMI | WMI | 10.0 and later | -
Radware | AppDirector | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Radware | AppWall | Firewall | All | ASP | Syslog | 10.0 and later | -
Radware | DefensePro | IDS / IPS | 2.4.3 | ASP | Syslog | 10.0 and later | -


Radware | LinkProof/FireProof | Network Switches and Routers | All | ASP | Syslog | 10.0 and later | -
Rapid7 | Rapid7 Metasploit Pro | Vulnerability Systems | 3.x | N/A | N/A | 10.0 and later | -
Rapid7 | Rapid7 Nexpose | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
Raytheon | SureView | Application | All | ASP | Syslog | 10.0 and later | -
Raz-Lee Security | iSecurity Suite | Application | All | ASP | Syslog | 10.0 and later | -
Red Hat | JBoss / WildFly v8 | Application Server | Jboss 7.x WildFly v8.x | ASP | Syslog | 10.0 and later | -
RedSeal Networks | RedSeal 6 | Risk Compliance | All | ASP | Syslog | 10.0 and later | -
ReversingLabs | N1000 Network Security Appliance | IDS / IPS | 3.2.1.2 | ASP | Syslog | 10.0 and later | -
RioRey | DDoS Protection | Firewall / DoS | RIOS 5.0, 5.1, 5.2 | ASP | Syslog | 10.0 and later | -


Riverbed | Steelhead | Security Appliances / UTMs | 5.x | ASP | Syslog | 10.0 and later | -
RSA | Authentication Manager | Authentication | 7.x | ASP | Syslog | 10.0 and later | -
SafeNet | Hardware Security Modules | Application Security | All | ASP | Syslog | 10.0 and later | -
Saint | Saint | Vulnerability Systems | All | N/A | N/A | 10.0 and later | -
SAP | Enterprise Threat Detection | IPS-IDS | 2.0 | ASP | NGC | 10.4 and later | -
SAP | SAP | Applications / Security Management / Host / Server / Operating Systems | 5.x and 6.x | ABAP Module and ASP | Syslog | 10.0 and later | -
SAP | Sybase | Database | 12.5 | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases


Savant Protection | Savant - CEF | Anti-Malware | 3.x | ASP | Syslog | 10.0 and later | -
Secure Crossing | Zenwall | Applications / Security Management / Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
SecureAuth | IEP - Single Sign On | Authentication | 5.x | ASP | Syslog | 10.0 and later | -
Securonix | Risk and Threat Intelligence | UEBA | | Code Based | McAfee Event Format | 10.0 and later | -
SendMail | Sentrion | Messaging | All | | | | Use Unix - Linux data source.
Sentrigo | Hedgehog - CEF | Database | All | ASP | Syslog | 10.0 and later | -
sFlow | Generic sFlow | Network Flow Collection | All | sFlow | sFlow | 10.0 and later | -
Silver Spring Networks | Network Infrastructure | Smart Grid | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -


Skycure | Skycure Enterprise | Mobile Security | All | ASP | Syslog | 10.0 and later | -
Skyhigh Networks | Cloud Security Platform | DLP | 2.2 | ASP | Syslog | 10.0 and later | CEF format is supported.
SnapLogic | SnapLogic | Cloud Integration | All | ASP | Syslog | 10.0 and later | -
Software Product Research | DB2 Access Recording Services DBARS | Database | All | ASP | Syslog | 10.0 and later | -
Sonus | GSX | VOIP | All | ASP | Syslog | 10.0 and later | -
Sophos | Email Security and Data Protection | Email Security | All | ASP | Syslog | 10.0 and later | -
Sophos | Sophos Antivirus | Antivirus | All | Code Based | SQL | 10.0 and later | -
Sophos | UTM & Next-Gen Firewall | UTM / Firewall | 9.1 | ASP | Syslog | 10.0 and later | -
Sophos | Web Security and Control | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -


SourceFire | 3D Defense Center | IDS / IPS | 4.10 | - | - | - | Use Cisco Firepower Management Center - eStreamer
SourceFire | Snort NIDS | IDS / IPS | All | - | - | - | Use SourceFire NS/RNA data source.
SourceFire | FireSIGHT Management Console - eStreamer | IDS / IPS | 5.x, 6.x | Code Based | eStreamer | 10.0 and later | Use Cisco Firepower Management Center - eStreamer
SourceFire | SourceFire NS/RNA | IDS / IPS | All | ASP | Syslog | 10.0 and later | Includes Snort IDS
Squid | Squid | Web Content / Filtering / Proxies | 2.5 | ASP | Syslog | 10.0 and later | -
SS8 | BreachDetect | Correlation | 3.7 | ASP | File pull | 10.0 and later | -
SSH Communications Security | CryptoAuditor | Auditing | 1.5 | ASP | Syslog | 10.0 and later | -
STEALTHbits | StealthINTERCEPT | HIDS | 3.1.262.1 | ASP | Syslog | 10.0 and later | CEF format is supported.


StillSecure | Strata Guard | Firewall / Security Management / IDS / IPS / Virtual Private Networks | 5.x, 6.x | ASP | Syslog | 10.0 and later | -
Stonesoft Corporation | Next Generation Firewall | IDS / IPS | All | - | - | - | Use Forcepoint Next Generation Firewall
Symantec | Altiris Management Console | Asset | 7.x | - | - | 10.0 and later | -
Symantec | Antivirus Corporate Edition Server | Antivirus | 8.x, 9.x | Code Based | SQL | 10.0 and later | -
Symantec | Critical System Protection | IDS / IPS | 5.2 | ASP | SQL | 10.0 and later | -
Symantec | Endpoint Protection | Antivirus | 11.x, 12.x | ASP | Syslog | 10.0 and later | -
Symantec | PGP Universal Server | Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
Symantec | Symantec Data Loss Prevention | DLP | All | ASP | Syslog | 10.0 and later | -


Symantec | Symantec Messaging Gateway | Messaging | 2.x | ASP | Syslog | 10.0 and later | -
Symantec | Symantec Web Gateway | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
Synology | DiskStation Manager | Application | All | ASP | Syslog | 10.0 and later | -
Tenable | Tenable Nessus | Vulnerability Systems | 3.x, 4.x, 5.x, 6.x | ASP | Syslog | 10.1.0 and later | -
Teradata | Teradata | Database | 12, 13, 13.10, 14, 15, and 15.1 on Linux | - | - | 10.0 and later | Supported through McAfee Data Center Security Suite for Databases
ThreatConnect | Threat Intelligence Platform | UEBA | 3.x | ASP | Syslog | 10.0 and later | -
Thycotic | Secret Server | Authentication | 8 | ASP | Syslog | 10.0 and later | -
TippingPoint | SMS | Security Management | 2.x | ASP | Syslog | 10.0 and later | -


TippingPoint | UnityOne | IDS / IPS | All | ASP | Syslog | 10.0 and later | -
TITUS | Message Classification | Application | All | WMI | WMI | 10.0 and later | Supported through Microsoft Windows Event Log
Tofino Security | Tofino Firewall LSM | Firewall | All | ASP | Syslog | 10.0 and later | -
Topia Technology | Skoot | Application | All | ASP | Syslog | 10.0 and later | -
Townsend Security | AS/400 - CEF | Host / Server / Operating Systems | All | ASP | Syslog | 10.0 and later | -
Trapezoid | Trust Control Suite | Application | All | ASP | Syslog | 10.0 and later | -
TrapX Security | DeceptionGrid | Generic | 5.x | ASP | Syslog | 10.0 and later | -
Trend Micro | Control Manager - SQL Pull | Antivirus / Vulnerability Systems | 5.x | ASP | SQL | 10.0 and later | -


Trend Micro | Deep Discovery - CEF | Antivirus / Vulnerability Systems | All | ASP | Syslog | 10.0 and later | -
Trend Micro | Deep Security - CEF | HIDS | 6.x | ASP | Syslog | 10.0 and later | -
Trend Micro | Deep Security Manager - CEF | HIDS | 6.x | ASP | Syslog | 10.0 and later | -
Trend Micro | InterScan Web Security Suite | Web Content / Filtering / Proxies | All | ASP | Syslog | 10.0 and later | -
Trend Micro | OfficeScan | Antivirus / Vulnerability Systems | All | ASP | File pull | 10.0 and later | -
Trend Micro | OSSEC | FIM / HIDS | 1.x, 2.x | ASP | Syslog | 10.0 and later | -
Tripwire | Tripwire / nCircle IP360 | Vulnerability Systems | 8.x and earlier | N/A | N/A | 10.0 and later | -
Tripwire | Tripwire Enterprise | Database / Security Management | 4.x | ASP | Syslog | 10.0 and later | -
Tripwire | Tripwire For Server | Database / Security Management | 4.x | ASP | Syslog | 10.0 and later | -

82 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Trustwave Data Loss DLP 8.x ASP Syslog 10.0 -


Prevention and
later

Network Access NAC 3.x ASP Syslog 10.0 -


Control and
later

WebDefend Web Content / 4.x ASP Syslog 10.0 -


Filtering / and
Proxies later

Tufin SecureTrack Firewall / All ASP Syslog 10.0 -


Auditing and
later

Tychon Tychon Authentication n/a ASP GSQL 10.3 -


and
later

Type80 SMA_RT Host / Server / All ASP Syslog 10.0 -


Security Operating and
Software Systems later

UNIX Linux Host / Server / All ASP Syslog 10.0 -


Operating and
Systems later

VanDyke VShell Application 2.x, 3.x ASP Syslog 10.0 -


Software and
later

Vericept Content 360 DLP 8.x ASP Syslog 10.0 Supported


and through
later Trustwave
DLP

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 83


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

VMware AirWatch Mobile Device 7.3, 8.0 ASP Syslog 10.0 -


Management and
later

Horizon Application 7.x ASP Syslog 10.0 -


Server and
later

vCenter Server Application All ASP Code 10.0 -


Based API and
later

VMware Application 1.x-5.x ASP Syslog 10.0 -


and
later

Voltage SecureData DLP 5.7 ASP Syslog 10.0 -


Security Enterprise and
later

Vormetric Data Security Application 4.x ASP Syslog 10.0 -


and
later

WatchGuard Firebox and X Firewall 8.x-11.x ASP Syslog 10.0 -


Technologies Series and
later

Wave Safend Protector DLP All ASP Syslog 10.0 -


Systems and
Corp later

Websense Cloud Web HIDS All ASP File pull / 10.0 -


Security McAfee and
SIEM later
Agent

84 McAfee Enterprise Security Manager Data Source Configuration Reference Guide


1| ESM data source overview

Method
Verified of ESM
Vendor Product Name Device Type Versions Parser Collection Version Notes

Websense - CEF, Web Content / 7.7 ASP Syslog 10.0 -


Key Value Pair Filtering / and
Proxies later

Websense Web Content / 6.x, 7.x ASP SQL 10.0 -


Enterprise - SQL Filtering / and
Pull Proxies later

Wurldtech OpShield Control 1.7.1 ASP Syslog 10.0 -


Systems / and
Firewall later

Xirrus 802.11abgn Wi- Switches and All ASP Syslog 10.0 -


Fi Arrays Routers and
later

Yubico YubiKey Authentication 5 ASP Syslog 10.1.0 -


and
later

Zenprise Secure Mobile Security 5.x ASP Syslog 10.0 -


Gateway Mobile and
Gateway later

ZeroFOX ZeroFOX Application All ASP Syslog 10.0 -


and
later

Zscaler Nanolog Web Content / All ASP Syslog 10.0 -


Streaming Filtering / and
Service (NSS) Proxies later

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 85


2| Adding data sources

Adding data sources


Add data sources
Add a data source to a receiver.

Note

This is the basic process for adding a data source. Instructions specific to individual data sources are given separately.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
5. Configure the data source using the configuration instructions.
6. (Optional) Click Advanced and configure the settings.
7. Click OK.

Configure receivers to create data sources automatically


Set up receivers to create data sources automatically using pre-defined rules that come with the receiver or rules that you create.

Task

1. Click the Get Events and Flows icon on the actions toolbar to pull events or flows.

2. From the McAfee ESM dashboard, click and select More Settings.

3. On the system navigation tree, select the receiver, then click the Properties icon.
4. On the Receiver Properties page, click Data Sources → Auto Learn.
5. On the Auto Learn page, click Configure.
6. On the Auto Add Rule Editor page, select Enable auto creation of data sources.
7. Click Add, then select the auto add rules you want the receiver to use to create data sources automatically.
8. To apply selected rules to the existing auto learned data, click Run Now.

Configure auto create rules


Create, edit, and arrange custom rules that the Receiver uses to automatically create data sources.


Task

1. From the McAfee ESM dashboard, click and select More Settings.

2. On the system navigation tree, select the receiver, then click the Properties icon.
3. On the Receiver Properties page, click Data Sources → Auto Learn → Configure.
4. Select Enable to turn on auto creation of data sources.
5. If you want to create or change a rule, click Add or select a rule and click Edit.
a. On the Configure auto add rule page, configure the settings.

Category | Option | Definition
Top pane | Description | A text label that helps users identify what the rule accomplishes.
Top pane | Type | The type of rule you want to create.
Top pane | Enabled | Toggles the rule on or off.
Auto Learn Matching Criteria | IP/CIDR and Host Name | The network location and host name from which traffic must originate to trigger the rule.
Auto Learn Matching Criteria | Port | The port that traffic must come through to trigger the rule.
Auto Learn Matching Criteria | Vendor and Model | The rule triggers only when traffic originates from this vendor and model of device.
Data Source/Client Creation Parameters | Name | The name for the data source. This field supports variables to represent IP address, model, and host name. For example, you can type Data source - {MODEL}_{HOST}_{IP}.
Data Source/Client Creation Parameters | Data source type | Sets the new data source as a Data Source or a Client.
Data Source/Client Creation Parameters | Parent | Assigns a device to act as the parent of the new data source.
Data Source/Client Creation Parameters | Client Type | Assigns a client type to the new data source.
Data Source/Client Creation Parameters | Vendor and Model | The new data source appears in the system with this vendor and model.
Data Source/Client Creation Parameters | Time Zone | The time zone to assign to the data source.
Data Source/Client Creation Parameters | Zone | (Optional) The zone where the new data source appears.
Data Source/Client Creation Parameters | Storage Pool | If you want the data generated by the data source (not clients) to be stored on the ELM, click Storage Pool and select the storage pool.

b. Click OK.
6. On the Auto Add Rule Editor page, use the arrows to arrange the rules in the order you want.
7. Click Run Now to apply the rules to the current auto learn results.

Results

Auto creation happens when alerts are pulled from the Receiver, either manually or automatically by McAfee ESM.

Add child data sources


Add child data sources to organize your data sources.

Task

1. On the system navigation tree, select Receiver Properties, then click Data Sources.
2. On the data sources table, select the primary data source to which you want to add a data source.
3. Click Add Child, then fill out the fields as you would for a parent data source.
4. Click OK.

Add client data sources


To increase the number of data sources allowed on the Receiver, add a client to an existing data source.

Before you begin

Add data sources to the Receiver.


Task

1. From the McAfee ESM dashboard, click and select More Settings.

2. On the system navigation tree, select the receiver, then click the Properties icon.


3. Click Data Sources.
4. Select the data source that you want to add the client to, then click Clients.
5. Click Add on the Data source clients page.
The Add data source clients page opens.
6. Configure the data source.
a. Enter a name for the client.
b. Set the time zone for non-WMI clients.
c. Select a Date Order.
d. Enter an IP address or host name. Clients can have duplicate IP addresses because the port differentiates them.

Note

Don't use _ (underscore) in a host name field.

e. Select Require syslog TLS to apply Transport Layer Security (TLS) encryption for syslog.
f. Set the port.
g. Select Match by type to match clients by type, then select the vendor and model of this client.
h. Click OK.

Results

Events go to the data source (parent or client) that is more specific. For example, you have two client data sources, one with an IP
address of 1.1.1.1 and the second with an IP address of 1.1.1.0/24, which covers a range. Both are the same type. If an event
matches 1.1.1.1, it goes to the first client because it is more specific.
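The routing rule in the Results paragraph, as an added Python example (not part of the guide or the product): an event goes to the client whose address definition is most specific, clients that share an address are told apart by port, and the vendor/model check applies only when Match by type was selected. The client model and names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ClientDS:
    """A client data source as configured in the task above (assumed model)."""
    name: str
    address: str                         # "1.1.1.1" (one host) or "1.1.1.0/24" (a range)
    port: int                            # what tells apart clients sharing an address
    vendor_model: Optional[str] = None   # set when "Match by type" is selected

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.address, strict=False)


def route(clients: List[ClientDS], src_ip: str, port: int, vendor_model: str) -> Optional[str]:
    """Name of the most specific client that matches an event, or None when no
    client matches (the event then stays with the parent data source)."""
    ip = ipaddress.ip_address(src_ip)
    matches = [c for c in clients
               if c.port == port
               and (c.vendor_model is None or c.vendor_model == vendor_model)
               and ip in c.network]
    if not matches:
        return None
    # Longest prefix wins: the /32 host entry beats a /24 range containing it.
    return max(matches, key=lambda c: c.network.prefixlen).name


# Constructed set mirroring the Results paragraph: two clients of the same type,
# one for a host and one for the /24 around it, plus a third client that reuses
# the host address on a different port.
CLIENTS = [
    ClientDS("host-client", "1.1.1.1", 514, "Example Syslog"),
    ClientDS("range-client", "1.1.1.0/24", 514, "Example Syslog"),
    ClientDS("host-client-tls", "1.1.1.1", 6514, "Example Syslog"),
]
```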

Add ASP data sources with different encoding


McAfee ESM reads UTF-8 encoded data. Format ASP data sources that generate data with different encoding to ensure the
Receiver can read that data.

Task

1. On the system navigation tree, click a Receiver, then click the Add Data Source icon.
2. Select Generic in the Data Source Vendor field, then Advanced Syslog Parser in the Data Source Model field.
3. Enter the information requested, and select the correct encoding in the Encoding field.



3| Managing data sources

Managing data sources


Set date formats for data sources
Select the format for dates included in data sources.

Task

1. On the system navigation tree, select a Receiver, then click the Add data source icon.
2. Click Advanced, then make a selection in the Date Order field:

• Default - Uses the default date order (month before day). When using client data sources, clients using this setting
will inherit the date order of the parent data source.
• Month before day - The month goes before the day (04/23/2014).
• Day before month - The day goes before the month (23/04/2014).

3. Click OK.

Select Tail File data source collection method


When adding data sources, you must choose a collection method if you select NFS File Source or CIFS File Source for data
retrieval.

Collection methods are:

• Copy files — The system copies whole logs from the remote share to the Receiver to be processed. If log files are large
and updated with new information infrequently, copying the whole log file can be inefficient and time consuming.
• Tail files — Logs are read remotely and only new events are read. Each time the log is read, it reads from the position
where it stopped previously. If the file changes significantly, this is detected and the whole file is reread from the beginning.

Task

1. From the McAfee ESM dashboard, click and select More Settings.

2. On the system navigation tree, select the receiver, then click .

3. Click the Add data source icon on the actions toolbar.


4. Provide the information requested, selecting CIFS File Source or NFS File Source in the Data Retrieval field.
5. In the Collection Method field, select Tail File(s), then fill in these fields:

• Delimited Multiline Events — Select to specify if the events have dynamic length.
• Event Delimiter — Enter a string of characters that signal the end of an event and the beginning of another. These
delimiters vary greatly and depend on the type of log file.


• Delimiter is regex — Select if the value in the Event Delimiter field is to be parsed as a regular expression rather
than a static value.
• Tail Mode — Select Beginning to parse files completely that are encountered on the first run, or End to note the
file size and collect only new events.
• Recurse subdirectories — Select to read collection from child directories (subdirectories), looking for matches with
the wildcard expression field. If not selected, it searches only the parent directory files.

6. Fill in remaining fields, then click OK.
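The Tail files behaviour described above (remember where the previous read stopped, split events on a static or regex delimiter, reread a file that changed significantly, start from Beginning or End, optionally recurse into subdirectories), as an added Python example. It is not the Receiver's implementation; the state model, the "first bytes differ or file shrank" test for a significant change, and the sample log contents are assumptions made for this example.

```python
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TailState:
    """What the collector remembers about one file between reads (assumed model)."""
    offset: int = 0            # byte position where the previous read stopped
    size: int = 0              # file size seen at the previous read
    first_sample: bytes = b""  # first bytes of the file, used to detect a rewrite
    pending: bytes = b""       # trailing partial event carried to the next read


class TailCollector:
    """Reads only new events from log files, in the spirit of Tail File(s).

    delimiter ends one event and begins the next (a regex if delimiter_is_regex);
    tail_mode "beginning" parses a newly seen file completely, "end" records its
    size and collects only events appended afterwards.
    """

    def __init__(self, delimiter: str = "\n", delimiter_is_regex: bool = False,
                 tail_mode: str = "end", sample_len: int = 64):
        raw = delimiter.encode()
        self.pattern = re.compile(raw if delimiter_is_regex else re.escape(raw))
        self.tail_mode = tail_mode
        self.sample_len = sample_len
        self.states: Dict[str, TailState] = {}

    @staticmethod
    def _changed_significantly(st: TailState, head: bytes, size: int) -> bool:
        # A file that shrank or whose first bytes differ was truncated, rotated or
        # rewritten, so the saved offset is meaningless: reread from the start.
        return size < st.size or head[:len(st.first_sample)] != st.first_sample

    def read(self, path: str) -> List[str]:
        """Returns the complete events appended since the previous read."""
        st = self.states.get(path)
        with open(path, "rb") as fh:
            size = os.fstat(fh.fileno()).st_size
            head = fh.read(self.sample_len)
            if st is None:
                st = self.states[path] = TailState(first_sample=head)
                if self.tail_mode == "end":
                    st.offset = st.size = size
                    return []
            elif self._changed_significantly(st, head, size):
                st.offset, st.pending, st.first_sample = 0, b"", head
            fh.seek(st.offset)
            data = st.pending + fh.read()
        st.offset = st.size = size
        parts = self.pattern.split(data)
        st.pending = parts.pop()   # no delimiter after it yet: not a full event
        return [p.decode("utf-8", "replace") for p in parts if p.strip()]

    def collect(self, root: str, wildcard: str, recurse: bool = False) -> Dict[str, List[str]]:
        """Reads every file matching the wildcard; with recurse=False only the
        parent directory is searched, otherwise its subdirectories as well."""
        events = {}
        for dirpath, dirnames, filenames in os.walk(root):
            if not recurse:
                dirnames[:] = []   # do not descend
            for name in fnmatch.filter(filenames, wildcard):
                path = os.path.join(dirpath, name)
                events[path] = self.read(path)
        return events


def demo() -> Dict[str, list]:
    """Constructed walk-through: append-only growth, a partial event, a rewrite."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log")
        with open(path, "wb") as f:
            f.write(b"E1 start\nE2 ok\n")
        col = TailCollector(delimiter=r"\r?\n", delimiter_is_regex=True, tail_mode="end")
        results["first"] = col.read(path)      # End mode: existing lines are skipped
        with open(path, "ab") as f:
            f.write(b"E3 new\nE4 partial")
        results["second"] = col.read(path)     # E4 has no delimiter yet, so it waits
        with open(path, "ab") as f:
            f.write(b" line\n")
        results["third"] = col.read(path)
        with open(path, "wb") as f:
            f.write(b"R1 rotated\n")           # truncated and rewritten
        results["fourth"] = col.read(path)     # detected: whole file reread
        os.makedirs(os.path.join(d, "sub"))
        with open(os.path.join(d, "sub", "other.log"), "wb") as f:
            f.write(b"S1\n")
        col2 = TailCollector(delimiter="\n", tail_mode="beginning")
        results["flat"] = sorted(os.path.basename(p) for p in col2.collect(d, "*.log"))
        results["recursive"] = sorted(os.path.basename(p)
                                      for p in col2.collect(d, "*.log", recurse=True))
    return results
```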

Locate data source clients


You can have more than 65,000 clients. Use search to locate a specific data source client.

Task

1. From the McAfee ESM dashboard, click and select More Settings.

2. On the system navigation tree, select the receiver, then click the Properties icon.


3. Click Data Sources → Clients.
4. In the Search field, enter the information you want to search for, then click Search.

Migrate data sources to Receivers


Reallocate or redistribute data sources between Receivers on the same system.

Migrate data sources to new Receivers and balance data sources between Receivers. Or, if you replace your Receiver, you can
transfer your data sources from your current Receiver to the new one.

Task

1. From the McAfee ESM dashboard, click and select More Settings.

2. On the system navigation tree, select the receiver, then click the Properties icon.


3. Click Data Sources.
4. Select the data sources to be migrated, then click Migrate.
5. Select the new Receiver in the Destination Receiver field, then click OK.

Move data sources to another system


Move data sources from secured Receivers to Receivers on unsecured locations on different systems. Select data sources to be
moved, save them and their raw data to a remote location, then you can import the data sources to another Receiver.


Before you begin

Verify that you have device management rights on both Receivers.


There are limitations when exporting data source information:

• You can't transport flow data sources (for example, IPFIX, NetFlow, or sFlow).
• The source events of correlated events do not display.
• If you change correlation rules on the second Receiver, the correlation engine doesn't process those rules. When you
transport correlation data, the system inserts those events from the file.

Task

1. On the system navigation tree, select Receiver Properties.


2. To select the data sources and remote location, do the following:
a. Select the data source, then click Edit.
b. Click Advanced, then select Export in NitroFile.

Note

The data is exported to a remote location that is configured using a remote share profile. The system now copies raw data
generated by this data source to the remote share location.

3. To create raw data file, do the following:


a. Access the remote share location where the raw data is saved.
b. Save the raw data that has been generated in a location that allows you to move the file to the second Receiver (such
as a jump drive that you can carry to the unsecured location).
4. To create a file that describes data sources, do the following:
a. Select the data source, then click Import.
b. Locate the file of data sources you moved and click Upload.
c. On the Remote share profile list, select the location where you saved the raw data files. If the profile isn't listed, click
Remote share profile and add the profile.

Note

The data sources are added to the second Receiver and access the raw data through the remote share profile.

5. To import raw data and data source files, do the following:


a. On the second Receiver system navigation tree, access Data Sources, then click Import.
b. Locate the file of data sources you moved and click Upload.
c. On the Remote share profile list, select the location where you saved the raw data files. If the profile is not listed,
click Remote share profile and add the profile.
6. Click OK.


Import data sources from a .csv file


Import a list of data sources, which eliminates the need to add, edit, or remove them manually.

You use this option:

• To import raw data source data copied from a Receiver in a secured location to a Receiver in an unsecured location.
• To edit the data sources on a Receiver by adding data sources to the existing list, editing existing data sources, or
removing existing data sources.

Task

1. Export a list of data sources currently on the Receiver.


a. On the system navigation tree, select Receiver Properties, then click Data Sources.
b. Click Export, then click Yes to confirm the download.
c. Select the location for the download, change the file name if needed, then click Save.
d. Access and open this file.
2. Add, edit, or remove data sources on the list.
a. In column A, specify whether to add, edit, or remove the data source.
b. If adding or editing data sources, enter the information in the spreadsheet columns.

Note

You can't edit the policy or the name of the data source.

c. For added data sources, change the rec_id to the ipsid of the Receiver you are importing to.
d. Save the changes made to the spreadsheet.

Note

You can't edit a data source to make it a data source from a client data source or the other way around.

3. Import the list to the Receiver.


a. On the system navigation tree, select Receiver Properties, then click Data Sources.
b. Click Import, then select the file and click Upload.

Note

You can't change the policy or the name of the data source.

c. To import the changes, click OK.


d. If there are errors in the formatting of the changes, a Message Log describes the errors.
e. Click Download Entire File, then click Yes.
f. Select the location for the download to be saved, change the name of the file if needed, then click Save.
g. Open the file that downloaded.


h. Correct the errors, then save and close the file.


i. Close Message Log and Import Data Sources, then click Import and select the file that you saved.
j. Click OK.

File format

If you are working with an exported .csv file, the first row shows the ESM version that the data was exported from. If you are
creating a new .csv file to provision data sources, enter the target ESM version.

Data source .csv fields

Column | Field | Description
A | op | The operation to be performed (add, edit, remove, enable, disable).
B | rec_id | The IPSID of the ERC this data source is added to.
C | dsname | The name of the data source.
D | ip | IP address configured for this data source.
E | model | Model of the data source (for example, Windows WMI vs. Windows DHCP).
F | vendor | The company that produces the model.
G | parent_id | If the data source is a child, this indicates the data source's parent.
H | child_type | 0 = not a child; 1 = child/agent; 2 = client
I | matching_type | Defines a type of matching for data coming into this data source.
J | aruba_version | If the new data source is Aruba, this indicates its version. Otherwise, it is empty.
K | autolearn | Defines whether the parser should autolearn events. T = true, F = false. Default is false.
L | elm_logging | "T" turns ELM logging on. "F" turns it off.
M | exportNitroFile | Default is "F".
N | linked_ipsid | Original IPSID from the export. The new IPSID is likely different after the data source is added to a new receiver.
O | mask | The netmask that applies to syslog data sources.
P | nitro_formated_file | Used for forwarded client data sources. Upon export, this contains the original IPSID.
Q | nitro_formated_file_xsum | Related to nitro_formated_file. Default is "no".
R | parsing | Sets whether the data collected by this data source should be parsed. Default 'yes', otherwise 'no'.
S | policy_name | If policy is included in the export, this will reference that policy by name.
T | require_tls | For syslog data sources, sets TLS enabled (T) or disabled (F).
U | snmp_trap_id | The ID of the SNMP trap if this is an SNMP data source.
V | syslog_port | The port configured to listen on for this syslog data source (otherwise empty).
W | type | The DSID (data source ID) of the data source. Default is 49190.
X | tz_id | ID of the time zone for this data source.
Y | url | The URL for this data source. Default is empty.
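A Python check for a provisioning file in this layout, added here as an example (it is not an ESM tool): it applies the constraints the field table and the import procedure state, rewrites rec_id for added rows as step 2c requires, and round-trips the file. It assumes data rows follow the version line directly with no header row; the parent_id requirement for child and client rows is an assumption, and RECEIVER-A / RECEIVER-B are placeholders for real IPSID values.

```python
import csv
import io
from typing import Dict, List, Tuple

# Columns A..Y in the order of the field table above.
FIELDS = [
    "op", "rec_id", "dsname", "ip", "model", "vendor", "parent_id", "child_type",
    "matching_type", "aruba_version", "autolearn", "elm_logging", "exportNitroFile",
    "linked_ipsid", "mask", "nitro_formated_file", "nitro_formated_file_xsum",
    "parsing", "policy_name", "require_tls", "snmp_trap_id", "syslog_port", "type",
    "tz_id", "url",
]
OPS = {"add", "edit", "remove", "enable", "disable"}
TF_FIELDS = ("autolearn", "elm_logging", "exportNitroFile", "require_tls")
CHILD_TYPES = {"0", "1", "2"}   # not a child / child or agent / client

Row = Dict[str, str]


def make_row(**values: str) -> Row:
    """Builds a full 25-column row, starting from the defaults the table names."""
    row = {f: "" for f in FIELDS}
    row.update({"child_type": "0", "autolearn": "F", "elm_logging": "F",
                "exportNitroFile": "F", "nitro_formated_file_xsum": "no",
                "parsing": "yes", "require_tls": "F", "type": "49190"})
    row.update(values)
    return row


def parse_export(text: str) -> Tuple[str, List[Row]]:
    """Splits a file into the ESM version line and the rows that follow it.
    Assumes no header row between the version line and the first data row."""
    lines = text.splitlines()
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])), fieldnames=FIELDS,
                            restval="")
    return lines[0].strip(), [dict(r) for r in reader]


def validate(rows: List[Row], target_ipsid: str) -> List[str]:
    """Formatting problems of the kind the Message Log reports after an import."""
    errors = []
    for n, r in enumerate(rows, start=2):      # sheet row 1 is the version line
        if r["op"] not in OPS:
            errors.append(f"row {n}: op must be one of {sorted(OPS)}")
        if r["op"] == "add" and r["rec_id"] != target_ipsid:
            errors.append(f"row {n}: rec_id must be the target Receiver ipsid")
        if r["child_type"] not in CHILD_TYPES:
            errors.append(f"row {n}: child_type must be 0, 1 or 2")
        if r["child_type"] != "0" and not r["parent_id"]:   # assumed requirement
            errors.append(f"row {n}: child and client rows need a parent_id")
        for f in TF_FIELDS:
            if r[f] not in ("T", "F", ""):
                errors.append(f"row {n}: {f} must be T or F")
        if r["parsing"] not in ("yes", "no", ""):
            errors.append(f"row {n}: parsing must be yes or no")
        if "_" in r["ip"]:
            errors.append(f"row {n}: underscore is not allowed in a host name")
        if r["syslog_port"] and not r["syslog_port"].isdigit():
            errors.append(f"row {n}: syslog_port must be numeric")
    return errors


def prepare_for_import(rows: List[Row], target_ipsid: str) -> List[Row]:
    """Step 2c: every added data source gets the ipsid of the target Receiver."""
    out = []
    for r in rows:
        r = dict(r)
        if r["op"] == "add":
            r["rec_id"] = target_ipsid
        out.append(r)
    return out


def write_import_file(version: str, rows: List[Row]) -> str:
    """Serialises the version line followed by the rows, ready for Import."""
    buf = io.StringIO()
    buf.write(version + "\n")
    csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample. RECEIVER-A / RECEIVER-B stand in for real ipsid values.
SAMPLE_ROWS = [
    make_row(op="edit", rec_id="RECEIVER-B", dsname="corp-fw01", ip="10.0.0.1",
             model="Firewall", vendor="Example", linked_ipsid="RECEIVER-A",
             mask="32", require_tls="T", syslog_port="6514"),
    make_row(op="add", rec_id="RECEIVER-A", dsname="web-proxy", ip="10.0.0.2",
             model="Web Proxy", vendor="Example", mask="32", syslog_port="514"),
    make_row(op="add", rec_id="RECEIVER-B", dsname="branch-client",
             ip="branch_srv01", model="Windows WMI", vendor="Microsoft",
             child_type="2"),
]
```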



4| Configuring McAfee data sources

Configuring McAfee data sources


Configure data sources made by McAfee.

McAfee Active Response

Configure McAfee Active Response


Set McAfee Active Response (MAR) permissions for SIEM in McAfee ePolicy Orchestrator.

Before you begin


Make sure that the McAfee ePO device is configured and the McAfee ESM user account has rights to use enhanced integration
features. For more information, see the Configure the application server user account topic.

Task

1. Log on to McAfee ePO as an Administrator.


2. Select Server Settings → DXL Topic Authorizations .
3. Under Active Response Server API group, click Edit and set the following:

Note

Make sure that the Send Restrictions and Receive Restrictions column has All Systems or a Tag that is specific to the
selected McAfee Event Receiver (ERC).

a. Select the Active Response Server API checkbox.


b. Select Actions → Restrict Receive Tags.
c. Use a Tag specific to the ERC or deselect all to allow systems to get notifications.

Note

Make sure that Send Restrictions and Receiver Restrictions are configured correctly.

4. Select Server Tasks and run the Manage DXL Brokers task.
5. Perform the Wake Up Agent task on the ERC from the McAfee ePO console.
6. With an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop and NitroStart.
The McAfee Active Response events in the SIEM GUI are displayed after 10-15 minutes.


McAfee Advanced Threat Defense

Configure McAfee Advanced Threat Defense


Enable the Advanced Threat Defense off-box syslog and send it to the ESM.

Task

1. Log on to Advanced Threat Defense.


2. Click the Manage icon and select Syslog Setting from the left menu.

Option | Definition
Off Box System Log | Enabled
IP Address | IP address of the receiver
Port | 514
Transport | TCP

3. Test the connection.


4. Set Security Level to Medium or higher.
Using a lower setting may result in too many events being sent to the receiver.
5. Click Submit.
6. If you want to test the data source, manually upload a file in the Analysis section of Advanced Threat Defense, wait a few
minutes, and then check McAfee ESM.
Troubleshooting help is found on the Knowledge Center.

Add McAfee Advanced Threat Defense


Advanced Threat Defense can generate Indicators of Compromise (IOCs) and pass that information to McAfee ESM. Use the
Cyber Threat Manager to view IOC details. This can help you detect future attacks and assist in incident response or forensics.

Task

1. From McAfee ESM, select a receiver and click the Add Data Source icon.


Option | Definition
Data Source Vendor | McAfee
Data Source Model | Advanced Threat Defense
Name | A name to identify the device.
IP Address | The IP address of the Advanced Threat Defense device.
Mask | 32
Time Zone | The time zone where the Advanced Threat Defense device is located.

2. Click OK and click Yes when prompted to add Advanced Threat Defense as a cyber threat feed source.
A cyber threat feed source is an automatic way to provide McAfee ESM with IOCs. You can view and manage IOCs with the
Cyber Threat Manager dashboard.
The Cyber Threat Feed Wizard opens.
3. On the Main tab, type a name for the feed and click Next.
4. Type your Advanced Threat Defense credentials and click Connect to test your settings.
5. If you want to populate watchlists, select the Watchlist tab and configure the watchlists.
6. If you want to detect past occurrences of this IOC, select the Backtrace tab and run a backtrace.
7. Click Finish and then click Yes to apply the settings.

McAfee Advanced Threat Defense log format and field mapping

Log sample
Sample logs from an Advanced Threat Defense device:

{"Type":"Audit","MsgId":"M-TR-12-0","Result":"Success","User":"admin","Category":"Admin","Client":"10.10.10.10","Action":"Troubleshooting Log-Files Download","Description":"Successfully downloaded Log binary. "}
{"Type":"Audit","MsgId":"M-TR-13-1","Result":"Failure","User":"admin","Category":"Admin","Client":"10.10.10.10","Action":"Troubleshooting Diagnostic-File Download","Description":"Failed to download Diagnostic binary file . No Diagnostic binary file available"}
{"Summary": {"Event_Type": "ATD File Report", "MISversion": "3.4.2.31.43018", "fileId": "5f01_0df7_1ef275fe_09b4_4c6c_b03a_de1fc8afe2d5", "JobId": "1162", "TaskId": "-1", "ATD IP": "10.10.10.10", "Subject": {"Name": "filename.zip", "md5": "FFFFE4DE4B8A0103C53802FFFF123726", "Timestamp": "2021-07-07 14:38:32", "size": "582591"}, "Verdict": {"Severity": "2"}}}

Field mapping
The mapping between the data source and McAfee ESM fields.

Log fields | McAfee ESM fields
Link | Interface
Result | action
Category | Category
Description | Description
Result | Device_Action
Summary.ATD IP | Device_IP
Summary.Dst IP | Destination IP
Summary.SubmitterName | Destination User
Summary.SubmitterType | Event_Class
Summary.Subject.md5 | File_Hash
Summary.fileId | File_ID
Summary.Subject.size | File_Size
Summary.Subject.Type | File_Type
Summary.Subject.Name | Filename
Summary.TaskId | Job_Name
Action | Event Message
Summary.Verdict.Description | Event Message
CPU Alert.CPU Usage | New_Value
Disk Alert.Data Disk Usage | New_Value
Disk Alert.System Disk Usage | New_Value
LB Alert.New State | New_Value
Memory Alert.Memory Usage | New_Value
CPU Alert.CPU Threshold | Old_Value
Disk Alert.Disk Usage Threshold | Old_Value
LB Alert.Old State | Old_Value
Memory Alert.Memory Threshold | Old_Value
Summary.Parent_MD5 | Parent_File_Hash
Summary.Subject.md5 | Parent_File_Hash
Summary.Verdict.Severity | Severity, Action
Summary.Subject.sha-1 | SHA1
UserID | Source_UserID
Client, LB Alert.ATD IP, Summary.Src IP | Source IP
User | Source Username
HTTPAgent | User_Agent
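The mapping above applied to the log sample, as an added Python example (not the ASP parser or any McAfee code): it walks dotted paths such as Summary.Subject.md5 through the nested JSON, populates ESM field names from a subset of the table, and first splits a buffer holding several JSON objects back to back, which is how the sample reads. The assumption that the first log field listed wins when several feed the same ESM field is mine, not the guide's.

```python
import json
from typing import Any, Dict, List, Tuple

# Subset of the field mapping table above as (log field path, ESM field) pairs.
# Dotted paths descend into nested objects; a key may itself contain a space
# ("ATD IP"). Several log fields can feed one ESM field (Source IP), and one
# log field can feed several (Severity, Action).
FIELD_MAP: List[Tuple[str, str]] = [
    ("Result", "Device_Action"),
    ("Category", "Category"),
    ("Description", "Description"),
    ("Action", "Event Message"),
    ("Summary.Verdict.Description", "Event Message"),
    ("User", "Source Username"),
    ("UserID", "Source_UserID"),
    ("Client", "Source IP"),
    ("LB Alert.ATD IP", "Source IP"),
    ("Summary.Src IP", "Source IP"),
    ("Summary.Dst IP", "Destination IP"),
    ("Summary.ATD IP", "Device_IP"),
    ("Summary.fileId", "File_ID"),
    ("Summary.TaskId", "Job_Name"),
    ("Summary.Subject.Name", "Filename"),
    ("Summary.Subject.md5", "File_Hash"),
    ("Summary.Subject.size", "File_Size"),
    ("Summary.Subject.Type", "File_Type"),
    ("Summary.Subject.sha-1", "SHA1"),
    ("Summary.Verdict.Severity", "Severity"),
    ("Summary.Verdict.Severity", "Action"),
    ("CPU Alert.CPU Usage", "New_Value"),
    ("CPU Alert.CPU Threshold", "Old_Value"),
]


def lookup(record: Dict[str, Any], path: str) -> Any:
    """Follows a dotted path through nested dicts; None when any key is absent."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_event(document: str) -> Dict[str, str]:
    """Turns one ATD JSON document into a dict keyed by ESM field name.
    Assumption for this example: when several log fields feed the same ESM
    field, the first one present in FIELD_MAP order wins."""
    record = json.loads(document)
    event: Dict[str, str] = {}
    for path, esm_field in FIELD_MAP:
        value = lookup(record, path)
        if value is None or esm_field in event:
            continue
        event[esm_field] = str(value).strip()
    return event


def split_documents(text: str) -> List[str]:
    """Splits a buffer that holds several JSON objects back to back (the sample
    above is laid out like that) into one document per object."""
    decoder = json.JSONDecoder()
    docs, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return docs
        obj, pos = decoder.raw_decode(text, pos)
        docs.append(json.dumps(obj))


# The three records from the log sample above, joined into one buffer.
SAMPLE_LOG = (
    '{"Type":"Audit","MsgId":"M-TR-12-0","Result":"Success","User":"admin","Category":"Admin",'
    '"Client":"10.10.10.10","Action":"Troubleshooting Log-Files Download",'
    '"Description":"Successfully downloaded Log binary. "}\n'
    '{"Type":"Audit","MsgId":"M-TR-13-1","Result":"Failure","User":"admin","Category":"Admin",'
    '"Client":"10.10.10.10","Action":"Troubleshooting Diagnostic-File Download",'
    '"Description":"Failed to download Diagnostic binary file . No Diagnostic binary file available"}\n'
    '{"Summary": {"Event_Type": "ATD File Report", "MISversion": "3.4.2.31.43018", '
    '"fileId": "5f01_0df7_1ef275fe_09b4_4c6c_b03a_de1fc8afe2d5", "JobId": "1162", "TaskId": "-1", '
    '"ATD IP": "10.10.10.10", "Subject": {"Name": "filename.zip", '
    '"md5": "FFFFE4DE4B8A0103C53802FFFF123726", "Timestamp": "2021-07-07 14:38:32", '
    '"size": "582591"}, "Verdict": {"Severity": "2"}}}\n'
)


def map_sample() -> List[Dict[str, str]]:
    """Maps every record in SAMPLE_LOG."""
    return [map_event(doc) for doc in split_documents(SAMPLE_LOG)]
```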

McAfee Correlation Engine

Add McAfee Correlation Engine


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option | Definition
Data Source Vendor | McAfee
Data Source Model | Correlation Engine
Data Format | Default
Data Retrieval | Default
Enabled | Select options for processing events. Some options may not be available for your data source: Parsing, if you want to parse events (enabling parsing is recommended); McAfee Enterprise Log Manager (ELM), if you want to log the events on an ELM; McAfee Enterprise Log Search (ELS), if you want to search the event log on an ELS; SNMP Trap, if your environment requires it (this is rare).
Name | Name of data source
Time Order Tolerance | The maximum time that events can be logged out of chronological order.
Use Local Data | Not available if the receiver is connected to a Data Streaming Bus.

5. (Optional) Click Advanced and configure the settings.

Option | Definition
Device URL | Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version | Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order | Select the format for the dates on data sources: Default uses the default date order (month before day); when using client data sources, clients using this setting inherit the date order of the parent data source. Month before day puts the month before the day (04/23/2018). Day before month puts the day before the month (23/04/2018).
Zone | To assign this data source to a zone, select the zone from the list.
External data source link | Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format | Use this option when you are exporting raw data source data.
Data is NitroFile format | Use this option when you are exporting raw data source data. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum | If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

McAfee Data Loss Prevention Monitor

Configure McAfee Data Loss Prevention Monitor (McAfee DLP Monitor)
Configure McAfee DLP Monitor to forward logs.

Task

1. In the navigation pane, expand Application Security, point to Options, then click Logging Profiles.
2. Above the Logging Profiles area, click Create.
3. For Configuration, select Advanced.
4. For Profile Name, type a unique name for the logging profile.
5. Select Remote Storage, then select Reporting Server for the Type.
6. If you do not want data to be logged locally while it is being logged remotely, deselect Local Storage.
7. For Protocol, select UDP.
8. For Server IP, type the IP address of the McAfee Event Receiver.
9. For Server Port, type 514 (the default port used for Syslog).


10. (Optional) To ensure that system logging takes place, even when the logging utility is competing for system resources, select
Guarantee Logging.
11. (Optional) To log details about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select Report
Detected Anomalies. Examples of log details can include start and end time, number of dropped requests, and attacking
IP addresses.
12. Click Create.

Add McAfee Data Loss Prevention Monitor (McAfee DLP Monitor)
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option | Definition
Data Source Vendor | McAfee
Data Source Model | Network DLP Monitor
Data Format | Default
Data Retrieval | SYSLOG (Default)
Enabled | Select options for processing events. Some options may not be available for your data source: Parsing, if you want to parse events (enabling parsing is recommended); McAfee Enterprise Log Manager (ELM), if you want to log the events on an ELM; McAfee Enterprise Log Search (ELS), if you want to search the event log on an ELS; SNMP Trap, if your environment requires it (this is rare).
Name | Name of data source
IP Address/Hostname | IP address and host name associated with the data source device. Note: Don't use _ (underscore) in a host name field.
Syslog Relay | None
Mask | 32
Require Syslog TLS | Enable to require the Receiver to communicate over TLS
Support Generic Syslogs | Do nothing
Time Zone | Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device, used when the ESM forwards events
in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Map McAfee DLP Monitor fields to McAfee ESM fields


Expected log format

CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|deviceEventClassId|Name|Severity|Extension

Log sample

<13>RTS: CEF:0|McAfee|iGuard|9.2|CNN wget|CNN wget|Medium|cs1=Policy for prevenct cs1Label=policies cn1=2
cn1Label=MatchCount src=172.3.2.1 dst=172.1.2.3 spt=54399 dpt=1344 app=HTTP_Request cs3=HTTP_Header
cs3Label=Content cs4=etl.1 cs4Label=partition_name cn2=13291520 cn2Label=partition_offset cs5=2147484161
cs5Label=instance fsize=187 end=Jul 23 2012 13:47:13 suser= duser= cs2="" cs2Label=Subject fname=Unknown

Field mapping

Log fields McAfee ESM fields

request URL

cs2 Subject

cs1 Object

fname Filename

cs3 Object_Type

cn1 Message_Text

Name Message

duser Destination_Username

suser Source User

cnt Event Count

shost Hostname

proto Protocol

src

spt Source Port

smac Source MAC

dst Destination IP address

dpt Destination Port

dmac Destination MAC

app Application

start, end, rt, tstamp, collection First Time, Last Time

McAfee Database Security

Configure McAfee Database Security


Task

1. Log on to the McAfee® Database Security console.
2. Select System → Interfaces → Syslog.
3. Select Use syslog.
4. Configure the correct syslog host/port (IP address and port of the McAfee Event Receiver).
5. Select transport protocol.
6. Set syslog format to CEF.
7. Click Save.

Configure Database Activity Monitoring


Configure the system settings to enable McAfee Application Data Monitor as a data source.

Before you begin


Communication to McAfee ESM may be over TCP or UDP through a specific port. The IP address and port designated in the
Database Activity Monitoring server settings must be opened on the firewall for outbound communication to the ESM. Port 514
is the default port for syslog communication, but it can be configured.

You must have administrative credentials to perform the integration setup of the McAfee Application Data Monitor connector.

Task

1. Log on to the McAfee ePO server.
2. Click Menu → Server Settings → Database Activity Monitoring → Syslog → Edit.
3. Configure the Syslog parameters.

Option Value

Status Selected (enabled)

Host IP address of the designated ESM receiver

Port Communication port designated for ESM Syslog (default = 514)

Transport TCP or UDP (default = UDP)

Maximum Packet Length (default = 1)

Facilities (default = user)

Format CEF

4. Enable syslog rules.
a. Click Menu and select Policy Catalog.
b. Click the policy in scope of the syslog relay.
c. Select the rules to enable the syslog relay.
d. From the Actions menu, click Apply Actions.
e. Select Syslog and then select a log level (default is Trace).
5. Add McAfee Application Data Monitor as an ESM data source.
a. From McAfee ESM dashboard, select a receiver and click Add Data Source.
b. Configure the data source.

Option Value

Data Source Vendor McAfee

Data Source Model McAfee Database Security - CEF (ASP)

Data Format Default

Data Retrieval Default

Enabled Parsing

Name <desired naming convention>

IP Address <IP address of DAM server>

Host Name <optional>

Syslog Relay None

Mask 0

Require Syslog TLS <not selected>

Port 514

Support Generic Syslogs Do nothing

Generic Rule Assignment <N/A>

Time Zone GMT, 00:00 Greenwich Mean Time: Dublin, Edinburgh

Add McAfee Database Security


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model Database Security - CEF

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device

Syslog Relay Leave Default

Mask Leave Default

Require Syslog TLS Deselected

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device, used when the ESM forwards events
in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Map McAfee Database Security events to McAfee ESM fields


Expected log format

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

McAfee Email and Web Security

Configure McAfee Email and Web Security 6.x.x or later (CEF)

Task

1. Open and log on to the Appliance Management Console.
2. Select System → Logging → Alerting and SNMP → System Log Settings.
3. Click Enable system log events.
4. To enable CEF format, select the Logging format ArcSight.
5. Select Off-box system log and click Add Server.
6. Add the McAfee Event Receiver IP address and port (default is 514).

Configure McAfee Email and Web Security 5.x.x (syslog)


Task

1. Open and log on to the Appliance Management Console.
2. Select System → Logging → Alerting and SNMP → System Log Settings.
3. Click Enable system log events.
4. To enable standard non-formatted syslog messages, select the Logging format Syslog.
5. Select Off-box system log and click Add Server.
6. Add the McAfee Event Receiver IP address and port (default is 514).

Add McAfee Email and Web Security


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model For Syslog, select EWS v5 / Email Gateway Original Format - Legacy (ASP).

For CEF, select Email Gateway - CEF (ASP).

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device, used when the ESM forwards events
in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Map McAfee Email and Web Security 6.x.x fields to McAfee ESM fields

Expected log format (CEF)

|Device Vendor|Device Product|Signature ID|Name|Severity| act=<action> app=<application> msg=<message>
dst=<destination IP> dhost=<destination host> src=<source IP> dpt=<destination port> spt=<source port>
dmac=<destination MAC> smac=<source MAC> suser=<source user> duser=<destination user>
deviceDirection=<direction> sourceServiceName=<name> fsize=<file size> rt=<reception time> cs1Label=virus-names
cs1=<virus name> cs4Label=email-attachments cs4=<attachment name> cs6Label=email-subject cs6=<email subject>
cn3Label=number-email-recipients cn3=<number of recipients> cn2Label=num-email-attachments
cn2=<number of attachments> cnt=<count>

Log sample (CEF)

Jan 1 01:23:45 bridge : CEF:0|McAfee|Email Gateway|7.0|12345|Email Status|5|act=service app=smtp msg=Email
blocked with SMTP Code 550 dvc= dst= dhost= src=1.2.3.4 shost=ext-server.std.dom suser=<sender@domain.com>
duser=<recipient@domain.com> deviceDirection=0 sourceServiceName= filePath=
fileId=a0b1_c2d3_e4f5a6b7_c8d9_e0f1_a2b3_c4d5e6f7a8b9 fsize=123 rt=1234567891011 flexNumber1=123
flexNumber1Label=reason-id cs4Label=email-attachments cs4= cs5Label=master-scan-type cs5= cs6Label=email-
subject cs6=WSTest mail McafeeEmailgatewayOriginalSubject= McafeeEmailgatewayOriginalSender=
McafeeEmailgatewayOriginalMessageId= McafeeEmailgatewayEmailEncryptionType= cn1Label=is-primary-action cn1=
cn2Label=num-email-attachments cn2=0 cn3Label=number-email-recipients cn3=1

Field mapping (CEF)

Log fields McAfee ESM fields

Signature ID Sid

Name Message

Severity Severity

sourceServiceName Policy Name

email-subject Message Text

virus-names Threat Name

Device Vendor and Device Product Category

email-attachments, dlpfile, imagefile Filename

deviceDirection Direction

fsize Bytes Sent

number-email-recipients Recipient Count

suser From

duser To

act Device Action

app Application

act Command Name

dst Destination IP

src Source IP

dhost Hostname

rt First Time, Last Time

dpt Destination Port

spt Source Port

dmac Destination MAC

smac Source MAC

cnt Event Count

msg Reason
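The DLP Monitor mapping earlier in this chapter and the Email Gateway 6.x.x mapping above both start from the same CEF parse: seven pipe-delimited header fields, then space-separated key=value extension pairs whose csN/cnN values are named by a matching csNLabel/cnNLabel. The Python below is an added example, not McAfee's parser; the two sample lines are the ones printed in this guide (the Email Gateway line trimmed), the mapping dicts transcribe a subset of the two tables, and the escape-test line is constructed.

```python
import re
from typing import Dict, Tuple

# Added example, not McAfee code. Seven header positions from the guide's
# "Expected log format" lines; the extension is space-separated key=value.
HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                 "Signature ID", "Name", "Severity")
_CEF_START = re.compile(r"CEF:\d+\|")               # skips any syslog prefix
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")             # '|' not escaped as '\|'
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")   # whitespace before next key=

def _unescape(value: str, header: bool) -> str:
    # CEF escapes '|' in the header and '=' in the extension; '\\' in both.
    value = value.replace(r"\|", "|") if header else value.replace(r"\=", "=")
    return value.replace("\\\\", "\\")

def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension); extension keys are the raw CEF keys."""
    m = _CEF_START.search(line)
    if m is None:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SPLIT.split(line[m.start():], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs seven '|'-delimited fields")
    header = {n: _unescape(v, True) for n, v in zip(HEADER_FIELDS, parts[:7])}
    header["Version"] = header["Version"].split(":", 1)[1]   # "CEF:0" -> "0"
    ext: Dict[str, str] = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, _, val = token.partition("=")      # values may contain spaces
        ext[key] = _unescape(val, False)
    return header, ext

def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Add label-named entries (cs6Label=email-subject -> out['email-subject']
    == ext['cs6']) while keeping the raw keys."""
    out = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and label and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    return out

# Log field -> ESM field(s), a subset of the guide's two mapping tables.
EMAIL_GATEWAY_MAP: Dict[str, Tuple[str, ...]] = {
    "Signature ID": ("Sid",), "Name": ("Message",), "Severity": ("Severity",),
    "sourceServiceName": ("Policy Name",), "email-subject": ("Message Text",),
    "virus-names": ("Threat Name",), "email-attachments": ("Filename",),
    "deviceDirection": ("Direction",), "fsize": ("Bytes Sent",),
    "number-email-recipients": ("Recipient Count",), "suser": ("From",),
    "duser": ("To",), "act": ("Device Action", "Command Name"),
    "app": ("Application",), "dst": ("Destination IP",), "src": ("Source IP",),
    "dhost": ("Hostname",), "rt": ("First Time", "Last Time"), "msg": ("Reason",),
    "dpt": ("Destination Port",), "spt": ("Source Port",), "cnt": ("Event Count",),
}
DLP_MONITOR_MAP: Dict[str, Tuple[str, ...]] = {
    "Name": ("Message",), "cs1": ("Object",), "cs2": ("Subject",),
    "cs3": ("Object_Type",), "cn1": ("Message_Text",), "fname": ("Filename",),
    "suser": ("Source User",), "duser": ("Destination_Username",),
    "spt": ("Source Port",), "dst": ("Destination IP address",),
    "dpt": ("Destination Port",), "app": ("Application",),
    "end": ("First Time", "Last Time"),
}

def to_esm(line: str, mapping: Dict[str, Tuple[str, ...]]) -> Dict[str, str]:
    """Flatten one CEF line into ESM field names. Empty values (dst=, cs2="")
    are skipped rather than mapped, so a blank key never masks real data."""
    header, ext = parse_cef(line)
    fields = {**header, **resolve_labels(ext)}
    esm: Dict[str, str] = {}
    for log_field, esm_fields in mapping.items():
        value = fields.get(log_field, "")
        if value not in ("", '""'):
            for name in esm_fields:
                esm[name] = value
    return esm

# Sample lines as printed in this guide (the Email Gateway line is trimmed).
DLP_MONITOR_SAMPLE = (
    '<13>RTS: CEF:0|McAfee|iGuard|9.2|CNN wget|CNN wget|Medium|cs1=Policy for prevenct '
    'cs1Label=policies cn1=2 cn1Label=MatchCount src=172.3.2.1 dst=172.1.2.3 spt=54399 '
    'dpt=1344 app=HTTP_Request cs3=HTTP_Header cs3Label=Content cs4=etl.1 '
    'cs4Label=partition_name cn2=13291520 cn2Label=partition_offset cs5=2147484161 '
    'cs5Label=instance fsize=187 end=Jul 23 2012 13:47:13 suser= duser= cs2="" '
    'cs2Label=Subject fname=Unknown')
EMAIL_GATEWAY_SAMPLE = (
    'Jan 1 01:23:45 bridge : CEF:0|McAfee|Email Gateway|7.0|12345|Email Status|5|'
    'act=service app=smtp msg=Email blocked with SMTP Code 550 dvc= dst= dhost= '
    'src=1.2.3.4 shost=ext-server.std.dom suser=<sender@domain.com> '
    'duser=<recipient@domain.com> deviceDirection=0 sourceServiceName= filePath= '
    'fsize=123 rt=1234567891011 cs4Label=email-attachments cs4= cs6Label=email-subject '
    'cs6=WSTest mail cn2Label=num-email-attachments cn2=0 '
    'cn3Label=number-email-recipients cn3=1')
# Constructed line (not from the guide) that exercises the escape rules.
ESCAPED_SAMPLE = r"CEF:0|Vendor\|Co|Prod|1|100|Name|3|msg=a\=b cs1=x cs1Label=lbl"
```

Call to_esm(EMAIL_GATEWAY_SAMPLE, EMAIL_GATEWAY_MAP) to see which ESM fields the sample actually populates; act lands in both Device Action and Command Name exactly as the table lists it twice.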

McAfee Email and Web Security 5.x.x events to McAfee ESM fields

Log format (syslog)
The expected format for this device is:

timestamp Application=<app> Event=<event> status=<status> User=<username> source=<source ip>
virusname=<Virus.Name> filename=http://example.com/example.exe from=<from> size=<size> nrcpts=<number of
recipients> to=<to> relay=<destination ip> subject=<email subject> spamrules=<signature name>
attachment(s)=<name of attachment>

Log sample (syslog)


This is a sample log from a McAfee Email and Web Security device:

<22>Jan 1 01:23:45 mx1 Application=http, Event='Anti-virus engine detection', status='The content was
categorized as a Potentially Unwanted Program', User=user1@DOMAIN.LOCAL, source=(192.0.2.10),
msgid=1234_5678_a0b1c23_d4e5_f7a8_b9c0_d1e2f3a4b5v6, virusname=Cookie-Adserver (Abc\123\123abc Element),
filename= http://example.com/homepage;

Mappings (syslog)
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

timestamp First Time, Last Time

Application Application

Event Message

status Reason

from From

to To

User Source User

source Source IP

relay Destination IP

virusname Threat Name

filename, attachment Filename

spamrules Signature Name

size Bytes Sent

subject Subject

McAfee ePolicy Orchestrator

Configure the Database Server user account


This task applies to device options and data source configuration options. Both require a McAfee ePO database user account,
which enables the McAfee Event Receiver to collect the data from the McAfee ePO database.

Task

1. Log on to the McAfee ePO database server.
2. Start SQL Server Management Studio → Enterprise Manager.
3. Expand the Console Root node several times to view the items under the Security folder.
4. Right-click the Logins icon, then select New Login.
5. On the General page, do the following:
a. In Login name, enter a user name (such as epo) that the McAfee Event Receiver uses to connect to the McAfee ePO
database.
b. Select SQL Server Authentication, then enter and confirm a password.
c. From the Default database menu, select the McAfee ePO database from the Database drop-down list.

Caution

If you leave the Default database as master, the McAfee Event Receiver fails to pull events.

6. Select the User Mapping page.
a. Select the database where the user’s logon is mapped.
b. For Database role membership, select db_datareader.

7. Click OK to save.
8. Log off from the SQL Server Management Studio/Enterprise Manager.

Configure the application server user account


This task applies only to the device configuration option. The McAfee ESM user account must have rights that allow ESM to use
enhanced integration features such as McAfee ePO tagging and actions, McAfee® Risk Advisor, and Threat Intelligence Exchange.

Task

1. Log on to the McAfee ePO console using an account with the appropriate rights.
2. Select Menu → Permission Sets → User Management.
3. Click Actions → New.
4. Name the group McAfee SIEM.
5. Add rights so that the McAfee ESM account works properly. With the new group selected, scroll down to Systems, then
select Edit.
6. In Systems , select these options, then click Save.
a. For Actions, select Wake up agents, view Agent Activity Log.
b. For Tag use, select Apply, exclude, and clear tags.
7. To assign users to the group, in the User Management section, select Menu → Users.
8. Select New User and define these options:
a. Enter the New User name.
b. Set the Logon status to Enabled.
c. Set the Authentication type to ePO authentication and enter the password.
d. Set the Manually assigned permission sets to Selected permission sets and McAfee SIEM, then click Save.

Differences in configuration options for ePolicy Orchestrator

Additional McAfee ESM features are available when McAfee ePO is configured as a device in McAfee ESM. This table lists most of
the differences in the features available for each configuration.

McAfee ePO connected as a device:

• McAfee ePO listed in the ESM device tree as a device
• Associated McAfee ePO applications listed as child data sources under the device
• Assign tags in McAfee ePO from ESM for source or destination IP addresses and events generated by alarms
• Automatic enablement of Threat Intelligence Exchange reporting in McAfee ESM over McAfee® Data Exchange Layer
(DXL), if a Threat Intelligence Exchange server is connected to McAfee ePO
• Enablement of McAfee® Risk Advisor data acquisition
• Automatic enablement of McAfee ACE correlation rules for Threat Intelligence Exchange and Risk Advisor
• Automatic enablement of Alarms and Watchlists for TIE
• Ability to query multiple McAfee ePO devices for custom reports or views in McAfee ESM

McAfee ePO connected as a data source:

• McAfee ePO listed in the ESM device tree as a data source
• None of the other features listed above (N/A)

Add McAfee ePolicy Orchestrator as a data source


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model ePolicy Orchestrator (ASP)

Data Format Default

Data Retrieval SQL (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

User ID The McAfee ePO database user name

Password The McAfee ePO database password

Port The McAfee ePO database port (default is 1433)

Database Name The McAfee ePO database name

Database Instance The database instance, if any

5. (Optional) If the receiver doesn't connect to the data source, test the connection manually.
a. SSH to the receiver.
b. At the command prompt, enter:

curl -L -k -XPOST 'https://iam.mcafee-cloud.com/iam/v1.0/token' \
  --data "username=<admin_username>" \
  --data "password=<admin_password>" \
  --data "client_id=0oawz1wagXnxG7lUr2p6" \
  --data "grant_type=password" \
  --data "scope=epo.evt.r" \
  -H "accept: application/json" \
  -H "content-type: application/x-www-form-urlencoded" \
  -H "cache-control: no-cache"

If the password contains special characters, it might need to be URL encoded; curl's --data-urlencode option encodes a
value for you, and URL encoders are also available on the Internet. The -k option disables TLS certificate verification,
so use it only for this connectivity test.

6. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device, used when the ESM forwards events
in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Add McAfee ePolicy Orchestrator as a device


Before you begin
You must have the user names and passwords, created previously, for the McAfee ePO Application Server and the McAfee ePO
database server.

After successfully logging on to the McAfee ESM console, you can add a McAfee ePO device using the Device wizard.

Task

1. From the device tree, select Physical Display, then click the Add Device icon from the Action toolbar.
2. In the Add Device Wizard, select McAfee ePolicy Orchestrator (v4.6 or newer), then click Next.
3. Enter a name for the McAfee ePO device, then click Next.
a. Select the McAfee Event Receiver that connects to the McAfee ePO device.
b. Enter the application IP address of the McAfee ePO Application Server.
c. Enter the application port (default is 8443).
d. Enter the application user name for the McAfee ePO web interface.
e. Enter the application password for the McAfee ePO web interface.
f. When McAfee ePO is added on the ESM, the ESM can check for the presence of a Threat Intelligence Exchange server.
If one is present, the ESM begins listening and retrieving events from the Data Exchange Layer (DXL). To use this
feature, select Enable DXL.
4. Test the McAfee Event Receiver’s ability to connect to McAfee ePO by clicking Connect. When the connection is successful,
click Next.

If the connection fails, verify the user credentials and that no firewall policies are blocking the connection between the
McAfee Event Receiver and McAfee ePO.

Caution

Select Require user authentication only if each McAfee ePO user has a separate account for each device.

a. Enter the database IP address of the McAfee ePO database server.
b. Enter the database port (default is 1433).
c. Enter the database user name.
d. Enter the database password.
e. Enter the database name.
f. If using database instances, enter the database instance name.
5. Test the McAfee Event Receiver’s ability to connect to the McAfee ePO database by clicking Connect. When the connection
is successful, click Next.

If the connection fails, make sure that you are using the correct user credentials, and that no firewall policies are blocking
the connection between the McAfee Event Receiver and McAfee ePO.

A status window appears while McAfee ePO is added as a device in ESM.

6. When McAfee ePO is successfully added, click Finish.
7. In the ESM device tree, expand the new McAfee ePO device.
a. Confirm the connection to the McAfee ePO host.
b. Identify the McAfee products discovered by ESM as installed extensions in McAfee ePO.

McAfee ePolicy Orchestrator log format and field mapping

Log sample
A sample log from a McAfee ePO device:

AutoID="17443183" AutoGUID="01234567-ABCD-ABCD-ABCD-ABCD01234567" ServerID="SERVER1234"
ReceivedUTC="2021-05-03 06:27:04.753" DetectedUTC="2021-05-03 06:26:21.0"
AgentGUID="01234567-ABCD-ABCD-ABCD-ABCD01234567"
SourceHostName="HOST1234" SourceIPv4="10.10.10.10" SourceIPv6="::ffff:10.10.10.10" SourceMAC="" SourceUserName=""
SourceProcessName="On-Demand Scan" SourceURL="" Analyzer="ENDP_AM_1120" AnalyzerName="McAfee Endpoint Security"
AnalyzerVersion="10.10.10.10" AnalyzerHostName="HOST1234" AnalyzerIPv6="::ffff:10.10.10.10" AnalyzerIPv4="10.10.10.10"
AnalyzerMAC="010a010a010a" AnalyzerDATVersion="2967.0" AnalyzerEngineVersion="5800.7501"
AnalyzerDetectionMethod="On-Demand Scan"
TargetHostName="HOST1234" TargetIPv4="10.10.10.10" TargetIPv6="::ffff:10.10.10.10" TargetMAC="" TargetUserName="DOMAIN\USER1"
TargetPort="0" TargetProtocol="" TargetProcessName="" TargetFileName="eicar.com" ThreatCategory="av.detect" ThreatSeverity="2"
ThreatName="EICAR test file" ThreatEventID="1278" ThreatType="test" ThreatActionTaken="IDS_ALERT_ACT_TAK_DEL" ThreatHandled="1"
ProductFamily="THREATPREVENTION" IPv6="::ffff:10.10.10.10" IPv4x="10.10.10.10" Direction="" UserName="" URL="" ListID="0"
ReasonID="0" Count="0" DomainName="" ActionID="0" wpRating="0" CatName="" ContentRiskGroup="" ContentFuncGroup=""
PhishingRatingID="0" DownloadRatingID="0" SpamRatingID="0" PopupRatingID="0" BadLinkRatingID="0" ExploitRatingID="0"
ObserverMode="0" Vendor="" Subject="" Hash="" BladeName="IDS_BLADE_NAME_SPB" AnalyzerRuleID="" AnalyzerRuleName=""
AnalyzerGTIQuery="0" ThreatDetectedOnCreation="0" SourcePort="0" SourceFilePath="" SourceFileSize="0" TargetName="eicar.com"
TargetPath="C:\Users\user1\Downloads" TargetFileSize="68" Cleanable="0" TaskName="Full Scan due to a malware is detected"
APIName="" FirstAttemptedAction="IDS_ALERT_THACT_ATT_CLE" FirstActionStatus="0" SecondAttemptedAction="IDS_ALERT_THACT_ATT_DEL"
SecondActionStatus="1" AttackVectorType="4" AccessRequested=" "

Field mapping
The mapping between the data source and McAfee ESM fields.

McAfee ePO - HIPS Event

Log fields McAfee ESM fields

ProductFamily Application

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

ThreatType Object_Type

Files Filesname

SourceProcessName Process_Name

SignatureName Signature_Name

ThreatCategory Threat_Category

AnalyzerVersion Version

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled (0=No,1=Yes)

AgentGUID Source GUID

RegistryKey Registry.Key

RegistryValue Registry.Value

siem_last_time, ReceivedUTC firsttime, lasttime

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

SourceMAC Source MAC

SourceUserName Source User

HostName, TargetHostName Host

TargetIPv4, TargetIPv6 Destination IP

TargetMAC Destination MAC

TargetUserName Destination User

TargetProtocol Protocol

ThreatActionTaken Action

AnalyzerEngineVersion Version

LocalPort, RemotePort Source Port or Destination Port (depending on direction of traffic)

ThreatSeverity Severity

McAfee ePO - Site Advisor Event

Log fields McAfee ESM fields

ProductFamily Application

ContentName Event Message

AgentGUID Source GUID, Agent_GUID

UserName Source User

EventType Event_Class

URL URL

ListType, ReasonType Category

DomainName Domain

siem_last_time firsttime, lasttime

ContentRiskGroup Object

Action Action

Rating Status, Severity

ContentFuncGroup URL_Category

HostName Host

HostIP Source IP

McAfee ePO - DLP Event

Log fields McAfee ESM fields

ProductFamily Application

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

TargetIPv4, TargetIPv6 Destination IP

TargetPort Destination Port

SourceMAC Source MAC

TargetMAC Destination MAC

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

ThreatType Object_Type

SourceProcessName Process_Name

AnalyzerDATVersion Analyzer_DAT_Version

ThreatCategory Threat_Category

DetectionMethod Detection_Method

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled (0=No,1=Yes)

ThreatName Threat_Name, Event Message

ThreatEventID Signature ID

AgentGUID Source GUID

siem_last_time, ReceivedUTC firsttime, lasttime

SourceUserName Source User

TargetUserName Destination User

HostName, TargetHostName Host

AnalyzerEngineVersion Version

ThreatSeverity Severity

USBSerialNumber Object

McAfee ePO - VirusScan Event

Log fields McAfee ESM fields

ProductFamily Application

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

TargetIPv4, TargetIPv6 Destination IP

TargetPort Destination Port

TargetProtocol Protocol

SourceMAC,AnalyzerMAC Source MAC

TargetMAC Destination MAC

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

ThreatType Object_Type

SourceProcessName Process_Name

AnalyzerDATVersion Analyzer_DAT_Version

ThreatCategory Threat_Category

DetectionMethod Detection_Method

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled (0=No,1=Yes)

ThreatEventID Signature ID

ThreatName Threat_Name

AgentGUID Source GUID

siem_last_time, ReceivedUTC firsttime, lasttime

SourceUserName Source User

TargetUserName Destination User

HostName, TargetHostName Host

AnalyzerEngineVersion Version

McAfee ePO - Threat Prevention Event

Log fields McAfee ESM fields

ProductFamily Application

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

TargetIPv4, TargetIPv6 Destination IP

TargetPort Destination Port

TargetProtocol Protocol

SourceMAC,AnalyzerMAC Source MAC

TargetMAC Destination MAC

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

ThreatType Object_Type

SourceProcessName Process_Name

AnalyzerRuleName Signature_Name

ThreatCategory Threat_Category

DetectionMethod Detection_Method

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled (0=No,1=Yes)

ThreatEventID Signature ID

ThreatName Threat_Name

AgentGUID Source GUID

siem_last_time, ReceivedUTC firsttime, lasttime

SourceUserName Source User

TargetUserName Destination User

AnalyzerRuleID Response_Code

FirstActionStatus + SecondActionStatus Object

DurationBeforeDetection Elapsed_Time

Hostname, TargetHostName, AnalyzerHostName Host

ThreatActionTaken Action

McAfee ePO - Web Control

Log fields McAfee ESM fields

ProductFamily Application

CatName Event Message

ThreatEventID Signature ID

AgentGUID Source GUID

ThreatName Threat_Name

UserName, SourceUserName Source User

URL URL

ListID, ReasonID Category

DomainName Domain

ContentRiskGroup Object

ContentFuncGroup URL_Category

ActionID Action

wpRating Severity, Subcategory

AnalyzerHostName, TargetHostName Host

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

SourceMAC,AnalyzerMAC Source MAC

TargetIPv4, TargetIPv6 Destination IP

TargetMAC Destination MAC

TargetUserName Destination User

SourceProcessName Process_Name

TargetPort Destination Port

TargetProtocol Protocol

TargetFileName Destination_Filename

DetectionMethod Object_Type

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled

siem_last_time, ReceivedUTC firsttime, lasttime

McAfee ePO - ATP

Log fields McAfee ESM fields

ProductFamily Application

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

SourceMAC,AnalyzerMAC Source MAC

SourceUserName Source User

HostName, TargetHostName Host

TargetIPv4, TargetIPv6 Destination IP

TargetMAC Destination MAC

TargetUserName Destination User

TargetPort Destination Port

TargetProtocol Protocol

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

TargetPath Filename

ThreatType Object_Type

SourceProcessName Process_Name

ThreatCategory Threat_Category

DetectionMethod Detection_Method

ThreatHandled Threat_Handled (0=No,1=Yes)

ThreatEventID Signature ID

ThreatSeverity Severity

AgentGUID Source GUID

siem_last_time, ReceivedUTC firsttime, lasttime

AnalyzerEngineVersion Version

AttackVectorType Method

jtiFileHash SHA1

jtiObjectType File_Type

jtiReputation Reputation_Name

McAfee ePO - Events

Log fields McAfee ESM fields

SourceIPv4, AnalyzerIPv4, SourceIPv6, AnalyzerIPv6 Source IP

SourceMAC, AnalyzerMAC Source MAC

SourceUserName Source User

Hostname, TargetHostName, AnalyzerHostName Host

TargetIPv4, TargetIPv6 Destination IP

TargetMAC Destination MAC

TargetUserName Destination User

TargetPort Destination Port

TargetProtocol Protocol

TargetProcessName Target_Process_Name

TargetFileName Destination_Filename

ThreatType Object_Type

SourceProcessName Process_Name

AnalyzerDATVersion Analyzer_DAT_Version

ThreatCategory Threat_Category

DetectionMethod Detection_Method

ThreatActionTaken Device_Action

ThreatHandled Threat_Handled (0=No,1=Yes)

ProductFamily Application

ThreatEventID Signature ID

ThreatName Threat_Name

AgentGUID Source GUID

siem_last_time, ReceivedUTC firsttime, lasttime

AnalyzerEngineVersion Version

FirstActionStatus + SecondActionStatus Object

DurationBeforeDetection Elapsed_Time

McAfee ePO - Product Events

Log fields McAfee ESM fields

TVDEventID Signature ID

ProductFamily Application

IPv6 Source IP

TVDSeverity Severity

AgentGUID Source GUID, Agent_GUID

SourceProcessName Process_Name

UserName Source User

HostName Host

SiteName Domain

siem_last_time, ReceivedUTC firsttime, lasttime

Version Version

DAT_Version Analyzer_DAT_Version

McAfee ePO - Orion Event

Log fields McAfee ESM fields

CmdName Event Message

Message Message_Text

UserName Source User

Priority Severity

Success Action

StartTime firsttime, lasttime

RemoteAddress Source IP

McAfee ePO TIE Certificate Reputation Change

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

oldReputations trustLevel Old_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

newReputations trustLevel New_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

McAfee ePO TIE File Detection

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

agentGuid Source GUID

remediationAction Device_Action, Action

localReputation New_Reputation.TIE_File

detectionTime firsttime, lasttime

filename Filename

McAfee ePO TIE File First Instance

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

agentGuid Source GUID

filename Filename

McAfee ePO TIE File Reputation Change

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

oldReputations trustLevel Old_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

newReputations trustLevel New_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)
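The key="value" layout of the ePO log sample above can be parsed with one regular expression, and the McAfee ePO - Threat Prevention Event table applied on top of the result. The Python below is an added example, not McAfee ESM parser code. The ESM field names are taken from that table; the rule that, for a row listing several log fields, the first non-empty one wins, the collapsing of IPv4-mapped IPv6 addresses (::ffff:10.10.10.10) to plain IPv4 so both forms correlate, and the sample event (a condensed copy of the log sample with SourceIPv4, SourceIPv6 and TargetIPv4 blanked so the fallbacks are exercised) are this example's own assumptions.

```python
"""Parse an ePO threat event in key="value" form and apply the
'McAfee ePO - Threat Prevention Event' field mapping.
Added example, not McAfee ESM parser code."""
import ipaddress
import re

# One key="value" pair; values may be empty and may contain spaces or backslashes.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: condensed from the page's log sample, with the Source
# addresses and TargetIPv4 blanked (assumption) so the fallback fields are used.
SAMPLE = (
    'AutoID="17443183" ServerID="SERVER1234" ReceivedUTC="2021-05-03 06:27:04.753" '
    'DetectedUTC="2021-05-03 06:26:21.0" AgentGUID="01234567-ABCD-ABCD-ABCD-ABCD01234567" '
    'SourceHostName="HOST1234" SourceIPv4="" SourceIPv6="" SourceMAC="" SourceUserName="" '
    'SourceProcessName="On-Demand Scan" AnalyzerHostName="HOST1234" AnalyzerIPv4="10.10.10.10" '
    'AnalyzerIPv6="::ffff:10.10.10.10" AnalyzerMAC="010a010a010a" AnalyzerRuleID="" '
    'AnalyzerRuleName="" TargetHostName="HOST1234" TargetIPv4="" TargetIPv6="::ffff:10.10.10.10" '
    'TargetMAC="" TargetUserName="DOMAIN\\USER1" TargetPort="0" TargetProtocol="" '
    'TargetProcessName="" TargetFileName="eicar.com" ThreatCategory="av.detect" '
    'ThreatSeverity="2" ThreatName="EICAR test file" ThreatEventID="1278" ThreatType="test" '
    'ThreatActionTaken="IDS_ALERT_ACT_TAK_DEL" ThreatHandled="1" ProductFamily="THREATPREVENTION"'
)

# Rows of the 'McAfee ePO - Threat Prevention Event' table. Log fields are tried
# in the listed order and the first non-empty value is used (assumption about how
# ESM resolves a row that names several log fields). ReceivedUTC feeds both times.
THREAT_PREVENTION_MAP = [
    (("ProductFamily",), "Application"),
    (("SourceIPv4", "AnalyzerIPv4", "SourceIPv6", "AnalyzerIPv6"), "Source IP"),
    (("TargetIPv4", "TargetIPv6"), "Destination IP"),
    (("TargetPort",), "Destination Port"),
    (("TargetProtocol",), "Protocol"),
    (("SourceMAC", "AnalyzerMAC"), "Source MAC"),
    (("TargetMAC",), "Destination MAC"),
    (("TargetProcessName",), "Target_Process_Name"),
    (("TargetFileName",), "Destination_Filename"),
    (("ThreatType",), "Object_Type"),
    (("SourceProcessName",), "Process_Name"),
    (("AnalyzerRuleName",), "Signature_Name"),
    (("ThreatCategory",), "Threat_Category"),
    (("ThreatActionTaken",), "Device_Action"),
    (("ThreatHandled",), "Threat_Handled"),
    (("ThreatEventID",), "Signature ID"),
    (("ThreatName",), "Threat_Name"),
    (("AgentGUID",), "Source GUID"),
    (("ReceivedUTC",), "firsttime"),
    (("ReceivedUTC",), "lasttime"),
    (("SourceUserName",), "Source User"),
    (("TargetUserName",), "Destination User"),
    (("AnalyzerRuleID",), "Response_Code"),
    (("Hostname", "TargetHostName", "AnalyzerHostName"), "Host"),
    (("ThreatActionTaken",), "Action"),
]


def parse_epo_event(line):
    """Return the key="value" pairs of one ePO event as a dict (empty values kept)."""
    return dict(_KV_RE.findall(line))


def normalize_ip(value):
    """Collapse an IPv4-mapped IPv6 address (::ffff:10.10.10.10) to 10.10.10.10 so the
    IPv4 and IPv6 copies ePO emits for the same host compare equal; other values pass."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return value
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def map_epo_to_esm(event, mapping=THREAT_PREVENTION_MAP):
    """Apply the mapping; ESM fields with no non-empty source value stay unset."""
    esm = {}
    for log_fields, esm_field in mapping:
        value = next((event[f] for f in log_fields if event.get(f)), "")
        if not value:
            continue
        if esm_field.endswith(" IP"):
            value = normalize_ip(value)
        elif esm_field == "Threat_Handled":      # table: 0=No, 1=Yes
            value = {"0": "No", "1": "Yes"}.get(value, value)
        esm[esm_field] = value
    return esm


if __name__ == "__main__":
    for field, value in sorted(map_epo_to_esm(parse_epo_event(SAMPLE)).items()):
        print(f"{field:22} {value}")
```

Run directly, the script prints the mapped ESM fields for the sample. Rows such as Protocol and Signature_Name are absent from the output because TargetProtocol and AnalyzerRuleName are empty in the event, which is how the mapping tables should be read: a listed row only populates its ESM field when the product actually filled the log field.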

Integrate McAfee ePolicy Orchestrator


McAfee Enterprise Security Manager can start McAfee ePO directly from its interface, allowing the user to view the endpoint
details stored in McAfee ePO.

This advanced integration assumes that McAfee ePO has been added as a device and that the local network settings have been
configured in Asset Manager. If the local network settings have already been configured, skip to Start ePolicy Orchestrator
from McAfee ESM to view details about Managed Assets.

Note

This configuration example assumes one McAfee ePO server with a local SQL database. In configurations where the McAfee
ePO server is connected to a secondary SQL database server, contact McAfee support for assistance.

Enable the ability to start ePolicy Orchestrator from McAfee ESM

Task

1. From ESM System Properties, select ESM Management.


2. Click Local Network.

3. Enter the IP addresses and optional subnets that make up the Local Network, then click OK.

McAfee ESM now allows the user to start McAfee ePO and view details specific to a managed endpoint.

Start ePolicy Orchestrator from McAfee ESM to view details about Managed Assets

Task

1. Select an event from a McAfee ESM view that contains a source or destination IP address associated with a managed
asset in McAfee ePO.
2. In the upper left of the component window, click the menu icon.
3. Select Actions → View in ePO from the expanded menu.
4. Select a McAfee ePO device (if applicable), then click OK.

• If only one McAfee ePO device or data source exists on the system, the McAfee ePO interface starts.
• If more than one McAfee ePO device or data source exists on the system, select the one you want to access. The
McAfee ePO interface starts for that device.
• If the selected event or flow (from a table component in McAfee ESM) has both a source IP address and a
destination IP address in the local network, you must also select which IP address is used for the lookup. Once
the IP address is identified, the McAfee ePO interface starts.

5. When prompted for authentication with McAfee ePO, enter the appropriate McAfee ePO credentials to log on.

Once authenticated, the asset information window for McAfee ePO displays details related to the endpoint that you
selected from the event in McAfee ESM.

Assign ePolicy Orchestrator tags from McAfee ESM


In addition to viewing managed endpoints on the McAfee ePO server, McAfee ESM supports assigning McAfee ePO tags to assets
and alarms directly from the ESM console.

Task

1. Select an event from an ESM view that contains a source or destination IP address associated with a managed asset in
McAfee ePO.
2. In the upper left of the component window, click the menu icon.
3. From the expanded menu, select Actions → ePO Tagging.
4. Select a policy tag from the list, then click Assign.
5. (Optional) After you assign a tag to the endpoint, select Wake up client.
6. When finished, click Close.
7. (Optional) To access the tagging options:
a. Select the McAfee ePO device in the ESM device tree, then click the Properties icon above the device tree.
b. Select ePO Tagging from the left side of the ePO Properties window to display the tagging options.

McAfee ePO device authentication problems


McAfee ePO authentication credentials must be added to ESM before using McAfee ePO tags or actions.

There are two types of authentication:

• Single global account — If the user belongs to a group that has access to a McAfee ePO device, the integration features
can be used after entering the global credentials.
• Separate account for each device per user — The user must have permission to view the device in the ESM device tree.

Select a method of authentication to employ when using tags or actions. If the credentials are not found or are invalid, the user is
prompted to enter valid credentials, which must be saved to allow future communication with the device.

Configure separate account authentication


Global account authentication is the default setting in ESM. To use a separate account for each device and user, configure it as follows.

1. Verify that Require user authentication is selected when adding the McAfee ePO device on the ESM, or when configuring
its connection settings.
2. Enter the credentials on the ESM options page.
a. On the system navigation bar of the ESM console, click options, then click ePO Credentials.
b. Select a McAfee ePO device and click Edit.
c. Provide the user name and password for the selected device, then click Test Connection.
d. Click OK when the test passes.

McAfee Firewall Enterprise

Configure McAfee Firewall Enterprise


Task

1. From the McAfee Firewall Enterprise Admin Console, select Monitor → Audit Management, then click the Firewall
Reporter/Syslog tab.
2. In the Export audit to syslog servers section, click New on the toolbar.
3. Enter the IP address of the McAfee Event Receiver where the logs are sent.
4. From the Remote Facility drop‐down list, select a syslog facility to help identify the audit export.
5. (Optional) Click in the Description cell and type a description of the audit export entry.
6. Verify these settings from the advanced options, then click OK.

• Port: 514
• Format: SEF

7. Save the changes.

Add McAfee Firewall Enterprise


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model Firewall Enterprise (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Mask Default

Require Syslog TLS Leave unchecked

Support Generic Syslogs Default

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL that can be opened to view event data for this data source (maximum of 512
characters). You open this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that identify this device when the ESM forwards its
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you
import those files to another Receiver automatically, Data is NitroFile is selected for each of the
data sources you are importing. If you import them manually, you must select this box for each
data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that
has a checksum file. If you import them manually, you must select it. The only exception is when
you are importing a data source file that doesn't have a checksum file, but you want to view it
anyway.

McAfee Firewall Enterprise log format and field mapping


Log format
The expected format for this device is one space-delimited line carrying these fields, in this order:

computer, date, time, IP protocol, source, destination, original client IP, source network, destination network,
action, status, rule, application protocol, bytes sent, bytes sent intermediate, bytes received, bytes received
intermediate, connection time, connection time intermediate, username, agent, session ID, connection ID

Log sample
This is a sample log from a McAfee Firewall Enterprise device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP
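The format above is positional, and the sample shows the one property that breaks a naive whitespace split: the source network name can itself contain a space ("Local Host"), so the line has one token more than there are fields. The Python below is an added example, not McAfee ESM parser code. It assumes the field order listed under Log format, that "-" marks an empty field, and that only the source network field is variable-width, so it counts the fixed fields in from each end of the line. The table above maps four fields; splitting source and destination into address and port is this example's own addition.

```python
"""Parse a McAfee Firewall Enterprise audit line (space-delimited, field order as listed
under 'Log format') and map it to ESM fields. Added example, not McAfee ESM parser code."""

# Fixed fields before and after the variable-width 'source network' field (assumption:
# only that field can contain spaces).
LEADING = ("computer", "date", "time", "ip_protocol", "source", "destination",
           "original_client_ip")
TRAILING = ("destination_network", "action", "status", "rule", "application_protocol",
            "bytes_sent", "bytes_sent_intermediate", "bytes_received",
            "bytes_received_intermediate", "connection_time",
            "connection_time_intermediate", "username", "agent", "session_id",
            "connection_id")

# Constructed sample, copied from the page's log sample.
SAMPLE = ("SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 "
          "Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999")


def parse_mfe(line):
    """Split one audit line into named fields; '-' (assumed placeholder) becomes None."""
    toks = line.split()
    if len(toks) < len(LEADING) + len(TRAILING) + 1:
        raise ValueError("too few fields for a Firewall Enterprise audit line")
    rec = dict(zip(LEADING, toks))                       # first 7 tokens
    rec["source_network"] = " ".join(toks[len(LEADING):len(toks) - len(TRAILING)])
    rec.update(zip(TRAILING, toks[len(toks) - len(TRAILING):]))   # last 15 tokens
    return {k: (None if v == "-" else v) for k, v in rec.items()}


def split_endpoint(value):
    """'ip:port' -> (ip, port). IPv4 only, which is what the sample carries."""
    ip, _, port = value.rpartition(":")
    return ip, int(port)


def map_mfe_to_esm(rec):
    """The page's table maps four fields; the port split is this example's addition."""
    src_ip, src_port = split_endpoint(rec["source"])
    dst_ip, dst_port = split_endpoint(rec["destination"])
    return {"Hostname": rec["computer"], "Protocol": rec["ip_protocol"],
            "Source IP": src_ip, "Source Port": src_port,
            "Destination IP": dst_ip, "Destination Port": dst_port}


if __name__ == "__main__":
    record = parse_mfe(SAMPLE)
    print(record["source_network"], "->", record["destination_network"], record["action"])
    print(map_mfe_to_esm(record))
```

Counting in from both ends is the usual fix for a positional format with one free-text field; if a log source can have two such fields, the format is ambiguous and a delimiter change on the sender (or a different export format) is the only reliable cure.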

McAfee MVISION Cloud

MVISION Cloud (Syslog)

Configure MVISION Cloud


Task

1. From the Enterprise Connector interface, go to Enterprise Integration → SIEM Integration.


2. Change the value of SIEM Server to ON.
3. Select Common Event Format (CEF).
4. Set the Syslog Protocol value to UDP.
5. For the Syslog Server value, enter the IP address of the McAfee Event Receiver.
6. For the Syslog Port value, type 514.
7. Change the value for Send Shadow service Anomalies to SIEM to All Anomalies.
8. Change the value for Send Sanctioned service Incidents to SIEM to All Incidents.
9. Click SAVE.

Add MVISION Cloud


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.

4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model MVISION Cloud

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Select this to require the Receiver to accept this source's syslog over TLS only. Leave it clear when the Enterprise Connector is configured to send over UDP, as in the procedure above.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL that can be opened to view event data for this data source (maximum of 512
characters). You open this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that identify this device when the ESM forwards its
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you
import those files to another Receiver automatically, Data is NitroFile is selected for each of the
data sources you are importing. If you import them manually, you must select this box for each
data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that
has a checksum file. If you import them manually, you must select it. The only exception is when
you are importing a data source file that doesn't have a checksum file, but you want to view it
anyway.

MVISION Cloud log format and field mapping


Log format
The expected format for this device is:

<PRIORITY>DATE TIME HOSTNAME CEF:0|DEVICE VENDOR|DEVICE PRODUCT|DEVICE VERSION|SIGNATURE ID|NAME|SEVERITY|KEY=VALUE KEY=VALUE KEY=VALUE…

Log sample
This is a sample log from MVISION Cloud:

<14>Feb 14 14:18:36 MHLABAP50 CEF:0|McAfee MVISION Cloud|Anomalies|4.1.0.1|CloudAccess|Alert.Policy|10|start=2001-01-01 01:01:01.0 suser=exampleUser dst=example riskLevel=Low anomalyType=Service Category

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

severity Severity

start First Time, Last Time

destinationHost Destination Hostname

suser (if IP address) Source IP

suser Source Username

Direction Direction

serviceName Service_Name

response Subtype

riscValue Reputation_Score

DeviceValue Operating_System
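The extension part of the CEF line above ("KEY=VALUE KEY=VALUE…") is the part that trips up naive parsers: a value such as anomalyType=Service Category contains spaces, so a value runs until the next " key=" token rather than the next space, and a pipe or equals sign inside a field arrives escaped as \| or \=. The Python below is an added example, not McAfee ESM parser code. It parses the syslog prefix, the seven pipe-delimited header fields and the extension of the sample above, then applies the field mapping table using the log field names exactly as the table prints them (including riscValue and DeviceValue). The names given to the header fields in the result, the facility/severity split of the syslog priority, and the rule that suser becomes Source IP only when it parses as an address are this example's own choices.

```python
"""Parse a MVISION Cloud CEF-over-syslog line and apply the field mapping table.
Added example, not McAfee ESM parser code."""
import ipaddress
import re

# <PRI>Mon dd hh:mm:ss host CEF:...   (the syslog timestamp carries no year)
_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (CEF:.*)$", re.S)
# An extension key sits at the start or after whitespace and is followed by '='.
# Requiring the preceding whitespace means an escaped '\=' inside a value never
# starts a new pair.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample, copied from the page's log sample.
SAMPLE = ("<14>Feb 14 14:18:36 MHLABAP50 CEF:0|McAfee MVISION Cloud|Anomalies|4.1.0.1|"
          "CloudAccess|Alert.Policy|10|start=2001-01-01 01:01:01.0 suser=exampleUser "
          "dst=example riskLevel=Low anomalyType=Service Category")


def _split_header(cef):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header does not have seven fields")
    return fields, cef[i:]


def _split_extension(ext):
    """Each value runs up to the next ' key=' token, so spaces inside values survive."""
    pairs = {}
    keys = list(_EXT_KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[m.end():end].strip()
        pairs[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(line):
    """Return syslog prefix, header fields and extension pairs of one CEF line."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a <PRI>timestamp host CEF:... line")
    pri = int(m.group(1))
    header, ext = _split_header(m.group(4))
    rec = dict(zip(HEADER_FIELDS, header))
    if rec["cef_version"].startswith("CEF:"):
        rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec.update(syslog_facility=pri >> 3, syslog_severity=pri & 7,
               syslog_time=m.group(2), syslog_host=m.group(3),
               extension=_split_extension(ext))
    return rec


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def map_cef_to_esm(rec):
    """Apply the MVISION Cloud mapping table; log field names as printed in the table."""
    ext = rec["extension"]
    esm = {"Severity": rec["severity"]}
    if "start" in ext:
        esm["First Time"] = esm["Last Time"] = ext["start"]
    if "suser" in ext:   # table: 'suser (if IP address)' -> Source IP, else Source Username
        esm["Source IP" if _is_ip(ext["suser"]) else "Source Username"] = ext["suser"]
    for key, esm_field in (("destinationHost", "Destination Hostname"),
                           ("Direction", "Direction"), ("serviceName", "Service_Name"),
                           ("response", "Subtype"), ("riscValue", "Reputation_Score"),
                           ("DeviceValue", "Operating_System")):
        if key in ext:
            esm[esm_field] = ext[key]
    return esm


if __name__ == "__main__":
    print(map_cef_to_esm(parse_cef(SAMPLE)))
```

The same parser is useful as a check on the sender: if the Enterprise Connector is switched from CEF to another format, or a custom field carries an unescaped pipe, the seven-field header check fails loudly instead of silently shifting every downstream ESM field by one.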

MVISION Cloud (API)

Add MVISION Cloud (API)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model MVISION Cloud (API)

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname Type the host name of the MVISION Cloud service, www.myshn.net, then click Look up beside
Hostname to fill in the IP Address field automatically.

Username/Password The user name and password used to pull MVISION Cloud data.

Authentication Hostname iam.mcafee-cloud.com

Field 1 shndlpapi

Use Proxy Enable to use proxy details for Proxy IP Address, Proxy Port, Proxy Username and
Proxy Password

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL that can be opened to view event data for this data source (maximum of 512
characters). You open this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that identify this device when the ESM forwards its
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you
import those files to another Receiver automatically, Data is NitroFile is selected for each of the
data sources you are importing. If you import them manually, you must select this box for each
data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that
has a checksum file. If you import them manually, you must select it. The only exception is when
you are importing a data source file that doesn't have a checksum file, but you want to view it
anyway.

McAfee MVISION EDR

Add McAfee MVISION EDR


Add the data source to a receiver.

The topics collected are BusinessEvents, case-mgmt-events, and threatEvents.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model MVISION EDR

Data Format Default

Data Retrieval API

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname Type the host name of the MVISION EDR server that you want to collect data from, then click
Look up to fill in the IP Address field automatically.

Consumer Group A string used to create the consumer that pulls the data from EDR. This can be any value you
choose, for example mvision_edr_siem or siem_edr.

Client ID/Client Secret Key The Client ID and Client Secret Key are obtained by following the onboarding for the
MVISION EDR Activity Feed. For details on generating these credentials, refer to MVISION EDR
Integrations.

Use Proxy If you select this, enter the proxy IP, port, and credentials.

Support Generic Syslogs Do nothing.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

McAfee MVISION EDR field mapping


This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

user UserIDDst

threat.threatType Threat_Category

threat.threatAttrs.path File_Path

threat.threatAttrs.name Threat_Name

threat.severity severity

threat.maGuid Object_GUID

threat.interpreterFileAttrs.name AppID

threat.eventType Event_Class

tenant-id src_guid

message.payload.user UserIDSrc

message.payload.case.url URL

message.payload.case.status Status

McAfee MVISION ePolicy Orchestrator

Configure McAfee MVISION ePO


Prepare MVISION ePO to send data to McAfee SIEM.

Task

1. In MVISION ePO, create a role for the SIEM. For more information on adding and assigning a role, see the MVISION ePO product documentation.


Note

Make sure the scope in Field 1 matches the permissions set for the user on the MVISION ePO. For more information, see the Add MVISION ePO topic.

2. Name the role api user.

Add MVISION ePO


Add MVISION ePO as a data source.

Task

1. Configure the data source according to the instructions on the Knowledge Center.
2. Select a receiver.
3. Click the Properties icon.
4. From the Receiver Properties window, select Data Sources.
5. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model MVISION ePO


Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address Automatically populated when you enter the Hostname and click Look up.

Hostname Region-based URL:

Region URL
United States arevents.mvision.mcafee.com
Singapore areventssgp.mvision.mcafee.com
Frankfurt areventsfrk.mvision.mcafee.com
Sydney areventssyd.mvision.mcafee.com

Authentication Hostname iam.mcafee-cloud.com

Username and Password Credentials you use to log on to mvision.mcafee.com


Note: Multi-factor authentication enabled accounts can't retrieve access tokens.

System Token 0oawz1wagXnxG7lUr2p6

Field 1 Corresponds to permissions granted to the user account used to access the events API in
MVISION ePO. Make sure the permissions you assign here match the permissions of the
MVISION ePO user.

• epo.evt.r maps to MVISION ePolicy Orchestrator: Reporting. Gives the user permissions to view Threat events.
• dp.im.r maps to Data Protection: Data Loss Prevention: View incident reports.
Gives the user permissions to view DLP incidents.
• ePO.admin maps to MVISION ePolicy Orchestrator: MVISION ePO Administrator.
Gives the user permissions to view both threat events and DLP incidents.
• epo.evt.r dp.im.r maps to MVISION ePolicy Orchestrator: Reporting and Data
Protection: Data Loss Prevention: View incident reports. Gives the user permissions
to view both Threat events and DLP incidents.

Use proxy Selected

Proxy IP Address IP address of the proxy server

Proxy Port 8080

Proxy Username and Proxy Password Credentials for logging on to the proxy server

Support Generic Syslogs Default

Generic Rule Assignment Default

Time Zone Time zone where the data originates


6. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list. See Configure zones in the ESM
Product Guide.

External data source link Automatically selected when you import events from another receiver. You can deselect the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.


Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

MVISION ePO log format and field mapping


Log format
The expected format for the log is:

{"detectedutc":{"name":"","type":"","value":""},"analyzermac":
{"name":"","type":"","value":""},"sourceprocessname":{"name":"","type":"","value":""},"eventtimelocal":
{"name":"","type":"","value":""},"sourceipv6":{"name":"","type":"","value":""},"sourceipv4":
{"name":"","type":"","value":""},"analyzerdetectionmethod":{"name":"","type":"","value":""},"targetusername":
{"name":"","type":"","value":""},"sourcehostname":{"name":"","type":"","value":""},"threatseverity":
{"name":"","type":"","value":""},"analyzer":{"name":"","type":"","value":""},"tenantid":
{"name":"","type":"","value":""},"nodepath":{"name":"","type":"","value":""},"threattype":
{"name":"","type":"","value":""},"threateventid":{"name":"","type":"","value":""},"targethostname":
{"name":"","type":"","value":""},"analyzerversion":{"name":"","type":"","value":""},"analyzerengineversion":
{"name":"","type":"","value":""},"agentguid":{"name":"","type":"","value":""},"targetfilename":
{"name":"","type":"","value":""},"threatactiontaken":{"name":"","type":"","value":""},"threatname":
{"name":"","type":"","value":""},"analyzerdatversion":{"name":"","type":"","value":""},"analyzername":
{"name":"","type":"","value":""},"threatcategory":{"name":"","type":"","value":""},"autoguid":
{"name":"","type":"","value":""},"targetipv6":{"name":"","type":"","value":""},"analyzeripv6":
{"name":"","type":"","value":""},"analyzeripv4":{"name":"","type":"","value":""},"analyzerhostname":
{"name":"","type":"","value":""},"targetipv4":{"name":"","type":"","value":""},"tenantguid":
{"name":"","type":"","value":""},"threathandled":{"name":"","type":"","value":""}}

Log sample

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999


Field mapping

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

McAfee MVISION Mobile

Configure McAfee MVISION Mobile


Prepare MVISION Mobile to send data to McAfee SIEM.

Task

Configure the data source according to the instructions on the Knowledge Center and the MVISION Mobile documentation.

Add McAfee MVISION Mobile


Add the data source to a receiver.

Before you begin


Get the system token, client key, and client secret token from McAfee Support.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor McAfee

Data Source Model MVISION Mobile

Data Format

Data Retrieval API

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address Automatically populated when you enter the Hostname and click Look up.

Hostname Region-based URL:

Region URL
United States arevents.mvision.mcafee.com
Singapore areventssgp.mvision.mcafee.com
Frankfurt areventsfrk.mvision.mcafee.com
Sydney areventssyd.mvision.mcafee.com

Authentication Hostname token.mcafee-mvision-mobile.com


System Token Contact McAfee Support

Client Key Contact McAfee Support

Client Secret Key Contact McAfee Support

Use proxy Proxy, if required by installation. Enter the IP, port, and credentials for the proxy server.

Support Generic Syslogs Parse as generic syslog

Generic Rule Assignment MVISION Mobile

Time Zone Time zone of the data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.


External data source link Automatically selected when you import events from another receiver. You can deselect the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

McAfee MVISION Mobile log format and field mapping


Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID


Log sample
This is a sample log from McAfee MVISION Mobile:

<14>1 07 22 2018 15:37:56 UTC zconsole {"system_token":"system_token-Value","severity":
3,"event_id":"event_id-Value","mitigated":true,"location":null,"eventtimestamp":"eventtimestamp-
Value","user_info":{"employee_name":"employee_name-Value","user_id":"user_id-Value","user_role":"user_role-
Value","user_email":"user_email-Value","user_group":"user_group-Value"},"device_info":
{"device_time":"device_time-Value","tag1":null,"tag2":null,"app":"app-Value","operator":null,"imei":"imei-
Value","zdid":"zdid-Value","app_version":"app_version-Value","zapp_instance_id":"zapp_instance_id-
Value","os":"os-Value","jailbroken":true,"os_version":"os_version-Value","model":"model-
Value","device_id":"device_id-Value","type":"type-Value"},"threat":{"story":"story-Value","name":"name-
Value","general":{"time_interval":"time_interval-Value","device_time":"device_time-
Value","attacker_ip":"attacker_ip-Value","network":"network-Value","external_ip":"external_ip-
Value","threat_type":"threat_type-Value","device_ip":"device_ip-Value","network_bssid":"network_bssid-
Value","action_triggered":"action_triggered-Value","attacker_mac":"attacker_mac-
Value","device_mac":"device_mac-Value"}}}
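An added example (not McAfee's code) that strips the syslog frame from the sample above, decodes its PRI value into facility and severity, and flattens the JSON payload into dotted keys; the frame layout is read off the sample itself, and the dotted key naming and the function names are this example's own choices.

```python
"""Added example (not McAfee's own code): unwrap the syslog-framed MVISION
Mobile event shown above into a flat dict keyed by dotted field paths."""
import json
import re
from typing import Any, Dict

# Frame seen in the sample: "<PRI>1 MM DD YYYY hh:mm:ss TZ <host> {json}".
# The timestamp layout is copied from the sample rather than RFC 5424, so it
# is captured literally instead of being parsed as an ISO date.
_FRAME_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\d{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} [A-Z]{3,4}) "
    r"(?P<host>\S+) (?P<body>\{.*\})\s*$",
    re.DOTALL,
)


def _flatten(obj: Any, prefix: str, out: Dict[str, Any]) -> None:
    """Recursively turn nested objects into dotted keys such as
    threat.general.attacker_ip (this naming is the example's convention)."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            _flatten(value, f"{prefix}{key}.", out)
    else:
        out[prefix[:-1]] = obj  # scalars, lists and empty objects are leaves


def parse_mvision_mobile_event(line: str) -> Dict[str, Any]:
    """Return the syslog header fields plus every JSON field, flattened.
    Raises ValueError for lines that are not framed like the sample."""
    match = _FRAME_RE.match(line)
    if not match:
        raise ValueError("line does not carry the expected syslog frame")
    pri = int(match.group("pri"))
    event: Dict[str, Any] = {
        "syslog.facility": pri >> 3,  # PRI = facility * 8 + severity
        "syslog.severity": pri & 7,
        "syslog.timestamp": match.group("ts"),
        "syslog.host": match.group("host"),
    }
    _flatten(json.loads(match.group("body")), "", event)
    return event


# Sample log from the page, joined onto a single line.
SAMPLE_LINE = (
    '<14>1 07 22 2018 15:37:56 UTC zconsole {"system_token":"system_token-Value",'
    '"severity":3,"event_id":"event_id-Value","mitigated":true,"location":null,'
    '"eventtimestamp":"eventtimestamp-Value","user_info":{"employee_name":'
    '"employee_name-Value","user_id":"user_id-Value","user_role":"user_role-Value",'
    '"user_email":"user_email-Value","user_group":"user_group-Value"},"device_info":'
    '{"device_time":"device_time-Value","tag1":null,"tag2":null,"app":"app-Value",'
    '"operator":null,"imei":"imei-Value","zdid":"zdid-Value","app_version":'
    '"app_version-Value","zapp_instance_id":"zapp_instance_id-Value","os":"os-Value",'
    '"jailbroken":true,"os_version":"os_version-Value","model":"model-Value",'
    '"device_id":"device_id-Value","type":"type-Value"},"threat":{"story":"story-Value",'
    '"name":"name-Value","general":{"time_interval":"time_interval-Value",'
    '"device_time":"device_time-Value","attacker_ip":"attacker_ip-Value",'
    '"network":"network-Value","external_ip":"external_ip-Value","threat_type":'
    '"threat_type-Value","device_ip":"device_ip-Value","network_bssid":'
    '"network_bssid-Value","action_triggered":"action_triggered-Value",'
    '"attacker_mac":"attacker_mac-Value","device_mac":"device_mac-Value"}}}'
)

if __name__ == "__main__":
    for key, value in parse_mvision_mobile_event(SAMPLE_LINE).items():
        print(f"{key:32} {value!r}")
```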

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

McAfee Network Security Manager

Add McAfee Network Security Manager (syslog delivery)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor McAfee

Data Source Model McAfee Network Security

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

McAfee Network Security Manager (syslog) log format and field mapping

Log format
The expected format for this device is:

<SyslogForwarderType>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID|ATTACK_SEVERITY|
ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|
DESTINATION_PORT|CATEGORY|SUB_CATEGORY|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|
NETWORK_PROTOCOL|RELEVANCE|QUARANTINE_END_TIME|MCAFEE_NAC_FORWARDED_STATUS|MCAFEE_NAC_MANAGED_STATUS|
MCAFEE_NAC_ERROR_STATUS|MCAFEE_NAC_ACTION_STATUS|SENSOR_CLUSTER_MEMBER|ALERT_ID|ATTACK_COUNT|VLAN_ID|
LAYER_7_DATA|VLAN_ID|PROTECTION_CATEGORY|SOURCE_VM_NAME|TARGET_VM_NAME|SOURCE_VM_ESX_NAME|TARGET_VM_ESX_NAME|
PROXY_SERVER_IP|

Log sample
This is a sample log from a McAfee Network Security Manager device:

Oct 14 10:24:36 SyslogAlertForwarder: |1234567891234567891|Signature|2014-10-14 10:24:32 EST|"P2P: BitTorrent Meta-Info
Retrieving"|0x32c020a0|Medium|catch-most|Low|Exmaple|SENSR600A|3A-3B|123.234.128.64|24680|64.65.66.67|42356|
PolicyViolation|restricted-application|Inbound|Blocked|signature|N/A|udp|

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

ATTACK_TIME firsttime, lasttime

ATTACK_NAME Message

ATTACK_ID Signature ID

ATTACK_SEVERITY Severity

ADMIN_DOMAIN Domain

SENSOR_NAME Hostname

INTERFACE Interface

SOURCE_IP Source IP

SOURCE_PORT Source Port

DESTINATION_IP Destination IP

DESTINATION_PORT Destination Port

CATEGORY Category

SUB_CATEGORY Application

DIRECTION Direction

RESULT_STATUS Action

NETWORK_PROTOCOL Protocol
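An added example (not McAfee's code) that splits the forwarder format above into named positional fields and applies the mapping table to produce ESM field names, run over the page's own sample log. The field order and the mapping dictionary are transcribed from the page; the names NSM_SYSLOG_FIELDS, ESM_FIELD_MAP, the VLAN_ID_2 slot for the duplicated VLAN_ID position, and the treatment of records shorter than the full layout are this example's own choices.

```python
"""Added example (not McAfee's own code): parse an NSM SyslogAlertForwarder
record and map it to ESM field names using the documented mapping table."""
import re
from typing import Dict, List, Optional

# Positional field names in the order given by the documented format.  The
# format lists VLAN_ID twice; the second slot is named VLAN_ID_2 here so that
# every position keeps a distinct key.
NSM_SYSLOG_FIELDS: List[str] = [
    "SENSOR_ALERT_UUID", "ALERT_TYPE", "ATTACK_TIME", "ATTACK_NAME", "ATTACK_ID",
    "ATTACK_SEVERITY", "ATTACK_SIGNATURE", "ATTACK_CONFIDENCE", "ADMIN_DOMAIN",
    "SENSOR_NAME", "INTERFACE", "SOURCE_IP", "SOURCE_PORT", "DESTINATION_IP",
    "DESTINATION_PORT", "CATEGORY", "SUB_CATEGORY", "DIRECTION", "RESULT_STATUS",
    "DETECTION_MECHANISM", "APPLICATION_PROTOCOL", "NETWORK_PROTOCOL", "RELEVANCE",
    "QUARANTINE_END_TIME", "MCAFEE_NAC_FORWARDED_STATUS", "MCAFEE_NAC_MANAGED_STATUS",
    "MCAFEE_NAC_ERROR_STATUS", "MCAFEE_NAC_ACTION_STATUS", "SENSOR_CLUSTER_MEMBER",
    "ALERT_ID", "ATTACK_COUNT", "VLAN_ID", "LAYER_7_DATA", "VLAN_ID_2",
    "PROTECTION_CATEGORY", "SOURCE_VM_NAME", "TARGET_VM_NAME", "SOURCE_VM_ESX_NAME",
    "TARGET_VM_ESX_NAME", "PROXY_SERVER_IP",
]

# NSM log field -> ESM field(s), transcribed from the mapping table above.
ESM_FIELD_MAP: Dict[str, tuple] = {
    "ATTACK_TIME": ("firsttime", "lasttime"),
    "ATTACK_NAME": ("Message",),
    "ATTACK_ID": ("Signature ID",),
    "ATTACK_SEVERITY": ("Severity",),
    "ADMIN_DOMAIN": ("Domain",),
    "SENSOR_NAME": ("Hostname",),
    "INTERFACE": ("Interface",),
    "SOURCE_IP": ("Source IP",),
    "SOURCE_PORT": ("Source Port",),
    "DESTINATION_IP": ("Destination IP",),
    "DESTINATION_PORT": ("Destination Port",),
    "CATEGORY": ("Category",),
    "SUB_CATEGORY": ("Application",),
    "DIRECTION": ("Direction",),
    "RESULT_STATUS": ("Action",),
    "NETWORK_PROTOCOL": ("Protocol",),
}

# Syslog prefix as in the sample: "Mon DD hh:mm:ss <ForwarderType>: |<body>".
_HEADER_RE = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<forwarder>[^:|]+): \|(?P<body>.*)$"
)


def parse_nsm_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one forwarded alert into named fields, or return None when the
    line lacks the documented prefix.  A record shorter than the full layout
    (the sample stops at NETWORK_PROTOCOL) yields None for the trailing
    fields; extra trailing values are ignored rather than shifting earlier ones."""
    match = _HEADER_RE.match(line.strip())
    if not match:
        return None
    body = match.group("body")
    if body.endswith("|"):  # the format ends with a separator
        body = body[:-1]
    values = body.split("|")
    record: Dict[str, Optional[str]] = {
        "SYSLOG_TIME": match.group("syslog_time"),
        "FORWARDER_TYPE": match.group("forwarder"),
    }
    for index, name in enumerate(NSM_SYSLOG_FIELDS):
        value = values[index].strip() if index < len(values) else None
        # Free-text fields such as ATTACK_NAME arrive wrapped in double quotes.
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record[name] = value
    return record


def to_esm_fields(record: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Apply the mapping table; unmapped or empty NSM fields are dropped."""
    esm: Dict[str, str] = {}
    for nsm_name, esm_names in ESM_FIELD_MAP.items():
        value = record.get(nsm_name)
        if value:
            for esm_name in esm_names:
                esm[esm_name] = value
    return esm


# Sample log from the page, joined onto one line.
SAMPLE_LINE = (
    'Oct 14 10:24:36 SyslogAlertForwarder: |1234567891234567891|Signature|'
    '2014-10-14 10:24:32 EST|"P2P: BitTorrent Meta-Info Retrieving"|0x32c020a0|'
    'Medium|catch-most|Low|Exmaple|SENSR600A|3A-3B|123.234.128.64|24680|'
    '64.65.66.67|42356|PolicyViolation|restricted-application|Inbound|Blocked|'
    'signature|N/A|udp|'
)

if __name__ == "__main__":
    parsed = parse_nsm_syslog(SAMPLE_LINE)
    for name, value in to_esm_fields(parsed).items():
        print(f"{name:17} {value}")
```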


Add McAfee Network Security Manager as a device (SQL pull)

Before you begin
Set up a McAfee Network Security Manager user account with access to the INFORMATION_SCHEMA.TABLE.

Task

1. In the System Navigation Tree, select the Local ESM node or a group where you want to add the device.
2. Click the Add Device icon.
3. Select Network Security Manager (v7.1.3 or newer), then click Next.
4. Enter a name that is unique in this group for the NSM device in the Device Name field, then click Next.
5. In the Add Device Wizard, select the McAfee Event Receiver to associate this device with.
6. Enter the credentials to log on to the NSM device's web interface/API, then click Next.
7. Enter the target IP address or URL.
8. Enter the target SSH port number. Ensure that it is valid to be used with the specified IP address.
9. Add the user name, password, and an optional database name for the device.
10. Click Next. The ESM tests device communication and reports on the status of the connection. You can open System
Properties after successfully keying the device.

Add McAfee Network Security Manager as a data source (SQL pull)

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model Network Security Manager – SQL Pull (ASP)


Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

User Name <User name set up on NSM for pulling from the database>

Password <Password set up on NSM for pulling from the database>

Port <Default is 3306>

Database Name <The name assigned when the database was set up>

Version <Version of NSM>

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.


Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

McAfee Network Security Manager (SQL pull) log format and field mapping

Log format
The expected format for this device is:

creationTime=" date time " alertType="…" category="…" subCategory="…" detectionMethod="…" attackId=" # "
attackName="…" severity=" # " alertCount=" # " sourceIPAddr="…" sourcePort=" # " targetIPAddr="…"
targetPort=" # " sourceUserId="…" destinationUserId="…"

Log sample
This is a sample of a log from the McAfee Network Security Manager device after SQL pull.

creationTime="2012-06-22 19:37:01" alertType="Signature" category="Exploit" subCategory="Buffer Overflow"
detectionMethod="Signature" attackId="4255775" attackName="IRC: mIRC Userhost Buffer Overflow" severity="7"
alertCount="1" sourceIPAddr="6FA2A653" sourcePort="6667" targetIPAddr="550D1EC1" targetPort="1041"
sourceUserId="0" destinationUserId="0"

Mappings
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

creationTime firsttime, lasttime

alerttype Object Type

category + subcategory Subject

detectionMethod Method


attackId Signature ID

attackName Message (smart learned if unknown)

severity severity plus a zero appended

alertCount Event Count

sourceIPAddr Source IP

sourcePort Source Port

targetIPAddr Destination IP

targetPort Destination Port

sourceUserId Source Username

destinationUserId Destination Username

result Action

appName Application
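An added example (not McAfee's code) that parses the key="value" record above and applies the mapping table, including the severity rule (a zero appended, so 7 becomes 70) and the absence of optional keys such as result and appName. Two points are assumptions of this example rather than statements of the page: that the 8-hex-digit sourceIPAddr/targetIPAddr values in the sample are packed IPv4 addresses, and that Subject joins category and subCategory with ": ".

```python
"""Added example (not McAfee's own code): parse the NSM SQL-pull record
format and map it to the ESM fields listed in the mapping table."""
import ipaddress
import re
from typing import Any, Dict

# key="value" pairs; values may contain spaces but not double quotes.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sql_pull_record(text: str) -> Dict[str, str]:
    """Return the record as a dict.  Keys are lower-cased because the page
    spells the same field as alertType in the format and alerttype in the table."""
    return {key.lower(): value for key, value in _PAIR_RE.findall(text)}


def decode_ipv4(value: str) -> str:
    """ASSUMPTION of this example: an 8-hex-digit address (6FA2A653 in the
    sample) is a packed big-endian IPv4 address.  Anything else, including a
    dotted quad, is returned unchanged."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", value):
        return str(ipaddress.IPv4Address(int(value, 16)))
    return value


def sql_pull_to_esm(record: Dict[str, str]) -> Dict[str, Any]:
    """Apply the documented mapping.  Keys missing from the record (for
    example result and appName, which the sample lacks) are not emitted."""
    esm: Dict[str, Any] = {}

    def put(esm_name: str, value: Any) -> None:
        if value not in (None, ""):
            esm[esm_name] = value

    put("firsttime", record.get("creationtime"))
    put("lasttime", record.get("creationtime"))
    put("Object Type", record.get("alerttype"))
    # category + subcategory -> Subject; the ": " separator is this example's choice.
    parts = [p for p in (record.get("category"), record.get("subcategory")) if p]
    put("Subject", ": ".join(parts))
    put("Method", record.get("detectionmethod"))
    put("Signature ID", record.get("attackid"))
    put("Message", record.get("attackname"))
    # "severity plus a zero appended": 7 becomes 70.
    severity = record.get("severity")
    if severity is not None and severity.isdigit():
        put("severity", int(severity + "0"))
    count = record.get("alertcount")
    if count is not None and count.isdigit():
        put("Event Count", int(count))
    if "sourceipaddr" in record:
        put("Source IP", decode_ipv4(record["sourceipaddr"]))
    put("Source Port", record.get("sourceport"))
    if "targetipaddr" in record:
        put("Destination IP", decode_ipv4(record["targetipaddr"]))
    put("Destination Port", record.get("targetport"))
    put("Source Username", record.get("sourceuserid"))
    put("Destination Username", record.get("destinationuserid"))
    put("Action", record.get("result"))
    put("Application", record.get("appname"))
    return esm


# Sample record from the page, joined onto one line.
SAMPLE_RECORD = (
    'creationTime="2012-06-22 19:37:01" alertType="Signature" category="Exploit" '
    'subCategory="Buffer Overflow" detectionMethod="Signature" attackId="4255775" '
    'attackName="IRC: mIRC Userhost Buffer Overflow" severity="7" alertCount="1" '
    'sourceIPAddr="6FA2A653" sourcePort="6667" targetIPAddr="550D1EC1" targetPort="1041" '
    'sourceUserId="0" destinationUserId="0"'
)

if __name__ == "__main__":
    for name, value in sql_pull_to_esm(parse_sql_pull_record(SAMPLE_RECORD)).items():
        print(f"{name:21} {value}")
```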

McAfee Network Threat Response

Configure McAfee Network Threat Response


Task

A McAfee Network Threat Response API user name and password must be generated on the Network Threat Response Device.
See the Network Threat Response documentation for instructions about how to set up the user name and password.

Add McAfee Network Threat Response


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model Network Threat Response (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

User ID This is the user name generated in step 3.1.

Password Password that was generated in step 3.1.

Sensor Groups Click Retrieve to get a list of sensor groups from NTR. Select at least one sensor group to
write out the data source.

Port Leave as default of 8443.


Connect Tests connection to data source.

Time Zone Time zone of data being collected.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in Use this option when you are exporting raw data source data.
NitoFile
format

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 179
4| Configuring McAfee data sources

Option Definition

Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Associate sensor groups with McAfee Network Threat Response

After adding an NTR data source, you can add, edit, or remove sensor groups.

Task

1. Navigate to Receiver Properties.
2. Select the NTR data source.
3. Click Clients.
From this screen you can see the sensor groups associated with the NTR data source, as well as add, edit, or remove them.

McAfee Network Threat Response field mapping


Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

NTR log fields McAfee ESM fields

Eventtime Firsttime

Eventtime Lasttime

Sip Source IP

Dip Destination IP

Dport Destination Port

Protocol Application_Protocol

incidentId Incident_ID

Filename Filename

Size File_Size

Host Hostname

Behavior Object

victimIP Victim_IP

attackerIP Attacker_IP

url URL

incidentNTRURL Device_URL

Reputation Reputation_Name

Urlcategory URL_Category

Enginelist Engine_List

Dirtiness Reputation_Name

fileType File_Type

Sigcategory Category

Sha1 Sha1

Md5 File_Hash

Incidentid Incident_ID

Hostname hostname

Sport Source Port

McAfee Risk Advisor

Enable McAfee Risk Advisor data acquisition


Task

1. From the ESM device tree, select the McAfee ePO device, then click the Properties icon just above the device tree.
2. Select Device Management from the left side of the ePO Properties window, then click Enable for Enable MRA.

A window shows that the MRA configuration process started, which means that MRA acquisition is enabled.

3. Click OK.

Integrate McAfee Risk Advisor


You can get McAfee Risk Advisor data from multiple McAfee ePO servers.

The data comes via a database query from the McAfee ePO SQL Server database. The database query returns an IP address
reputation score list. Constant values for the low reputation and high reputation values are provided. All returned McAfee ePO
and McAfee Risk Advisor reputation lists are merged in ESM, with duplicate IP addresses retaining the highest score. The merged
reputation list is sent to McAfee ACE devices and used in scoring risk for Source IP and Destination IP fields.

When you add McAfee ePO to ESM, you are prompted to configure McAfee Risk Advisor data. When you click Yes, a data
enrichment source and two McAfee ACE scoring rules (if applicable) are created and added to the policy.

For more information about data enrichment and risk correlation scoring, see the McAfee Enterprise Security Manager Product
Guide.

Note

A risk correlation manager must be created to use the McAfee ACE scoring rules.

McAfee Threat Intelligence Exchange

Configure McAfee Threat Intelligence Exchange


Set McAfee Threat Intelligence Exchange (TIE) permissions for SIEM in McAfee ePolicy Orchestrator.

TIE data is collected when a McAfee ePO is added as a device with Enable DXL selected. For more information, see the Add McAfee ePolicy Orchestrator as a device topic.

Task

1. Log on to McAfee ePO as an Administrator.
2. Select Server Settings → DXL Topic Authorizations.
3. Under the TIE Server Reputation Notification group, click Edit and set the following:

Note

Make sure that the Receive column has All Systems or a Tag that is specific to the selected McAfee Event Receiver (ERC).

a. Select the TIE Server Reputation Notification checkbox.
b. Select Actions → Restrict Receive Tags.
c. Use a Tag specific to the ERC, or deselect all to allow all systems to get notifications.
4. Select Server Tasks and run the Manage DXL Brokers task.
5. Perform the Wake Up Agent task on the ERC from the McAfee ePO console.
6. With an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop and NitroStart.
The TIE events are displayed in the SIEM GUI after 10-15 minutes.

McAfee Threat Intelligence Exchange log format and field mapping

Log sample
A sample log from McAfee TIE device:

{"detectionTime":1626974834,"remediationAction":2,"localReputation":0,"hashes":[{"type":"sha1",
"value":"ABCDMFzOXXIUIHpOl4i3WWg1234="},{"type":"md5","value":"abcdveqbRAUWAfzzV81234=="}]}

Field mapping
The mapping between the data source and McAfee ESM fields.

McAfee ePO TIE Certificate Reputation Change

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

oldReputations trustLevel Old_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

newReputations trustLevel New_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

McAfee ePO TIE File Detection

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

agentGuid Source GUID

remediationAction Device_Action, Action

localReputation New_Reputation.TIE_File

detectionTime firsttime, lasttime

filename Filename

McAfee ePO TIE File First Instance

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

agentGuid Source GUID

filename Filename

McAfee ePO TIE File Reputation Change

Log fields McAfee ESM fields

md5 File_Hash

sha1 SHA1

sha256 SHA256

oldReputations trustLevel Old_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)

newReputations trustLevel New_Reputation.(GTI_File, GTI_Cert, TIE_File, TIE_Cert, or ATD_File)
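
The log sample above is a File Detection event, so its keys line up with the McAfee ePO TIE File Detection table. The following Python mapper is an added example, not McAfee or ESM code: it walks the `hashes` list into File_Hash/SHA1/SHA256, turns `detectionTime` into firsttime/lasttime, and copies `remediationAction` and `localReputation` to the fields the table names. Decoding the base64 digests to hex, and rejecting a digest whose decoded length does not fit its declared type, are assumptions made here so the hashes can be compared with values from other tools; the page says nothing about how ESM stores them, and it gives no code-to-name table for `remediationAction`, so that value is kept numeric.

```python
"""Map a McAfee TIE File Detection event (JSON over DXL) onto ESM fields.

Added example, not McAfee or ESM code. JSON keys and ESM field names come
from the File Detection mapping table; hex conversion and digest length
checks are assumptions made here.
"""
import base64
import json
from datetime import datetime, timezone

# Constructed sample: the log sample from the page, joined into one string.
SAMPLE_EVENT = (
    '{"detectionTime":1626974834,"remediationAction":2,"localReputation":0,'
    '"hashes":[{"type":"sha1","value":"ABCDMFzOXXIUIHpOl4i3WWg1234="},'
    '{"type":"md5","value":"abcdveqbRAUWAfzzV81234=="}]}'
)

# Hash type -> ESM field, from the "McAfee ePO TIE File Detection" table.
HASH_FIELDS = {"md5": "File_Hash", "sha1": "SHA1", "sha256": "SHA256"}

# Expected digest lengths in bytes; a mismatch means the value is not the
# digest type it claims to be, so it is rejected rather than stored.
DIGEST_LENGTHS = {"md5": 16, "sha1": 20, "sha256": 32}


def decode_digest(hash_type: str, value: str) -> str:
    """Decode a base64 digest and return it as lowercase hex.

    Raises ValueError when the decoded length does not match the hash type.
    """
    raw = base64.b64decode(value)
    expected = DIGEST_LENGTHS[hash_type]
    if len(raw) != expected:
        raise ValueError(
            f"{hash_type} digest is {len(raw)} bytes, expected {expected}")
    return raw.hex()


def map_tie_file_detection(event_json: str) -> dict:
    """Return the ESM field dictionary for one TIE File Detection event."""
    event = json.loads(event_json)
    esm = {}

    # detectionTime is epoch seconds -> firsttime and lasttime (same value).
    if "detectionTime" in event:
        ts = datetime.fromtimestamp(event["detectionTime"], tz=timezone.utc)
        esm["firsttime"] = ts
        esm["lasttime"] = ts

    if "agentGuid" in event:
        esm["Source GUID"] = event["agentGuid"]
    if "filename" in event:
        esm["Filename"] = event["filename"]

    # remediationAction feeds both Device_Action and Action; the page gives
    # no code-to-name table, so the numeric value is kept as-is.
    if "remediationAction" in event:
        esm["Device_Action"] = event["remediationAction"]
        esm["Action"] = event["remediationAction"]

    if "localReputation" in event:
        esm["New_Reputation.TIE_File"] = event["localReputation"]

    # hashes is a list of {"type", "value"}; unknown hash types are ignored.
    for entry in event.get("hashes", []):
        hash_type = entry.get("type", "").lower()
        field = HASH_FIELDS.get(hash_type)
        if field is None:
            continue
        esm[field] = decode_digest(hash_type, entry["value"])

    return esm


if __name__ == "__main__":
    for field, value in map_tie_file_detection(SAMPLE_EVENT).items():
        print(f"{field:28} {value}")
```

Running the block prints one ESM field per line for the sample; the sha1 value decodes to 20 bytes and the md5 to 16, which is how the length check also catches a feed that labels a digest with the wrong type.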

McAfee UTM Firewall

Configure McAfee UTM Firewall


Task

1. From the System menu, select Diagnostics | System Log tab | Remote Syslog tab.
2. Select Enable Remote Logging.
3. Enter the IP address or DNS host name for the McAfee Event Receiver in the Remote Host field.
4. Enter the Remote Port where the McAfee Event Receiver is listening for syslog messages. Typically, the default is correct.
5. Set the Filter Level to only send syslog messages at this level or higher.
6. (Optional) To force a more precise and standardized time stamp with every message, select Include extended ISO date.
The date is prepended to syslog messages before being sent.
7. Click Submit.

Add McAfee UTM Firewall


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model UTM Firewall (ASP)

Data Format Default

Data Retrieval Default

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask Default

Require Syslog TLS Leave unchecked

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Use this option when you are exporting raw data source data.

Data is NitroFile format   Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

McAfee UTM Firewall log format and field mapping


Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a McAfee UTM Firewall device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP
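
The expected format lists 23 space-separated fields, but the sample carries 24 tokens because the source network name "Local Host" contains a space, so a plain split misaligns every field after it. The following parser is an added example, not McAfee's parser: it takes the seven leading and fifteen trailing fields by position and leaves whatever sits between them as the source network, then projects the four fields from the mapping table onto ESM. That only the source network may contain spaces is an assumption made here; splitting the port off Source IP and Destination IP is also an addition, using the Source Port and Destination Port ESM field names that appear elsewhere in this guide.

```python
"""Parse a McAfee UTM Firewall proxy log line and map it onto ESM fields.

Added example, not McAfee code. Field order comes from the expected format
on the page; the assumption made here is that only the source network name
may contain spaces, so the trailing fields are anchored from the end.
"""

# Field names in the order given by the expected format on the page.
LEADING_FIELDS = [
    "computer", "date", "time", "ip_protocol", "source", "destination",
    "original_client_ip",
]
TRAILING_FIELDS = [
    "destination_network", "action", "status", "rule", "application_protocol",
    "bytes_sent", "bytes_sent_intermediate", "bytes_received",
    "bytes_received_intermediate", "connection_time",
    "connection_time_intermediate", "username", "agent", "session_id",
    "connection_id",
]

# Log field -> ESM field, from the field mapping table.
ESM_MAPPING = {
    "computer": "Hostname",
    "ip_protocol": "Protocol",
    "source": "Source IP",
    "destination": "Destination IP",
}

# Constructed sample: the log sample from the page.
UTM_SAMPLE = (
    "SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 "
    "192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - "
    "255594 1555999"
)


def parse_utm_line(line: str) -> dict:
    """Split one log line into a dict keyed by the page's field names."""
    tokens = line.split()
    minimum = len(LEADING_FIELDS) + 1 + len(TRAILING_FIELDS)
    if len(tokens) < minimum:
        raise ValueError(f"expected at least {minimum} fields, got {len(tokens)}")
    record = dict(zip(LEADING_FIELDS, tokens[:len(LEADING_FIELDS)]))
    record.update(zip(TRAILING_FIELDS, tokens[-len(TRAILING_FIELDS):]))
    # Everything between the fixed head and tail is the (possibly multi-word)
    # source network name, e.g. "Local Host" in the sample.
    record["source_network"] = " ".join(
        tokens[len(LEADING_FIELDS):len(tokens) - len(TRAILING_FIELDS)])
    return record


def split_host_port(value: str):
    """Split "ip:port" into (ip, port); port is None when absent."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host, int(port)


def utm_to_esm(record: dict) -> dict:
    """Project the parsed record onto ESM fields. The log carries the port
    inside the address field, so it is split off into Source/Destination Port
    (an addition made here; the table itself lists only the IP fields)."""
    esm = {}
    for log_field, esm_field in ESM_MAPPING.items():
        value = record[log_field]
        if esm_field in ("Source IP", "Destination IP"):
            ip, port = split_host_port(value)
            esm[esm_field] = ip
            if port is not None:
                esm[esm_field.replace(" IP", " Port")] = port
        else:
            esm[esm_field] = value
    return esm


if __name__ == "__main__":
    rec = parse_utm_line(UTM_SAMPLE)
    print(rec["source_network"], "|", rec["destination_network"])
    print(utm_to_esm(rec))
```

If a line ever carries a multi-word destination network as well, the head-and-tail approach cannot tell where one name ends and the other begins; a parser for that case would need the device's own delimiter convention, which the page does not give.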

McAfee Web Gateway

Configure McAfee Web Gateway


Prepare the data source to send events to McAfee ESM.

Task

1. Configure the syslog daemon.
a. In File Editor, open the syslog daemon configuration file.
b. Locate the line similar to *.info;mail.none;authpriv.none;cron.none /var/log/messages and replace it with *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages.
This prevents messages from being written to the /var/log/messages file, which could fill the /var partition.
c. At the end of the file, add the line daemon.info;auth.=info @<syslog server IP address>:514.
2. Create a rule to send all access log data to the syslog server.
3. Create a rule to send the logline to syslog.
4. Download and install the McAfee SIEM (Nitro) logging ruleset and the CEF syslog format ruleset.
5. If you want to send audit logs to syslog, click Configuration → Appliances → Log File Manager → Settings for the Audit Log and select Write audit log to syslog.
Audit events are sent using the auth facility at the informational severity (6), so your rsyslog configuration would specify auth.=info.

Add McAfee Web Gateway


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Format Default

Data Retrieval Default

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device

Syslog Relay None

Mask Default

Require Syslog TLS Leave unchecked

Support Generic Syslogs Do nothing

Time Zone The time zone where the data source device is located

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Use this option when you are exporting raw data source data.

Data is NitroFile format   Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

McAfee SaaS Web Protection log format and field mapping


Log sample

{"application_type": "", "block_reason": "", "category": "Business", "client_ip": "10.0.0.240",
"client_to_server_bytes": "730", "destination_ip": "13.43.90.74", "destination_port": "443", "http_action":
"GET", "http_status_code": "200", "last_rule": "Block If Virus was Found", "location": "", "media_type":
"text/plain", "process_name": "microsoftedgecp.exe", "reputation": "Minimal Risk", "request_timestamp":
"2020-03-27 00:00:00", "request_timestamp_epoch": "1585267200", "requested_host": "support.frescologic.com",
"requested_path": "/portal/api/products/search", "result": "OBSERVED", "server_to_client_bytes": "414",
"source_ip": "73.42.8.13", "uri_scheme": "https", "user_agent_comment": "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134",
"user_agent_product": "Edge", "user_agent_version": "17.17134", "user_id": "peastre", "username": "grn\\rmitche",
"virus": ""}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

uri_scheme Application_Protocol

client_to_server_bytes Bytes_from_Client

server_to_client_bytes Bytes_from_Server

http_action CommandID

source_ip src_ip

destination_ip dst_ip

requested_host Destination_Hostname

Username Destination_UserID

application_type External_Application

request_timestamp_epoch firsttime,lasttime

process_name Process_Name

http_status_code Response_Code

user_id UserIDSrc

Virus Threat_Name

requested_path URL

Category URL_Category

Result action

result severity

request_timestamp_epoch firsttime

request_timestamp_epoch lasttime

McAfee Web Gateway Cloud Service

Configure McAfee Web Gateway Cloud Service


Prepare McAfee Web Gateway Cloud Service to send data to McAfee SIEM.

Task

See the McAfee Web Gateway Cloud Service Installation Guide for instructions.

Add a McAfee Web Gateway Cloud Service data source


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor McAfee

Data Source Model SaaS Web Protection

Data Format Default

Data Retrieval API

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Username/Password The user credentials for McAfee ePO Cloud.

Customer ID Your McAfee ePO Cloud customer ID. You can find it under Web Protection → Getting
Started.

Use Proxy If selected, enter the IP address, port, and user credentials for the proxy.

Time Zone The time zone where the host device is located.

Support Generic Syslog Do Nothing

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Use this option when you are exporting raw data source data.

Data is NitroFile format   Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

McAfee Web Gateway Cloud Service field mapping


This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

uri_scheme Application_Protocol

client_to_server_bytes Bytes_from_Client

server_to_client_bytes Bytes_from_Server

http_action CommandID

source_ip src_ip

destination_ip dst_ip

requested_host Destination_Hostname

Username Destination_UserID

application_type External_Application

request_timestamp_epoch firsttime,lasttime

process_name Process_Name

http_status_code Response_Code

user_id UserIDSrc

Virus Threat_Name

requested_path URL

Category URL_Category

Result action

result severity

request_timestamp_epoch firsttime

request_timestamp_epoch lasttime
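
This table and the one under "McAfee SaaS Web Protection log format and field mapping" list the same key-to-field pairs, and the JSON log sample given there is the input both describe. The following Python mapper is an added example, not McAfee code, that serves both passages: it applies the table to a record, feeds `result` into both action and severity as the table says, and turns `request_timestamp_epoch` into firsttime and lasttime. Three choices are made here and are not stated on the page: empty strings are treated as absent (so an empty `virus` produces no Threat_Name), byte counts and the HTTP status are cast to integers, and the DOMAIN\user form seen in the sample's `username` can be split with a helper.

```python
"""Map a McAfee SaaS Web Protection / Web Gateway Cloud Service JSON record
onto ESM fields using the page's mapping table.

Added example, not McAfee code. Keys and ESM field names come from the
table; treating "" as absent, casting numeric strings and the domain\\user
split are assumptions made here.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the page's log sample, abridged to one JSON object
# (the long user_agent_comment value is omitted; the table does not use it).
SAMPLE_RECORD = (
    r'{"application_type": "", "block_reason": "", "category": "Business", '
    r'"client_ip": "10.0.0.240", "client_to_server_bytes": "730", '
    r'"destination_ip": "13.43.90.74", "destination_port": "443", '
    r'"http_action": "GET", "http_status_code": "200", '
    r'"last_rule": "Block If Virus was Found", "location": "", '
    r'"media_type": "text/plain", "process_name": "microsoftedgecp.exe", '
    r'"reputation": "Minimal Risk", "request_timestamp": "2020-03-27 00:00:00", '
    r'"request_timestamp_epoch": "1585267200", '
    r'"requested_host": "support.frescologic.com", '
    r'"requested_path": "/portal/api/products/search", "result": "OBSERVED", '
    r'"server_to_client_bytes": "414", "source_ip": "73.42.8.13", '
    r'"uri_scheme": "https", "user_agent_product": "Edge", '
    r'"user_agent_version": "17.17134", "user_id": "peastre", '
    r'"username": "grn\\rmitche", "virus": ""}'
)

# JSON key -> ESM field, straight from the mapping table.
FIELD_MAP = {
    "uri_scheme": "Application_Protocol",
    "client_to_server_bytes": "Bytes_from_Client",
    "server_to_client_bytes": "Bytes_from_Server",
    "http_action": "CommandID",
    "source_ip": "src_ip",
    "destination_ip": "dst_ip",
    "requested_host": "Destination_Hostname",
    "username": "Destination_UserID",
    "application_type": "External_Application",
    "process_name": "Process_Name",
    "http_status_code": "Response_Code",
    "user_id": "UserIDSrc",
    "virus": "Threat_Name",
    "requested_path": "URL",
    "category": "URL_Category",
}
# Fields the feed delivers as numeric strings; cast so ESM-side arithmetic works.
INTEGER_FIELDS = {"Bytes_from_Client", "Bytes_from_Server", "Response_Code"}


def map_saas_web_record(record_json: str) -> dict:
    """Return the ESM field dictionary for one JSON record."""
    record = json.loads(record_json)
    esm = {}
    for key, esm_field in FIELD_MAP.items():
        value = record.get(key, "")
        if value == "":
            continue  # this feed uses "" for "not present"; skip it
        if esm_field in INTEGER_FIELDS:
            value = int(value)
        esm[esm_field] = value

    # result feeds both action and severity per the table; the page gives no
    # translation table, so the raw string is stored in both.
    result = record.get("result")
    if result:
        esm["action"] = result
        esm["severity"] = result

    # request_timestamp_epoch -> firsttime and lasttime (same value, UTC).
    epoch = record.get("request_timestamp_epoch")
    if epoch:
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        esm["firsttime"] = ts
        esm["lasttime"] = ts
    return esm


def split_domain_user(value: str):
    """Split "DOMAIN\\user" into (domain, user); domain is None when absent."""
    domain, sep, user = value.partition("\\")
    if not sep:
        return None, value
    return domain, user


if __name__ == "__main__":
    for field, value in map_saas_web_record(SAMPLE_RECORD).items():
        print(f"{field:22} {value}")
```

For the sample, `username` maps to Destination_UserID as the literal `grn\rmitche`; whether to strip the domain before correlating with other identity sources is a deployment decision, which is why the split is a separate helper rather than part of the mapping.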

Configuring 3rd-party data sources


Configure data sources that are not made by McAfee.

A10 Networks Load Balancer

Configure A10 Networks Load Balancer


Task

1. Log on to the A10 Networks Load Balancer user interface (UI), then select Config → System → Settings.
2. In the menu bar, select Log, then, in the Log Server field, enter the IP address of your McAfee Event Receiver.
3. Ensure that Log Server Port is set to 514, and leave all other settings at their default values.
4. Click OK.

Configure A10 Networks Load Balancer from the command line

Task

1. Log on to the command-line interface (CLI).
2. Type:

logging syslog 5
logging host <IP address of McAfee Receiver> port 514

Add A10 Networks Load Balancer


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor A10 Networks

Data Source Model Load Balancer

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source.

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Default>

Mask <Enable>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Use this option when you are exporting raw data source data.

Data is NitroFile format   Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

A10 Networks Load Balancer log format and field mapping


Log format
The expected format for this device is:

SYSLOG Header [log source] message

Note

McAfee ESM supports only standard logs from this device. Custom logs generated by the AFLEX engine are not supported,
but custom rules for this product can be created in the ESM.

Log sample
System log:

Oct 24 2014 01:02:03 Error [SYSTEM]NTP server us.pool.ntp.org is not reachable

AX log:

Oct 24 2014 04:05:06 Error [AX] Unknown gzip error while decompressing packet

Logging log:

Oct 24 2014 07:08:09 Error [LOGGING]Send log email to test.user@example.com failed.

Alternate delivery method:

<13>a10logd: [SYSTEM]<6> User "admin" with session ID 1 successfully saved the running configuration

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields ESM fields

Log Source Application

Server Name Domain

SLB server, NTP Server Hostname

Error Type, change Object Name

Email "To" address Destination Username

User Source Username

Group Name Group Name
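
The samples above come in two shapes: a timestamped line ("Mon DD YYYY HH:MM:SS Level [SOURCE]message", with or without a space after the bracket) and the alternate delivery "<PRI>a10logd: [SOURCE]<n> message". The following parser is an added example, not A10 or McAfee code: it recognises both shapes, takes the bracketed log source as Application, and pulls the NTP server, the email "To" address and the quoted user out of the message text per the mapping table. Decoding <PRI> into facility and severity per RFC 3164 is an addition made here; the Server Name, SLB server, Error Type and Group Name fields have no sample on the page and are left out.

```python
"""Parse A10 Networks Load Balancer syslog lines and map them onto ESM fields.

Added example, not A10 or McAfee code. The log source and message fields
come from the page's samples and mapping table; RFC 3164 PRI decoding is an
addition made here.
"""
import re

# Constructed samples: the four log samples from the page, one per line.
SAMPLE_LINES = [
    "Oct 24 2014 01:02:03 Error [SYSTEM]NTP server us.pool.ntp.org is not reachable",
    "Oct 24 2014 04:05:06 Error [AX] Unknown gzip error while decompressing packet",
    "Oct 24 2014 07:08:09 Error [LOGGING]Send log email to test.user@example.com failed.",
    '<13>a10logd: [SYSTEM]<6> User "admin" with session ID 1 successfully saved the running configuration',
]

# "Mon DD YYYY HH:MM:SS Level [source]message"; the space after ] is optional.
TIMESTAMPED = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\S+) \[(?P<source>[^\]]+)\]\s*(?P<message>.*)$"
)
# "<PRI>a10logd: [source]<severity> message"; the <n> after the source is optional.
PRI_DAEMON = re.compile(
    r"^<(?P<pri>\d{1,3})>a10logd: \[(?P<source>[^\]]+)\]"
    r"(?:<(?P<a10_severity>\d)>)?\s*(?P<message>.*)$"
)

# ESM field -> pattern over the message text, from the field mapping table.
# Only the fields the samples on the page exercise are extracted here.
MESSAGE_EXTRACTORS = [
    ("Hostname", re.compile(r"\bNTP server (\S+)")),
    ("Destination Username", re.compile(r"\bemail to (\S+@\S+?)\.?(?:\s|$)")),
    ("Source Username", re.compile(r'\bUser "([^"]+)"')),
]


def parse_a10_line(line: str) -> dict:
    """Return a dict with log_source, message and whichever header fields
    the line shape carries. Raises ValueError for anything else."""
    m = TIMESTAMPED.match(line)
    if m:
        return {
            "timestamp": m["timestamp"],
            "level": m["level"],
            "log_source": m["source"],
            "message": m["message"].strip(),
        }
    m = PRI_DAEMON.match(line)
    if not m:
        raise ValueError(f"unrecognised A10 log line: {line!r}")
    pri = int(m["pri"])
    record = {
        "syslog_facility": pri >> 3,   # RFC 3164: PRI = facility * 8 + severity
        "syslog_severity": pri & 7,
        "log_source": m["source"],
        "message": m["message"].strip(),
    }
    if m["a10_severity"] is not None:
        record["a10_severity"] = int(m["a10_severity"])
    return record


def a10_to_esm(record: dict) -> dict:
    """Map a parsed record onto ESM fields: Log Source -> Application always,
    the message-derived fields only when the message carries them."""
    esm = {"Application": record["log_source"]}
    for esm_field, pattern in MESSAGE_EXTRACTORS:
        m = pattern.search(record["message"])
        if m:
            esm[esm_field] = m.group(1)
    return esm


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(a10_to_esm(parse_a10_line(line)))
```

The AFLEX-generated custom logs the note above mentions will typically fail the first regex and raise, which is the behaviour you want from a parser feeding custom rules: an unrecognised line is surfaced rather than silently mapped to Application only.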

A10 Networks Load Balancer troubleshooting


Standard logs from this device are supported by this data source, but custom logs generated by the AFLEX engine are not
supported. Custom rules for this product can be created in the ESM, but that is outside of the scope of this documentation.

Accellion Secure File Transfer

Configure Accellion Secure File Transfer


Task

1. From the Home menu, select Appliance, then click Configure.
2. In the Syslog Server field, enter the IP address of the McAfee ESM, then click Submit to save and exit.

Add Accellion Secure File Transfer


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Accellion

Data Source Model Secure File Transfer (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS

Support Generic Syslogs   <Default>

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Use this option when you are exporting raw data source data.

Data is NitroFile format   Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Accellion Secure File Transfer log format and field mapping


Log format
The expected format for this device is:

<date time> <device name> <application> <IP address> <user> <message> <destination user>

Log sample
This is a sample log from an Accellion Secure File Transfer device:

<123>1 2001-01-01T01:01:01-01:00 name0001 httpd - - - [12345]: (1.2.3.4) (User:username) [Web] Sent password
reset request to ldap user, user_id:example@example.com

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields          McAfee ESM fields
Device Name         Hostname
Application         Application
IP Address          Source IP
User                Source Username
Destination User    Destination Username
Filename            Filename
From email          From
To email            To
Email subject       Subject

Access Layers Portnox

Configure Access Layers Portnox


See the Portnox documentation provided by Access Layers for information about how to set up the remote syslog service to send
data to the ESM.

Add Access Layers Portnox


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Access Layers

Data Source Model Portnox

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing manually is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Access Layers Portnox log format and field mapping


Log format
The expected format for this device is:

date time,message

Log sample
This is a sample log from an Access Layers Portnox device:

01/01/2001 00:00:00,recieved trap from unauthorized source 192.0.2.1

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                          McAfee ESM fields
Date, Time                          First Time, Last Time
device IP, switch IP, trap device   Source IP
device mac, duplicate mac           Source MAC
received IP                         Destination IP
device                              Hostname
device action, port action          Command
port name                           Object
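An added example (not from the McAfee guide) that parses the Portnox "date time,message" line above and applies the Date Order setting from the Advanced options: the guide's 01/01/2001 sample reads the same under all three orders, while constructed lines such as 02/03/2001 and 23/04/2018 show where a mis-set order silently swaps day and month or rejects the line. The Source IP extraction assumes the address named in the message is the trap device listed in the mapping table.

```python
# Added example (not from the McAfee guide): parse the Access Layers Portnox
# "date time,message" line and apply the ESM Date Order setting to the date.
import re
from datetime import datetime

# The guide's sample line, plus constructed lines that expose the ambiguity.
SAMPLE = "01/01/2001 00:00:00,recieved trap from unauthorized source 192.0.2.1"
AMBIGUOUS = "02/03/2001 10:30:00,received trap from unauthorized source 192.0.2.7"
DAY_FIRST = "23/04/2018 08:00:00,received trap from unauthorized source 192.0.2.9"

# The guide's three Date Order values; Default means month before day.
DATE_ORDER_FORMATS = {
    "default": "%m/%d/%Y %H:%M:%S",
    "month before day": "%m/%d/%Y %H:%M:%S",
    "day before month": "%d/%m/%Y %H:%M:%S",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_portnox(line: str, date_order: str = "default") -> dict:
    """Split a Portnox line into the ESM fields named in the guide's mapping.

    Raises ValueError when the date cannot be read with the configured order,
    which is what a mis-set Date Order looks like on a day-first line.
    """
    if "," not in line:
        raise ValueError("expected 'date time,message'")
    stamp, message = line.split(",", 1)
    fmt = DATE_ORDER_FORMATS[date_order.lower()]
    when = datetime.strptime(stamp.strip(), fmt)
    event = {
        "First Time": when,
        "Last Time": when,  # Date, Time feed both First Time and Last Time
        "Message": message.strip(),
    }
    # Assumption (not stated by the guide): the address in the message is the
    # trap device, which the mapping table sends to Source IP.
    ips = IPV4.findall(message)
    if ips:
        event["Source IP"] = ips[0]
    return event


def date_order_matters(line: str) -> bool:
    """True when the two explicit orders read the line as different instants,
    or when one of them cannot read the line at all."""
    readings = set()
    for order in ("month before day", "day before month"):
        try:
            readings.add(parse_portnox(line, order)["First Time"])
        except ValueError:
            return True  # one order rejects the line outright
    return len(readings) > 1


if __name__ == "__main__":
    for line in (SAMPLE, AMBIGUOUS):
        for order in DATE_ORDER_FORMATS:
            print(f"{order:17} {parse_portnox(line, order)['First Time'].date()}")
    print("order matters:", date_order_matters(SAMPLE), date_order_matters(AMBIGUOUS))
```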

Adiscon Rsyslog

Configure Adiscon Rsyslog


Configure Rsyslog to send data to McAfee ESM.

Task

1. Create an event log monitoring service with Emulate %Param% properties from old EventLog Monitor and Include
optional Event Parameters as properties enabled.
2. Create or modify a rule set.
3. On the Syslog Target Options tab, configure the forwarding method, protocol, server (your McAfee Event Receiver), and
port.
4. On the Syslog message Options tab, select Use legacy RFC3164 processing.
5. In the Message Format field, enter:

%sourceproc%,%id%,%timereported:::uxTimeStamp%,%user%,%category%,%Param0%;%Param1%;%Param2%;%Param3%;%Param4%;%Param5%;%Param6%;%Param7%;%Param8%;%Param9%;%Param10%;%Param11%;%Param12%;%Param13%;%Param14%;%Param15%

6. In Event Channels (Services → Event Log Monitor V2 → Event Channels tab) select the rule set you created, then select
other events you want to send to McAfee ESM.

Add Adiscon Rsyslog


Add an Rsyslog data source to a McAfee Event Receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Microsoft

Data Source Model Adiscon Windows Events

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source.

IP Address/Hostname  IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Mask 32

Syslog Relay <None>

Require Syslog TLS  Enable to require the Receiver to communicate over TLS.

Port 514

5. (Optional) Click Advanced and configure the settings.

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing manually is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Adtran Bluesocket

Configure Adtran Bluesocket


Task

1. Click Logging, select Event History, then click Syslog Forwarding.
2. Select the box next to Syslog Forwarding, then select the Syslog Forwarding Priority Level.
3. In the Syslog Receiver IP Address field, enter the IP address of your McAfee Event Receiver.
4. Pick a Logging Facility number between 0 and 9 (your preference), click Apply, then click Save.

Add Adtran Bluesocket


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Adtran

Data Source Model Bluesocket (ASP)


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing manually is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

AdTran Bluesocket log format and field mapping


Log format
The expected format for this device is:

<pri>log_source: event=event_type&loglevel=severity&obj=object&ipaddr=source_ip&name=name&msg=message&

Log sample
This is a sample log for an Adtran Bluesocket device:

<133>user_tracking: event=user_logout_successful&loglevel=notice&obj=user&ipaddr=192.0.2.0&name=NAME3215&msg=user: NAME213, role id: #, role name: Public-Access, vlan id: #, vlan name: Managed, mac: FF:FF:FF:FF:FF:FF, ip: 192.0.2.1, hostname: , login time: 2015-01-01 00:00:00, session duration: # hour, # minutes, ## seconds, sessionID: 00:11:22:33:44:FF:0000001111112222, tl. bytes in:9999999, tl. bytes out: 99999999, tl. pkts in: 99999, tl. pkts out: 99999&

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields          McAfee ESM fields
event               Event Subtype, Message
loglevel            Severity
obj                 Object
ipaddr              Source IP
mac                 Source MAC
session duration    Message_Text
log_source          Application
role id             Command
role name           Domain
login time          First Time, Last Time
name                Source Username
hostname            Hostname
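An added example (not Adtran's or McAfee's code) that parses the Bluesocket sample above, joined onto one line: it decodes the syslog PRI, splits the key=value& fields, and breaks the msg value into its "key: value" sub-fields before applying the mapping table. The regexes and the syslog severity names are my assumptions; the log fields and ESM field names are the guide's.

```python
# Added example (not from Adtran or the McAfee guide): parse one Bluesocket
# "<pri>log_source: key=value&...&msg=...&" line and map it to ESM fields.
import re

# The guide's sample, joined onto one line.
SAMPLE = (
    "<133>user_tracking: event=user_logout_successful&loglevel=notice&obj=user"
    "&ipaddr=192.0.2.0&name=NAME3215&msg=user: NAME213, role id: #, role name: "
    "Public-Access, vlan id: #, vlan name: Managed, mac: FF:FF:FF:FF:FF:FF, "
    "ip: 192.0.2.1, hostname: , login time: 2015-01-01 00:00:00, session "
    "duration: # hour, # minutes, ## seconds, sessionID: "
    "00:11:22:33:44:FF:0000001111112222, tl. bytes in:9999999, tl. bytes out: "
    "99999999, tl. pkts in: 99999, tl. pkts out: 99999&"
)

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<log_source>[^:]+): (?P<body>.*)$")
# Every top-level field ends with '&', including the last one.
TOP_FIELD = re.compile(r"(?P<key>\w+)=(?P<val>[^&]*)&")
# Inside msg: 'key: value' pairs separated by ', '. Values may themselves hold
# ':' (MACs, session IDs) and ', ' (the duration), so a pair ends only where
# the next 'key:' begins.
MSG_FIELD = re.compile(r"(?P<key>[^,:]+?)\s*:\s*(?P<val>.*?)(?=, [^,:]+?\s*:|$)")

# (log field, ESM field) pairs from the guide's mapping table; one log field
# may feed more than one ESM field.
MAPPING = [
    ("log_source", "Application"), ("event", "Event Subtype"), ("event", "Message"),
    ("loglevel", "Severity"), ("obj", "Object"), ("ipaddr", "Source IP"),
    ("name", "Source Username"), ("mac", "Source MAC"), ("role id", "Command"),
    ("role name", "Domain"), ("hostname", "Hostname"),
    ("login time", "First Time"), ("login time", "Last Time"),
    ("session duration", "Message_Text"),
]

# Standard syslog severity codes 0..7 (assumed naming, not from the guide).
SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_bluesocket(line: str) -> dict:
    """Return every log field of one line, msg sub-fields included."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Bluesocket syslog line")
    pri = int(m.group("pri"))
    fields = {
        "log_source": m.group("log_source"),
        "syslog_facility": pri // 8,
        "syslog_severity": SYSLOG_SEVERITY[pri % 8],
    }
    for f in TOP_FIELD.finditer(m.group("body")):
        fields[f.group("key")] = f.group("val")
    for f in MSG_FIELD.finditer(fields.get("msg", "")):
        fields[f.group("key").strip()] = f.group("val").strip()
    return fields


def to_esm(fields: dict) -> dict:
    """Apply the guide's mapping table; unmapped log fields are dropped."""
    return {esm: fields[log] for log, esm in MAPPING if log in fields}


if __name__ == "__main__":
    for name, value in to_esm(parse_bluesocket(SAMPLE)).items():
        print(f"{name:16} {value!r}")
```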

Adtran NetVanta

Configure Adtran NetVanta


Task

1. Log on to your Adtran NetVanta device through a web browser, then click Logging.
2. Select the Event History checkbox, click the Syslog Forwarding tab, then select the Syslog Forwarding checkbox.
3. Select a Syslog Forwarding Priority Level between 0 and 5, with 0 reporting the most and 5 reporting only the most
important events.
4. Enter the McAfee Receiver IP address in the Syslog Receiver IP Address section.
5. For the Logging Facility, enter a number between 0 and 9, then click Save.

Add Adtran NetVanta


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Adtran

Data Source Model NetVanta

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Adtran NetVanta log format and field mapping


Log format
The expected format for this device is:

Date Time Device-Type Event-Source:Message

Log sample
This is a sample log from an Adtran NetVanta device:

<13>Dec 02 14:03:35 Switch OPERATING_SYSTEM:SESSION User password-only login OK on portal TELNET 1 (10.19.243.125:2230)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields          McAfee ESM fields
portal, proto       Application
Portal IP, src      Source IP
Portal Port, Src    Source Port
dst                 Destination IP
Dst                 Destination Port
Device-Type         Hostname
Session ID          Session ID
Interface           Object
User                Source Username

AirTight Networks SpectraGuard

Configure AirTight Networks SpectraGuard


See the AirTight Networks SpectraGuard documentation for Remote Syslog setup using the IP address of your McAfee Event
Receiver as the destination IP address.

Add AirTight Networks SpectraGuard


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor AirTight Networks

Data Source Model SpectraGuard

Data Format Default


Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS  Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

AirTight Networks SpectraGuard log format and field mapping


Log format

<Source Mac Address>SpectraGuard Version : Start/Stop: Source [SourceName] Source Status. : Source IP://Domain/SubDomain : Date/Time : Severity : Message

Log sample
This is a sample log from an AirTight Networks SpectraGuard device:

<00:00:00:FF:FF:FF>SpectraGuard Enterprise v6.5 : Start: Client [Username] is active. : 192.0.2.1://AAAA/BBBBB: 2001-01-01T00:00:00+00:00 : High : 100 : 1 : 11 : 111: Closest Sensor [AP1.5 Sensor-Examination & Certification-207]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields            McAfee ESM fields
Severity              Severity
Source Mac Address    Source MAC
Start/Stop            Event Sub Type
SourceName            Hostname
Domain                Domain
Source IP             Source IP
Date/Time             First Time, Last Time
SubDomain             Object

Alcatel-Lucent NGN Switch

Configure Alcatel-Lucent NGN Switch


Task

To configure a syslog file, enter these commands on the command line:

• syslog <syslog-id>
• description <description-string>
• address <ip-address>
• log-prefix log-prefix-string
• port <port #>
• level {emergency|alert|critical|error|warning|notice|inf|debug}
• facility <syslog-facility>

The following is a syslog configuration example:

    syslog 1
    description "This is a syslog file."
    address x.x.x.x
    facility user
    level warning
    exit

Add Alcatel-Lucent NGN Switch


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Alcatel-Lucent

Data Source Model NGN Switch (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do Nothing


Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order  Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone  To assign this data source to a zone, select the zone from the list.

External data source link  Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format  Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Alcatel-Lucent NGN Switch log format and field mapping


Log format
Thu Jun 13 03:39:36 MNT 2013::AUTHENTICATION::JohnSmith::1371074976970::10.10.10.15(10.10.10.15:64575):::Attempt to log in:::Failed, no such user.

Field mapping
This table shows the McAfee ESM fields populated from the sample log above.

McAfee ESM fields    Value in the sample log
Category             AUTHENTICATION
Source User          JohnSmith
Source IP            10.10.10.15
Destination          64575
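An added example (not code from McAfee or any of the vendors) that serves the Accellion, Adtran NetVanta, AirTight SpectraGuard and Alcatel-Lucent NGN Switch formats above at once: one table-driven normaliser with a regex per device and the guide's (log field, ESM field) pairs, run over each guide sample joined onto one line. The regexes, group names and the reading of the NGN port as the "Destination" value are my assumptions; the guide gives only the expected formats and mapping tables.

```python
# Added example (not McAfee's parser): one table-driven normaliser for four of
# the formats in this chapter. Each device gets a regex with named groups and
# a list of (group, ESM field) pairs copied from the guide's mapping tables.
import re

# The guide's samples, each joined onto one line.
SAMPLES = {
    "accellion": "<123>1 2001-01-01T01:01:01-01:00 name0001 httpd - - - [12345]: "
                 "(1.2.3.4) (User:username) [Web] Sent password reset request to "
                 "ldap user, user_id:example@example.com",
    "netvanta": "<13>Dec 02 14:03:35 Switch OPERATING_SYSTEM:SESSION User "
                "password-only login OK on portal TELNET 1 (10.19.243.125:2230)",
    "spectraguard": "<00:00:00:FF:FF:FF>SpectraGuard Enterprise v6.5 : Start: "
                    "Client [Username] is active. : 192.0.2.1://AAAA/BBBBB: "
                    "2001-01-01T00:00:00+00:00 : High : 100 : 1 : 11 : 111: "
                    "Closest Sensor [AP1.5 Sensor-Examination & Certification-207]",
    "ngn": "Thu Jun 13 03:39:36 MNT 2013::AUTHENTICATION::JohnSmith::1371074976970"
           "::10.10.10.15(10.10.10.15:64575):::Attempt to log in:::Failed, no such user.",
}

DEVICES = {
    # RFC 5424 header, then "(ip) (User:name) [channel] message[, user_id:dest]".
    "accellion": (
        re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ "
                   r"\[\d+\]: \((?P<ip>[\d.]+)\) \(User:(?P<user>[^)]*)\) "
                   r"\[(?P<chan>[^\]]*)\] (?P<msg>.*?)(?:, user_id:(?P<dst>\S+))?$"),
        [("host", "Hostname"), ("app", "Application"), ("ip", "Source IP"),
         ("user", "Source Username"), ("dst", "Destination Username")],
    ),
    # "Date Time Device-Type Event-Source:Message"; the portal suffix is optional.
    "netvanta": (
        re.compile(r"^<\d+>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<devtype>\S+) "
                   r"(?P<src>[^:]+):(?P<msg>.*?)"
                   r"(?: on portal (?P<portal>\S+) \d+ \((?P<pip>[\d.]+):(?P<pport>\d+)\))?$"),
        [("devtype", "Hostname"), ("portal", "Application"),
         ("pip", "Source IP"), ("pport", "Source Port")],
    ),
    # "<MAC>Version : Start/Stop: Source [Name] Status : IP://Domain/Sub: Time : Sev : ...".
    "spectraguard": (
        re.compile(r"^<(?P<mac>[0-9A-Fa-f:]{17})>(?P<ver>[^:]+?) : (?P<state>\w+): "
                   r"\w+ \[(?P<name>[^\]]*)\] [^:]* : (?P<ip>[\d.]+)://"
                   r"(?P<domain>[^/]+)/(?P<sub>[^:]+): (?P<ts>\S+) : (?P<sev>\w+) : .*$"),
        [("sev", "Severity"), ("mac", "Source MAC"), ("state", "Event Sub Type"),
         ("name", "Hostname"), ("domain", "Domain"), ("ip", "Source IP"),
         ("ts", "First Time"), ("ts", "Last Time"), ("sub", "Object")],
    ),
    # "::"-separated fields; the timestamp itself contains single colons.
    "ngn": (
        re.compile(r"^(?P<ts>[^:]+(?::[^:]+)*?)::(?P<cat>[^:]+)::(?P<user>[^:]+)::\d+::"
                   r"(?P<ip>[\d.]+)\([\d.]+:(?P<port>\d+)\):::(?P<action>[^:]+):::(?P<result>.*)$"),
        [("cat", "Category"), ("user", "Source User"), ("ip", "Source IP"),
         ("port", "Destination")],
    ),
}


def normalise(device: str, line: str) -> dict:
    """Match one line against its device's regex and emit the guide's ESM fields.

    Optional groups that did not match (an Accellion line without a user_id,
    a NetVanta line without a portal) are left out rather than set to None.
    """
    pattern, mapping = DEVICES[device]
    m = pattern.match(line.strip())
    if not m:
        raise ValueError(f"{device}: line does not match the expected format")
    return {esm: m.group(grp) for grp, esm in mapping if m.group(grp) is not None}


if __name__ == "__main__":
    for dev, line in SAMPLES.items():
        print(dev, normalise(dev, line))
```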

228 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Alcatel-Lucent VitalQIP

Configure Alcatel-Lucent VitalQIP


Task

1. Log on to your Alcatel-Lucent VitalQIP device.
2. In the system configuration, set the IP address of your McAfee Event Receiver as a Syslog Redirect Host, then save your
changes.

Add Alcatel-Lucent VitalQIP


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Alcatel-Lucent

Data Source Model VitalQIP

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).


Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Alcatel-Lucent VitalQIP log format and field mapping


Log format
The expected format for this device is:

<pri>application[pid]: message

Log sample
This is a sample log from an Alcatel-Lucent VitalQIP device:

<14>/opt/qip/usr/bin/dhcpd[12345]: DHCP_RenewLease: Host=EXAMPLEHOST IP=10.11.12.13 MAC=0011223344AA Domain=example.com

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Subnet, IP Source IP

MAC Source MAC

Host Hostname

Domain Domain
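As an added example, not taken from the guide or from the VitalQIP product, the following Python parses the <pri>application[pid]: message layout shown above, decodes the PRI value into a syslog facility and severity, and maps the key=value pairs to the ESM fields in the table. The sample line and the facility and severity name lists are assumptions of the example.

```python
import re
from typing import Any, Dict

# Constructed line in the page's "<pri>application[pid]: message" layout (not a real capture).
QIP_SAMPLE = (
    "<14>/opt/qip/usr/bin/dhcpd[12345]: DHCP_RenewLease: Host=EXAMPLEHOST "
    "IP=10.11.12.13 MAC=0011223344AA Domain=example.com"
)

_HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<app>[^\s\[]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")

# key=value names found in the log -> ESM field, as in the table above
ESM_FIELD_FOR = {
    "IP": "Source IP",
    "Subnet": "Source IP",
    "MAC": "Source MAC",
    "Host": "Hostname",
    "Domain": "Domain",
}

# Conventional syslog facility (0-23) and severity (0-7) names used for the decoded PRI
SYSLOG_FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                     "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                     "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_vitalqip(line: str) -> Dict[str, Any]:
    """Parse one VitalQIP syslog line: PRI header, process, event name and key=value pairs."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match <pri>application[pid]: message")
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity

    # The message body starts with the event name ("DHCP_RenewLease:") followed by key=value pairs.
    event_name, _, rest = m.group("msg").partition(":")
    pairs = dict(_KV_RE.findall(rest))

    mapped = {ESM_FIELD_FOR[k]: v for k, v in pairs.items() if k in ESM_FIELD_FOR}
    unmapped = {k: v for k, v in pairs.items() if k not in ESM_FIELD_FOR}
    return {
        "facility": SYSLOG_FACILITIES[facility],
        "severity": SYSLOG_SEVERITIES[severity],
        "application": m.group("app"),
        "pid": int(m.group("pid")),
        "event": event_name.strip(),
        "fields": mapped,      # ESM field names from the table
        "unmapped": unmapped,  # keys the table does not cover, kept for inspection
    }
```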

Amazon SQS Collector

Configure Amazon SQS Collector data sources


To receive notifications in ESM for new SQS Collector logs, configure an SQS queue on AWS that contains Simple Notification
Service (SNS) push notifications when new log bundles are created in S3.

Important

These instructions refer to third-party products. Changes in those products can cause the instructions to be out of sync. You
might need to adapt.

Configure AWS CloudTrail


Amazon Web Services (AWS) CloudTrail can send a notification each time a log file is written to the Amazon S3 bucket. AWS
recommends using Amazon Simple Queue Service (SQS) to subscribe to event notifications for programmatically processing
notifications. To receive timely notifications in ESM for new AWS CloudTrail logs, configure an SQS queue on AWS that contains
Simple Notification Service (SNS) push notifications when new log bundles are created in S3.

See Amazon documentation for details.

Important

Make sure you disable raw logs when you configure AWS CloudTrail.

Configure CloudWatch
Amazon Web Services (AWS) CloudWatch delivers three types of messages: alarms, events, and logs. These messages can be
delivered to an SQS, but the methods for each type of message differ. For specific details about how to configure a CloudWatch
service, see the AWS documentation. SQS Collector sends a notification each time a log file is written to the Amazon S3 bucket.

You need to set up resources to support your AWS CloudWatch service: an SQS queue (required), an SNS topic if you are
collecting alarms, a Lambda function if you are collecting logs. Use AWS documentation to set up these resources.

Each CloudWatch message type (alarm, event, and log) has a different format and different field mapping.

CloudWatch alarms - AWS CloudWatch Alarms delivers its logs through SNS topics. To see those logs on the ESM, add the SQS
used on the data source configuration as an endpoint for the SNS. Note that AWS CloudWatch Alarms are independent from ESM
Alarms.

CloudWatch events - CloudWatch Events delivers its logs through several AWS services. To see those logs on the ESM, select the
SQS used on the data source as the target of the events you want to deliver to the ESM. For more information, see AWS
documentation.

CloudWatch Logs - Streaming CloudWatch logs can consume significant resources. To avoid performance impact, stream only
critical data.

Important

There are no parsing rules for CloudWatch Logs. Instead, the field "message" is passed on to the parser. When you configure
the data source, make sure that you enable the parsing rules needed to parse these messages. For example, for messages
from "auth.log", you would enable the Linux rules.

AWS CloudWatch Logs (CWL) compiles logs from several AWS services, but these logs aren't automatically streamed to another
service. If you want to stream CloudWatch Logs without manually copying the logs, stream the CWL Log Stream to the SQS using
a Lambda function with this code:

import boto3
import json
import gzip
import os
from base64 import b64decode

def lambda_handler(event, context):
    # The queue URL comes from the SQS_URL environment variable set on the function.
    sqs = boto3.resource('sqs')
    queue = sqs.Queue(url=os.environ["SQS_URL"])

    # CloudWatch Logs delivers the subscription batch as base64-encoded gzip;
    # undo both layers to get the JSON text (logEvents, logGroup, logStream, ...).
    msg = event["awslogs"]["data"]
    msg = gzip.decompress(b64decode(msg)).decode("utf-8")

    # Forward the decoded batch as one SQS message for the Receiver to collect.
    response = queue.send_message(MessageBody=msg)

    return {
        'statusCode': 200,
        'body': "Messages pushed successfully into SQS."
    }

On "Environment Variables" put "SQS_URL" (without quotes) under "Key", then on "Value" put the URL of the SQS queue used in
the data source configuration. Next, give the IAM role used on the Lambda function permissions to write on the SQS by adding
the sqs:SendMessage and sqs:SendMessageBatch permissions. For more information, see AWS documentation.

Go to the CloudWatch Logs console, select the logstream that you want to stream, then click Actions > Stream to AWS Lambda
and follow the instructions.

Configure GuardDuty
Amazon Web Services (AWS) GuardDuty delivers its findings through Amazon CloudWatch events. You must have a CloudWatch
Events service configured before configuring it to send events to your SIEM. For more information, see AWS documentation.

Configure AWS for S3 File Collection


To configure AWS (so that the files uploaded to S3 can be collected by the McAfee ESM), make sure that you have an SQS queue,
SNS topic, and S3 bucket.

The SQS collector pulls the Simple Notification Service (SNS) files from an S3 bucket and places them in the SQS queue, and then
the McAfee ESM (McAfee Event Receiver) pulls the SNS files from the SQS queue.

You must configure Event notification on the S3 bucket to point to the SNS topic and to have a destination type of SNS topic.
The SQS queue then subscribes to the SNS topic. Configured in this manner, any files added to the S3 bucket are retrieved by
the McAfee ESM (McAfee Event Receiver).

The SQS collector supports XML, JSON, and single-line (newline-separated) events. If logs are not XML or JSON and contain
multiline events, the events are collected as one event per line; multiline events are not currently supported. For more
information, see AWS documentation.

Add Amazon SQS Collector


Add the data source to a receiver.

Before you begin

• Make sure you have the Access Key ID and Secret Access Key for the AWS server.
• You need the URL of the SQS Queue.
• The user account you use to create the data source must have these permissions:

• sqs:DeleteMessage
• sqs:GetQueueUrl
• sqs:ListDeadLetterSourceQueues
• sqs:ReceiveMessage
• sqs:GetQueueAttributes
• sqs:ListQueueTags
• s3:GetObject
• s3:ListBucket
• sqs:SetQueueAttributes

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Amazon

Data Source Model SQS Collector (CloudTrail/CloudWatch/GuardDuty)

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address The IP address of the data source device. Automatically populated when you clear the content
in this field, enter the Hostname, and click Look up.

Hostname The host name of the data source device. The host name is part of the URL of the SQS that
you are pulling data from. For example, if the URL for the SQS is
https://sqs.us-east-2.amazonaws.com/498939148594/CloudWatch-Logs, the host name is sqs.us-east-2.amazonaws.com.

AWS Access Key

AWS Secret Key

SQS URL The URL that points to the SQS queue provided by AWS.

SQS Visibility The time that a message (log) stays hidden after it is requested. If the collector doesn't delete
the message, the message is restored after the timeout (default is 300 seconds).

SQS Poll Interval The interval between collection requests (default is 300 seconds).

Connect Performs a test connection to the AWS services. Make sure that this test runs successfully
before moving on. If errors exist, collection might not work properly.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can deselect the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

6. Roll out policy to the new data source.
7. Click Get events and flows.
8. Wait a few minutes and then verify that data appears on your dashboards and that it is parsed correctly.

Amazon SQS Collector log format and field mapping


Amazon SQS Collector collects data from three sources: CloudWatch, CloudTrail, and GuardDuty. CloudWatch sends three types
of data: alarms, events, and logs.

CloudWatch alarms
This is a sample log from an Amazon CloudWatch alarm:

{"MessageId": "d1fd4812-b77e-5a33-a32a-1e425839ef6a", "UnsubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-2:498939148594:CW-Alarm-kcruz:
0df41bd3-9097-4fe9-835c-424b5920d4aa", "SignatureVersion": "1", "Timestamp": "2019-11-21T20:01:11.149Z",
"Subject": "ALARM: \"NetworkPacketsIn-Alarm\" in US East (Ohio)", "Signature":
"Rx0FpgMotIlyCak2ZaSkWb1dNsn736wfrIEfGi0xmlVz31PQ0FzNaAG0uP2LIqYfzET2pAesJ29Ixk0Wm5+dhlaWCC2xbJBuFYP1Ez8bLXVj
qRQbMh9bcXmSNAIluDvaUPa+4YnaLVqdez59QilmVGW/gu8OVR2yqjyoR2Bs9See1C1xX
+AnkBNjwTyZECvTSU8jHab2DLPEVE0liM39o9efQ7THrdCJMFs47/QRCFFapDeIr5nTXNwmxRBmvJxF8OOAeXXf08iU9eOpGaRT0d7w8T/
H02EUoe/BtOr46fFLWYUhkoA/AJbEUgbeR2UE36DOi9i1yti2aNVvc28TLA==", "Type": "Notification", "Message":
{"AWSAccountId": "498939148594", "Trigger": {"EvaluationPeriods": 1, "TreatMissingData": "-
TreatMissingData: missing", "Namespace": "AWS/EC2", "ComparisonOperator":
"LessThanOrEqualToThreshold", "Statistic": "AVERAGE", "Unit": null, "StatisticType": "Statistic", "Period":
300, "EvaluateLowSampleCountPercentile": "", "Dimensions": [{"name": "InstanceId", "value":
"i-08e470e665f9732c3"}], "MetricName": "NetworkPacketsIn", "Threshold": 1000.0}, "NewStateReason":
"Threshold Crossed: 1 out of the last 1 datapoints [33.0 (21/11/19 19:56:00)] was less than or equal to the
threshold (1000.0) (minimum 1 datapoint for OK -> ALARM transition).", "AlarmName": "NetworkPacketsIn-
Alarm", "NewStateValue": "ALARM", "AlarmDescription": null, "StateChangeTime":
"2019-11-21T20:01:11.110+0000", "OldStateValue": "OK", "Region": "US East (Ohio)"}, "TopicArn":
"arn:aws:sns:us-east-2:498939148594:CW-Alarm-kcruz", "SigningCertURL": "https://sns.us-east-2.amazonaws.com/
SimpleNotificationService-6aad65c2f9911b05cd53efda11f913f9.pem"}

Log fields McAfee ESM fields

alarmname Message

SignatureVersion Version

Subject Message_Text

MessageID UUID

Message.Region Source_Zone

Message.Trigger.Namespace Source_Context

Message.AWSAccountId src_username

Message.Trigger.MetricName Sensor_Name

Message.NewStateReason Status

Message.AlarmDescription Description

Message.StateChangeTime First Time

Message.StateChangeTime Last Time

Message.TopicArn From

Type Object_Type

CloudWatch events
This is a sample log from an Amazon CloudWatch event:

{"version":"0","id":"a3a88473-f06a-1f5f-22d9-0543074d98c2","detail-type":"EC2 Instance State-change Notification","source":"aws.ec2","account":"498939148594","time":"2019-11-21T20:05:46Z","region":"us-east-2","resources":["arn:aws:ec2:us-east-2:498939148594:instance/i-08e470e665f9732c3"],"detail":{"instance-id":"i-08e470e665f9732c3","state":"stopping"}}

Log fields McAfee ESM fields

signature Message

time First Time

time Last Time

version Version

source Source_Context

region Source_Zone

detail.instance-id HostID

detail.state Status

detail.userIdentity.accountId src_username
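To show the alarm and event field mappings from the two tables above being applied to a queued message, here is an added Python example that is neither the guide's nor AWS code. The samples are cut down from the page's two logs, the dotted paths are transcribed from the tables, and the two table entries the sample does not carry as written (alarmname, Message.TopicArn) are resolved to where those values sit in the sample; that resolution is the example's assumption.

```python
import json
from typing import Any, Dict, Tuple

# Dotted path into the log -> ESM field, transcribed from the two tables above.  The alarm
# table's "alarmname" sits at Message.AlarmName, and TopicArn is a top-level SNS envelope key
# in the sample rather than Message.TopicArn, so those two paths follow the sample.
ALARM_MAP: Dict[str, Any] = {
    "Message.AlarmName": "Message",
    "SignatureVersion": "Version",
    "Subject": "Message_Text",
    "MessageId": "UUID",
    "Message.Region": "Source_Zone",
    "Message.Trigger.Namespace": "Source_Context",
    "Message.AWSAccountId": "src_username",
    "Message.Trigger.MetricName": "Sensor_Name",
    "Message.NewStateReason": "Status",
    "Message.AlarmDescription": "Description",
    "Message.StateChangeTime": ("First Time", "Last Time"),
    "TopicArn": "From",
    "Type": "Object_Type",
}
EVENT_MAP: Dict[str, Any] = {
    "signature": "Message",
    "time": ("First Time", "Last Time"),
    "version": "Version",
    "source": "Source_Context",
    "region": "Source_Zone",
    "detail.instance-id": "HostID",
    "detail.state": "Status",
    "detail.userIdentity.accountId": "src_username",
}

# Constructed samples cut down from the page's two logs.  "Message" is the JSON string SNS
# actually delivers (the page shows it already decoded); Signature and SigningCertURL are omitted.
ALARM_SAMPLE: Dict[str, Any] = {
    "Type": "Notification", "SignatureVersion": "1",
    "MessageId": "d1fd4812-b77e-5a33-a32a-1e425839ef6a",
    "TopicArn": "arn:aws:sns:us-east-2:498939148594:CW-Alarm-kcruz",
    "Subject": 'ALARM: "NetworkPacketsIn-Alarm" in US East (Ohio)',
    "Message": json.dumps({
        "AWSAccountId": "498939148594", "AlarmName": "NetworkPacketsIn-Alarm",
        "AlarmDescription": None, "Region": "US East (Ohio)",
        "NewStateReason": "Threshold Crossed: 1 datapoint was <= 1000.0 (constructed text)",
        "StateChangeTime": "2019-11-21T20:01:11.110+0000",
        "Trigger": {"MetricName": "NetworkPacketsIn", "Namespace": "AWS/EC2"},
    }),
}
EVENT_SAMPLE: Dict[str, Any] = {
    "version": "0", "id": "a3a88473-f06a-1f5f-22d9-0543074d98c2", "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification", "account": "498939148594",
    "time": "2019-11-21T20:05:46Z", "region": "us-east-2",
    "detail": {"instance-id": "i-08e470e665f9732c3", "state": "stopping"},
}


def _lookup(obj: Any, path: str) -> Any:
    """Walk a dotted path; None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _decode_sns_message(envelope: Dict[str, Any]) -> Dict[str, Any]:
    """Accept Message either as the JSON string SNS sends or as an already-decoded object."""
    out = dict(envelope)
    if isinstance(out.get("Message"), str):
        try:
            out["Message"] = json.loads(out["Message"])
        except ValueError:
            pass  # free-text Message: nested lookups simply yield None
    return out


def map_fields(record: Dict[str, Any], table: Dict[str, Any]) -> Dict[str, Any]:
    """Apply one mapping table; null values (AlarmDescription here) are dropped, not mapped."""
    out: Dict[str, Any] = {}
    for path, targets in table.items():
        value = _lookup(record, path)
        if value is None:
            continue
        for esm_field in (targets if isinstance(targets, tuple) else (targets,)):
            out[esm_field] = value
    return out


def map_cloudwatch(record: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Route an SQS body to the alarm or the event table by the shape of its envelope."""
    if record.get("Type") == "Notification":
        return "alarm", map_fields(_decode_sns_message(record), ALARM_MAP)
    if "detail-type" in record:
        return "event", map_fields(record, EVENT_MAP)
    raise ValueError("not a CloudWatch alarm notification or a CloudWatch event")
```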

CloudWatch logs
This is a sample log from an Amazon CloudWatch log stream:

{"logEvents": [{"id": "35109572752796196185454633355438466663363330114255454208", "timestamp": 1574367692211, "message": "Nov 21 20:21:26 ip-172-31-37-244 systemd-logind[774]: New session 10 of user ubuntu."}], "messageType": "DATA_MESSAGE", "owner": "498939148594", "subscriptionFilters": ["LambdaStream_CloudWatch2SQS"], "logStream": "i-08e470e665f9732c3", "logGroup": "auth.log"}

There are no parsing rules for CloudWatch Logs. Instead, the field "message" is passed to the parser. Make sure you enable the
associated parsing rules. Because this sample log is an auth.log message, you would need to enable the Linux rules.
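The following added Python example (not the guide's Lambda and not AWS code) builds the base64 and gzip payload that the Lambda in the CloudWatch Logs section receives, decodes it the same way, pulls out the message strings that the Receiver's parsing rules actually see, and splits a batch so that no SQS body exceeds the service's 256 KiB limit, which the Lambda as written does not check. The second log event and the function names are constructed for the example.

```python
import base64
import gzip
import json
from typing import Any, Dict, List

# Constructed subscription record in the layout of the sample above; the second log event is
# made up and is not from the page.
CWL_RECORD: Dict[str, Any] = {
    "messageType": "DATA_MESSAGE",
    "owner": "498939148594",
    "logGroup": "auth.log",
    "logStream": "i-08e470e665f9732c3",
    "subscriptionFilters": ["LambdaStream_CloudWatch2SQS"],
    "logEvents": [
        {"id": "35109572752796196185454633355438466663363330114255454208",
         "timestamp": 1574367692211,
         "message": "Nov 21 20:21:26 ip-172-31-37-244 systemd-logind[774]: "
                    "New session 10 of user ubuntu."},
        {"id": "35109572752796196185454633355438466663363330114255454209",
         "timestamp": 1574367721004,
         "message": "Nov 21 20:21:55 ip-172-31-37-244 sshd[801]: Failed password "
                    "for invalid user admin from 192.0.2.10 port 51234 ssh2"},
    ],
}

SQS_MAX_BODY_BYTES = 256 * 1024  # SQS rejects a larger message body


def encode_awslogs_event(record: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a record the way CloudWatch Logs hands it to Lambda: JSON, gzip, then base64."""
    packed = gzip.compress(json.dumps(record).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(packed).decode("ascii")}}


def decode_awslogs_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """The decode step of the page's Lambda, returned as an object rather than raw text."""
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return json.loads(raw.decode("utf-8"))


def parser_input(record: Dict[str, Any]) -> List[str]:
    """Return what the Receiver's parsing rules see: one string per logEvents[].message.

    CloudWatch Logs also sends a CONTROL_MESSAGE record when a subscription is created; it
    carries no log data and is dropped here instead of being queued.
    """
    if record.get("messageType") != "DATA_MESSAGE":
        return []
    return [ev["message"] for ev in record.get("logEvents", []) if "message" in ev]


def sqs_bodies(record: Dict[str, Any], limit: int = SQS_MAX_BODY_BYTES) -> List[str]:
    """Serialise the record for queue.send_message, splitting logEvents across bodies so that
    none exceeds the SQS limit.  The page's Lambda sends the whole batch as one body, which
    fails once a busy log stream produces a batch above 256 KiB."""
    def body(events: List[Dict[str, Any]]) -> str:
        return json.dumps({**record, "logEvents": events})

    bodies: List[str] = []
    chunk: List[Dict[str, Any]] = []
    for ev in record.get("logEvents", []):
        if chunk and len(body(chunk + [ev]).encode("utf-8")) > limit:
            bodies.append(body(chunk))
            chunk = []
        chunk.append(ev)  # a single oversized event still goes out on its own
    bodies.append(body(chunk))
    return bodies
```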

GuardDuty
Amazon Web Services (AWS) GuardDuty delivers its findings through Amazon CloudWatch Events. Make sure to have a
CloudWatch Events service configured before sending GuardDuty data. Refer to AWS documentation for specifics.

Ansible

Configure Ansible
Set up the data source to send events and flows to ESM.

Task

See Ansible product documentation for instructions on configuring it to send data to ESM.

Add Ansible
Add an Ansible data source to ESM.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Ansible

Data Source Model Ansible

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter a name for the data source.

IP Address/Hostname Enter the IP address and host name.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require syslog TLS Select to require TLS.

Port Select the port number.

Support Generic Syslogs Do nothing

Generic Rule Assignment Accept default.

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Apple Mac OS X

Configure Apple Mac OS X


The syslog configuration is done on the command line. See your Apple Mac OS X product documentation for instructions on how
to access and use the Terminal program.

Task

1. Open the Terminal program, then make a backup of the syslog.conf file:

$ cp /etc/syslog.conf /tmp/syslog.conf.bkp

2. Open the configuration file in a text editor, for example, vi:

$ sudo vi /etc/syslog.conf

3. Insert this line at the end of the syslog.conf file:

*.* @x.x.x.x

where x.x.x.x is the IP address of your McAfee Event Receiver.

Note

A port can also be specified by adding :x to the end of the IP address, where x is the port number. If no port is specified,
default port 514 is used.
The line consists of a wildcard statement (*.*) and an action (@x.x.x.x) separated by tabs. It tells the syslog daemon to
forward a copy of all (*.*) events to the specified IP address.

4. Click Save, click Exit, then restart the syslogd service with these two commands:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

5. Verify that the service is running:

$ ps -e | grep syslogd

Add Apple Mac OS X


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Apple Inc.

Data Source Model Mac OS X (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Apple Mac OS X log format and field mapping


Log format
The expected format for this device is:

<date time> <hostname> <service> <message>

Log sample
Here is a sample log from an Apple Mac OS X device:

Jan 01 01:01:01 Example-Mac-mini.local com.apple.backupd[1234]: Backup completed successfully.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Username Source Username

“Run as” username (usually root) Destination Username

IP Address Source IP

Remote IP Address Destination IP

Port Source Port

Service / Daemon Application

Arbor Networks Pravail

Configure Arbor Networks Pravail


Refer to the Arbor Networks Pravail product documentation for instructions on sending syslog logs to a remote server. Use the
McAfee Event Receiver IP address for the address of the remote server.

Add Arbor Networks Pravail


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Arbor Networks

Data Source Model Pravail

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Arbor Networks Pravail log format and field mapping


Log format
The expected format for this device is:

Date Time Application: action Source IP Detection Type protocol/port (application) destination IP URL: url

Log sample
This is a sample log from an Arbor Networks Pravail device:

<13>Oct 22 09:49:32 HTX-ARBOR-00 pravail: Blocked Host: Blocked host 192.0.2.1 at 09:49 by TCP SYN Flood
Detection using TCP/445 (MICROSOFT-DS) destination 192.0.2.2,URL: https://example.com/folder/

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Date Time First Time, Last Time

Action Event Subtype

Source Source IP

Destination Destination IP

Detection Type Message

Protocol Protocol

Port Source Port

ArcSight Common Event Format

Configure ArcSight Common Event Format


This data source can be used with devices that generate ArcSight Common Event Format (CEF)-formatted events. If McAfee Event
Receiver doesn't support a specific vendor and model, this is a useful alternative.

Follow the directions for your vendor to enable ArcSight CEF-formatted events to be delivered to the McAfee Event Receiver. You
might need administrative rights.

Add ArcSight Common Event Format


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor ArcSight

Data Source Model Common Event Format (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

ArcSight Common Event Format log format and field mapping


Log format
The expected format for this device is:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

The format of the event is fixed up to Extension. From that point on, CEF defines no specific order of fields: the key-value
pairs that follow can be arranged in any order, at the vendor's discretion.

Log sample
This is a sample log from an ArcSight Common Event Format device:

2014-04-21T18:35:15.546Z 192.168.2.5 CEF:0|McAfee|ESM|9.4.0|277-2121969963|TCP_NC_MISS|2|start=1398105379000
end=1398105379000 rt=1398105308000 cnt=1 eventId=4246692 nitroUniqueId=4246692 deviceExternalId=Live
BlueCoat ProxySG deviceTranslatedAddress=192.168.2.22 externalId=202857 cat=Web Policy nitroNormID=941621248
act=success proto=hopopt deviceDirection=0 dst=192.168.2.114 dpt=80 src=192.168.2.16 nitroTrust=2
nitroAppID=nFMAIN nitroObject_Type=Web_Advertisements sntdom=domain.com.tw nitroMethod=GET duser=Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR
3.0.04506.30; .NET CLR 3.0.04506.648) suser=johnsmith nitroURL=http://domain.com/somepath/index.html
nitroQuery_Response=OBSERVED nitroResponse_Code=200 nitroDevice_IP=192.168.2.11 nitroDevice_Port=8080

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Signature ID Signature ID

Name Message

act Event Subtype

dpt Dest Port

dst Dest IP

dmac Dest Mac

cnt Event Count

proto Protocol

spt Source Port

src Source IP

smac Source MAC

start Firsttime

end Lasttime

severity Severity

dproc Application

nitroCommandID Command

sntdom Domain

shost Host

fname, spriv, nitroObjectID Object

duser Dest User

suser Source User

Aruba ClearPass

Configure Aruba ClearPass


Task

1. Log on to the ClearPass Policy Manager, then navigate to Administration Menu → External Servers → Syslog Export
Filters.
2. Copy the XML from the Syslog export file template, paste it into a blank file, and save it as an XML file, for example,
McAfee_SIEM_SyslogExportData.xml.

Note

Copying and pasting from a PDF may not work. Copy the XML from docs.mcafee.com or try pasting the content into a
plain text processor first. Some manipulation of the XML may be needed.

3. Change all instances of the text change.me.receiver.ip in the XML file to the IP address of the McAfee Event Receiver.
4. On the Syslog Export Filters page, select the Import link in the top right area of the page.
5. Click Browse to navigate to the XML file that you created.

Note

This file sets up the needed syslog export filters and populates the syslog target IP address.

6. Navigate to the Syslog Targets page and verify that the IP address of the McAfee Event Receiver is in the host Address
field.

Syslog export file template

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Mon Aug 29 15:58:17 MDT 2016" version="6.6"/>
<DataFilter>
<DataFilter description="All Endpoints" name="[Endpoints]" qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="" operator="EXISTS" columnName="MAC-Address" scope="Endpoint"/>
</conditionSets>
</DataFilter>
<DataFilter description="All ClearPass Guest" name="[ClearPass Guest]" qType="INSIGHT"
conditionSetJoinType="OR">
<conditionSets conditionJoinType="OR">
<conditions value="" operator="EXISTS" columnName="Username" scope="Guest"/>
<conditions value="" operator="EXISTS" columnName="MAC-Address" scope="Guest"/>
</conditionSets>
</DataFilter>
<DataFilter description="All ClearPass System Events" name="[ClearPass System Events]" qType="INSIGHT"
conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="" operator="EXISTS" columnName="Source" scope="CppmSystemEvent"/>
</conditionSets>
</DataFilter>
<DataFilter description="All ClearPass Configuration Audit" name="[ClearPass Configuration Audit]"
qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="" operator="EXISTS" columnName="Action" scope="CppmConfigAudit"/>
</conditionSets>
</DataFilter>
<DataFilter description="All RADIUS Authentications " name="[RADIUS Authentications]" qType="INSIGHT"
conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="RADIUS" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All RADIUS Failed Authentications" name="[RADIUS Failed Authentications]"
qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="RADIUS" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
<conditionSets conditionJoinType="AND">
<conditions value="0" operator="NOT_EQUALS" columnName="Error-Code" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All session log requests" name="[All Requests]" qType="SESSION"
conditionSetJoinType="OR">
<conditionSets conditionJoinType="OR">
<conditions value="0" operator="NOT_EQUALS" columnName="Request-Id" scope="Common"/>
</conditionSets>
</DataFilter>
<DataFilter description="All TACACS Authentication " name="[TACACS Authentication]" qType="INSIGHT"
conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="" operator="EXISTS" columnName="Username" scope="Tacacs"/>
</conditionSets>
</DataFilter>
<DataFilter description="All TACACS Failed Authentication" name="[TACACS Failed Authentication]"
qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="0" operator="NOT_EQUALS" columnName="Error-Code" scope="Tacacs"/>
</conditionSets>
</DataFilter>
<DataFilter description="All WEBAUTH Authentication " name="[WEBAUTH Authentication]" qType="INSIGHT"
conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="WEBAUTH" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All WEBAUTH Failed Authentications " name="[WEBAUTH Failed Authentications]"
qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="WEBAUTH" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
<conditionSets conditionJoinType="AND">
<conditions value="0" operator="NOT_EQUALS" columnName="Error-Code" scope="Auth"/>
</conditionSets>
</DataFilter>
<DataFilter description="All Application Authentications" name="[Application Authentication]"
qType="INSIGHT" conditionSetJoinType="AND">
<conditionSets conditionJoinType="AND">
<conditions value="Application" operator="EQUALS" columnName="Protocol" scope="Auth"/>
</conditionSets>
</DataFilter>
</DataFilter>
<SyslogTargets>

Add Aruba ClearPass


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Aruba

Data Source Model ClearPass

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Aruba ClearPass log format and field mapping


Log format
The expected format for this device is:

Session Log:

CEF.SignatureID CEF.EventName Severity duser dmac dpriv cs2 outcome rt dvc cat

Insight Log:

CEF.SignatureID CEF.EventName Severity dmac cs6 dst duser cs4 cs5 rt dvc cat

Audit Log:

CEF.SignatureID CEF.EventName Severity rt cat duser dvc act

System Log:

CEF.SignatureID CEF.EventName Severity dvc deviceProcessName outcome rt cat

Log sample
This is a sample log from an Aruba ClearPass device:

Session Log:

<143>Aug 10 2016 15:18:04 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|2006|Guest Access|1|
duser=bob dmac=784b877a4155 dpriv=[User Authenticated] cs2=UNKNOWN cs2Label=System Posture Token
outcome=[Allow Access Profile] rt=Aug 10 2016 15:16:51 dvc=172.20.21.100 cat=Session Logs

Insight Log:

<143>Aug 11 2016 14:59:50 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|1009|Endpoints|1|
dmac=784b877a4155 cs6=Murata Manufacturing Co., Ltd. cs6Label=Endpoint.MAC-Vendor dst=172.20.21.7 duser=bob
cs3=Computer cs3Label=Endpoint.Device-Category cs4=Linux cs4Label=Endpoint.Device-Family cs5=Linux Computer
cs5Label=Endpoint.Device-Name ArubaClearpassEndpointConflict=f ArubaClearpassEndpointStatus=Known
deviceCustomDate1=Aug 03 2016 14:31:54 deviceCustomDate1Label=Endpoint.Added-At rt=Aug 11 2016 14:56:52
dvc=172.20.21.100 cat=Insight Logs

Audit Log:

<143>Aug 01 2016 11:16:42 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|3002|Syslog Export Data|2|
rt=Aug 01 2016 11:16:32 fname=Intel Radius Authenication cat=Audit Records duser=admin dvc=172.20.21.100
act=REMOVE

System Log:

<143>Aug 23 2016 16:57:39 172.20.21.100 CEF:0|Aruba Networks|ClearPass|6.6.1.84176|4009|restart|1|
dvc=172.20.21.100 deviceProcessName=Policy server outcome=Success rt=Aug 23 2016 16:55:23 cat=ClearPass
System Events

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

deviceProcessName, destinationServiceName Application

Client IP Address, dst, dvc Source IP

rt, start First Time, Last Time

CEF.Severity Severity

dmac Source Mac

Endpoint.MAC-Vendor Object_Type

ArubaClearpassGuestVisitorCompany Domain

dvchost Hostname

requestMethod Method

duser Source User

ArubaClearpassGuestVisitorName Contact_Nickname

outcome, reason Message_Text

Endpoint.Device-Name External_Device_Name

CEF.SignatureID External_EventID

Endpoint.Device-Family External_Device_Type

cat Subcategory

src Device_IP

msg, CEF.EventName Message

CEF.SignatureID SID

act, outcome Action

ArubaClearpassOnboardEnrollmentDeviceVersion Version

dpriv Privileges
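
Added example (not McAfee's parser or ArcSight's reference code): a parser for the CEF format described in the ArcSight section, run over that section's sample and over the ClearPass Insight sample above, with the ArcSight table's extension-key mapping applied. It assumes the standard CEF backslash escaping of '|' in the header and '=' in extension values; the cs6/cs6Label resolution step is what produces the Endpoint.* names the ClearPass mapping table refers to.

```python
"""Parse an ArcSight CEF record into the fields McAfee ESM maps from it.

Added example, not McAfee's or ArcSight's code. The header is seven fixed
'|'-separated fields; the Extension is key=value pairs in vendor-chosen order
whose values may contain spaces (cat=Web Policy). CEF escapes '|' in the
header and '=' in extension values with a backslash (assumed here).
"""
import re

HEADER_FIELDS = ("Version", "Device Vendor", "Device Product",
                 "Device Version", "Signature ID", "Name", "Severity")

# Extension keys -> ESM fields, from the ArcSight CEF mapping table on this page.
ESM_FIELD_MAP = {
    "act": "Event Subtype", "dpt": "Dest Port", "dst": "Dest IP",
    "dmac": "Dest Mac", "cnt": "Event Count", "proto": "Protocol",
    "spt": "Source Port", "src": "Source IP", "smac": "Source MAC",
    "start": "Firsttime", "end": "Lasttime", "severity": "Severity",
    "dproc": "Application", "nitroCommandID": "Command", "sntdom": "Domain",
    "shost": "Host", "fname": "Object", "spriv": "Object",
    "nitroObjectID": "Object", "duser": "Dest User", "suser": "Source User",
}

# A key starts the string or follows whitespace and is immediately followed
# by '='; a value therefore runs up to the next such boundary.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(cef: str) -> list:
    """Split 'CEF:...' on unescaped '|' into the 7 header fields + extension."""
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, buf, i = [], [], len("CEF:")
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped '|' or '\'
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields + [cef[i:]]


def parse_extension(ext: str) -> dict:
    """Parse key=value pairs whose values may contain spaces or escaped '='."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").strip()
    return out


def resolve_labels(ext: dict) -> dict:
    """Rename custom fields (cs6, deviceCustomDate1, ...) by their *Label value."""
    out = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue                        # consumed as a name, not a field
        out[ext.get(key + "Label", key)] = value
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying CEF; return header, extension, ESM fields."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    parts = split_header(line[pos:])
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = resolve_labels(parse_extension(parts[7]))
    esm = {"Signature ID": header["Signature ID"],
           "Message": header["Name"], "Severity": header["Severity"]}
    for key, value in ext.items():
        if key in ESM_FIELD_MAP:
            esm[ESM_FIELD_MAP[key]] = value
    return {"header": header, "extension": ext, "esm": esm}


# Samples taken from this page (the ArcSight one shortened to fit).
SAMPLE_ARCSIGHT = (
    "2014-04-21T18:35:15.546Z 192.168.2.5 CEF:0|McAfee|ESM|9.4.0|277-2121969963|"
    "TCP_NC_MISS|2|start=1398105379000 end=1398105379000 cnt=1 "
    "deviceExternalId=Live BlueCoat ProxySG cat=Web Policy act=success "
    "proto=hopopt dst=192.168.2.114 dpt=80 src=192.168.2.16 sntdom=domain.com.tw "
    "duser=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) suser=johnsmith")
SAMPLE_CLEARPASS = (
    "<143>Aug 11 2016 14:59:50 172.20.21.100 CEF:0|Aruba Networks|ClearPass|"
    "6.6.1.84176|1009|Endpoints|1|dmac=784b877a4155 cs6=Murata Manufacturing "
    "Co., Ltd. cs6Label=Endpoint.MAC-Vendor dst=172.20.21.7 duser=bob "
    "cs5=Linux Computer cs5Label=Endpoint.Device-Name rt=Aug 11 2016 14:56:52 "
    "dvc=172.20.21.100 cat=Insight Logs")

if __name__ == "__main__":
    for sample in (SAMPLE_ARCSIGHT, SAMPLE_CLEARPASS):
        for field, value in sorted(parse_cef(sample)["esm"].items()):
            print(f"{field}: {value}")
```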

Attivo Networks BOTsink

Configure Attivo Networks BOTsink


Task

1. In the BOTsink console, click the Gear icon, then select Administration → Syslog.
2. To configure a new syslog destination, click the + Server icon, then fill in the required BOTsink fields:

• Name – Type a name that helps you identify the McAfee Event Receiver.
• IP address – Type IP address of the McAfee Event Receiver.
• Port – Type 514 or a server-side port.
• Protocol – Select User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
• Enable – Select to turn on syslog forwarding from the BOTsink Manager.

3. Click Save.

Add Attivo Networks BOTsink


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Attivo Networks

Data Source Model BOTsink

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Attivo Networks BOTsink log format and field mapping


Log format
The expected format for this device is:

<9>BotSink: Severity:[] Attacker IP:[] Target IP:[] Target OS:[] Description:[] Details:[] Phase:[] Service:[]

Log samples
This is a sample log from a device:

<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] Target IP:[1.1.1.1] Target OS:[CentOS 7.0]
Description:[Telnet connection started] Details:[16/8/1@19:32:42: START: telnet pid=122 from=1.1.1.1 ] Phase:
[Access] Service:[TELNET]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Description Message

Severity Severity

Attacker IP Attacker_IP, Hostname

Target IP Victim_IP, Destination_Hostname

Target OS Operating_System

Details Message_Text

Phase Threat_Category

Service Service_Name

Details (Access Log timestamp) First Time, Last Time

Device External_Device_Type

VLANID vlan
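
Added example (not Attivo's or McAfee's code): a parser for the Name:[value] format above, run over the page's sample line and mapped through the field table, including the access-log timestamp that the table takes from Details for First Time and Last Time. The page does not say how that timestamp is ordered; the example assumes 16/8/1@19:32:42 is yy/m/d@HH:MM:SS.

```python
"""Map Attivo BOTsink syslog events to the McAfee ESM fields listed above.

Added example, not Attivo's or McAfee's code. BOTsink writes each field as
Name:[value]; values never contain ']' but may contain ':' and '=', as the
Details field does. Details also carries the access-log timestamp that ESM
uses for First Time / Last Time; its yy/m/d@HH:MM:SS order is an assumption.
"""
import re
from datetime import datetime
from typing import Optional

# Name:[value] pairs; the name may contain spaces ("Attacker IP").
_FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?):\[([^\]]*)\]")
# Leading timestamp inside Details, e.g. "16/8/1@19:32:42: START: ..."
_DETAIL_TS = re.compile(r"^\s*(\d{1,2})/(\d{1,2})/(\d{1,2})@(\d{2}):(\d{2}):(\d{2}):")

# BOTsink field -> ESM field(s), from the mapping table on this page.
ESM_FIELD_MAP = {
    "Description": ("Message",),
    "Severity": ("Severity",),
    "Attacker IP": ("Attacker_IP", "Hostname"),
    "Target IP": ("Victim_IP", "Destination_Hostname"),
    "Target OS": ("Operating_System",),
    "Details": ("Message_Text",),
    "Phase": ("Threat_Category",),
    "Service": ("Service_Name",),
}


def parse_fields(line: str) -> dict:
    """Return the Name:[value] pairs of one BOTsink line, values stripped."""
    if "BotSink:" not in line:
        raise ValueError("not a BOTsink record")
    return {m.group(1).strip(): m.group(2).strip() for m in _FIELD.finditer(line)}


def details_timestamp(details: str) -> Optional[datetime]:
    """Extract the access-log timestamp ESM maps to First Time / Last Time."""
    m = _DETAIL_TS.match(details)
    if not m:
        return None
    yy, mo, dd, hh, mi, ss = (int(x) for x in m.groups())
    return datetime(2000 + yy, mo, dd, hh, mi, ss)   # assumed yy/m/d order


def to_esm(line: str) -> dict:
    """Map one BOTsink line to ESM fields, including the two timestamp fields."""
    fields = parse_fields(line)
    esm = {}
    for name, value in fields.items():
        for esm_name in ESM_FIELD_MAP.get(name, ()):
            esm[esm_name] = value
    ts = details_timestamp(fields.get("Details", ""))
    if ts is not None:
        esm["First Time"] = esm["Last Time"] = ts
    return esm


# Sample line from this page.
SAMPLE = (
    "<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] Target IP:[1.1.1.1] "
    "Target OS:[CentOS 7.0] Description:[Telnet connection started] "
    "Details:[16/8/1@19:32:42: START: telnet pid=122 from=1.1.1.1 ] Phase:[Access] "
    "Service:[TELNET]")

if __name__ == "__main__":
    for field, value in to_esm(SAMPLE).items():
        print(f"{field}: {value}")
```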

Axway SecureTransport

Configure Axway SecureTransport


See the Axway SecureTransport product documentation for instructions on sending syslog logs to a remote server. Use the
McAfee Event Receiver IP address for the address of the remote server.

Add Axway SecureTransport


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Axway

Data Source Model SecureTransport

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Axway SecureTransport log format and field mapping


Log format
The expected format for this device is:

Weekday Date Time Version IP Filesize FilePath/FileName TransferType(s) Username TransferProtocol

Log sample
This is a sample log from an Axway SecureTransport device:

Mon Jan 01 00:00:00 2001 514 192.0.2.0 100000000 /Folder/Folder/Folder/Folder/Folder/
CompressedFile.part1.rar a n o r oteupp ftp 0 *

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Weekday Date Time First Time, Last Time

Version Version

IP Source IP

Filesize Message_Text

FilePath/FileName Object

Username Source Username

TransferProtocol Application

Barracuda Spam Firewall

Configure Barracuda Spam Firewall


Task

1. In the web interface, go to Advanced → Advanced Networking.
2. In the Syslog Configuration section, enter the IP address of the McAfee Event Receiver in the Mail Syslog field.
3. In the Port field, enter the number where the McAfee Event Receiver is listening (default is 514).
4. Select UDP for the Protocol, then click Add.

Add Barracuda Spam Firewall


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Barracuda Networks

Data Source Model Spam Firewall (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in Use this option when you are exporting raw data source data.
NitoFile
format

Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

274 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Option Definition

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Barracuda Spam Firewall log format and field mapping


Log format
The expected format for this device is:

<event action> <hostname> <IP address> <time> <username> <destination username> <spam score> <event ID> <subject>

Log sample
This is a sample log from a Barracuda Networks Spam Firewall device:

<123>inbound/pass[1234]: example.com[192.0.2.1] 1234567890-a1b2c3d4e5f6-a7b8c9 978310861 978310861 SCAN - example@example.com example@example.com 1 2 34 SUBJ:=Email Subject

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Host Hostname

Spam Score Spam_Score

Client IP Source IP

Username Source Username

Destination Username Destination Username

Email Subject Subject


Action Event_Class

Event ID External_Event_ID

Queued as ID Queue_ID

Bytes Received Bytes_Received

Barracuda Web Application Firewall

Configure Barracuda Web Application Firewall


Task

1. Open a web browser and log on to your Web Application Firewall (WAF) device.
2. Click the ADVANCED tab and select Export Logs.
3. In the Syslog section, click Add Syslog Server, then fill in these fields:

• Name: A name for reference in the WAF.


• IP Address: The IP address of your McAfee Event Receiver.
• Port: The port number used for syslog on your McAfee Event Receiver (514 by default).
• Connection Type: Most commonly UDP, the default in the McAfee Event Receiver.
• Validate Server Certificate: Select No.
• Client Certificate: Not needed when Validate Server Certificate is set to No.

4. Click Add.

Add Barracuda Web Application Firewall


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Barracuda Networks

Data Source Model Web Application Firewall (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM uses for this device when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Barracuda Web Application Firewall log format and field mapping

Log format
The expected format for this device depends on the log type:

System Logs:

Timestamp Module Name Log Level Event ID Message

Web Firewall Logs:

Timestamp Unit Name Log Type Severity Level Attack Description Client IP Client Port Application IP
Application Port Rule ID Rule Type Action Taken Follow-up Action Attack Details Method URL Protocol Session
ID User Agent Proxy IP Proxy Port Authenticated User Referrer Attack ID Attack Group

Access Logs:

Timestamp Unit Name Log Type Application IP Application Port Client IP Client Port Login ID Certificate User
Method Protocol Host Version HTTP Status Bytes Sent Bytes Received Cache Hit Time Taken Server Server Port
Server Time Session ID Response Type Field Profile Matched Field Protected Field WF Matched Field URL Query
Referrer Cookie User Agent Proxy IP Proxy Port Authenticated User Custom Header 1 Custom Header 2 Custom
Header

Audit Logs:

Timestamp Unit Name Log Type Admin Name Client Type Login IP Login Port Transaction Type Transaction ID
Command Name Change Type Object Type Object Name Variable Old Value New Value
Additional Data

Network Firewall Logs:

Unit Name Timestamp Log Type Severity Level Protocol Source IP Source Port Destination IP Destination Port
Action ACL Name Interface ACL Details

Log sample
These are sample logs from a Barracuda Networks Web Application Firewall device, one for each log type:

System Log:

Feb 3 15:09:02 wsf STM: LB 5 00141 LookupServerCtx = 0xab0bb600

Web Firewall Log:

2016-02-03 01:49:09.077 -0800 wafbox1 WF ALER SQL_INJECTION_IN_PARAM 192.0.2.0 39661 198.51.100.0 80 webapp1:deny_ban_dir GLOBAL LOG NONE [type="sql-injection-medium" pattern="sql-quote" token="' or " Parameter="address" value="hi' or 1=1--"] POST 192.0.2.0/cgi-bin/process.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: 1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 192.0.2.0 39661 User1 http://192.0.2.0/cgi-bin/1.pl 11956 ATTACK_CATEGORY_INJECTION

Access Log:

2016-02-02 21:16:59.914 -0800 wafbox1 TR 192.0.2.0 80 198.51.100.0 37754 "-" "-" POST HTTP 192.0.2.0 HTTP/1.1 200 812 6401 0 198.51.100.0 80 0 SERVER DEFAULT PASSIVE VALID /cgi-bin/process.cgi "-" http://192.0.2.0/cgi-bin/1.pl ys-grid_firewall_log-grid=o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Aiso_timestamp%25255Ewidth%25253Dn%2525253A38%255Eo%252 "Mozilla/5.0 (X11; U; Linux i686 (x86_64);en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 198.51.100.0 37754 User2 en-us,or;q=0.5 gzip,deflate ISO-8859-15,utf-8;q=0.7,*;q=0.7

Audit Log:

2016-02-02 21:08:53.861 -0800 wafbox1 AUDIT User3 GUI 192.0.2.0 0 CONFIG 17 - SET web_firewall_policy default url_protection_max_upload_files "5" "6" "[]"

Network Firewall Log:

afbox1 2016-05-21 03:28:23.494 -0700 NF INFO TCP 192.0.2.0 52236 192.0.2.0 8000 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Timestamp First Time, Last Time


Attack Description Message

Client IP Source IP

Client Port Source Port

Application IP Destination IP

Application Port Destination Port

Rule ID Signature_Name

Rule Type Object

Attack Details Message_Text

Method Application, Method

URL URL

Protocol Protocol, App_Layer_Protocol

User Agent User_Agent

Referrer Referrer

User Source Username

Bytes Sent Bytes_Sent

Bytes Received Bytes_Received

Cmd Command

HTTP status Query_Response


Version Application_Protocol

Device Type Object

ACL Name Policy_Name

Interface Interface
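The WAF layouts above are positional, but two fields defeat a plain split on spaces: Attack Details is a bracketed list of key="value" pairs whose values contain spaces (and, for injection attempts, quotes), and User Agent is a quoted string. The Network Firewall layout also puts Unit Name before Timestamp, and ACL Details is free text. The parser below is an added example for this guide, not McAfee's or Barracuda's code: it tokenizes with those cases in mind, dispatches on the log type, and renames fields according to the mapping table. It handles only the WF and NF layouts; the sample lines are constructed, modelled on the samples above, and the field names used in the code (client_ip, attack_details_kv and so on) are this example's own.

```python
"""Positional parser for Barracuda WAF syslog lines (WF and NF types), mapped to ESM fields."""
import re
from typing import Any, Dict, List

# Constructed sample lines, modelled on this guide's Web Firewall and Network Firewall
# samples (RFC 5737 documentation addresses; unit name and user names are made up).
WF_SAMPLE = (
    '2016-02-03 01:49:09.077 -0800 wafbox1 WF ALER SQL_INJECTION_IN_PARAM '
    '192.0.2.0 39661 198.51.100.0 80 webapp1:deny_ban_dir GLOBAL LOG NONE '
    '[type="sql-injection-medium" pattern="sql-quote" token="\' or " '
    'Parameter="address" value="hi\' or 1=1--"] POST 192.0.2.0/cgi-bin/process.cgi '
    'HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: 1.8.1.20) '
    'Gecko/20081217 Firefox/2.0.0.20" 192.0.2.0 39661 User1 '
    'http://192.0.2.0/cgi-bin/1.pl 11956 ATTACK_CATEGORY_INJECTION'
)
NF_SAMPLE = (
    'wafbox1 2016-05-21 03:28:23.494 -0700 NF INFO TCP 192.0.2.0 52236 '
    '192.0.2.0 8000 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP'
)
# Field order from the "Log format" section. The three timestamp tokens (date, time,
# UTC offset) become one field; the last field absorbs any trailing free-text tokens.
WF_FIELDS = [
    'timestamp', 'unit_name', 'log_type', 'severity', 'attack_description',
    'client_ip', 'client_port', 'application_ip', 'application_port', 'rule_id',
    'rule_type', 'action_taken', 'follow_up_action', 'attack_details', 'method',
    'url', 'protocol', 'session_id', 'user_agent', 'proxy_ip', 'proxy_port',
    'authenticated_user', 'referrer', 'attack_id', 'attack_group',
]
NF_FIELDS = [
    'unit_name', 'timestamp', 'log_type', 'severity', 'protocol', 'source_ip',
    'source_port', 'destination_ip', 'destination_port', 'action', 'acl_name',
    'interface', 'acl_details',
]
# Parser field -> ESM field, following the field-mapping table in this guide.
ESM_MAP = {
    'timestamp': 'First Time', 'attack_description': 'Message',
    'client_ip': 'Source IP', 'client_port': 'Source Port',
    'application_ip': 'Destination IP', 'application_port': 'Destination Port',
    'source_ip': 'Source IP', 'source_port': 'Source Port',
    'destination_ip': 'Destination IP', 'destination_port': 'Destination Port',
    'rule_id': 'Signature_Name', 'rule_type': 'Object', 'attack_details': 'Message_Text',
    'method': 'Method', 'url': 'URL', 'protocol': 'Protocol', 'user_agent': 'User_Agent',
    'referrer': 'Referrer', 'authenticated_user': 'Source Username',
    'acl_name': 'Policy_Name', 'interface': 'Interface',
}
_KV = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs inside Attack Details


def tokenize(line: str) -> List[str]:
    """Split on whitespace, but keep a "..." token or a [...] group (which may itself hold
    quoted values with spaces or brackets) as one token, minus its outer delimiters."""
    tokens, cur, depth, in_quote = [], [], 0, False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            if depth > 0:                  # keep inner quotes for the key="value" parser
                cur.append(ch)
            continue
        if not in_quote:
            if ch == '[':
                depth += 1
                if depth == 1:
                    continue               # drop the outer bracket
            elif ch == ']':
                depth -= 1
                if depth == 0:
                    continue
            elif ch.isspace() and depth == 0:
                if cur:
                    tokens.append(''.join(cur))
                    cur = []
                continue
        cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse(line: str) -> Dict[str, Any]:
    """Dispatch on the log type; NF lines put the unit name before the timestamp."""
    toks = tokenize(line)
    if len(toks) < 5:
        raise ValueError('too few fields for a Barracuda WAF log line')
    log_type = toks[4]                     # index 4 in both layouts (3 timestamp tokens + unit)
    if log_type == 'WF':
        layout, values = WF_FIELDS, [' '.join(toks[:3])] + toks[3:]
    elif log_type == 'NF':
        layout, values = NF_FIELDS, [toks[0], ' '.join(toks[1:4])] + toks[4:]
    else:
        raise ValueError(f'log type {log_type!r} not handled here (only WF and NF)')
    if len(values) < len(layout):
        raise ValueError(f'{log_type} line has {len(values)} fields, expected {len(layout)}')
    fields: Dict[str, Any] = dict(zip(layout, values))
    fields[layout[-1]] = ' '.join(values[len(layout) - 1:])      # free-text tail
    if log_type == 'WF':
        fields['attack_details_kv'] = dict(_KV.findall(fields['attack_details']))
    return fields


def to_esm(fields: Dict[str, Any]) -> Dict[str, Any]:
    esm = {ESM_MAP[k]: v for k, v in fields.items() if k in ESM_MAP}
    esm['Last Time'] = fields['timestamp']
    return esm


if __name__ == '__main__':
    for sample in (WF_SAMPLE, NF_SAMPLE):
        for k, v in to_esm(parse(sample)).items():
            print(f'{k:18} {v}')
```

The tokenizer is the part worth keeping: a naive split would cut the injected value `hi' or 1=1--` into three fields and shift every later column, so Attack ID and Attack Group would land in the wrong ESM fields. Lines of the other types (TR, AUDIT, system) are rejected rather than mis-parsed; add their layouts from the Log format section before relying on the parser for them.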

Barracuda Web Filter

Configuring Barracuda Web Filter


Task

1. From the admin interface, go to Advanced → Syslog.
2. Enter the IP address of the McAfee Event Receiver.

Add Barracuda Web Filter


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Barracuda Networks

Data Source Model Barracuda Web Filter (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM uses for this device when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Barracuda Web Filter log format and field mapping


Log format
The expected format for this device is:

<device IP> <service> <time date> <source IP> <destination IP> <web domain> <action> <service> <command>
<application> <user>

Log sample
This is a sample log from a Barracuda Networks Web Filter device:

[192.0.2.1] <123>http_scan[12345]: 978310861 192.0.2.2 192.0.2.3 text/javascript http://example.com/ 123 ABC ALLOWED CLEAN 2 1 1 0 1 (ldap0:internet_standardaccess) 1 CUSTOM-6 0 - 0 example.com search-engines-portals,CUSTOM-5,CUSTOM-6,CUSTOM-12345678901112 [ldap0:user]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Hostname

Application Application

Source IP Source IP

Destination IP Destination IP

Command Command


Web Domain Domain

Service Object

User Source Username

Description Message_Text

Subject Subject

BeyondTrust BeyondInsight

Configure BeyondTrust BeyondInsight


Task

Follow the vendor instructions at https://www.beyondtrust.com/docs/beyondinsight-password-safe/documents/bi/integrations/bi-ps-third-party-integration-guide.pdf to configure this data source.

Add BeyondTrust BeyondInsight


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor BeyondTrust

Data Source Model BeyondInsight

Data Format Default

Data Retrieval SYSLOG

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignment User Defined 1

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM uses for this device when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

BeyondTrust BeyondInsight log format and field mapping


Log sample
An example log from the data source.

<5>2017-03-02T11:53:51Z 10.101.25.167 Agent Desc: normalized Agent ID: fim Agent Ver: Category:
Source Host: Event Desc: Event Name: OS: Event Severity: 5 Source IP: Event
Subject: Event Type: 0 User: Workgroup Desc: Workgroup ID: Workgroup Location:
AssetName: ATTACK1 FimEventName: Unknown FimEventTypeID: 10000 AssetId: 3 FimDate: 2017-03-02
2:42:37 PM UserIdentifier: UserName: UserType: Alert: No FilePath:
FileSHA1: FileMD5: FileVersion: FileSize: FileAttributes:
FileAccessControlLists: UserName1: UserType1: Alert1: No Action: AccessMask:
CallerProductName: CallerVendor: CallerVersion: CallerDigitalSignature: CallerSHA1:
CallerMD5: CallerPath: Deferred: FimCategory: BLINK-FMP-905 Name: Description: File
Integrity Module in Power Broker EPP has been disabled since a version of PowerBroker for Windo Severity: 5
RuleGuid: RuleName: File Integrity Cannot be Enabled RuleDescription: File Integrity Module in
Power Broker EPP has been disabled since a version of PowerBroker for Windows Desktops was detected. To
avoid this message, disable the File Integrity engine in EPP Central Policy RulePath:

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

actType action

agentID application

target Attribute_Type

category Category


fimCategory Category

systemName Category

Desc Description

fimRuleDesc Description

path Destination_Filename

actType Device_Action

dip dst_ip

assetName External_Device_Name

eventID External_EventID

auditID External_SessionID

callerPath File_Path

path File_Path

roleUsed Group_Name

workGroupDesc Group_Name

hostname hostname

sHost hostname

eventDesc Message_Text

eventName msg


objectType objectname

osType Operating_System

userType Privileged_User

eventSev1 severity

sha1 SHA1

fimRuleName Signature_Name

ruleName Signature_Name

appUserID Source_UserID

userID Source_UserID

sip src_ip

app Target_Process_Name

username UserIDSrc

Bit9 Parity Suite

Configure Bit9 Parity Suite


Task

1. Navigate to the System Configuration page in the user interface.
2. On the Configuration Options list, select Server Status, click Edit, then select Syslog enabled.
3. In the Syslog address field, enter the IP address of your McAfee Event Receiver, then set the Syslog port to 514.
4. Set Syslog format.

• For standard syslog formatted logs, set to Basic (RFC 3164).
• For ArcSight CEF formatted logs, set to CEF (ArcSight).

5. Click Update to save changes and exit.

Add Bit9 Parity Suite


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Bit9

Data Source Model Bit9 Parity Suite (ASP) for Basic (RFC 3164) logs

Bit9 Parity Suite – CEF (ASP) for ArcSight CEF formatted logs

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM uses for this device when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Bit9 Parity Suite Basic (RFC 3164) log format and field mapping
Log format
The expected format for this device is:

<date time> <device name> <message>

Log sample
This is a sample log from a Bit9 Parity Suite device:

<123>1 2001-01-01T01:01:01Z example.name.com Parity - - - Bit9 ParityServer event: text="Computer from '192.0.2.1' changed its name from 'hostname1' to 'hostname2'." event_type="Computer Management" event_subtype="Computer modified" hostname="hostname2" username="exampleName" date="1/01/2001 01:01:01 PM"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

hostname Hostname

event_type Application

ip_address Source IP

Destination IP Destination IP

Source MAC Source MAC

Destination MAC Destination MAC

CLI Command

hostname Domain

Name, hash Object

username Source_Username

Destination Username Destination_Username

process Target_Process_Name

file_name Destination_Filename

policy Policy_Name

Description Message_Text

Bit9 Parity Suite - CEF (ArcSight) log format and field mapping

Log format
The expected CEF format for this device is:

<priority> <date> <hostname> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<custom field label=label> <custom field value=value>…

Log sample
This is a sample CEF log from a Bit9 Parity Suite device:

<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|externalId=123456 cat=value rt=Jan 01 01:01:01 UTC filePath=c:\\example.net fname=example.net fileHash=a1b2c3d4e5f6 fileId=123456 dproc=c:\\example.exe dst=192.0.2.1 dhost=hostname duser=username dvchost=hostname msg=Server discovered new file example.net cs1Label=rootHash cs1=hash cs2Label=installerFilename cs2=filename cs3Label=Policy cs3=policy

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

dhost Hostname

installerFilename Application

src Source IP

dst Destination IP

spt Source Port

dpt Destination Port

smac Source MAC

dmac Destination MAC

proto Protocol


cnt Event Count

fname Filename

Policy Object_Type

spriv Object

suser Source_Username

duser Destination_Username

externalId End_Page

act Event Subtype
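CEF lines need a different parser from the positional formats earlier in this chapter: the header is pipe-delimited with \| and \\ escapes, an extension value runs until the next key= and may contain spaces (msg=Server discovered new file example.net), and Bit9 carries Policy and installerFilename in ArcSight custom fields (cs3Label=Policy cs3=policy) that must be resolved through their labels before the mapping table can be applied. The parser below is an added example, not McAfee's or Bit9's code. Its sample line is constructed from the sample above; the ESM names it uses for the two header fields (Signature_ID, Message) are assumptions, since the table above only lists extension keys.

```python
"""Parse an ArcSight CEF syslog line (Bit9 Parity Suite form) into ESM-style fields."""
import re
from typing import Any, Dict

# Constructed sample, modelled on the Bit9 CEF sample in this guide. Raw strings, so the
# backslashes are the CEF-escaped form (c:\\example.net) exactly as a sender emits them.
CEF_SAMPLE = (
    r'<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|'
    r'externalId=123456 cat=value rt=Jan 01 01:01:01 UTC filePath=c:\\example.net '
    r'fname=example.net fileHash=a1b2c3d4e5f6 fileId=123456 dproc=c:\\example.exe '
    r'dst=192.0.2.1 dhost=hostname duser=username dvchost=hostname '
    r'msg=Server discovered new file example.net cs1Label=rootHash cs1=hash '
    r'cs2Label=installerFilename cs2=filename cs3Label=Policy cs3=policy'
)

HEADER_FIELDS = ['version', 'device_vendor', 'device_product', 'device_version',
                 'signature_id', 'name', 'severity']
_PIPE = re.compile(r'(?<!\\)\|')                   # a pipe not preceded by a backslash
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')    # start of an extension key
_ESC = re.compile(r'\\(.)')                        # CEF escapes: \| \= \\ \n \r
_LABEL = re.compile(r'^(c[sn]\d+)Label$')          # cs1Label, cn2Label, ...

# CEF key -> ESM field, as listed in the Bit9 CEF field-mapping table in this guide.
ESM_MAP = {
    'dhost': 'Hostname', 'installerFilename': 'Application', 'src': 'Source IP',
    'dst': 'Destination IP', 'spt': 'Source Port', 'dpt': 'Destination Port',
    'smac': 'Source MAC', 'dmac': 'Destination MAC', 'proto': 'Protocol',
    'cnt': 'Event Count', 'fname': 'Filename', 'Policy': 'Object_Type',
    'spriv': 'Object', 'suser': 'Source_Username', 'duser': 'Destination_Username',
    'externalId': 'End_Page', 'act': 'Event Subtype',
}


def unescape(value: str) -> str:
    return _ESC.sub(lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs whose values may contain spaces; a value ends where the next key starts."""
    out: Dict[str, str] = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    # Resolve ArcSight custom fields: cs1Label=rootHash cs1=hash  ->  rootHash=hash
    for key in list(out):
        lab = _LABEL.match(key)
        if lab and lab.group(1) in out:
            out[out[key]] = out[lab.group(1)]
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('not a CEF line')
    syslog_prefix, body = line[:start], line[start:]
    parts = _PIPE.split(body, maxsplit=7)          # 7 header fields, then the extension
    if len(parts) != 8:
        raise ValueError('malformed CEF header: expected 7 pipe-delimited fields')
    header = dict(zip(HEADER_FIELDS, [unescape(p) for p in parts[:7]]))
    header['version'] = header['version'][len('CEF:'):]
    pri = re.match(r'<(\d+)>', syslog_prefix)       # syslog PRI, if a syslog header is present
    return {
        'syslog_pri': int(pri.group(1)) if pri else None,
        'header': header,
        'extension': parse_extension(parts[7]),
    }


def cef_to_esm(event: Dict[str, Any]) -> Dict[str, str]:
    esm = {ESM_MAP[k]: v for k, v in event['extension'].items() if k in ESM_MAP}
    esm['Signature_ID'] = event['header']['signature_id']   # assumed ESM names for header fields
    esm['Message'] = event['header']['name']
    return esm


if __name__ == '__main__':
    for k, v in cef_to_esm(parse_cef(CEF_SAMPLE)).items():
        print(f'{k:22} {v}')
```

Splitting the header on every `|` or the extension on every space is the usual mistake: a product name containing an escaped pipe shifts the signature ID and severity, and the free-text msg field ends up scattered over several keys. The label resolution is what lets Policy and installerFilename be looked up by the names the mapping table uses.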

Blue Coat Director

Configure Blue Coat Director


See the Blue Coat Director product documentation for instructions on sending syslog logs to a remote server. Use the McAfee
Event Receiver IP address for the address of the remote server.

Add Blue Coat Director


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Blue Coat

Data Source Model Director (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM uses for this device when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Blue Coat Director log format and field mapping


Log format
The expected format for this device is:

<date time> <severity> <hostname> <user> <IP address> <message>

Log sample
This is a sample log from a Blue Coat Director device:

Jan 01 01:01:01 <cli.notice_minor> hostname cli[1234]: admin@192.0.2.2: Device exampleName: attempting connection using ssh.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Device ID Hostname

Destination Hostname Destination_Hostname

IP Protocol Protocol

IP Address Source IP


Destination IP Destination IP

Port Source Port

Application Application

Command Command

Filename Filename

Invalid IP Object

User Source Username

Destination User Destination Username

URL List URL
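The Director line in the sample above can be pulled apart with a regular expression and mapped to the ESM field names from the table. This is an added example, not code from the guide or from McAfee: the regex, the names parse_director_line and parse_director_lines, and the way the regex groups are assigned to the ESM fields (including treating a non-parsable address as the table's Invalid IP → Object row) are my assumptions based on the sample line.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Shape of the Director line shown in the sample above (my reading of it):
#   <Mon DD HH:MM:SS> <severity> <hostname> <process>[<pid>]: <user>@<ip>: <message>
# The severity is wrapped in angle brackets and the user and IP are joined by "@".
DIRECTOR_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"<(?P<severity>[^>]+)> "
    r"(?P<hostname>\S+) "
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+): "
    r"(?P<message>.*)$"
)

# The guide's sample line, copied verbatim.
DIRECTOR_SAMPLE = (
    "Jan 01 01:01:01 <cli.notice_minor> hostname cli[1234]: "
    "admin@192.0.2.2: Device exampleName: attempting connection using ssh."
)


def parse_director_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Map one Director syslog line to ESM field names, or return None if it does not match."""
    m = DIRECTOR_RE.match(line.strip())
    if m is None:
        return None
    # An address that is not a valid IP is kept under Object rather than Source IP,
    # mirroring the table's "Invalid IP -> Object" row (my interpretation of that row).
    try:
        ipaddress.ip_address(m["ip"])
        source_ip, obj = m["ip"], None
    except ValueError:
        source_ip, obj = None, m["ip"]
    return {
        "Hostname": m["hostname"],        # Device ID -> Hostname
        "Source Username": m["user"],     # User -> Source Username
        "Source IP": source_ip,           # IP Address -> Source IP
        "Object": obj,                    # Invalid IP -> Object
        "Severity": m["severity"],
        "Message": m["message"],
        "Timestamp": f"{m['month']} {m['day']} {m['time']}",
    }


def parse_director_lines(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Parse a batch; unmatched lines are returned separately so they are not silently dropped."""
    parsed: List[dict] = []
    unmatched: List[str] = []
    for line in lines:
        event = parse_director_line(line)
        if event is None:
            unmatched.append(line)
        else:
            parsed.append(event)
    return parsed, unmatched
```

Lines that do not match the expected shape are handed back rather than discarded, which is the same concern the Support Generic Syslogs option addresses on the Receiver: a format change on the device should show up as unparsed lines, not as silently missing events.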

Blue Coat ProxySG

Create a custom log format


McAfee ESM requires a custom format for the Blue Coat Access Logs.

Task

1. Select Configuration → Access Logging → Formats, then click New.


2. Select a format type.

• W3C Extended Log File Format (ELFF) string


• Custom format string to use log-specific formats

3. Give the format a name, then type the format:

• If you selected W3C Extended Log File Format (ELFF) string, type this custom format:

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes


• If you selected Custom format string, enter the format for the supported custom string.

4. Click Test Format to make sure that there are no syntax errors.
5. Select Log all headers from the Multiple-valued header policy list, then click OK.

Associating the custom log format with a custom log


Task

1. Select Configuration → Access Logging → Logs → Logs, then click New.


2. Type a log name, select your custom log format from the drop-down list, then add a meaningful description.
3. Type the maximum size that the remote log file reaches before rolling over to a new file.
4. Enter a size for the Early Upload file, then click OK.

Associating the custom log to the Web Content Policy


Task

1. Select Configuration → Policy → Visual Policy Manager → Launch.


2. Once the Visual Policy Manager (VPM) has started, add a Web Content Layer or edit the existing one. This document
describes adding a Web Content Layer.
3. In the VPM, select Policy → Add Web Content Layer, then enter a name for this new Web Content Layer.
4. Right-click the Action column, select Set, then select New → Modify Access Logging.
5. Select Enable Logging to, then, from the drop-down list, select the custom log you created.
6. Click OK, then click Install Policy.

Enable Access Logging globally


Task

1. Select Configuration → Access Logging → General → Default Logging.


2. Select Enable Access Logging, then click Apply.

Configure Syslog
Task

1. Select Configuration → Access Logging → Logs → Upload Client.


2. In the Log drop-down list, select the custom log that you created.
3. From the Client Type drop-down list, select Custom Client, then click Settings.


4. Fill in these fields:

• Host – Enter the IP address of the McAfee Event Receiver.


• Port – Enter 514.
• Use Secure Connections (SSL) – Deselect.

5. Click OK.
6. Click Apply to return to the Upload Client tab.
7. For Save the log file as, select text file.
8. Leave the defaults for all other options.
9. Click the Upload Schedule tab.
10. Select Upload Type.
11. For Upload the access log, select continuously to stream the access logs to the McAfee Event Receiver.
12. Leave the default settings for all other options.
13. Click OK, then click Apply.

Add Blue Coat ProxySG (syslog)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Blue Coat Systems

Data Source Model ProxySG Access Log (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Add Blue Coat ProxySG (FTP)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.


3. From the Receiver Properties window, select Data Sources.


4. Click Add.

Option Definition

Data Source Vendor Blue Coat Systems

Data Source Model ProxySG Access Log (ASP)

Data Format Default

Data Retrieval FTP File Source

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Port 21 (default for FTP)

Number of Lines per record <Default>

Interval 5 Minutes

File Completion 60 Seconds

Delete processed files Select to have the Receiver delete the files from the FTP Server after they are
processed.

Path Enter “/” (without quotation marks)


Wildcard expression *.log.gz

Username The user name for the FTP client.

Password The password for the FTP client.

Encryption Leave deselected.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Blue Coat ProxySG log format and field mapping


Log format
The expected format for this device is:

Access log event v6 log example:

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

Access log event v5.4.6.1 log example:

date time c-ip c-port r-ip r-port x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-method x-cifs-server x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-read x-cifs-bytes-written x-client-connection-bytes x-server-connection-bytes x-server-adn-connection-bytes x-cifs-client-read-operations x-cifs-client-write-operations x-cifs-client-other-operations x-cifs-server-operations s-action x-cifs-error-code cs-username cs-auth-group s-ip

These log formats are supported custom formats:

nFMAIN log example:

nFMAIN Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Status=|$(sc-status)|, Action=|$(s-action)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Method=|$(cs-method)|, Scheme=|$(cs-uri-scheme)|, Username=|$(cs-username)|, Supplier=|$(s-supplier-name)|, UserAgent=|$(cs(User-Agent))|, Result=|$(sc-filter-result)|, Category=|$(sc-filter-category)|, Virus=|$(x-virus-id)|, DeviceIP=|$(s-ip)|, DevicePort=|$(s-port)|, URL=|$(c-uri)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|

nFIM log example:

nFIM Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, Method=|$(x-im-method)|, User-Id=|$(x-im-user-id)|, Client=|$(x-im-client-info)|, Buddy=|$(x-im-buddy-id)|, ChatRoom=|$(x-im-chat-room-id)|, Action=|$(s-action)|, File=|$(x-im-file-path)|, FileSize=|$(x-im-file-size)|, DeviceIP=|$(s-ip)|

nFSSL log example:

nFSSL Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Action=|$(s-action)|, CertStatus=|$(x-rs-certificate-validate-status)|, Errors=|$(x-rs-certificate-observed-errors)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Supplier=|$(s-supplier-name)|, ClientCipher=|$(x-rs-connection-negotiated-ssl-version)|, ClientCiphernegotiate=|$(x-rs-connection-negotiated-cipher)|, CipherSize=|$(x-rs-connection-negotiated-cipher-size)|, Category=|$(x-rs-certificate-hostname-category)|, ServerCipher=|$(x-cs-connection-negotiated-ssl-version)|, ServernegotiatedCipher=|$(x-cs-connection-negotiated-cipher)|, ServerCipherSize=|$(x-cs-connection-negotiated-cipher-size)|, Device=|$(s-ip)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Protocol=|$(cs-protocol)|, URL=|$(c-uri)|

nFSTREAM log example:

nFSTREAM Date=|$(date)|, Time=|$(time)|, Scheme=|$(cs-uri-scheme)|, DestinationPort=|$(cs-uri-port)|, Status=|$(c-status)|, User-Agent=|$(cs(User-Agent))|, Hostexe=|$(c-hostexe)|, Hostexever=|$(c-hostexever)|, Filesize=|$(filesize)|, Protocol=|$(transport)|, Bytes1=|$(sc-bytes)|, Bytes2=|$(c-bytes)|, Device=|$(s-ip)|, Source=|$(x-client-address)|, URL=|$(c-uri)|, Method=|$(cs-method)|

nFP2P log example:

nFP2P Date=|$(date)|, Time=|$(time)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, ClientType=|$(x-p2p-client-type)|, Bytes1=|$(x-p2p-client-bytes)|, Bytes2=|$(x-p2p-peer-bytes)|, Action=|$(s-action)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Device=|$(s-ip)|

Field mapping
Access Log

Fields with * indicate compatibility with version 9.2 and later only.


Log fields McAfee ESM fields

Date, Time Firsttime, lasttime

c-ip src_ip

cs-username src_username

sc-filter-result Query_Response.Query_Response*

cs-categories Subject.Subject

sc-status Action

s-action Message

cs-method commandname

rs-Content-Type application

cs-host domain

cs-uri-port dst_port

cs-uri-path URL.URL

Job_Name.Job_Name*

cs-User-Agent User_Agent.User_Agent*

s-ip dst_ip

Access Log v5.4.6.1

Fields with * indicate compatibility with version 9.2 and later only.


Log fields McAfee ESM fields

Date, Time Firsttime, lasttime

c-ip src_ip

s-action Message

cs-bytes Bytes_Sent.Bytes_Sent*

sc-bytes Bytes_Received.Bytes_Received*

cs-method Method.Method

cs-uri-scheme

cs-host domain

cs-uri-port src_port

cs-uri-path URL.URL

cs-username src_username

rs(Content-Type) application

cs(Referer) Referer.Referer*

cs-User-Agent User_Agent.User_Agent*

sc-filter-result Action

cs-categories Object_Type.Object_Type

x-virus-id Object_Type.Object_Type

s-ip dst_ip


nFMAIN

Fields with * indicate compatibility with version 9.2 and later only.

Log Fields McAfee ESM Fields

nfMAIN Application

Date, Time Firsttime, lasttime

Source src_ip

Status Response_Code.Response_Code*

Action Action

IncomingBytes Bytes_Received.Bytes_Received*

OutgoingBytes Bytes_Sent.Bytes_Sent*

Method Method.Method

Scheme Protocol

Username src_username

User-Agent User_Agent.User_Agent*

Result Query_Response.Query_Response*

Category Category.Category*

Virus Threat_Name.Threat_Name*

Device_IP Device_IP.Device_IP*

DevicePort src_port

URL URL.URL

DestinationIP dst_ip

DestinationPort dst_port

nFIM

Fields with a * indicate compatibility with version 9.2 and later only.

Log fields McAfee ESM fields

nFIM Application

Date, Time Firsttime, lasttime

Source src_ip

Username src_username

Protocol Protocol

Method Method.Method

Client Client_Version.Client_Version*

Action Action

File Filename.Filename

DeviceIP DeviceIP.DeviceIP*

nFSSL

Fields with * indicate compatibility with version 9.2 and later only.


Log fields McAfee ESM fields

nFSSL Application

Date, Time Firsttime, lasttime

Source src_ip

Action Action

DestinationIP dst_ip

DestinationPort dst_port

Supplier URL.URL

Category Category.Category*

DeviceIP DeviceIP.DeviceIP*

IncomingBytes Bytes_Received.Bytes_Received*

OutgoingBytes Bytes_Sent.Bytes_Sent*

Protocol Protocol

nFSTREAM

Fields with * indicate compatibility with version 9.2 and later only.

Log fields McAfee ESM fields

nFSTREAM Application

Date, Time Firsttime, lasttime

DestinationPort dst_port

Status Response_Code.Response_Code*

Action Action

User-Agent User_Agent.User_Agent*

Hostexe Client_Version.Client_Version*

Protocol Protocol

Bytes1 Bytes_Received.Bytes_Received*

Bytes2 Bytes_Sent.Bytes_Sent*

Device Device_IP.Device_IP*

Source src_ip

URL URL.URL

Method Method.Method

nFP2P

Fields with * indicate compatibility with version 9.2 and later only.

Log fields McAfee ESM fields

nFP2P Application

Date, Time Firsttime, lasttime

Source src_ip

Username src_username

Protocol Protocol

ClientType Message

Bytes1 Bytes_Received.Bytes_Received*

Bytes2 Bytes_Sent.Bytes_Sent*

Action Action

DestinationIP dst_ip

DestinationPort dst_port

Device Device_IP.Device_IP*
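The nF* custom formats above all share one layout: a format name, then comma-separated Key=|value| pairs with pipe-delimited values. The parser below reads that layout and applies the nFMAIN and nFP2P field mapping tables; the other three formats follow the same pattern and only need their own map. This is an added example and not code from the guide or from McAfee. The names PAIR_RE, FORMAT_MAPS and parse_custom_line are mine, the two sample lines are constructed (not taken from a real proxy), and the key names follow the format strings, so UserAgent and DeviceIP are used where the nFMAIN table writes User-Agent and Device_IP.

```python
import re
from typing import Dict, Optional

# One "Key=|value|" pair from the nF* custom formats above. Values are delimited
# by pipes, so a comma inside a value (e.g. "(KHTML, like Gecko)") does not
# split it; the ", " separators between pairs are simply skipped by findall.
PAIR_RE = re.compile(r"([A-Za-z][\w-]*)=\|([^|]*)\|")

# Log-field -> ESM-field maps copied from the nFMAIN and nFP2P tables above.
# Key names follow the format strings (UserAgent, DeviceIP).
NFMAIN_MAP = {
    "Source": "src_ip", "Status": "Response_Code", "Action": "Action",
    "IncomingBytes": "Bytes_Received", "OutgoingBytes": "Bytes_Sent",
    "Method": "Method", "Scheme": "Protocol", "Username": "src_username",
    "UserAgent": "User_Agent", "Result": "Query_Response",
    "Category": "Category", "Virus": "Threat_Name", "DeviceIP": "Device_IP",
    "DevicePort": "src_port", "URL": "URL", "DestinationIP": "dst_ip",
    "DestinationPort": "dst_port",
}
NFP2P_MAP = {
    "Source": "src_ip", "Username": "src_username", "Protocol": "Protocol",
    "ClientType": "Message", "Bytes1": "Bytes_Received", "Bytes2": "Bytes_Sent",
    "Action": "Action", "DestinationIP": "dst_ip", "DestinationPort": "dst_port",
    "Device": "Device_IP",
}
FORMAT_MAPS = {"nFMAIN": NFMAIN_MAP, "nFP2P": NFP2P_MAP}

# Constructed sample lines (not from the guide) in the nFMAIN and nFP2P layouts.
NFMAIN_SAMPLE = (
    "nFMAIN Date=|2016-01-05|, Time=|05:03:05|, Time-Taken=|30|, Source=|203.0.113.0|, "
    "Status=|200|, Action=|TCP_NC_MISS|, IncomingBytes=|1306|, OutgoingBytes=|1040|, "
    "Method=|GET|, Scheme=|http|, Username=|jdoe|, Supplier=|www.example.com|, "
    "UserAgent=|Mozilla/5.0 (KHTML, like Gecko)|, Result=|OBSERVED|, Category=|Unrated|, "
    "Virus=|-|, DeviceIP=|192.0.2.10|, DevicePort=|8080|, URL=|http://www.example.com/webpage/|, "
    "DestinationIP=|198.51.100.0|, DestinationPort=|80|"
)
NFP2P_SAMPLE = (
    "nFP2P Date=|2016-01-05|, Time=|05:04:00|, Source=|203.0.113.5|, Username=|jdoe|, "
    "Protocol=|tcp|, ClientType=|example-client|, Bytes1=|100|, Bytes2=|200|, "
    "Action=|TCP_DENIED|, DestinationIP=|198.51.100.7|, DestinationPort=|6881|, Device=|192.0.2.10|"
)


def parse_custom_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one nF* custom-format line into ESM field names.

    Returns None when the leading token is not a known format or the mandatory
    Date/Time pair is missing, so the caller can route the line elsewhere
    instead of silently producing a half-populated event.
    """
    fmt, sep, rest = line.strip().partition(" ")
    if not sep or fmt not in FORMAT_MAPS:
        return None
    fields = {key: value for key, value in PAIR_RE.findall(rest)}
    if "Date" not in fields or "Time" not in fields:
        return None
    stamp = f"{fields.pop('Date')} {fields.pop('Time')}"
    # Every table maps the nF* prefix to Application and Date, Time to both time fields.
    event: Dict[str, Optional[str]] = {"Application": fmt, "Firsttime": stamp, "Lasttime": stamp}
    for log_field, value in fields.items():
        esm_field = FORMAT_MAPS[fmt].get(log_field)
        if esm_field is None:
            continue  # not in the mapping table (e.g. Time-Taken, Supplier)
        event[esm_field] = None if value == "-" else value  # "-" is the empty-value marker
    return event
```

Because the values are delimited rather than split on commas, a user agent such as "Mozilla/5.0 (KHTML, like Gecko)" survives intact; a naive split on ", " would break it into two fragments and shift every later field.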

Configure FileZilla FTP Server


Before you begin

If you are using FTP, set it up first.

Task

1. Download the FileZilla FTP Server for Windows.


2. Install the FileZilla FTP server on your Windows Server and accept all default options.
3. Create a directory to store the BlueCoat ProxySG Access Logs, for example, D:\BlueCoatLogs.
A Filezilla server page opens.
4. Add users.
a. Select Edit → Users.
b. On the General page, click Add under Users, then type the FTP account name.
c. In the account settings section, make sure that Enable Account is selected.
d. Select Password, then type a password for the newly created proxysg user.


Note

For security purposes, make sure that this password is complex.

e. Click Shared Folders, then click Add.


f. Navigate to the directory created previously, click OK, then give the user all file and all directory rights to the directory.

Note

An H next to the directory indicates that this is the home directory for the user. If H doesn't appear, highlight the
directory and click Set as home dir.

g. Click OK to save the user.

Results

The Filezilla FTP server is up and running and the proxysg user is ready to go.

Configure FTP Upload


Task

1. To configure access logs to upload their data to the FTP server, select Configuration → Access Logging → Logs → Upload
Client.
2. In the Log drop-down list, select the custom log that you created earlier.
3. From the Upload Client Type drop-down list, select FTP Client, then click Settings.
a. Fill in these fields.

• Host: Enter the IP address of the Filezilla FTP server.


• Port: 21 is the default FTP port.
• Path: Enter a slash (/).
• Username: Enter proxysg, the user you created earlier.

b. Click Change Primary Password, enter the password, then click OK.
c. In the Filename field, type a name that contains text or specifiers.

Note

The file name includes the log name, last octet of the proxy sg, month, day, hour, minute, and seconds.

d. Since the Filezilla server is not configured for FTPS or SFTP, deselect Use Secure Connections (SSL).
e. Select Local Time to upload the local time file instead of using UTC.
f. Click OK, then click Apply to return to the Upload Client Configuration page.
4. For Save the log file as, select gzip file to reduce the log file size.
The McAfee Event Receiver decompresses a gzipped log file and parses the logs that are in it.
5. Click the Upload Schedule tab, then, on the Log drop-down list, select the custom log you created.


6. Under Upload Type, select periodically.


7. Under Rotate the Log File, select Every, and enter 0 hours and 5 minutes.
The Blue Coat ProxySG uploads the access logs to the FTP server every 5 minutes.
8. Click Apply, then verify that the upload is successful.
a. On the Upload Client tab, click Test Upload, and go to the FTP server (Filezilla Server).
b. Verify that the user proxysg logged on and that a file named “main_upload_result” was uploaded to the FTP server.

Blue Coat ProxySG troubleshooting


Use these tips to troubleshoot your configuration if events do not appear in the ESM.

• Log on to the FTP server (FileZilla in this guide) and check the log, verifying the entries that state that the ProxySG has
uploaded the log files.
• Make sure that logs state that the McAfee Event Receiver connected and downloaded the log files.
• Verify that port 514 is open on the McAfee Event Receiver; the output should list port 514.

netstat -an | grep 514

• Use tcpdump on the McAfee Event Receiver to verify receipt of syslog from the server. You can use a command like this to verify the receipt of data:

tcpdump -i eth0 src host <remote host IP>

Blue Coat Reporter

Configure Blue Coat Reporter


Task

1. Click the General Settings tab, then, in the navigation pane, expand Data Settings and select Cloud Download.
2. Select Enable Cloud Download, then specify the directory where the Cloud access logs are being saved.
3. Specify the Cloud API Username and Cloud API Password to grant access, then click Save.

Add Blue Coat Reporter


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Blue Coat

Data Source Model Reporter (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Blue Coat Reporter log format and field mapping


Log format
The expected format for this device is:

x-bluecoat-customer-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn cs-auth-groups x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-location-name x-bluecoat-application-name x-bluecoat-application-operation r-ip x-cloud-drtr x-cloud-rs cs(X-Requested-With)

Log sample
This is a sample log from a device:

5478 2016-01-05 05:03:05 "Device_Name" 30 203.0.113.0 DOMAIN\username "DOMAIN\Permitted, DOMAIN\Domain Users" - OBSERVED "Unrated" http://www.example.com/webpage/ 200 TCP_NC_MISS GET text/html;charset=UTF-8 http www.example.com 80 /webpage - - "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" 192.0.2.0 1306 1040 - "ABCD" "-" "-" 198.51.100.0 - - -

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

date, time First Time, Last Time

x-bluecoat-appliance-name External_Device_Name

c-ip Device_IP

cs-userdn Domain, Source User

x-exception-id Reason

sc-filter-result Action

cs-categories URL_Category

cs(Referer) URL

sc-status Response_Code, Action

s-action Rule Message

cs-method Request_Type

cs-uri-scheme Protocol

cs-host Web_Domain

cs-uri-port Destination Port

cs(User-Agent) User_Agent

s-ip Source IP

sc-bytes Bytes_Sent

cs-bytes Bytes_Received


x-bluecoat-application-name Application

r-ip Destination IP
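Both the Blue Coat Reporter format above and the ProxySG Access Log ELFF format from "Create a custom log format" are W3C ELFF lines: space-separated fields, double quotes around values that contain spaces, and "-" for an empty value. The example below tokenizes such a line with the quote rules, checks that the field count matches the configured format string, and applies the two field mapping tables. This is an added example, not code from the guide or from McAfee, and it serves both the ProxySG and the Reporter sections. The function names tokenize_elff, parse_elff, parse_proxysg_access and parse_reporter are mine; REPORTER_SAMPLE is the guide's sample line, PROXYSG_SAMPLE is constructed; converting byte counts, ports and status codes to integers, splitting cs-userdn on the backslash into Domain and Source User, and mapping sc-status to Response_Code only (the table also lists Action) are my choices.

```python
from typing import Dict, List, Tuple, Union

# Field lists copied from the W3C ELFF format strings above: the ProxySG Access
# Log format from "Create a custom log format" and the Blue Coat Reporter format.
PROXYSG_ACCESS_FORMAT = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result "
    "cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme "
    "cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip "
    "sc-bytes cs-bytes"
).split()
REPORTER_FORMAT = (
    "x-bluecoat-customer-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn "
    "cs-auth-groups x-exception-id sc-filter-result cs-categories cs(Referer) sc-status "
    "s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path "
    "cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id "
    "x-bluecoat-location-name x-bluecoat-application-name x-bluecoat-application-operation "
    "r-ip x-cloud-drtr x-cloud-rs cs(X-Requested-With)"
).split()

# Log-field -> ESM-field maps from the two field mapping tables. A tuple target
# means the value is split on the backslash into (Domain, Source User).
Target = Union[str, Tuple[str, str]]
PROXYSG_ACCESS_MAP: Dict[str, Target] = {
    "c-ip": "src_ip", "cs-username": "src_username", "sc-filter-result": "Query_Response",
    "cs-categories": "Subject", "sc-status": "Action", "s-action": "Message",
    "cs-method": "commandname", "rs(Content-Type)": "application", "cs-host": "domain",
    "cs-uri-port": "dst_port", "cs-uri-path": "URL", "cs(User-Agent)": "User_Agent",
    "s-ip": "dst_ip",
}
REPORTER_MAP: Dict[str, Target] = {
    "x-bluecoat-appliance-name": "External_Device_Name", "c-ip": "Device_IP",
    "cs-userdn": ("Domain", "Source User"), "x-exception-id": "Reason",
    "sc-filter-result": "Action", "cs-categories": "URL_Category", "cs(Referer)": "URL",
    "sc-status": "Response_Code",  # the table also lists Action for sc-status
    "s-action": "Rule Message", "cs-method": "Request_Type", "cs-uri-scheme": "Protocol",
    "cs-host": "Web_Domain", "cs-uri-port": "Destination Port", "cs(User-Agent)": "User_Agent",
    "s-ip": "Source IP", "sc-bytes": "Bytes_Sent", "cs-bytes": "Bytes_Received",
    "x-bluecoat-application-name": "Application", "r-ip": "Destination IP",
}
INTEGER_FIELDS = {"time-taken", "sc-status", "cs-uri-port", "sc-bytes", "cs-bytes"}

# REPORTER_SAMPLE is the guide's sample line above; PROXYSG_SAMPLE is constructed.
REPORTER_SAMPLE = r'5478 2016-01-05 05:03:05 "Device_Name" 30 203.0.113.0 DOMAIN\username "DOMAIN\Permitted, DOMAIN\Domain Users" - OBSERVED "Unrated" http://www.example.com/webpage/ 200 TCP_NC_MISS GET text/html;charset=UTF-8 http www.example.com 80 /webpage - - "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" 192.0.2.0 1306 1040 - "ABCD" "-" "-" 198.51.100.0 - - -'
PROXYSG_SAMPLE = '2016-01-05 05:03:05 30 203.0.113.0 jdoe "Domain Users" - OBSERVED "Unrated" http://www.example.com/ 200 TCP_NC_MISS GET text/html;charset=UTF-8 http www.example.com 80 /webpage - - "Mozilla/5.0 (Windows NT 5.1)" 192.0.2.0 1306 1040'


def tokenize_elff(line: str) -> List[str]:
    """Split on spaces outside double quotes; a doubled quote inside quotes is a literal quote."""
    tokens: List[str] = []
    buf: List[str] = []
    in_quotes = pending = False
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c == '"':
            if in_quotes and i + 1 < n and line[i + 1] == '"':
                buf.append('"')
                i += 2
                continue
            in_quotes = not in_quotes
            pending = True  # an empty quoted value "" still counts as a field
        elif c == " " and not in_quotes:
            if pending:
                tokens.append("".join(buf))
                buf, pending = [], False
        else:
            buf.append(c)
            pending = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field")
    if pending:
        tokens.append("".join(buf))
    return tokens


def parse_elff(line: str, fmt: List[str], esm_map: Dict[str, Target],
               time_fields: Tuple[str, str]) -> dict:
    """Map one access-log line to ESM field names using the given format and table."""
    tokens = tokenize_elff(line.strip())
    if len(tokens) != len(fmt):
        # The proxy's format string and ours have drifted apart; refuse the line
        # rather than shift every later value into the wrong ESM column.
        raise ValueError(f"expected {len(fmt)} fields, got {len(tokens)}")
    raw = dict(zip(fmt, tokens))
    stamp = f"{raw['date']} {raw['time']}"  # both tables map date, time to first and last time
    event: dict = {time_fields[0]: stamp, time_fields[1]: stamp}
    for log_field, value in raw.items():
        target = esm_map.get(log_field)
        if target is None:
            continue  # not in the mapping table
        parsed = None if value in ("-", "") else (int(value) if log_field in INTEGER_FIELDS else value)
        if isinstance(target, tuple):
            domain, _, user = (parsed or "").partition("\\")
            event[target[0]] = domain if user else None  # no backslash means no domain part
            event[target[1]] = user or domain or None
        else:
            event[target] = parsed
    return event


def parse_proxysg_access(line: str) -> dict:
    return parse_elff(line, PROXYSG_ACCESS_FORMAT, PROXYSG_ACCESS_MAP, ("Firsttime", "lasttime"))


def parse_reporter(line: str) -> dict:
    return parse_elff(line, REPORTER_FORMAT, REPORTER_MAP, ("First Time", "Last Time"))
```

The field-count check is the practical safeguard: if someone edits the format on the ProxySG without updating the data source, every value after the changed position lands in the wrong ESM column, and a strict count makes that show up as a parse error instead of quietly wrong source and destination addresses.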

BlueCat DNS/DHCP Server

Configure BlueCat DNS/DHCP Server using Linux syslog


Task

1. Edit the /etc/syslog.conf file.


2. Add this line to the file:

*.*; @1.2.3.4:514

where 1.2.3.4 is the IP address of your McAfee Event Receiver and 514 is the default port for syslog.

3. Run the command:

service syslog restart

Configure BlueCat DNS/DHCP Server using the vendor documentation
See the documentation for BlueCat DNS/DHCP Server syslog setup provided by the manufacturer.

Add BlueCat DNS/DHCP Server


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor BlueCat Networks

Data Source Model BlueCat DNS/DHCP Server

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Blue Ridge Networks BorderGuard

Configure Blue Ridge Networks BorderGuard


See the BorderGuard documentation for instructions about sending syslog events to your McAfee Event Receiver.

Add Blue Ridge Networks BorderGuard


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                   Definition

Data Source Vendor       Blue Ridge Networks
Data Source Model        BorderGuard (ASP)
Data Format              Default
Data Retrieval           SYSLOG (Default)
Enabled                  Select options for processing events. Some options may not be available for your data
                         source.
                         • Parsing - if you want to parse events. Enabling parsing is recommended.
                         • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                         • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                         • SNMP Trap - if your environment requires it (this is rare).
Name                     Name of the data source.
IP Address/Hostname      The IP address and host name associated with the data source device.
                         Note: Don't use _ (underscore) in a host name field.
Syslog Relay             None
Mask                     32
Require Syslog TLS       Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs  Do nothing.
Time Zone                Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Blue Ridge Network BorderGuard field mapping


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields      McAfee ESM fields

Domain          Domain
IPaddr          Source IP
External IP     Destination IP
Port            Source Port
External Port   Destination Port
MACaddr         Source MAC
CN              Source Username

Brocade IronView Network Manager

Configure Brocade IronView Network Manager


Configure Brocade IronView Network Manager wired devices.


Task

1. Click the Wired tab on the Configuration Wizard panel, then click New on the toolbar.
2. Select the syslog receivers, then click Next.
3. On the Select Action page, click the action that you want to perform.

• Add a syslog receiver to the target devices.
• Delete the specified syslog receivers from the target devices.
• Replace All syslog receiver entries on the target devices with the entries in this payload configuration.
• Clear All syslog receiver entries from the target devices.

4. Click Next, then click New to add the syslog receivers.
5. Enter the IP address of the McAfee Event Receiver (syslog server), set the UDP port to 514, then click Add to add it to the
list of syslog receivers.

Note

Each device can have up to six syslog receivers. All syslog receivers defined for a device receive the same data.

6. To change a syslog receiver, select it and click Edit, then make the changes and click Update.
7. To open the Deployment section of the wizard, click Next.

Add Brocade IronView Network Manager


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                   Definition

Data Source Vendor       Brocade
Data Source Model        IronView Network Manager (ASP)
Data Format              Default
Data Retrieval           SYSLOG (Default)
Enabled                  Select options for processing events. Some options may not be available for your data
                         source.
                         • Parsing - if you want to parse events. Enabling parsing is recommended.
                         • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                         • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                         • SNMP Trap - if your environment requires it (this is rare).
Name                     Name of the data source.
IP Address/Hostname      The IP address and host name associated with the data source device.
                         Note: Don't use _ (underscore) in a host name field.
Syslog Relay             None
Mask                     32
Require Syslog TLS       Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs  Do nothing.
Time Zone                Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Brocade IronView Network Manager log format and field mapping

Log format
The expected format for this device is:

DATE:SEVERITY:EVENTSOURCE: MESSAGE

Log sample
This is a sample log:

Jan 20 03:33:52:I:Security: running-config was changed from console

Field mapping
This table shows the mapping between the data source and ESM fields.

Log fields         ESM fields

Object             Object
Source IP          Source IP
MAC Address        Source MAC
Destination IP     Destination IP
Source Port        Source Port
Destination Port   Destination Port
Host               Host
User               Source User
Application        Application

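As an added example (not code from this guide or from Brocade), the following Python script parses lines in the DATE:SEVERITY:EVENTSOURCE: MESSAGE format shown above and flags running-config changes, the event in the page's sample log. The extraction of an IPv4 address from the message body into the Source IP field, and every sample line except the page's own, are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Regex for the page's stated IronView Network Manager format:
#   DATE:SEVERITY:EVENTSOURCE: MESSAGE
# DATE itself contains colons (HH:MM:SS), so the line is matched by shape
# instead of being split naively on ':'.
INM_LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
    r":(?P<severity>[A-Za-z])"
    r":(?P<source>[^:]+)"
    r": (?P<message>.*)$"
)

# Assumption for this example: an IPv4 address in the message identifies the
# client that made the change, so it is mapped to the ESM "Source IP" field.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Marker text taken from the page's sample log.
CONFIG_CHANGE_MARKER = "running-config was changed"


def parse_inm_event(line: str) -> Optional[Dict[str, str]]:
    """Split one IronView syslog line into date, severity, source and message.

    Returns None for lines that do not follow the expected format, so a caller
    can count or alert on unparsed input instead of silently dropping it.
    """
    match = INM_LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def to_esm_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Map a parsed event onto ESM-style field names.

    Only "Source IP" comes from the page's mapping table; the other keys are
    this example's names for the envelope parts.
    """
    fields = {
        "Date": event["date"],
        "Severity": event["severity"],
        "Event Source": event["source"],
        "Message": event["message"],
    }
    ip = IPV4_RE.search(event["message"])
    if ip:
        fields["Source IP"] = ip.group(0)
    return fields


def config_change_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the mapped events that report a running-config change.

    A defender alerts on these because they record who changed device
    configuration and from where (console or a remote client).
    """
    hits = []
    for line in lines:
        event = parse_inm_event(line)
        if event and CONFIG_CHANGE_MARKER in event["message"]:
            hits.append(to_esm_fields(event))
    return hits


# Constructed sample input: the first line is the page's own sample log,
# the rest are made up for this example.
SAMPLE_LINES = [
    "Jan 20 03:33:52:I:Security: running-config was changed from console",
    "Jan 20 03:35:10:I:System: Interface ethernet 1/1, state up",
    "Jan 20 03:36:41:W:Security: running-config was changed from telnet client 192.0.2.50",
    "this line does not follow the expected format",
]

if __name__ == "__main__":
    for hit in config_change_events(SAMPLE_LINES):
        print(hit)
```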
Brocade VDX Switch

Configure Brocade VDX Switch


The syslog configuration is done at the command line. See the Brocade VDX Switch product documentation for instructions
about how to access and use the command line.

Task

1. Log on to the command line interface for the switch and enter this command:

> syslogdIpAdd "192.0.2.1"

Replace "192.0.2.1" with the IP address of the McAfee ESM.

2. To verify that the logging setting was added, enter this command:

> syslogdIpShow

Results

This lists all configured remote syslog server IP addresses for the switch.

Add Brocade VDX Switch


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                   Definition

Data Source Vendor       Brocade
Data Source Model        VDX Switch (ASP)
Data Format              Default
Data Retrieval           SYSLOG (Default)
Enabled                  Select options for processing events. Some options may not be available for your data
                         source.
                         • Parsing - if you want to parse events. Enabling parsing is recommended.
                         • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                         • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                         • SNMP Trap - if your environment requires it (this is rare).
Name                     Name of the data source.
IP Address/Hostname      The IP address and host name associated with the data source device.
                         Note: Don't use _ (underscore) in a host name field.
Syslog Relay             None
Mask                     32
Require Syslog TLS       Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs  Do nothing.
Time Zone                Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Brocade VDX Switch log format and field mapping


Log format
The expected format for this device is:

<date time> <device name> <log type> <time> <message ID> <severity> <class> <user> <role> <IP> <interface>
<application> <swname> <arg0> <arg1> <arg2>

Log sample
This is a sample log from a Brocade VDX Switch device:

<123>Jan 1 01:01:01 device name: [log@1234 value="AUDIT"][timestamp@1234 value="2001-01-01T01:01:01.123456"]
[tz@1234 value="TimeZone"][msgid@1234 value="msg123"][severity@1234 value="INFO"][class@1234 value="CLASS"]
[user@1234 value="user"][role@1234 value="admin"][ip@1234 value="192.0.2.2"][interface@1234 value="telnet"]
[application@1234 value="app"][swname@1234 value="1234"][arg0@1234 value="command" desc="Event Name"]
[arg1@1234 value="value" desc="Status"][arg2@1234 value=""show"" desc="string"] Event: command, Status:
show, User command: "show running-config interface 01".

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields      McAfee ESM fields

Swname          Host
Application     Application
IP              Source IP
log type        Object
user            Source User
interface       Interface

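As an added example (not code from this guide or from Brocade), the Python parser below splits the structured-data syslog line shown above into its [name@1234 key="value"] elements and maps them to the ESM fields in the table, including the doubled quotes in value=""show"" from the page's sample. The re-joined sample line, the regular expressions and the facility/severity split of the <PRI> value are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Syslog envelope as in the page's sample:
#   <PRI>Mon DD HH:MM:SS host name: [sd-element]... free-text message
ENVELOPE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>.+?): "
    r"(?P<rest>\[.*)$"
)
# One structured-data element: [name@enterprise-number key="value" ...]
SD_ELEMENT_RE = re.compile(r"\[(?P<name>[^@\s\]]+)@(?P<pen>\d+)(?P<params>[^\]]*)\]")
# One key="value" parameter. The page's sample contains value=""show"", so the
# closing quote is taken to be the one followed by the next key or the end of
# the element, not simply the next quote character.
SD_PARAM_RE = re.compile(r'(?P<key>\w+)="(?P<value>.*?)"(?=\s+\w+=|$)')

# Mapping from the page's table: structured-data element name -> ESM field.
FIELD_MAP = {
    "swname": "Host",
    "application": "Application",
    "ip": "Source IP",
    "log": "Object",        # listed as "log type" in the table
    "user": "Source User",
    "interface": "Interface",
}


def parse_vdx_event(line: str) -> Optional[dict]:
    """Parse one VDX syslog line; return None if the envelope does not match."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rest = m.group("rest")
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    # Consume the contiguous run of SD elements; the free-text message follows.
    while pos < len(rest) and rest[pos] == "[":
        e = SD_ELEMENT_RE.match(rest, pos)
        if not e:
            break
        params = {p.group("key"): p.group("value")
                  for p in SD_PARAM_RE.finditer(e.group("params"))}
        elements[e.group("name")] = params
        pos = e.end()
    return {
        "facility": pri // 8,       # standard syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "sd": elements,
        "message": rest[pos:].strip(),
    }


def to_esm_fields(event: dict) -> Dict[str, str]:
    """Apply the page's field mapping to the parsed SD elements."""
    fields: Dict[str, str] = {}
    for sd_name, esm_name in FIELD_MAP.items():
        value = event["sd"].get(sd_name, {}).get("value")
        if value is not None:
            fields[esm_name] = value
    return fields


# The page's sample log, re-joined into a single line (it is wrapped on the page).
SAMPLE_LINE = (
    '<123>Jan 1 01:01:01 device name: [log@1234 value="AUDIT"]'
    '[timestamp@1234 value="2001-01-01T01:01:01.123456"][tz@1234 value="TimeZone"]'
    '[msgid@1234 value="msg123"][severity@1234 value="INFO"][class@1234 value="CLASS"]'
    '[user@1234 value="user"][role@1234 value="admin"][ip@1234 value="192.0.2.2"]'
    '[interface@1234 value="telnet"][application@1234 value="app"][swname@1234 value="1234"]'
    '[arg0@1234 value="command" desc="Event Name"][arg1@1234 value="value" desc="Status"]'
    '[arg2@1234 value=""show"" desc="string"] Event: command, Status: show, '
    'User command: "show running-config interface 01".'
)

if __name__ == "__main__":
    parsed = parse_vdx_event(SAMPLE_LINE)
    print(to_esm_fields(parsed))
    print(parsed["message"])
```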
Check Point
You can configure Check Point using:

• Log Exporter (recommended)
• Check Point LEA (OPSEC)

Log Exporter (Syslog)

Configure log exporter


Task

1. Install the log exporter on the Check Point device version that you are using. For more information, see the Check Point
documentation.
2. Run the following command from the Check Point device:

cp_log_export add name <name> [domain-server mds] target-server <target-server IP/host name> target-port <target-port>
protocol <(udp|tcp)> format syslog

Where:

name                           The name you want for this SIEM configuration.
target-server IP/host name     The IP address or host name of the McAfee Event Receiver configured to receive this data.
target-port                    The port configured on the receiver to receive this type of syslog.
protocol                       UDP or TCP, depending on the configuration of the McAfee Event Receiver.

Add Check Point log exporter


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                   Definition

Data Source Vendor       Check Point
Data Source Model        Check Point via Syslog
Data Format              Default
Data Retrieval           Default
Enabled                  Select options for processing events. Some options may not be available for your data
                         source.
                         • Parsing - if you want to parse events. Enabling parsing is recommended.
                         • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                         • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                         • SNMP Trap - if your environment requires it (this is rare).
Name                     Name of the data source.
IP Address/Hostname      The IP address and host name associated with the data source device.
Syslog Relay             None
Mask                     32
Require Syslog TLS       Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs  Do nothing.
Time Zone                Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Check Point LEA (OPSEC)

Check Point best practices


• Create your Check Point Data sources in a parent-child relationship.
• Create your Primary CMA as the parent data source, then add your CLMs, Secondary CMAs, and Firewalls as children to
the Primary CMA data source.


Enable the LEA service on the Check Point management server

Task

1. Use SSH to connect to the Check Point management server, then enter expert mode.
2. Open $FWDIR/conf/fwopsec.conf and edit the file according to the type of authentication you want to use.

• For authenticated and encrypted connection (recommended), specify:

lea_server auth_port 18184

lea_server auth_type sslca (or other supported method)

• For authenticated connection only, specify:

lea_server auth_port 18184

• For no authentication or encryption, specify:

lea_server port 18184

3. Run cprestart.

Configure Check Point (OPSEC)


Task

1. Log on to the Check Point user interface, then expand the OPSEC Applications tree node.
2. Right-click the OPSEC Application category, select New OPSEC Application, then enter a name for the OPSEC Application.

Note

This name is used when creating the data source in the ESM.

3. In the Host field, select a host, then select the network object that represents the McAfee Event Receiver.

Note

If the object does not exist, create one by clicking New and entering the IP address of the McAfee Event Receiver.

4. In the Client Entries section, select LEA, then click Communication near the bottom of the dialog box.
5. Enter and confirm your one-time password, then click Initialize.


The certificate is initialized and displays the message Initialized but trust not established.
6. Close the Communication dialog box.
7. On the OPSEC Application Process dialog box, click OK.
8. Perform an Install DB on the Check Point server.

Add Check Point data source

Add Check Point parent data source


Add the data source to a receiver.

Before you begin


Port 18210 must be open on the Check Point appliance.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                   Definition

Data Source Vendor       Check Point
Data Source Model        Check Point
Data Format              Default
Data Retrieval           API (Default)
Enabled                  Select options for processing events. Some options may not be available for your data
                         source.
                         • Parsing - if you want to parse events. Enabling parsing is recommended.
                         • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                         • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                         • SNMP Trap - if your environment requires it (this is rare).
Name                     Name of the data source.
IP Address/Hostname      The IP address and host name associated with the data source device.
                         Note: Don't use _ (underscore) in a host name field.
Device Type              Select the type of device from SMS / CMA, Security Device, Log Server / CLM, and
                         Secondary SMS / CMA.
Event Collection Type    Select Audit and Log events.
Port                     18184 (Default)
Syslog Relay             None
Mask                     32
Require Syslog TLS       Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs  Do nothing.
Time Zone                Time zone of the data being sent.

These settings are needed only if authentication or encryption is being used.

Option                          Definition

Use Authentication              Type of authentication selected when creating the LEA connection.
Application Name                Name of the OPSEC Application created during Check Point setup.
Activation Key                  One-time password created while creating the OPSEC application during Check Point
                                setup.
Use Encryption                  Select if using encryption.
Options (authentication only)   Advanced settings; leave them at the defaults unless you have connection issues.
Connect (authentication only)   Tests the connection to the OPSEC LEA service and pulls the certificate.

5. (Optional) Click Advanced and configure the settings.

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Add Check Point child data sources


After the parent is successfully added, create the child data sources CLMs, Firewalls, and Secondary CMAs.

Task

1. Select the parent data source from the Receiver Properties Data Sources window.
2. Select Add Child.
3. If you are sending firewall logs to a CLM instead of the CMA, find the distinguished name for the CLM.
a. Use SSH to connect to the CMA, then enter expert mode.
b. At the command prompt, enter:

grep sic_name $FWDIR/conf/objects_5_0.C

The CMA lists all distinguished names.


4. Enter the configuration information.

Child Data Source Screen Settings: Log Server / CLM and Secondary SMS / CMA

Option                   Definition

Name                     User-defined name of the CLM.
IP Address/Hostname      IP address of the CLM.
Device Type              Log Server / CLM or Secondary SMS / CMA.
Event Collection Type    Select Audit and Log events.
Parent Report Console    User-defined name of the CMA that manages the CLM (preselected if creating a child data
                         source).
Distinguished Name       Distinguished name of the CLM (required if sending to a CLM).

Child Data Source Screen Settings: Security Device (Firewall)

Option                   Definition

Name                     User-defined name of the Security Device.
IP Address               IP address of the Security Device.
Device Type              Security Device
Parent Report Console    User-defined name of the CMA that manages the CLM (preselected if creating a child data
                         source).

5. (Optional) Click Advanced and configure the settings.

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 347
5| Configuring 3rd-party data sources

Option                       Definition

Device URL                   Type the URL address that can be accessed to view event data for this data source
                             (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                             icon at the bottom of the Event Analysis view.
Vendor, Product, Version     Enter the vendor, product, and version of the device where the ESM Common Event Format
                             (CEF) forwards events.
Date Order                   Select the format for the dates on data sources:
                             • Default — Uses the default date order (month before day). When using client data
                               sources, clients using this setting inherit the date order of the parent data source.
                             • Month before day — The month goes before the day (04/23/2018).
                             • Day before month — The day goes before the month (23/04/2018).
Zone                         To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the
                             checkbox, which removes the distinction of imported data.
                             For example, you export logs from receiver 1 into receiver 2. The External data source
                             link is applied to the logs being sent so that when logs are imported, the ESM can
                             differentiate the forwarded events.
Export in NitroFile format   Use this option when you are exporting raw data source data.
Data is NitroFile format     Use this option when you are exporting raw data source data.
                             Note: When you export data sources to a remote file, they are exported in NitroFile
                             format. If you import those files to another Receiver automatically, Data is NitroFile is
                             selected for each of the data sources you are importing. This indicates that the file is
                             in NitroFile format. If you import them manually, you must select this box for each data
                             source.
Validate SHA1 checksum       If the data you are importing is in NitroFile format, select this option if the data
                             source has a checksum file.
                             Note: When imported automatically, Validate SHA1 checksum is selected for any data source
                             that has a checksum file. If you import them manually, you must select it. The only
                             exception is when you are importing a data source file that doesn't have a checksum file,
                             but you want to view it anyway.

Add a Check Point CLM or Secondary CMA


Typically, the DN is required only to add the Check Point CLM as a data source. This task is needed when firewall logs are sent to
a CLM instead of the CMA.

Task

1. Use SSH to connect to the CMA, then enter expert mode.


2. To show all DNs, run this command:

grep sic_name $FWDIR/conf/objects_5_0.C

3. Find the correct DN for the CLM.

Check Point log format and field mapping


Log sample
This is a sample log from a Check Point device:

time="1625851484" action="accept" orig="155503697" i/f_dir="inbound" i/f_name="eth2" has_accounting="0"
uuid="<55558b98,00000008,00000000,000009b5>" product="VPN-1 & FireWall-1" __policy_id_tag="product=VPN-1 &
FireWall-1[db_tag={11111111-1111-1111-1111-000000000000};mgmt=mgmt2;date=1625851484;policy_name=policy_1234]"
SmartDefense_profile="Default_Protection" service_id="https" src="168430090 10.10.10.10" s_port="10123"
dst="168430091 10.10.10.11" service="https (443)" proto="tcp" xlatesrc="3232235521 192.168.0.1" xlatesport="17418"
xlatedport="0 (Unknown)" NAT_rulenum="5" NAT_addtnl_rulenum="internal" rule="8" sig_id="2120808926" norm_sig_id="1216348160"
sig_desc="NAT Rule" packet="fileid=14505; filename=fw.log; position=6005037; time=9Jul2021 24:43:44; action=accept;
orig=ORIGINFW2; i/f_dir=inbound; i/f_name=eth2; has_accounting=0; uuid=<55558b98,00000008,00000000,000009b5>;
product=VPN-1 & FireWall-1; __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={11111111-1111-1111-1111-000000000000};mgmt=mgmt2;
date=1625851484;policy_name=policy_1234]; SmartDefense_profile=Default_Protection; service_id=https; src=10.10.10.10;
s_port=10123; dst=10.10.10.11; service=https; proto=tcp; xlatesrc=192.168.0.1; xlatesport=17418; xlatedport=Unknown;
NAT_rulenum=5; NAT_addtnl_rulenum=internal; rule=8;

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

action, status, Audit_Status Action, Device_Action

product Application

received_bytes, client_inbound_bytes Bytes_Received

sent_bytes, client_outbound_bytes Destination Bytes_Sent

Operation, rule Command

description, reason Description

dst_machine_name Destination_Hostname

origin Device_IP

domain_name Domain

i/f_dir Direction

dst, target_ip Destination IP

d_port, icmp_code, service Destination Port

time Firsttime,Lasttime

host, src_machine_name Host

rule Incident_ID

i/f_name Interface

xlatedst, xlatesrc NAT_Details.NAT_Address

xlatedport, xlatesport NAT_Details.NAT_Port

Objectname, policy_name Object

policy_name Policy_Name

proto Protocol

rule_name, sig_desc Signature_Name

src, client_ip Source IP

s_port, icmp_type Source Port

user, uname4domain, vpn_user, src_user_name, Administrator Source User

dst_user_name Destination User

attack, spyware_name, virus_name, protection_name Threat_Name

bytes Total_Bytes

layer_uuid UUID

vpn_feature_name VPN_Feature_Name

total_logs Event Count
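The key="value" format above is simple to tokenize but has two traps: address fields carry both the raw 32-bit integer and the dotted form (src="168430090 10.10.10.10"), and port fields such as service="https (443)" and xlatedport="0 (Unknown)" mix a name with the number. The following parser is an added example, not McAfee's ASP parser or Check Point code. It tokenizes an abridged copy of the sample log (constructed inline), decodes the integer address and cross-checks it against the dotted form, and emits a subset of the ESM field names from the mapping table. The ESM_MAP dictionary and the function names are this example's own.

```python
"""Parse a Check Point key="value" log line and map it to the ESM field names
from the table above. Added example; not McAfee's parser."""
import ipaddress
import re

# Constructed sample, abridged from the log sample shown above
SAMPLE = ('time="1625851484" action="accept" orig="155503697" i/f_dir="inbound" '
          'i/f_name="eth2" product="VPN-1 & FireWall-1" service_id="https" '
          'src="168430090 10.10.10.10" s_port="10123" dst="168430091 10.10.10.11" '
          'service="https (443)" proto="tcp" xlatesrc="3232235521 192.168.0.1" '
          'xlatesport="17418" xlatedport="0 (Unknown)" NAT_rulenum="5" rule="8" '
          'sig_desc="NAT Rule"')

# key="value"; keys may contain '/' (i/f_dir) and leading underscores (__policy_id_tag)
PAIR_RE = re.compile(r'([\w/]+)="([^"]*)"')

# Subset of the mapping table above, one log field -> one ESM field (this example's own dict)
ESM_MAP = {
    "action": "Action", "product": "Application", "i/f_dir": "Direction",
    "i/f_name": "Interface", "proto": "Protocol", "rule": "Incident_ID",
    "sig_desc": "Signature_Name", "time": "Firsttime",
    "src": "Source IP", "dst": "Destination IP",
    "xlatesrc": "NAT_Details.NAT_Address",
    "s_port": "Source Port", "service": "Destination Port",
    "xlatesport": "NAT_Details.NAT_Port",
}


def parse_pairs(line):
    return dict(PAIR_RE.findall(line))


def ip_pair_consistent(value):
    """Check Point writes addresses as '<uint32> <dotted>'; the two must agree."""
    parts = value.split()
    as_int = str(ipaddress.IPv4Address(int(parts[0])))
    return len(parts) == 1 or parts[1] == as_int


def decode_ip(value):
    """Return the dotted form, derived from the integer, after the consistency check."""
    if not ip_pair_consistent(value):
        raise ValueError(f"integer and dotted address disagree in {value!r}")
    return str(ipaddress.IPv4Address(int(value.split()[0])))


def port_of(value):
    """'https (443)' -> 443; '0 (Unknown)' -> 0; '10123' -> 10123"""
    m = re.search(r"\((\d+)\)", value)
    return int(m.group(1)) if m else int(value.split()[0])


def to_esm(line):
    """Map the parsed pairs onto ESM field names, normalising addresses, ports and time."""
    raw = parse_pairs(line)
    event = {}
    for key, esm_field in ESM_MAP.items():
        if key not in raw:
            continue
        value = raw[key]
        if esm_field.endswith(("IP", "NAT_Address")):
            value = decode_ip(value)
        elif esm_field.endswith("Port"):
            value = port_of(value)
        elif esm_field == "Firsttime":
            value = int(value)
        event[esm_field] = value
    if "Firsttime" in event:
        event["Lasttime"] = event["Firsttime"]   # time -> Firsttime, Lasttime in the table
    return event


if __name__ == "__main__":
    for field, value in sorted(to_esm(SAMPLE).items()):
        print(f"{field:26} {value}")
```

The consistency check is worth keeping in a real collector: a disagreement between the integer and dotted forms means the line was truncated, rewritten by a relay, or is not from the device you think it is.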

Check Point troubleshooting


• If the connection test fails, verify the CMA IP address.
• If the connection test fails, verify that the application name and one-time password are correct.
• If you use encryption and the connection test fails, click Options and change the encryption setting until the connection succeeds.
• If the connection test still fails, reinitialize trust in the Check Point user interface and retry.

Cimcor

Add Cimcor CimTrak Management Console


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cimcor

Data Source Model CimTrak Management Console

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignments User Defined 1

Time Zone Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in
Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cimcor CimTrak Management Console log format and field mapping
Log format
In the Cimcor CimTrak device configuration, select Syslog as the logging method and configure the ERC IP address. Do not use NPP
collection and parsing.

<130>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000073|Agent RCHCIMP1->DEV->Linux->rcherpt4 has been
disconnected for more than 5 minutes.|2| eventTime=2020-09-16 18:53:03 objectPath=RCHCIMP1->DEV->Linux->rcherpt4
objectDetailID= cimtrakUser= src= sfileUser= filePath= processName= threadID= processID= forensicData= |
<130>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000073|Agent RCHCIMP1->DEV->Linux->rcherpt4 has been
disconnected for more than 5 minutes.|2| eventTime=2020-09-16 18:53:03 objectPath=RCHCIMP1->DEV->Linux->rcherpt4
objectDetailID= cimtrakUser= src= sfileUser= filePath= processName= threadID= processID= forensicData= |
<131>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000006|Unlocked Object|3| eventTime=2020-09-16 18:51:04
objectPath=RCHCIMP1->RCHSOCWIP01->Restore objectDetailID= cimtrakUser=admin src=10.0.1.154 sfileUser= filePath=
processName= threadID= processID= forensicData= |
<132>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000015|File Added|4| eventTime=2020-09-16 18:55:58
objectPath=RCHCIMP1->RCHSOCWIP01->Restore objectDetailID= cimtrakUser=RCHSOCWIP01 src=10.0.1.154 sfileUser=CORP16\SJ4396
filePath=E:\Major\Restore\restore.txt processName=notepad.exe threadID=5688 processID=168
forensicData=Forensic Data for intrusion:\r\n Connected Sessions for user:\r\n The user has no sessions.\r\nOpen Connections
For Process "notepad.exe"\r\nLocal Address Local Port Remote Address Remote Port State\r\n |

Field mapping

Log fields McAfee ESM fields

eventTime firsttime,lasttime

src src_ip

cimtrakUser Source_UserID

sfileUser src_username

filePath File_Path

processName application

processID PID

forensicData Description

objectPath Caller_Process
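The sample above is several records concatenated into one stream: each ends with " |" and the next begins with a syslog priority such as <131>. The added example below (not Cimcor's or McAfee's code) splits the stream on that boundary, parses the pipe-delimited CTK header and the key=value extension, in which values may be empty or contain spaces, backslashes and "->", and maps the fields to the ESM names in the table. The three records are constructed from the sample shown above; ESM_MAP and the function names are this example's own. It also decodes the priority: 130 is facility 16 (local0) with severity 2, and in the sample the syslog severity equals the CTK severity field.

```python
"""Split a stream of concatenated CimTrak syslog records, parse the pipe-delimited
CTK header and the key=value extension, and map the fields to the ESM names in
the table above. Added example; not Cimcor's or McAfee's parser."""
import re

# Constructed sample: three records abridged from the log shown above, in the
# concatenated form the page shows (each record ends with ' |', the next begins with <PRI>)
STREAM = (
    "<130>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000073|Agent RCHCIMP1->DEV->Linux->rcherpt4 "
    "has been disconnected for more than 5 minutes.|2| eventTime=2020-09-16 18:53:03 "
    "objectPath=RCHCIMP1->DEV->Linux->rcherpt4 objectDetailID= cimtrakUser= src= sfileUser= "
    "filePath= processName= threadID= processID= forensicData= |"
    "<131>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000006|Unlocked Object|3| "
    "eventTime=2020-09-16 18:51:04 objectPath=RCHCIMP1->RCHSOCWIP01->Restore objectDetailID= "
    "cimtrakUser=admin src=10.0.1.154 sfileUser= filePath= processName= threadID= processID= "
    "forensicData= |"
    "<132>CTK:0|Cimcor|CimTrak|4.0.18.0|S_LOGMSG_0000000015|File Added|4| "
    "eventTime=2020-09-16 18:55:58 objectPath=RCHCIMP1->RCHSOCWIP01->Restore objectDetailID= "
    "cimtrakUser=RCHSOCWIP01 src=10.0.1.154 sfileUser=CORP16\\SJ4396 "
    "filePath=E:\\Major\\Restore\\restore.txt processName=notepad.exe threadID=5688 "
    "processID=168 forensicData=Forensic Data for intrusion:\\r\\n Connected Sessions for user:"
    "\\r\\n The user has no sessions.\\r\\n |"
)

RECORD_SPLIT_RE = re.compile(r"(?=<\d{1,3}>CTK:)")     # a record starts at '<PRI>CTK:'
PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)
# key=value pairs separated by single spaces; a value may be empty or contain spaces,
# so a value ends only where the next ' key=' begins or at end of string
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\s*$)", re.S)

# Mapping table above (this example's own dict)
ESM_MAP = {"eventTime": "firsttime", "src": "src_ip", "cimtrakUser": "Source_UserID",
           "sfileUser": "src_username", "filePath": "File_Path",
           "processName": "application", "processID": "PID",
           "forensicData": "Description", "objectPath": "Caller_Process"}


def parse_record(rec):
    """Parse one '<PRI>CTK:0|vendor|product|version|sig_id|name|severity| ext' record."""
    rec = rec.strip().rstrip("|").rstrip()
    pri, body = PRI_RE.match(rec).groups()
    pri = int(pri)
    fields = body.split("|", 7)
    if len(fields) != 8 or fields[0] != "CTK:0":
        raise ValueError("not a CTK record: %r" % rec[:40])
    _, vendor, product, version, sig_id, name, ctk_sev, ext = fields
    esm = {}
    for key, value in EXT_RE.findall(ext.strip()):
        if key in ESM_MAP and value:                 # empty values carry no information
            esm[ESM_MAP[key]] = int(value) if key == "processID" else value
    if "firsttime" in esm:
        esm["lasttime"] = esm["firsttime"]
    return {"syslog_facility": pri // 8, "syslog_severity": pri % 8,
            "vendor": vendor, "product": product, "version": version,
            "signature_id": sig_id, "event_name": name, "ctk_severity": int(ctk_sev),
            "esm": esm}


def parse_stream(stream):
    return [parse_record(r) for r in RECORD_SPLIT_RE.split(stream) if r.strip()]


if __name__ == "__main__":
    for r in parse_stream(STREAM):
        print(r["signature_id"], r["event_name"], "severity", r["syslog_severity"], r["esm"])
```

If the receiver sees only one record per datagram the split step is a no-op, so the same function handles both delivery forms.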

Cisco Content Security Management

Configure Cisco Content Security Management


Task

Configure the appliance according to vendor instructions. See the data sheet for appliance specifications.

Add Cisco Content Security Management (CSM)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model Content Security Management (CSM)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignment User Defined 1

Time Zone Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in
Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco Content Security Management log format and field mapping
Log sample
An example log from the data source.

Wed Sep 8 11:17:24 2004 Info: req:10.10.10.14 user:admin id:iaCkEh2h5rZknQarAecg POST /system_administration/system_setup_wizard HTTP/1.1 303S

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

user Source_UserID

dst_ip dst_ip

severity severity

timestamp firsttime,lasttime

user_id UserIDSrc

method Method

uri URL

protocol Protocol

http_resp_code Response_Code

Cisco Firepower

Configure Cisco Firepower Management Console


Task

1. Log on to the Firepower Management console (Defense Center).
2. Browse to System > Local > Registration.
3. Click Create Client.
4. Enter the IP address or host name of the McAfee Event Receiver and, as needed, a password to secure the certificate.
5. Save the new client settings.
6. Download the new client’s certificate, which is used when creating the data source on McAfee ESM.
7. By default, the McAfee Event Receiver pulls Discovery (RNA) and Intrusion Events. To allow it to collect both event types,
select these options:

• Discovery Events
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data

8. Click Save.

Configure Cisco Firepower Defense Center


Task

1. Log on to the Defense Center console.
2. Browse to Operations → Configuration → eStreamer.
3. Click Create Client.
4. Enter the IP address or host name of the McAfee Event Receiver and, as needed, a password to secure the Certificate.
5. Save the new Client settings.
6. Download the Certificate by clicking the link.


7. By default, the McAfee Event Receiver pulls RNA and Intrusion Events. To allow it to collect both event types, select these
options:

• RNA Events
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data

Add Cisco Firepower Management Console - eStreamer


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model Firepower Management Console - eStreamer

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/ The IP address and host name associated with the data source device.
Hostname

Port Default (the eStreamer service listens on TCP port 8302 unless it has been changed on the Firepower side).

Collect Flows Checked

Upload Upload and validate the client certificate that was downloaded from the Firepower Management Console in the
previous task.

Connect Test the connection to the data source after the certificate has been uploaded.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in
Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco Firepower Management Console - eStreamer log format and field mapping
Log format
The expected format of this device is the JavaScript Object Notation (JSON) format. The logs are similar to this sample:

{"Record Type": 104,"Record": "Intrusion Event 4.9 - 4.10.x","Server Timestamp": 1403652492,"Detection
Engine": {"ID": 5,"Name": "xxx.yyy.zzz.com"},"Event ID": 153511,"Event Second": 1402658492,"Event
Microsecond": 68241,"Rule ID": {"Generator ID": 134,"Rule ID": 3,"Rule Revision": 1,"Rendered Signature ID":
3,"Message Length": 24,"Rule UUID": 0x11112222111122221111222211112222,"Rule Revision UUID":
0x11114444ssssaaaaa1111222233333221,"Message": "PPM_EVENT_PACKET_ABORTED"},"Generator ID": 134,"Rule
Revision": 1,"Classification ID": {"Classification ID": 1,"Name": "not-suspicious","Description": "Not
Suspicious Traffic","UUID": 0x111111111122222222223333333333344},"Priority ID": {"ID": 3,"Name":
"low"},"Source IPv4 Address": 1111333344,"Destination IPv4 Address": 1111222233,"Source Port/ICMP Type":
16615,"Destination Port/ICMP Code": 25,"IP Protocol ID": 6,"Impact Flags": 7,"Impact": 2,"Blocked":
0,"Reserved": 0,"VLAN ID": 0,"Pad": 0,"is_src_mac": 0xaa22113344dd,"is_dest_mac": 0x1122ddaa3344,"is_sigid":
2278188368}


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Detection Engine, Detection Engine.Name, Sensor_Name Sensor_Name

Detection Engine.Type, Sensor_Type Sensor_Type

Detection Engine.UUID, Sensor_UUID Sensor_UUID

Event Second, First/Last Seen, First/Last Used First Time, Last Time

is_xforward, is_srcipv6, Source IPv4 Address, SourceIPv6 Source IP

is_destipv6, Destination IPv4 Address, DestinationIPAddress, DestinationIPv6 Destination IP

Is_src_port, Source Port/ICMP Type, SourcePort Source Port

Is_dest_port, Destination Port/ICMP Code, DestinationPort Destination Port

Is_src_mac, SourceMAC Source Mac

Is_dest_mac, DestinationMAC Destination Mac

Priority ID, Severity Severity

Network Protocol, Host Type, ID, Attribute ID, Source Type, Protocol, Custom Product, Application Application

Action, Blocked Event Subtype

Bytes Sent Bytes_Sent

Bytes Received Bytes_Received

Drop User Product, Drop Command

Protocol Protocol

VLAN ID, Source VLAN ID VLAN

EventCount Event Count

Classification ID, Host Type, Source Type Object

Domain, Version, Custom Version, Service Version Domain

NetBIOS Name, CVE ID, Custom Vendor, Service Vendor name, Hostname Host

Source ID.Name, Username Source User

Generator ID External_EventID

Rule ID External_SubEventID

Intrusion Policy ID Policy_ID

UUID UUID
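As printed, the sample is not strict JSON: the UUID and MAC values are bare 0x... literals, and the addresses are unsigned 32-bit integers rather than dotted quads. The added example below (not Cisco's eStreamer client or McAfee's parser) quotes those literals before handing the record to Python's json module, converts the integer addresses, MACs and epoch seconds to their usual text forms, and builds a dictionary keyed by the ESM names in the mapping table. The abridged record is constructed from the sample above; the IP_PROTO table, the "Rule Message" extra field and the function names are assumptions of this example.

```python
"""Normalise a Firepower eStreamer intrusion event (Record Type 104) like the one
shown above into the ESM field names from the mapping table. Added example; not
Cisco's eStreamer client or McAfee's parser."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample, abridged from the record shown above; hex literals kept as printed
RAW = (
    '{"Record Type": 104,"Record": "Intrusion Event 4.9 - 4.10.x","Server Timestamp": 1403652492,'
    '"Detection Engine": {"ID": 5,"Name": "xxx.yyy.zzz.com"},"Event ID": 153511,'
    '"Event Second": 1402658492,"Event Microsecond": 68241,'
    '"Rule ID": {"Generator ID": 134,"Rule ID": 3,"Rule Revision": 1,"Rendered Signature ID": 3,'
    '"Rule UUID": 0x11112222111122221111222211112222,"Message": "PPM_EVENT_PACKET_ABORTED"},'
    '"Generator ID": 134,"Classification ID": {"Classification ID": 1,"Name": "not-suspicious"},'
    '"Priority ID": {"ID": 3,"Name": "low"},"Source IPv4 Address": 1111333344,'
    '"Destination IPv4 Address": 1111222233,"Source Port/ICMP Type": 16615,'
    '"Destination Port/ICMP Code": 25,"IP Protocol ID": 6,"Blocked": 0,"VLAN ID": 0,'
    '"is_src_mac": 0xaa22113344dd,"is_dest_mac": 0x1122ddaa3344,"is_sigid": 2278188368}'
)

# A bare 0x... token in value position is not JSON; quote it so json.loads accepts the record
HEX_LITERAL_RE = re.compile(r"(:\s*)(0x[0-9A-Za-z]+)")


def relax_json(text):
    return json.loads(HEX_LITERAL_RE.sub(r'\1"\2"', text))


def mac_from_hex(value):
    """'0xaa22113344dd' -> 'aa:22:11:33:44:dd' (left-pads if leading zero octets were dropped)"""
    digits = value[2:].lower().zfill(12)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def epoch_utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # subset of IANA protocol numbers (assumption)


def to_esm(record):
    """Build a dict keyed by the ESM names from the mapping table."""
    rule = record["Rule ID"]
    proto = record["IP Protocol ID"]
    event_time = epoch_utc(record["Event Second"])
    return {
        "Sensor_Name": record["Detection Engine"]["Name"],
        "First Time": event_time, "Last Time": event_time,
        "Source IP": str(ipaddress.IPv4Address(record["Source IPv4 Address"])),
        "Destination IP": str(ipaddress.IPv4Address(record["Destination IPv4 Address"])),
        "Source Port": record["Source Port/ICMP Type"],
        "Destination Port": record["Destination Port/ICMP Code"],
        "Source Mac": mac_from_hex(record["is_src_mac"]),
        "Destination Mac": mac_from_hex(record["is_dest_mac"]),
        "Severity": record["Priority ID"]["Name"],
        "Protocol": IP_PROTO.get(proto, str(proto)),
        "VLAN": record["VLAN ID"],
        "Object": record["Classification ID"]["Name"],
        "External_EventID": record["Generator ID"],
        "External_SubEventID": rule["Rule ID"],
        "UUID": rule["Rule UUID"],
        "Rule Message": rule["Message"],   # not in the table; this example's own extra field
    }


def normalise(raw_text):
    return to_esm(relax_json(raw_text))


if __name__ == "__main__":
    for field, value in normalise(RAW).items():
        print(f"{field:20} {value}")
```

The quoting step is only needed for records rendered the way the page shows them; a real eStreamer client decodes the binary stream and never sees these literals, so treat relax_json as a tool for working with printed samples, not production input.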

Cisco Firepower Management Console - eStreamer supported events
This is a list of all supported events from Defense Center.

• Record Type 7 - Intrusion Event
• Record Type 10 - New Host
• Record Type 11 - New TCP Service
• Record Type 12 - New UDP Service
• Record Type 13 - New Network Protocol
• Record Type 14 - New Transport Protocol
• Record Type 15 - New Client Application
• Record Type 16 - TCP Service Information Update
• Record Type 17 - UDP Service Information Update
• Record Type 18 - Operating System Update Message
• Record Type 19 - Host Timeout
• Record Type 20 - Host IP Address Reused
• Record Type 21 - Host Deleted: Host Limit Reached
• Record Type 22 - Hops Change
• Record Type 23 - TCP Port Closed
• Record Type 24 - UDP Port Closed
• Record Type 25 - TCP Port Timeout
• Record Type 26 - UDP Port Timeout
• Record Type 27 - MAC Information Change
• Record Type 28 - Additional MAC Detected for Host
• Record Type 29 - Host IP Address Changed
• Record Type 30 - Host Last Seen
• Record Type 31 - Host Identified as Router/Bridge
• Record Type 34 - VLAN Tag Information Update
• Record Type 35 - Client Application Timeout
• Record Type 37 - User Set Valid Vulnerabilities 4.0
• Record Type 38 - User Set Invalid Vulnerabilities 4.0
• Record Type 42 - NetBIOS Name Change
• Record Type 44 - Host Dropped: Host Limit Reached
• Record Type 45 - Update Banner Message
• Record Type 46 - Host Attribute Add
• Record Type 47 - Host Attribute Update
• Record Type 48 - Host Attribute Delete
• Record Type 51 - TCP Service Confidence Update
• Record Type 52 - UDP Service Confidence Update
• Record Type 71 - Flow/Connection Statistic
• Record Type 74 - User Set Operating System
• Record Type 78 - User Delete Address
• Record Type 80 - User Set Valid Vulnerabilities
• Record Type 81 - User Set Invalid Vulnerabilities
• Record Type 82 - User Host Criticality
• Record Type 83 - Host Attribute Set Value
• Record Type 84 - Host Attribute Delete Value
• Record Type 85 - User Add Hosts
• Record Type 86 - User Add Service
• Record Type 88 - User Add Protocol
• Record Type 89 - Host Service Data for RNA 4.9.0.x
• Record Type 92 - User Identity Dropped: User Limit Reached
• Record Type 93 - User Removed Change Event
• Record Type 94 - New User Identity
• Record Type 95 - User Login
• Record Type 101 - New OS Event
• Record Type 102 - Identity Conflict System Message
• Record Type 103 - Identity Timeout
• Record Type 104 - Intrusion Event
• Record Type 105 - Intrusion Event
• Record Type 107 - Client Application Messages
• Record Type 112 - Correlation Event
• Record Type 150 - Intrusion Policy
• Record Type 207 - Intrusion Event
• Record Type 208 - Intrusion Event

Cisco IOS

Configure Cisco IOS


Task

1. Open a secure connection to the console of your Cisco IOS device, then go into enable mode.

Router> enable

Note

Depending on your configuration, you might need to enter a password.

2. Once in enable mode, go into global configuration mode.

Router# configure terminal

Router(config)#

3. Enable syslog messages.

Note

System messages are enabled by default. If logging has been disabled, use this command to enable it or to confirm that it is on.

Router(config)# logging on

By default, messages are logged only to the console. Use this command to also send them to a specific host, such as the McAfee
Event Receiver. The host argument is the name or IP address of that host.


Router(config)# logging <host>

4. Enable time stamps for logs.

Router(config)# service timestamps log datetime localtime
Router(config)# service timestamps debug datetime localtime

5. Set the severity level of messages sent to the syslog host. Messages at the specified level and at every more severe
(lower-numbered) level are sent.

Router(config)# logging trap <level>

Level Number Description

Emergency 0 System unusable messages

Alert 1 Immediate action required messages

Critical 2 Critical condition messages

Error 3 Error condition messages

Warning 4 Warning condition messages

Notification 5 Normal but significant messages

Information 6 Informational messages

6. Save changes and exit:


a. Close out of config mode.

Router(config)# exit

b. Save changes.

Router# copy running-config startup-config

OR

Router# copy run start


c. Exit from enable mode.

Router# disable
Router>

Add Cisco IOS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model IOS (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

370 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Option Definition

Export in Use this option when you are exporting raw data source data.
NitoFile
format

Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
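The Date Order option above decides how a numeric date such as 04/23/2018 or 23/04/2018 is read, and a client data source left on Default inherits its parent's order. The following is an added example, not code from the McAfee guide, that applies that setting the way the option describes and surfaces the two failure modes a wrong order produces: dates that are impossible under the configured order (23/04/2018 read month-first) and dates that parse either way (04/05/2018), where the setting silently decides the meaning. The function names and the `detect_order` batch check are this example's own.

```python
"""Added example (not from the McAfee guide): apply a Date Order setting to numeric dates."""
from datetime import date
from typing import List, Optional, Tuple

MONTH_FIRST = "month before day"
DAY_FIRST = "day before month"
DEFAULT = "default"  # inherits the parent data source's order, as the option text says for clients


def _split(text: str) -> Tuple[int, int, int]:
    """Split 'a/b/yyyy' into three integers; anything else is rejected."""
    parts = text.strip().split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an a/b/yyyy date: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def effective_order(order: str, parent_order: str = MONTH_FIRST) -> str:
    """Resolve 'default' to the parent's order; the built-in default is month before day."""
    resolved = parent_order if order == DEFAULT else order
    if resolved not in (MONTH_FIRST, DAY_FIRST):
        raise ValueError(f"unknown date order: {order!r}")
    return resolved


def parse_numeric_date(text: str, order: str = DEFAULT, parent_order: str = MONTH_FIRST) -> date:
    """Interpret a numeric date under the configured order. Raises ValueError when the
    fields cannot form a real date under that order (e.g. 23/04/2018 read month-first)."""
    a, b, year = _split(text)
    month, day = (a, b) if effective_order(order, parent_order) == MONTH_FIRST else (b, a)
    return date(year, month, day)


def parses(text: str, order: str) -> bool:
    """True when the date is valid under the given order."""
    try:
        parse_numeric_date(text, order)
        return True
    except ValueError:
        return False


def is_ambiguous(text: str) -> bool:
    """True when both readings are valid and differ (04/05/2018): the setting, not the
    data, decides which day the event is filed under, and a wrong setting is invisible."""
    a, b, _ = _split(text)
    return a != b and parses(text, MONTH_FIRST) and parses(text, DAY_FIRST)


def detect_order(samples: List[str]) -> Optional[str]:
    """Return the single order under which every sample is a valid date, or None when the
    batch fits both orders (all ambiguous) or neither (mixed data); use it to check a
    data source's Date Order setting against a sample of its own log lines."""
    viable = [o for o in (MONTH_FIRST, DAY_FIRST) if all(parses(s, o) for s in samples)]
    return viable[0] if len(viable) == 1 else None
```

A batch where `detect_order` returns None deserves a look before the setting is trusted: every date in it is either ambiguous (so any misconfiguration goes unnoticed) or the source mixes orders.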

Cisco IOS log format and field mapping


Log format
The expected format for this device is:

Date Time: %Facility-Severity-mnemonic: Description SourceIP -> DestIP

Log sample
This is a sample log from a Cisco IOS device:

Jan 01 01:23:45.678: %SEC-6-IPACCESSLOGNP: list 99 denied 0 192.0.2.2 -> 192.0.2.3, 1 packet

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

Date Time First Time, Last Time

Facility Application

SourceIP Source IP

DestIP Destination IP

Protocol Protocol

SourcePort Source Port

DestPort Dest Port

Interface Interface

Source MAC Source MAC

Error Code Response Code

Bundle, Group Group Name

category Category

Configure Cisco IOS IPS


No special steps are required on the Cisco IPS device.

Add Cisco IOS IPS


Add the data source to a receiver.

Task

1. Select a receiver.


2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model IOS IPS (SDEE protocol)

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Port 443

Use SSL/TLS Selected

URI cgi-bin/sdee-server

Username User name for logging on to the IPS

Password Password for logging on to IPS

Interval Choose the frequency you want to pull from the IPS

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
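The Validate SHA1 checksum option above (and its earlier occurrence in this chapter) checks an imported NitroFile export against a checksum file that accompanies it, with manual imports allowed to skip the check when no checksum file exists. The following is an added example, not code from the McAfee guide, of that check done by hand: hash the file, look its name up in the checksum file, and compare. The page does not document the layout of a NitroFile checksum file, so the `HEXDIGEST  filename` layout (sha1sum style), the file name and the data bytes are assumptions constructed for the example.

```python
"""Added example (not from the McAfee guide): check an exported data file against a SHA-1 checksum file."""
import hashlib
import hmac
from typing import Dict, Optional


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of in-memory bytes; for large exports feed the same hashlib object in chunks."""
    return hashlib.sha1(data).hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse 'HEXDIGEST  filename' lines as sha1sum(1) writes them. This page does not
    document the layout of a NitroFile checksum file, so this layout is an assumption."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40 or any(c not in "0123456789abcdefABCDEF" for c in parts[0]):
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()  # a leading '*' is sha1sum's binary-mode marker
    return table


def verify_export(name: str, data: bytes, checksum_text: Optional[str], allow_missing: bool = False) -> str:
    """'ok' or 'mismatch' when a checksum exists; 'no-checksum' only when the caller, like the
    manual-import exception described above, explicitly accepts a file without one."""
    if checksum_text is None:
        if allow_missing:
            return "no-checksum"
        raise FileNotFoundError(f"no checksum file for {name}")
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in the checksum file")
    # compare_digest does not stop at the first differing character
    return "ok" if hmac.compare_digest(sha1_hex(data), expected) else "mismatch"


# Constructed sample: the file is the three bytes b"abc", whose SHA-1 is the well-known test vector.
SAMPLE_NAME = "datasource-export-1.bin"
SAMPLE_DATA = b"abc"
SAMPLE_CHECKSUM_FILE = "a9993e364706816aba3e25717850c26c9cd0d89d  datasource-export-1.bin\n"
```

A checksum file stored beside the export catches truncation and corruption in transit, but anyone who can replace the export can replace its checksum as well; tamper evidence comes from an authenticated transfer between receivers, not from the SHA-1 alone.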

Cisco IOS IPS field mapping


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log field McAfee ESM fields

sd:hostId Hostname

cid:initialAlert | sd:evIdsAlert/@eventId External SessionID

sdIdsAlert/@severity Severity

sd:time First Time | Last Time

sd:signature/@description Message Text

sd:attacker/sd:addr | sd:attacker/sd:ipv6Address Source IP

sd:target/sd:addr | sd:target/sd:ipv6Address Dest. IP

cid:interface Interface

cid:protocol Protocol


cid:summary Event Count

@cid:version Version

CVE Vulnerability Reference

cid:appName Application

cid:alertDetails Message Text

cid:riskRatingValue Reputation

sd:signature/@cid:type Threat Category

sd:signature/@id Incident_ID

cid:os/@type Object

marsCategory Threat_Name

sd:attacker/sd:addr/@cid:locality Source Zone

sd:target/sd:addr/@cid:locality Destination Zone
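The table above lists the SDEE paths (sd:hostId, sd:evIdsAlert/@eventId, sd:attacker/sd:addr | sd:attacker/sd:ipv6Address, cid:interface, and so on) that the receiver pulls from the IOS IPS over the SDEE URI configured earlier. The following is an added example, not code from McAfee or Cisco, that walks a constructed alert with Python's xml.etree and produces the ESM field names from the table. The namespace URIs (urn:example:sdee, urn:example:cid), the element layout and every sample value are assumptions of this example; bind the sd: and cid: prefixes to the URIs your sensor actually declares before using it on real SDEE output.

```python
"""Added example (not from the McAfee guide or Cisco): map an SDEE IDS alert to ESM field names."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Namespace URIs are placeholders for this example (assumption). Bind the sd: and cid:
# prefixes to the URIs your sensor actually declares before using this on real SDEE output.
SD = "urn:example:sdee"
CID = "urn:example:cid"

# Constructed sample alert laid out after the paths in the mapping table above.
SAMPLE_ALERT = f"""<sd:evIdsAlert xmlns:sd="{SD}" xmlns:cid="{CID}" eventId="1234567890" severity="high">
  <sd:originator><sd:hostId>ips-sensor-1</sd:hostId></sd:originator>
  <sd:time offset="0" timeZone="UTC">2012-10-10T21:37:25Z</sd:time>
  <sd:signature description="Example signature" id="2004" cid:type="other"/>
  <sd:participants>
    <sd:attacker>
      <sd:addr cid:locality="OUT">192.0.2.10</sd:addr>
      <sd:port>44321</sd:port>
    </sd:attacker>
    <sd:target>
      <sd:ipv6Address cid:locality="IN">2001:db8::20</sd:ipv6Address>
      <sd:port>80</sd:port>
    </sd:target>
  </sd:participants>
  <cid:interface>GigabitEthernet0/1</cid:interface>
  <cid:protocol>tcp</cid:protocol>
  <cid:riskRatingValue>85</cid:riskRatingValue>
</sd:evIdsAlert>"""

# Constructed minimal alert: nothing but an event id, to show how absent nodes are handled.
MINIMAL_ALERT = f'<sd:evIdsAlert xmlns:sd="{SD}" eventId="1"/>'


def _q(ns: str, tag: str) -> str:
    """Clark notation '{uri}tag', the form ElementTree uses for namespaced names."""
    return f"{{{ns}}}{tag}"


def _text(el: Optional[ET.Element]) -> Optional[str]:
    return el.text.strip() if el is not None and el.text else None


def _address(participant: Optional[ET.Element]) -> Tuple[Optional[str], Optional[str]]:
    """(address, cid:locality) from sd:addr, or from sd:ipv6Address when there is no sd:addr.
    Nodes are compared with `is None`: an Element with no children is falsy, so
    `addr or ipv6` would wrongly skip a present sd:addr."""
    if participant is None:
        return None, None
    addr = participant.find(_q(SD, "addr"))
    if addr is None:
        addr = participant.find(_q(SD, "ipv6Address"))
    if addr is None:
        return None, None
    return _text(addr), addr.get(_q(CID, "locality"))


def sdee_alert_to_esm(xml_text: str) -> Dict[str, str]:
    """Return the ESM fields from the table that the alert actually carries; fields the
    alert lacks are omitted rather than set to '' so absence stays distinguishable."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(SD, "evIdsAlert"):
        raise ValueError(f"expected sd:evIdsAlert, got {root.tag}")
    when = _text(root.find(_q(SD, "time")))
    fields: Dict[str, Optional[str]] = {
        "Hostname": _text(root.find(f".//{_q(SD, 'hostId')}")),
        "External SessionID": root.get("eventId"),
        "Severity": root.get("severity"),
        "First Time": when,
        "Last Time": when,
        "Interface": _text(root.find(_q(CID, "interface"))),
        "Protocol": _text(root.find(_q(CID, "protocol"))),
        "Reputation": _text(root.find(_q(CID, "riskRatingValue"))),
    }
    sig = root.find(_q(SD, "signature"))
    if sig is not None:
        fields["Message Text"] = sig.get("description")
        fields["Incident_ID"] = sig.get("id")
        fields["Threat Category"] = sig.get(_q(CID, "type"))
    fields["Source IP"], fields["Source Zone"] = _address(root.find(f".//{_q(SD, 'attacker')}"))
    fields["Dest. IP"], fields["Destination Zone"] = _address(root.find(f".//{_q(SD, 'target')}"))
    return {k: v for k, v in fields.items() if v is not None}
```

The sd:time conversion is left as the raw text because the encoding depends on the sensor; the point of the example is the path handling, in particular the `addr | ipv6Address` alternative and the `is None` checks that ElementTree requires.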

Cisco Meraki

Configure Cisco Meraki


Task

1. From the dashboard, navigate to Network-wide → Configure → General, then click Add a syslog server.
2. In the Server IP field, enter the IP address of the McAfee Event Receiver, and in the Port field, enter 514 (the default port
for syslog).
3. Add the roles to the Roles field to enable logging for them.


Add Cisco Meraki


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model Meraki

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.


Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.


Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco Meraki field mapping


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

src Source IP

dst Destination IP

mac Source Mac

request Method

url URL


protocol Protocol

direction Direction

DNS server DNS_Server_IP

router Device_IP

signature Signature_Name

port changes Old_Value, New_Value

time First Time, Last Time

group Group_Name

client Host

SSID Wireless_SSID

radio number External_Device_ID

reason Reason

priority Priority

Cisco NX-OS

Configure Cisco NX-OS


The syslog configuration is done at the command line. See your product documentation for instructions about how to access and
use the CLI.


Task

1. Enter enable mode, then enter configuration mode:

> enable

# configure terminal

2. Configure a host where you want to send syslogs:

# logging server 192.0.2.1 6

where 192.0.2.1 is the IP address of your McAfee Event Receiver, and 6 is the severity level of the logs you want to send (6
is all events, 2 is only critical and emergency events).

3. To confirm these settings, show remote syslog server configuration.

# show logging server

4. Save the configuration:

# copy running-config startup-config

Add Cisco NX-OS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model NX-OS (ASP)


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco NX-OS log format and field mapping


Log format
The expected format for this device is:

<timestamp> <hostname>: %<application>-<severity>-<message type>: <message>

Log sample
This is a sample log from a Cisco NX-OS device:

2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user example_username from 192.0.2.2 - sshd[12345]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Host Hostname

protocol Protocol

IP address / sender Source IP

IP address / target Destination IP


Source Port / Port Source Port

Destination / Port Destination Port

MAC address / sender Source MAC

MAC address / target Destination MAC

Application Application

file Filename

domain Domain

user Source User

remote user Destination User

Interface, Port Interface

Destination Interface Interface_Dest

Timestamp First Time, Last Time

Cisco PIX ASA

Configure Cisco PIX ASA


Task

1. Go to the ASDM Home window, then select Configuration → Features → Properties → Logging → Logging Setup.
2. To enable syslog, select Enable logging.
3. In the navigation tree under Logging, select Syslog Servers, then click Add to add syslog server.
4. In the Add Syslog Server dialog box, enter the syslog server details, then click OK.


Add Cisco PIX ASA


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model PIX/ASA/FWSM (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None


Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.


Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco PIX ASA field mapping


Field mapping
This table shows the mapping between the data source and ESM fields.

Log fields ESM fields

Action Application

Bytes_Sent Command

Count Destination_Hostname


Device_IP Direction

Domain Destination IP

Destination Mac Destination Port

Destination User Filename

Group_Name Host

Interface_Dest Interface

Rule Message NAT_Details

Object Object_Type

Policy_Name Protocol

Reason Session

Severity Source IP

Source MAC Source Port

Source User Subject

URL Username

Cisco Unified Computing System

Configure Cisco Unified Computing System


1. Log on to the Cisco Unified Computing System (UCS) Manager.
2. In the navigation pane, select the Admin tab, expand Faults, Events and Audit Log, then select Syslog.


3. In the right pane, enable Remote Destination Server, enter the IP address of the syslog server, then select the appropriate
level and facility.
4. Click Save Changes.

Add Cisco Unified Computing System


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model Unified Computing System (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.


Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.


For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco Unified Computing System log format and field mapping


Log format
The expected format for this device is:

<date> <time>: %<facility>-<severity>-<mnemonic>: <description>

Log sample
This is a sample log from a Cisco Unified Computing System device:


<13>: 2012 Oct 10 21:37:25 EDT: %UCSM-5-DEVICE_SHARED_STORAGE_ERROR: [F0863][warning][device-shared-storage-error][sys/mgmt-entity-B] device FOX1616G2JC, error accessing shared-storage

Field mapping
This table shows the mapping between the data source and ESM fields.

Log fields ESM fields

facility Application

severity Severity

server Host

Cisco Wireless LAN Controller

Configure Cisco Wireless LAN Controller


Task

1. In the controller UI, select Management → Logs → Config, enter the IP address of the server where you want to send the
syslog messages, then click Add.
2. In the Syslog Level field, select the severity level.

Note

The only messages sent to the syslog server are messages with severity equal to or less than the level you set.

3. In the Syslog Facility field, set the facility for outgoing syslog messages to the syslog servers.
4. By default, message logs include information about the source file. To exclude this information, deselect File Info.
5. To commit and save the changes, click Apply, then click Save Configuration.

Add Cisco Wireless LAN Controller


Add the data source to a receiver.

Task

1. Select a receiver.


2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cisco

Data Source Model Wireless LAN Controller (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing


Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.


Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cisco Wireless LAN Controller log format and field mapping


Log format
The expected format for this device is:

Host Time_Stamp: FACILITY-SEVERITY-MNEMONIC: Message-text

Log sample
This is a sample log from a Cisco Wireless LAN Controller device:

<180>ABCDE12345: *CDP Main: Nov 09 16:02:36.289: #LWAPP-4-AP_DUPLEX_MISMATCH: spam_api.c:7755 Duplex mismatch discovered on GigabitEthernet0 (not full duplex), with ABCDE12345 FastEthernet0/1 (full duplex) for AP ABCDE12345

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer, host Host, Destination Host


Facility Code Application

Severity Level Severity

CMD Command

Domain Domain

SSID Wireless_SSID

Interface Interface, Interface_Dest

MAC, Client, MAC-ID Source Mac, Destination Mac, Old_Value

Remote IP Device IP

Remote Port Device Port

Username Source User

SNMP Trap SNMP_Item
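The four log formats given in this chapter, IOS (`Date Time: %Facility-Severity-mnemonic: Description`), NX-OS (`<timestamp> <hostname>: %<application>-<severity>-<message type>: <message>`), Unified Computing System (`<date> <time>: %<facility>-<severity>-<mnemonic>: <description>`) and Wireless LAN Controller (`Host Time_Stamp: FACILITY-SEVERITY-MNEMONIC: Message-text`), share the `%FACILITY-SEVERITY-MNEMONIC:` body and differ only in what precedes it. The following is an added example, not code from McAfee or Cisco, of one parser that tries the layout-specific prefixes and then the shared body, and maps the pieces to the ESM field names used in the tables for these devices (facility to Application, timestamp to First Time and Last Time, host to Hostname, the `src -> dst` pair to Source IP and Destination IP, and `for user X from IP` to Source User and Source IP). It runs over the four sample lines from this chapter, each joined onto a single line. The layout names, the optional hostname in the NX-OS prefix (the NX-OS sample above carries none), the acceptance of `#` as well as `%` (the WLC sample uses `#`), and the IP and user extraction patterns are assumptions of this example, not ESM parser rules.

```python
"""Added example (not from the McAfee guide or Cisco): one parser for the four Cisco syslog
layouts shown in this chapter (IOS, NX-OS, UCS, WLC), producing ESM-style field names."""
import re
from typing import Dict, List, Optional, Tuple

# Body shared by all four layouts: %FACILITY-SEVERITY-MNEMONIC: message (the WLC sample writes '#').
_CORE = re.compile(r"^[%#](?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<message>.*)$")
_MONTH_TS = r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?"

# Layout-specific prefixes, tried in order. Each must consume everything up to the '%'/'#' body.
_PREFIXES = [
    # WLC:  <180>HOST: *TASK: Nov 09 16:02:36.289: #...
    ("wlc", re.compile(rf"^(?:<(?P<pri>\d{{1,3}})>)?(?P<host>[^:\s<]+): (?:\*(?P<task>[^:]+): )?(?P<ts>{_MONTH_TS}): (?=[%#])")),
    # NX-OS and UCS:  [<13>: ]2012 Oct 10 21:37:25 EDT[ host]: %...
    # The hostname is optional because the NX-OS sample above carries none. A 3-4 letter
    # upper-case hostname with no zone would be read as the zone; tighten 'tz' if that occurs.
    ("nxos_ucs", re.compile(rf"^(?:<(?P<pri>\d{{1,3}})>:? ?)?(?P<ts>\d{{4}} {_MONTH_TS})(?: (?P<tz>[A-Z]{{3,4}}))?(?: (?P<host>[^:\s]+))?: (?=[%#])")),
    # IOS:  Jan 01 01:23:45.678: %...
    ("ios", re.compile(rf"^(?P<ts>{_MONTH_TS}): (?=[%#])")),
]

_IP = r"(?:\d{1,3}\.){3}\d{1,3}"
_SRC_DST = re.compile(rf"(?P<src>{_IP})(?:\((?P<sport>\d+)\))? -> (?P<dst>{_IP})(?:\((?P<dport>\d+)\))?")
_USER_FROM = re.compile(rf"for user (?P<user>\S+) from (?P<src>{_IP})")


def parse_cisco_syslog(line: str) -> Optional[Dict[str, str]]:
    """Map one line to ESM field names from the tables above; None when no layout matches."""
    for layout, prefix in _PREFIXES:
        head = prefix.match(line)
        if head is None:
            continue
        body = _CORE.match(line[head.end():])
        if body is None:
            return None
        ts = head.group("ts")
        fields = {
            "layout": layout,
            "First Time": ts,
            "Last Time": ts,
            "Application": body.group("facility"),  # facility -> Application in every table above
            "Severity": body.group("severity"),
            "Mnemonic": body.group("mnemonic"),     # not an ESM field on this page; kept for rule writing
            "Message Text": body.group("message"),
        }
        # groupdict() holds every named group of the pattern; layouts without 'host' yield None here
        host = head.groupdict().get("host")
        if host:
            fields["Hostname"] = host
        flow = _SRC_DST.search(fields["Message Text"])
        if flow:
            fields["Source IP"], fields["Destination IP"] = flow.group("src"), flow.group("dst")
            if flow.group("sport"):
                fields["Source Port"] = flow.group("sport")
            if flow.group("dport"):
                fields["Destination Port"] = flow.group("dport")
        auth = _USER_FROM.search(fields["Message Text"])
        if auth:
            fields["Source User"], fields["Source IP"] = auth.group("user"), auth.group("src")
        return fields
    return None


def parse_batch(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse many lines; the rejected list holds lines no layout accepted, to be reviewed rather than dropped."""
    parsed: List[Dict[str, str]] = []
    rejected: List[str] = []
    for line in lines:
        fields = parse_cisco_syslog(line)
        if fields is None:
            rejected.append(line)
        else:
            parsed.append(fields)
    return parsed, rejected


# The four sample lines from this chapter, each joined onto a single line.
SAMPLE_LINES = [
    "Jan 01 01:23:45.678: %SEC-6-IPACCESSLOGNP: list 99 denied 0 192.0.2.2 -> 192.0.2.3, 1 packet",
    "2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user example_username from 192.0.2.2 - sshd[12345]",
    "<13>: 2012 Oct 10 21:37:25 EDT: %UCSM-5-DEVICE_SHARED_STORAGE_ERROR: [F0863][warning][device-shared-storage-error][sys/mgmt-entity-B] device FOX1616G2JC, error accessing shared-storage",
    "<180>ABCDE12345: *CDP Main: Nov 09 16:02:36.289: #LWAPP-4-AP_DUPLEX_MISMATCH: spam_api.c:7755 Duplex mismatch discovered on GigabitEthernet0 (not full duplex), with ABCDE12345 FastEthernet0/1 (full duplex) for AP ABCDE12345",
]
```

Keeping the rejected lines separate matters for a collector: a device that starts emitting a prefix the parser does not know (a new time-zone token, a hostname where none was expected) shows up as a growing rejected count instead of as silently missing events, and the lines themselves tell you which prefix to add.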

Citrix NetScaler

Configure Citrix NetScaler


Task

1. In the Configuration utility, expand System → Auditing, then click syslog.
2. Click the Servers tab, then click Add.
a. In the Name field, enter the name of the syslog server (for example, McAfee Event Receiver), then select syslog from
the Auditing Type list.
b. In the IP Address field, enter the IP address of the McAfee Event Receiver.
c. In the Port field, enter the port number used for syslog by the McAfee Event Receiver (default is 514).
d. In the Log Levels group, select ALL to send all logs to the McAfee Event Receiver.


Note

Individual levels can be selected as needed.

e. Click Create, then click Close.
3. Click the Policies tab to add audit policies, then click Add.
a. In the Name field, enter a name for the policy (for example, McAfee ESM).
b. Select SYSLOG in the Auditing Type list, then select the McAfee Event Receiver server name in the Server list.
c. Click Create, then click Close.
4. Click Global Bindings, click Insert Policy, and select the policy name that you created.
5. Click OK.

Add Citrix NetScaler


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Citrix

Data Source Model NetScaler (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Citrix NetScaler log format and field mapping


Log format
The expected format for this device is:


<date time zone> <device> <application> <message> <key-value pairs…>

Log sample
This is a sample log from a Citrix NetScaler device:

<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log Fields McAfee ESM Fields

Host Host

Protocol Protocol

Source Source IP

Destination Destination IP

Vserver IP Device_IP

Source Source Port

Destination Destination Port

Vserver Port Device Port

VPN Session Session ID

Application Application

Command Command

Domain Domain


Filename Filename

User Source User

URL URL, Web_Domain

Nat_ip NAT_Details
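The following Python is an added example, not part of this guide or of Citrix's or McAfee's software. It parses the sample line above: the syslog <PRI>, the NetScaler date (written month-first, which is the guide's default Date Order; treating it that way and reading GMT as UTC are assumptions), the device, the packet-engine id, the module, event type and message id, and then the Context user and address, SessionId, Group(s), Vserver address and port, and the HTTP request that the field mapping table refers to. SAMPLE is a constructed copy of the sample line; the field regular expressions are assumptions drawn from that one line.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed copy of the sample line above (joined onto one line).
SAMPLE = ("<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : "
          "Context username@192.0.2.1 - SessionId: 12345- example.com User username : "
          "Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - "
          "01/01/2001:01:01:01 GMT GET file/path.gif - -")

# <date time zone> <device> <application> <message>: the application slot holds the
# packet-engine id (ABC-D), followed by module, event type and message id, then the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<date>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<device>\S+) (?P<app>\S+) : "
    r"(?P<module>\S+) (?P<event>\S+) (?P<msgid>\d+) : "
    r"(?P<message>.*)$"
)

# Key/value pairs inside the message; each pattern captures its value as group "v".
FIELD_RES = {
    "source_user": re.compile(r"\bContext (?P<v>[^@\s]+)@"),
    "source_ip": re.compile(r"\bContext [^@\s]+@(?P<v>[0-9A-Fa-f.:]+)"),
    "session_id": re.compile(r"\bSessionId: ?(?P<v>\d+)"),
    "groups": re.compile(r"\bGroup\(s\) (?P<v>.+?) :"),
    "vserver": re.compile(r"\bVserver (?P<v>\S+)"),
}
REQUEST_RE = re.compile(r"\b(?P<method>GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (?P<url>\S+)")


def parse_netscaler(line: str) -> Optional[dict]:
    """Parse one NetScaler syslog line into ESM-style fields; None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    # Assumption: month-first date (the guide's default Date Order); GMT is read as UTC.
    when = datetime.strptime(m.group("date"), "%m/%d/%Y:%H:%M:%S")
    if m.group("tz") == "GMT":
        when = when.replace(tzinfo=timezone.utc)
    rec = {
        "facility": pri // 8,
        "severity": pri % 8,
        "time": when,
        "host": m.group("device"),            # -> Host
        "packet_engine": m.group("app"),
        "module": m.group("module"),
        "event": m.group("event"),
        "message_id": int(m.group("msgid")),
        "device_ip": None, "device_port": None, "command": None, "url": None,
    }
    message = m.group("message")
    for name, pattern in FIELD_RES.items():
        f = pattern.search(message)
        rec[name] = f.group("v") if f else None
    if rec["vserver"] and ":" in rec["vserver"]:
        # The port is the last colon-separated part; the sample Vserver is an IPv6 address.
        ip, port = rec["vserver"].rsplit(":", 1)
        if port.isdigit():
            rec["device_ip"], rec["device_port"] = ip, int(port)   # Vserver IP/Port -> Device_IP/Port
    r = REQUEST_RE.search(message)
    if r:
        rec["command"], rec["url"] = r.group("method"), r.group("url")   # -> Command, URL
    return rec
```

Splitting the Vserver value from the right is what makes the IPv6 case in the sample work; splitting on the first colon would return a one-character address.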

Citrix Secure Gateway

Configure Citrix Secure Gateway


Task

1. In the Access Gateway Management Console, click Management → System Administration, then click Logging.
2. Click Remote Server Settings → Access Gateway Logging, then enter the IP address of the McAfee Event Receiver in the
Server field.
3. In the Port field, enter the port used to receive syslog by the McAfee Event Receiver (default is 514).
4. Under Log Type, select one or more types of logs to be sent to the McAfee Event Receiver.
5. (Optional) To change the frequency with which logs are sent or to send them manually, click Management → System
Administration → Logging → Access Gateway Logging → Log Settings.

Add Citrix Secure Gateway


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Citrix


Data Source Model Secure Gateway (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Port 514 (default)

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Citrix Secure Gateway log format and field mapping


Log format
The expected format for this device is:

<date time> <severity> <message>

Log sample
This is a sample log from a Citrix Secure Gateway device:

[Mon Jan 01 01:01:01 2001] [error] SSL Library Error 47 on 1.2.3.4:123 with peer 4.5.6.7:456 An unclassified SSL network error occurred. (error code: 12345 error:12345678)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log Fields McAfee ESM Fields

Username Username

Protocol Protocol

Source IP Source IP

Destination IP Destination IP


Source Port Source Port

Destination Port Destination Port

Time First Time, Last Time
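The following Python is an added example, not part of this guide or of Citrix's or McAfee's software. It parses the sample line above into the fields the mapping table lists: the bracketed timestamp becomes First Time and Last Time, the bracketed level becomes Severity, and the "on <address>:<port> with peer <address>:<port>" phrase yields the two endpoints. The guide does not say which endpoint the Source and Destination fields refer to; treating the peer as the Source (the side that connected) and the gateway listener as the Destination is an assumption of this example. SAMPLE is a constructed copy of the sample line.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed copy of the sample line above (joined onto one line).
SAMPLE = ("[Mon Jan 01 01:01:01 2001] [error] SSL Library Error 47 on 1.2.3.4:123 with peer "
          "4.5.6.7:456 An unclassified SSL network error occurred. (error code: 12345 error:12345678)")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# <date time> <severity> <message>, the first two in square brackets.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<severity>\w+)\] (?P<message>.*)$")
# "on <local>:<port> with peer <remote>:<port>" names the two ends of the TLS connection.
ENDPOINTS_RE = re.compile(
    rf"\bon (?P<local_ip>{IPV4}):(?P<local_port>\d+) with peer (?P<peer_ip>{IPV4}):(?P<peer_port>\d+)")
ERROR_CODE_RE = re.compile(r"error code: (?P<code>\d+)")


def parse_csg(line: str) -> Optional[dict]:
    """Parse one Secure Gateway line; endpoint fields stay None when the message has none."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    rec = {"first_time": when, "last_time": when, "severity": m.group("severity"),
           "message": m.group("message"), "source_ip": None, "source_port": None,
           "destination_ip": None, "destination_port": None, "error_code": None}
    e = ENDPOINTS_RE.search(rec["message"])
    if e:
        # Assumption: the peer that connected is the Source, the gateway listener the Destination.
        rec.update(source_ip=e.group("peer_ip"), source_port=int(e.group("peer_port")),
                   destination_ip=e.group("local_ip"), destination_port=int(e.group("local_port")))
    c = ERROR_CODE_RE.search(rec["message"])
    if c:
        rec["error_code"] = int(c.group("code"))
    return rec
```

Lines without the endpoint phrase (service start and stop messages, for example) still parse; only the address and port fields are left empty, which is the behaviour a receiver-side parser needs so that one message shape does not drop the rest.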

Cluster Labs Pacemaker

Configure Cluster Labs Pacemaker


Task

1. Open the /etc/corosync/corosync.conf configuration file using a text editor.


2. Edit the following lines in the logging { } section (corosync.conf keys are lowercase):

logging {
    to_syslog: yes
    syslog_facility: daemon
}

3. Save your changes, close the file, then copy the file to all nodes.
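The following Python is an added example, not from Cluster Labs or McAfee. It applies step 2 to a corosync.conf text and reads the result back, which is useful when the same edit has to reach every node in step 3 and you want to confirm it landed on each: ensure_syslog_logging rewrites or adds to_syslog and syslog_facility in the top-level logging block without touching nested logger_subsys blocks, and logging_settings returns the block's top-level keys for a check. SAMPLE_CONF is a constructed fragment whose logging block still writes to a file only.

```python
import re

# Constructed corosync.conf fragment: logs to a file, syslog switched off.
SAMPLE_CONF = """\
totem {
    version: 2
    cluster_name: lab
}
logging {
    to_logfile: yes
    logfile: /var/log/cluster/corosync.log
    to_syslog: no
    logger_subsys {
        subsys: QUORUM
        debug: off
    }
}
"""

# The two settings from step 2.
WANTED = {"to_syslog": "yes", "syslog_facility": "daemon"}


def ensure_syslog_logging(conf: str, wanted: dict = WANTED) -> str:
    """Return conf with the top-level keys of the logging { } block set to `wanted`.
    Existing keys are rewritten in place, missing keys are added before the closing brace,
    and a logging block is appended when the file has none. Nested blocks are left alone."""
    out, in_logging, depth, seen, found = [], False, 0, set(), False
    for line in conf.splitlines():
        stripped = line.strip()
        if not in_logging and re.match(r"^logging\s*\{$", stripped):
            in_logging = found = True
            depth = 1
            out.append(line)
            continue
        if in_logging:
            if stripped.endswith("{"):
                depth += 1
            elif stripped == "}":
                depth -= 1
                if depth == 0:
                    out.extend(f"    {k}: {v}" for k, v in wanted.items() if k not in seen)
                    in_logging = False
            elif depth == 1:
                m = re.match(r"^(\s*)(\w+)\s*:\s*(.*)$", line)
                if m and m.group(2) in wanted:
                    seen.add(m.group(2))
                    out.append(f"{m.group(1)}{m.group(2)}: {wanted[m.group(2)]}")
                    continue
        out.append(line)
    if not found:
        out.append("logging {")
        out.extend(f"    {k}: {v}" for k, v in wanted.items())
        out.append("}")
    return "\n".join(out) + "\n"


def logging_settings(conf: str) -> dict:
    """Top-level key/value pairs of the logging block, for checking each node after the copy."""
    settings, in_logging, depth = {}, False, 0
    for line in conf.splitlines():
        stripped = line.strip()
        if not in_logging and re.match(r"^logging\s*\{$", stripped):
            in_logging, depth = True, 1
        elif in_logging and stripped.endswith("{"):
            depth += 1
        elif in_logging and stripped == "}":
            depth -= 1
            in_logging = depth > 0
        elif in_logging and depth == 1 and ":" in stripped:
            key, value = stripped.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings
```

Running ensure_syslog_logging a second time returns the same text, so the function can be applied on every node without first checking whether that node was already edited; logging_settings is the check to run afterwards, before restarting the cluster services.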

Add Cluster Labs Pacemaker


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cluster Labs


Data Source Model Pacemaker (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cluster Labs Pacemaker log format and field mapping


Log format
The expected format for this device is:

<priority><hostname>[<ID>]: [<service>/<name>] <Log ID> <message>…

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields ESM fields

Hostname Host

PID, UUID Object

Message Message

Application, Node Application

Node Command

Username Source User

Target Username Destination user


Severity Severity

Code Green Data Loss Prevention

Configure Code Green Data Loss Prevention


See the Code Green Data Loss Prevention product documentation for setup instructions about sending syslog data to a remote
server. Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add Code Green Data Loss Prevention


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Code Green

Data Source Model Data Loss Prevention (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).


Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Code Green Data Loss Prevention log format and field mapping


Log format
The expected format for this device is:

“<Date> <Time>”,<Device Type>,<Hostname>,,,<IP address>,<Session ID>,<Severity>,<Message>

Log sample
This is a sample log from a Code Green Data Loss Prevention device:

"Jan 1, 2001 4:01:01 PM",Appliance,hostname,0,,,123456,Notice,Login Events,admin,192.0.2.1,,Login completed by admin from 192.0.2.2

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Host

email domain Domain

IP Address Source IP

Destination IP Destination IP

“changed port number to” Source Port

“destination port” Destination Port

Date, Time First Time, Last Time

Session ID Session ID

Severity Severity

Username Source User

Device Type Object
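The following Python is an added example, not part of this guide or of Code Green's or McAfee's software. It reads the comma-separated sample line above with a CSV reader, which is what keeps the quoted "<Date> <Time>" value (it contains a comma) in one field, converts the date, and applies the mapping table. The sample line carries more columns than the format line lists, so the column positions in COLUMNS follow the sample and are an assumption; SAMPLE is a constructed copy of that line. The address at the end of the message ("from 192.0.2.2") is pulled out separately because the mapping table maps the IP Address column, not the message text, to Source IP.

```python
import csv
import io
import re
from datetime import datetime
from typing import Optional

# Constructed copy of the sample line above (joined onto one line).
SAMPLE = ('"Jan 1, 2001 4:01:01 PM",Appliance,hostname,0,,,123456,Notice,Login Events,'
          'admin,192.0.2.1,,Login completed by admin from 192.0.2.2')

# Column positions taken from the sample line (assumption: the format line lists fewer columns).
COLUMNS = {"date_time": 0, "device_type": 1, "hostname": 2, "session_id": 6, "severity": 7,
           "event_category": 8, "username": 9, "ip_address": 10, "message": 12}
FROM_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_codegreen(line: str) -> Optional[dict]:
    """Parse one line; None when it has too few columns or an unexpected date format."""
    row = next(csv.reader(io.StringIO(line.strip())), None)
    if not row or len(row) <= max(COLUMNS.values()):
        return None
    rec = {name: row[index] for name, index in COLUMNS.items()}
    try:
        rec["time"] = datetime.strptime(rec.pop("date_time"), "%b %d, %Y %I:%M:%S %p")
    except ValueError:
        return None
    m = FROM_RE.search(rec["message"])
    rec["remote_ip"] = m.group("ip") if m else None   # address named in the message text
    return rec


def to_esm(rec: dict) -> dict:
    """Apply the field mapping table above to a parsed record."""
    return {
        "Host": rec["hostname"],
        "Source IP": rec["ip_address"],
        "First Time": rec["time"],
        "Last Time": rec["time"],
        "Session ID": rec["session_id"],
        "Severity": rec["severity"],
        "Source User": rec["username"],
        "Object": rec["device_type"],
    }
```

Positional parsing is fragile when a vendor adds a column, so the length check returns None rather than silently shifting every field; a receiver that logs those rejects gives you an early warning that the format changed.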


Cofense Intelligence

Configure Cofense Intelligence


Task

1. Make sure that you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use the command:

python cofense_to_mcafee.py

• If you need a proxy to connect to Cofense, change the [proxy]:use value to True and fill out your proxy information
in the following two fields.
• Verify that any absolute paths are correct for your operating system.
• To send Indicators of Compromise (IOCs) to McAfee ESM via CEF, set [output-cef]:use to True and provide a host
name/IP address and port where you want to send CEF events.
• For Cyber Threat Feeds, set up the McAfee ESM integration to output STIX files to a directory: set [output-stix]:use
to True and provide the directory where you want to write the files.

Add Cofense Intelligence


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cofense

Data Source Model Intelligence

Data Format Default


Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cofense Intelligence log format and field mapping


Log format
The expected format for this device is:

CEF:0|Cofense|Intelligence|1.0|deviceEventClassId|name|Severity|URL/Domain externalID category Malware Family First Published Brand Infrastructure Type ThreatHQ URL T3 Report URL

Log sample
This is a sample log from a device:

CEF:0|Cofense|Intelligence|1.0|watchlist_url|Watchlist URL|10|cs4Label=Malicious URL cs4=https://www.example.com/s/5rnzwnpnvlpqppf/modulo2.dat externalId=5879 cat=/ImpactRating/Major cs1Label=Malware Family cs1=JAR Downloader deviceCustomDate1Label=First Published deviceCustomDate1=1461106012435 cs2Label=Brand cs2=Generic Malware Threat cs3Label=Infrastructure Type cs3=Location from which a payload is obtained cs5Label=ThreatHQ URL cs5=https://www.example.com/p42/search/default?m\=5879 cs6Label=T3 Report URL cs6=https://www.example.com/api/l/activethreatreport/5879/html

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

CEF.Event Name Rule Message

CEF.Severity Severity

externalId External_EventID

Cat Subcategory

dst Destination IP


fname File_Path

fileHash File_Hash

Malware Family Threat_Name

T3 Report URL / Active Threat Report Device_URL

Malicious URL URL

Malicious Email From

First Published First Time, Last Time

Watchlist Domain Object

Cofense Triage

Configure Cofense Triage


Task

1. Make sure you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use this command:

python Cofense_to_mcafee.py

• If a proxy is needed to connect to Cofense, change the [proxy]:use value to True and fill out your proxy
information in the following two fields.
• Verify that any absolute paths are correct for your operating system.
• To send Indicators of Compromise (IOCs) into McAfee ESM via CEF, set [output-cef]:use to True and provide a host
name/IP address and port where you want to send CEF events.
• For Cyber Threat Feeds, set up McAfee ESM integration to output STIX files to a directory; set [output-stix]:use to
True, and provide the directory where you want to write the files.


Add Cofense Triage


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Cofense

Data Source Model Triage

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None


Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Cofense Triage log format and field mapping


Log format
The expected format for this device is:

CEF:0|Cofense|Triage|2.0|Rule ID|Event|Severity|start rt Time Message Reported duser suser cat Recipe Name
Highest Priority Rule Matched – Priority Level Highest Priority Rule Matched – Rule Name Report URL Subject

Log sample
This is a sample log from a device:

<13>Jan 1 01:01:01 cofense-triage Triage: I, [2016-01-01T20:10:51.914471 #62969] INFO -- : CEF:0|Cofense|Triage|2.0|1|Recipe Match|3|start=JAN 1 2016 01:01:01 rt=JAN 01 2016 01:01:01 deviceCustomDate1=JAN 01 2016 01:01:01 deviceCustomDate1Label=Time Message Reported duser=user@example.com suser=user2@example.com cat=Crimeware cs1= cs1Label=Recipe Name cn1=4 cn1Label=Highest Priority Rule Matched - Priority Level cs2=Test_Rule cs2Label=Highest Priority Rule Matched - Rule Name cs3=https://203.0.113.0/reports/1 cs3Label=Report URL cs4=Review Documents cs4Label=Subject


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                                          McAfee ESM fields
start                                               First Time, Last Time
duser                                               Destination User
suser                                               Source User
cat                                                 Threat_Category
Recipe Name                                         Policy_Name
Report URL                                          Device_URL
Subject                                             Subject
Highest Priority Rule Matched – Rule Name           Rule_Name
Highest Priority Rule Matched – Priority Level      Priority
Rule ID, Event                                      Rule Message
Severity                                            Severity
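The following is an added example, not code from this guide or from Cofense or McAfee: it parses the sample line above as CEF and applies the mapping table, resolving the csN/cnN custom fields by their Label values rather than by slot number. ESM field names are taken from the table; the function and constant names are the example's own.

```python
"""Added example, not Cofense or McAfee code: parse a Cofense Triage CEF syslog
line and map it onto the McAfee ESM fields listed in the table above."""
import re

# Sample log constructed from the one shown on this page.
SAMPLE = (
    "<13>Jan 1 01:01:01 cofense-triage Triage: I, [2016-01-01T20:10:51.914471 #62969] "
    "INFO -- : CEF:0|Cofense|Triage|2.0|1|Recipe Match|3|start=JAN 1 2016 01:01:01 "
    "rt=JAN 01 2016 01:01:01 deviceCustomDate1=JAN 01 2016 01:01:01 "
    "deviceCustomDate1Label=Time Message Reported duser=user@example.com "
    "suser=user2@example.com cat=Crimeware cs1= cs1Label=Recipe Name cn1=4 "
    "cn1Label=Highest Priority Rule Matched - Priority Level cs2=Test_Rule "
    "cs2Label=Highest Priority Rule Matched - Rule Name "
    "cs3=https://203.0.113.0/reports/1 cs3Label=Report URL "
    "cs4=Review Documents cs4Label=Subject"
)

# Custom fields (csN/cnN) are identified by their label, not their slot number;
# the table above writes these labels with an en dash, the log with a hyphen.
LABEL_TO_ESM = {
    "Recipe Name": "Policy_Name",
    "Report URL": "Device_URL",
    "Subject": "Subject",
    "Highest Priority Rule Matched - Rule Name": "Rule_Name",
    "Highest Priority Rule Matched - Priority Level": "Priority",
}
# Standard CEF extension keys map directly.
KEY_TO_ESM = {
    "start": ("First Time", "Last Time"),
    "duser": ("Destination User",),
    "suser": ("Source User",),
    "cat": ("Threat_Category",),
}
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")             # pipe not preceded by backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # key= at start or after a space


def _unescape(value):
    # CEF escapes '|', '=' and '\' with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line):
    """Return (header dict, extension dict) for the CEF payload of a syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    names = ("version", "vendor", "product", "device_version",
             "signature_id", "name", "severity")
    header = dict(zip(names, (_unescape(p) for p in parts[:7])))
    ext, fields = parts[7], {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        # A value runs from after its '=' to the start of the next key
        # (values may contain spaces; an empty value such as cs1= is kept).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, fields


def to_esm(header, fields):
    """Apply the page's field mapping, resolving csN/cnN labels to ESM fields."""
    event = {}
    for key, targets in KEY_TO_ESM.items():
        if key in fields:
            for target in targets:
                event[target] = fields[key]
    for key, value in fields.items():
        if re.fullmatch(r"c[sn]\d+", key) and key + "Label" in fields:
            label = fields[key + "Label"].replace("\u2013", "-")
            target = LABEL_TO_ESM.get(label)
            if target:
                # cnN fields are numeric in CEF; keep Priority as an int.
                event[target] = int(value) if key.startswith("cn") and value.isdigit() else value
    event["Rule Message"] = f'{header["signature_id"]} {header["name"]}'
    event["Severity"] = header["severity"]
    return event


def parse_cofense_triage(line):
    """Parse one syslog line and refuse anything that is not a Cofense Triage event."""
    header, fields = parse_cef(line)
    if (header["vendor"], header["product"]) != ("Cofense", "Triage"):
        raise ValueError("not a Cofense Triage event")
    return to_esm(header, fields)


if __name__ == "__main__":
    for field, value in parse_cofense_triage(SAMPLE).items():
        print(f"{field}: {value!r}")
```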

Cooper Power Systems Cybectec RTU

Configure Cooper Power Systems Cybectec RTU

See the Cooper Power Systems Cybectec RTU product documentation for instructions about sending syslog logs to a remote
server. Use the McAfee Event Receiver IP address for the address of the remote server.

Add Cooper Power Systems Cybectec RTU

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Cooper Power Systems
Data Source Model           Cybectec RTU (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your data
                            source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of data source
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                <Enable>
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing
Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                            icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when logs are imported, the ESM can
                            differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is
                            in NitroFile format. If you import them manually, you must select this box for each data
                            source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Cooper Power Systems Cybectec RTU log format and field mapping

Log format
The expected format for this device is:

<timestamp> <device name> <log type> [<location>] <service>; <message type> <message>

Log sample
This is a sample log from a Cooper Power Systems Cybectec RTU device:

Jan 1 01:01:01 deviceName Security: [Example - Location] Security Service; MAINTENANCE: "Admin" - Authenticated (EXAMPLEDOMAIN\admin; HOSTNAME)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                  McAfee ESM fields
Source                      Hostname
PROTO                       Protocol
SRC                         Source IP
DST                         Destination IP
SRC                         Source Port
DST                         Destination Port
Command                     Command
Domain                      Domain
Event                       Object
Username                    Source User
Service                     Service Name
Message Type                Application
Point                       Interface
Device                      External_Device_Name
Value                       New_Value

Cooper Power Systems Yukon IED Manager Suite

Configure Cooper Power Systems Yukon IED Manager Suite

See the Cooper Power Systems Yukon IED Manager Suite product documentation for instructions about sending syslog logs to a
remote server. Use the McAfee Event Receiver IP address for the address of the remote server.

Add Cooper Power Systems Yukon IED Manager Suite

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Cooper Power Systems
Data Source Model           Yukon IED Manager Suite (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your data
                            source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of data source
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                <Enable>
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing
Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                            icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when logs are imported, the ESM can
                            differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is
                            in NitroFile format. If you import them manually, you must select this box for each data
                            source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Cooper Power Systems Yukon IED Manager Suite log format and field mapping

Log format
The expected format for this device is:

<Priority> <date> <time> <hostname> <server> <message>

Log sample
This is a sample log from a Cooper Power Systems Yukon IED Manager Suite device:

<123>Jan 01 01:01:01 HOSTNAME ApplicationServer: (Connection) Connection established with DeviceName [HOSTNAME:Application Manager Server:1234]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                  McAfee ESM fields
Originating Host            Host
Protocol                    Protocol
IP Address                  Source IP
Port                        Source Port
Date, Time                  First Time, Last Time
Priority                    Severity
Connection status           Event Subtype
Server                      Application
Domain                      Domain
Destination Device          Object
User                        Source User
To User                     Destination User

Corero IPS

Configure Corero IPS

See the Corero IPS or Top Layer - Attack Mitigator IPS documentation for instructions about how to send syslog data to the
McAfee Event Receiver.

Add Corero IPS

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Corero
Data Source Model           Corero IPS (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your data
                            source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of data source
IP Address/Hostname         IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                <Enable>
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing
Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                            icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when logs are imported, the ESM can
                            differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is
                            in NitroFile format. If you import them manually, you must select this box for each data
                            source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Corero IPS log format and field mapping

Log format
The expected format for this device is:

<date> <time> <device IP> <severity> <device name> <id> <pt> <prot> <cip> <cprt> <sip> <sprt> <atck> <disp> <ckt> <src> <msg>

Log sample
This is a sample log from a Corero IPS device:

01-01-2001 01:01:01 192.0.2.1 auth.warn IPS5500: id=123456 pt=ABC-DE prot=TCP cip=192.0.2.2 cprt=12345 sip=192.0.2.3 sprt=12 atck=abc-123456 disp=abcde ckt=1 src=extern msg="Message: SynFlood - Connection From Malicious Source IP Address"

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields                  McAfee ESM fields
prot                        Protocol
cip                         Source IP
sip                         Destination IP
cprt                        Source Port
sprt                        Destination Port
atck                        Signature ID
msg                         Message

Crowdstrike

Configure Crowdstrike
See the Crowdstrike documentation for instructions about configuring the data source on Crowdstrike. For information about
Crowdstrike API access, see Getting Access to the CrowdStrike API.

Add Crowdstrike
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Crowdstrike
Data Source Model           Crowdstrike
Data Format                 Default
Data Retrieval              API (Default)
Enabled                     Select options for processing events. Some options may not be available for your data
                            source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of data source
IP Address                  IP address associated with the data source device.
Hostname                    Host name associated with the data source device. Click Look up to automatically fill
                            the IP field.
                            Note: Don't use _ (underscore) in a host name field.
Client Key                  Access key for APIs (obtain from Crowdstrike)
Client Secret Key           Secret key for APIs (obtain from Crowdstrike)
Use Proxy                   Enable to configure proxy
Proxy IP Address            IP address of the proxy
Proxy Port                  Default
Proxy Username              Username of the proxy
Proxy Password              Password of the proxy

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                            icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when logs are imported, the ESM can
                            differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is
                            in NitroFile format. If you import them manually, you must select this box for each data
                            source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

6. Click OK.

Crowdstrike log format and field mapping

Log sample
This is a sample log from a device:

Detection summary event

{
  "metadata": {
    "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
    "offset": 14947764,
    "eventType": "DetectionSummaryEvent",
    "eventCreationTime": 1536846439000,
    "version": "1.0"
  },
  "event": {
    "ProcessStartTime": 1536846339,
    "ProcessEndTime": 0,
    "ProcessId": 38684386611,
    "ParentProcessId": 38682494050,
    "ComputerName": "CS-SE-EZ64",
    "UserName": "demo",
    "DetectName": "Process Terminated",
    "DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware\r\nactivity.",
    "Severity": 4,
    "SeverityName": "High",
    "FileName": "explorer.exe",
    "FilePath": "\\Device\\HarddiskVolume1\\Windows",
    "CommandLine": "C:\\Windows\\Explorer.EXE",
    "SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
    "MD5String": "ac4c51eb24aa95b77f705ab159189e24",
    "MachineDomain": "CS-SE-EZ64",
    "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/abcdefghijklmnopqrstuvwxyz012345/12345678901?_cid=xxxxxxxxxxxxxxxxxx",
    "SensorId": "abcdefghijklmnopqrstuvwxyz012345",
    "DetectId": "ldt:abcdefghijklmnopqrstuvwxyz012345",
    "LocalIP": "1.2.3.4",
    "MACAddress": "xx-xx-xx-xx-xx",
    "Tactic": "Malware",
    "Technique": "Ransomware",
    "Objective": "Falcon Detection Method",
    "PatternDispositionDescription": "Prevention, process killed.",
    "PatternDispositionValue": 16,
    "PatternDispositionFlags": {
      "Indicator": false, "Detect": false, "InddetMask": false, "SensorOnly": false,
      "Rooting": false, "KillProcess": true, "KillSubProcess": false, "QuarantineMachine": false,
      "QuarantineFile": false, "PolicyDisabled": false, "KillParent": false,
      "OperationBlocked": false, "ProcessBlocked": false
    }
  }
}

Indicator of compromise (IOC)

{
  "metadata": {
    "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
    "offset": 460662,
    "eventCreationTime": 1480375833,
    "eventType": "CustomerIOCEvent"
  },
  "event": {
    "AgentIdString": "f2c76aa30f40454064d4ecbdaecfd2ca",
    "ProcessId": "25917476803",
    "ComputerName": "WINDOWS-10-12345",
    "MD5String": "2f0eaaf91fc7a5c70d1f4be9b18a1cf5",
    "ParentProcessId": "25826055931",
    "ProcessStartTime": 1462816700,
    "FileName": "StikyNot.exe",
    "FilePath": "\\Device\\HarddiskVolume1\\Windows\\System32",
    "CommandLine": "\"C:\\Windows\\system32\\StikyNot.exe\" ",
    "DeviceId": "f2c76aa30f40454064d4ecbdaecfd2ca"
  }
}

Other logs

{
  "event": {
    "AuditKeyValues": [{"Key": "target_name", "ValueString": "user@example.com"}],
    "OperationName": "activateUser",
    "ServiceName": "CrowdStrike Authentication",
    "Success": true,
    "UserId": "user@example.com",
    "UserIp": "192.0.2.100",
    "UTCTimestamp": 1452711518
  },
  "metadata": {
    "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
    "eventType": "AuthActivityAuditEvent",
    "eventCreationTime": 1480375833,
    "offset": 80960
  }
}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Detection summary events

Log fields                              McAfee ESM fields
metadata.version                        Version
metadata.eventCreationTime              firsttime, lasttime
event.UserName                          src_username
event.Technique                         Malware_Insp_Result
event.Tactic                            Malware_Insp_Action
event.SHA256String                      SHA256
event.Severity                          severity
event.SensorId                          Sensor_Name
event.PatternDispositionDescription     Subcategory
event.MachineDomain                     DomainID
event.MACAddress                        src_mac
event.LocalIP                           src_ip
event.FilePath                          File_Path
event.FileName                          Destination_Filename
event.FalconHostLink                    TC_URL
event.DetectName                        Event Message, Signature ID
event.DetectDescription                 Description
event.ComputerName                      HostID
event.CommandLine                       Target_Context

Customer IOC events

Log fields                              McAfee ESM fields
metadata.eventType                      Event Message, Signature ID
event.DetectId                          UUID
event.FilePath                          File_Path
event.FileName                          Destination_Filename
metadata.eventCreationTime              firsttime, lasttime
event.DeviceId                          External_Device_Name
event.ComputerName                      HostID
event.MD5String                         Hash
event.CommandLine                       Target_Context

Operation events

Log fields                              McAfee ESM fields
event.OperationName                     Event Message, Signature ID
metadata.eventCreationTime              firsttime, lasttime
event.UserIp                            src_ip
event.UserId                            src_username
event.ServiceName                       Service_Name
event.Success                           Status, action
metadata.Version                        Version
metadata.eventType                      Category

Other events

Log fields                              McAfee ESM fields
metadata.eventType                      Event Message, Signature ID
metadata.Version                        Version
metadata.eventCreationTime              firsttime, lasttime
event.UserIp                            src_ip
event.UserId                            UserIDSrc
event.ServiceName                       Service_Name
event.Success                           Status
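The following is an added example, not code from this guide or from CrowdStrike or McAfee: it selects one of the four mapping tables above from metadata.eventType, resolves the dotted JSON paths, and normalises eventCreationTime to seconds because the samples above mix millisecond and second epochs. Routing any event that carries an OperationName to the operation table is an assumption, since the guide names no event type for that table; the version key is looked up as "version", which is how the samples spell it.

```python
"""Added example, not CrowdStrike or McAfee code: choose the field-mapping table
for a CrowdStrike streaming event by its type and produce the ESM fields.
The JSON samples spell the version key "version", so that is what is read."""
import json

# The four tables on this page, as "JSON path -> ESM field(s)".
DETECTION = {
    "metadata.version": ("Version",),
    "metadata.eventCreationTime": ("firsttime", "lasttime"),
    "event.UserName": ("src_username",),
    "event.Technique": ("Malware_Insp_Result",),
    "event.Tactic": ("Malware_Insp_Action",),
    "event.SHA256String": ("SHA256",),
    "event.Severity": ("severity",),
    "event.SensorId": ("Sensor_Name",),
    "event.PatternDispositionDescription": ("Subcategory",),
    "event.MachineDomain": ("DomainID",),
    "event.MACAddress": ("src_mac",),
    "event.LocalIP": ("src_ip",),
    "event.FilePath": ("File_Path",),
    "event.FileName": ("Destination_Filename",),
    "event.FalconHostLink": ("TC_URL",),
    "event.DetectName": ("Event Message", "Signature ID"),
    "event.DetectDescription": ("Description",),
    "event.ComputerName": ("HostID",),
    "event.CommandLine": ("Target_Context",),
}
CUSTOMER_IOC = {
    "metadata.eventType": ("Event Message", "Signature ID"),
    "event.DetectId": ("UUID",),
    "event.FilePath": ("File_Path",),
    "event.FileName": ("Destination_Filename",),
    "metadata.eventCreationTime": ("firsttime", "lasttime"),
    "event.DeviceId": ("External_Device_Name",),
    "event.ComputerName": ("HostID",),
    "event.MD5String": ("Hash",),
    "event.CommandLine": ("Target_Context",),
}
OPERATION = {
    "event.OperationName": ("Event Message", "Signature ID"),
    "metadata.eventCreationTime": ("firsttime", "lasttime"),
    "event.UserIp": ("src_ip",),
    "event.UserId": ("src_username",),
    "event.ServiceName": ("Service_Name",),
    "event.Success": ("Status", "action"),
    "metadata.version": ("Version",),
    "metadata.eventType": ("Category",),
}
OTHER = {
    "metadata.eventType": ("Event Message", "Signature ID"),
    "metadata.version": ("Version",),
    "metadata.eventCreationTime": ("firsttime", "lasttime"),
    "event.UserIp": ("src_ip",),
    "event.UserId": ("UserIDSrc",),
    "event.ServiceName": ("Service_Name",),
    "event.Success": ("Status",),
}

# Constructed samples, trimmed from the ones shown on this page.
DETECTION_SAMPLE = {"metadata": {"eventType": "DetectionSummaryEvent",
                                 "eventCreationTime": 1536846439000, "version": "1.0"},
                    "event": {"UserName": "demo", "DetectName": "Process Terminated",
                              "Severity": 4, "LocalIP": "1.2.3.4", "Tactic": "Malware"}}
AUTH_SAMPLE = {"event": {"OperationName": "activateUser", "Success": True,
                         "UserId": "user@example.com", "UserIp": "192.0.2.100"},
               "metadata": {"eventType": "AuthActivityAuditEvent",
                            "eventCreationTime": 1480375833}}

def select_table(msg):
    """Route on metadata.eventType. Assumption: an event carrying OperationName
    (such as the AuthActivityAuditEvent sample) uses the operation table."""
    etype = msg.get("metadata", {}).get("eventType")
    if etype == "DetectionSummaryEvent":
        return DETECTION
    if etype == "CustomerIOCEvent":
        return CUSTOMER_IOC
    if "OperationName" in msg.get("event", {}):
        return OPERATION
    return OTHER

def lookup(msg, path):
    # Resolve a dotted path such as event.LocalIP; None if any part is missing.
    node = msg
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def to_esm(raw):
    """Map one raw JSON event (string or dict) to a dict of ESM fields."""
    msg = json.loads(raw) if isinstance(raw, str) else raw
    out = {}
    for path, targets in select_table(msg).items():
        value = lookup(msg, path)
        if value is None:
            continue
        # The detection sample carries a millisecond epoch, the others seconds;
        # normalise to seconds so firsttime/lasttime are comparable across types.
        if path == "metadata.eventCreationTime" and value > 10**11:
            value //= 1000
        for target in targets:
            out[target] = value
    return out
```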

CyberArk Enterprise Password Vault

Configure CyberArk Enterprise Password Vault

Syslog messages can be sent to multiple syslog servers in two different ways.

• One message can be sent to multiple servers by configuring an XSLT file.
• Multiple messages can be sent to different servers and formatted differently for each server by configuring multiple XSLT
  files, formats, and code-message lists. The code-message lists must be matched. They must contain the same number of
  items in the same order.

Task

1. In \PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section.

   Note

   The .ini file contains these configuration values.

   • SyslogServerIP—The IP addresses of the Syslog servers where messages are sent. Specify multiple values with
     commas.
   • SyslogServerProtocol—Specifies the Syslog protocol that is used to send audit logs. Specify TCP or UDP. The
     default value is UDP.
   • SyslogServerPort—The port used to connect to the Syslog server. The default value is 514.
   • SyslogMessageCodeFilter—Defines which message codes are sent from the Vault to McAfee ESM through the
     Syslog protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple
     values with pipelines. By default, all message codes are sent for user and safe activities.
   • SyslogTranslatorFile—Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol.
     Specify multiple values with commas.
   • DebugLevel—Determines the level of debug messages. Specify SYSLOG(2) to include Syslog xml messages in
     the trace file.
   • UseLegacySyslogFormat—Controls the format of the syslog message, and defines whether it is sent in a newer
     syslog format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer
     syslog format. Specify multiple values with commas.

2. In DBParm.ini, paste the SYSLOG section at the bottom of the file, then rename the file to McAfee.xsl.
3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in
   the SyslogTranslatorFile parameter in DBParm.ini.

   Note

   During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.

4. Make any needed changes to the XSL translator file relevant to ESM implementation.
5. Stop and Start the vault for the changes to take effect.

Add CyberArk Enterprise Password Vault

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          CyberArk
Data Source Model           Enterprise Password Vault (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your data
                            source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of data source
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing
Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device URL
                            icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when logs are imported, the ESM can
                            differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is
                            in NitroFile format. If you import them manually, you must select this box for each data
                            source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

CyberArk Enterprise Password Vault log format and field mapping

Log sample
Here is a sample log from a CyberArk Enterprise Password Vault device:

Nov 05 15:08:51 VLT2PI "Cyber-Ark Vault 5.50.0074" 295 295 "NULL" 6 LOCALHOST\\SYSTEM Retrieve password <username>=PasswordManager <action>=Retrieve password <msg>=, , Root\\Groups\\RMAPSDBGroup, , PROD_RMAPS_OLA_DB, , , , CPM, , Retrieve password

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                  McAfee ESM fields
username                    src_username (ASP)
action                      Msg (ASP)
fname                       Filename.Filename (cef)
duser                       dst_username (cef)
src                         src_ip (cef)
cs1_Affected_User_Name      src_username (cef)
cs2_Safe_Name               Objectname (cef)

CyberArk Privileged Identity Management Suite (DEF)

Configure CyberArk Privileged Identity Management Suite


(CEF)
Syslog messages can be sent to multiple syslog servers in two different ways:

• One message can be sent to multiple servers by configuring an XSLT file.


• Multiple messages can be sent to multiple syslog servers and formatted differently for each server by configuring
multiple XSLT files, formats, and code-message lists. The code-message lists must be matched, meaning they must contain
the same number of items in the same order.

Task

1. In \PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section.

Note

The .ini file contains these configuration values.

• SyslogServerIP – The IP addresses of the syslog servers where messages are sent. Specify multiple values with
commas.
• SyslogServerProtocol – Specifies the syslog protocol that is used to send audit logs. Specify TCP or UDP. The
default value is UDP.
• SyslogServerPort – The port used to connect to the syslog server. The default value is 514.
• SyslogMessageCodeFilter – Defines which message codes are sent from the vault to McAfee ESM through the
syslog protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple
values with pipe characters (|). By default, all message codes are sent for user and safe activities.
• SyslogTranslatorFile – Specifies the XSL file used to parse CyberArk audit records data into syslog protocol.
Specify multiple values with commas.
• DebugLevel – Determines the level of debug messages. Specify SYSLOG(2) to include syslog xml messages in
the trace file.
• UseLegacySyslogFormat – Controls the format of the syslog message, and defines whether it is sent in a newer
syslog format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer
syslog format. Specify multiple values with commas.

2. In DBParm.ini, paste the SYSLOG section at the bottom, then rename the file to McAfee.xsl.


3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in
the SyslogTranslatorFile parameter in DBParm.ini.

Note

During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.

4. Make any changes to the XSL translator file that your ESM implementation needs.
5. Stop and start the vault for the changes to take effect.

Add CyberArk Privileged Identity Management Suite (CEF)

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor CyberArk

Data Source Model Privileged Identity Management Suite - CEF

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source


IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

CyberArk Privileged Identity Management Suite CEF log format and field mapping
Log sample
Here is a sample log from a CyberArk Privileged Identity Management Suite – CEF device:


Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM
Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808
src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts
cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request
Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts,
Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error:
Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\
\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). ,
address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Fname Filename.Filename

cs4_Database Database_Name.Database_Name

Dhost Destination_Hostname.Destination_Hostname

Spriv Priviledged_User.Priviledged_User

externalId Instance_GUID.Instance_GUID

cs1_Affected_User_Name Destination_UserID.Destination_UserID

App protocol

App application

duser dst_username

suser src_username

cs2_Safe_Name objectname

Dvc src_ip

shost src_ip


Src src_ip

CyberArk Privileged Threat Analytics

Configure CyberArk Privileged Threat Analytics

Task

1. On the Privileged Threat Analytics (PTA) system, open the /opt/tomcat/diamond-resources/default/systemparm.properties
configuration file using a text editor.
2. Copy the line that contains the syslog_outbound property, then close the file.
3. Open the /opt/tomcat/diamond-resources/local/systemparm.properties configuration file.
4. Paste the line you copied, then uncomment the syslog_outbound property and edit the parameters.

Note

Use this example as a guide.

syslog_outbound=[{"host": "<SIEM_IP>", "port": 514, "format": "<FORMAT>", "protocol": "UDP"}]

where <SIEM_IP> is the IP address of the McAfee Event Receiver and <FORMAT> is CEF.

5. Save and close the file, then restart CyberArk PTA.

Add CyberArk Privileged Threat Analytics

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor CyberArk

Data Source Model Privileged Threat Analytics - CEF (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

CyberArk Privileged Threat Analytics log format and field mapping
Log sample
This is a sample log from a CyberArk Privileged Threat Analytics device:

CEF:0|CyberArk|PTA|3.1|21|Suspected credentials theft|9|duser=jessica dst=fileserver4.orgdomain.com
cs2Label=eventID cs2=647864b993dcfc92f014fe7a deviceCustomDate1Label=detectionDate
deviceCustomDate1=1421021802000 cs3Label=link cs3=https://1.1.1.1/incidents/647864b993dcfc92f014fe7a

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

CustomDate1 Firsttime, Lasttime

Src, sip Source IP

Dst, dip Destination IP

severity severity

Vaultuser Source Username

url link


eventID External Session ID

duser Destination Username

Src_host Hostname

eventname Message

Dst_host Destination Hostname

CEF.SignatureID Sid, External Event ID

Damballa Failsafe

Configure Damballa Failsafe

Task

1. Log on to the Damballa Failsafe Management Console, then navigate to Setup → Integration Settings.
2. Click the Syslog tab, then select Enable Publishing to Syslog.
3. In the Syslog Hostname field, enter the IP address of the McAfee Event Receiver, then select Enable Syslog Header.
4. In the Syslog Facility and Syslog Severity drop-down lists, select the facility and severity of events to send to the McAfee
Event Receiver.
5. Leave the Syslog Port field blank for the default port of 514, then click Save.

Add Damballa Failsafe

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Damballa

Data Source Model Failsafe (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Damballa Failsafe log format and field mapping

Log format
The expected format for this device is:

CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value> <key=value>…

Log sample
This is a sample log from a Damballa Failsafe device:

CEF:0|Damballa|Failsafe|5.0.3|Convicted Host|Evidence|10|app=DNS cat=DNS Query cfp1=123 cfp1Label=Asset Risk
Factor cfp2=123 cfp2Label=Incident Severity cn1=100 cn1Label=Threat Conviction Score cn2=52 cn2Label=Local
Severity cs1=name cs1Label=Threat Name cs2=name cs2Label=Industry Name cs3=example.com cs3Label=KB Link
cs4Label=Connection Status cs6=example.com cs6Label=Asset Detail Link destinationDnsDomain=example.com
dst=192.0.2.1 dvchost=name externalid=1234567 in=0 out=0 proto=UDP rt=978310861 src=192.0.2.2 start=978310861

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

shost Host

proto Protocol

src Source IP


dst Destination IP

spt Source Port

dpt Destination Port

smac Source MAC

dmac Destination MAC

start, end, rt, tstamp, collection First Time, Last Time

cs4 Event Subtype

cn1, cn2, Severity (CEF header) Severity

cnt Event Count

externalid Session ID

app Application

cat Object_Type

cs1, fname, spriv Object

destinationDnsDomain, sntdom Domain

suser Source User

duser Destination User

request URL

Signature ID (CEF Header) +Name (CEF Header) Message


msg Message_Text

cs2 Threat_Name
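The CEF layout given in the Damballa log format above, and the escaped \= values, empty fields and csNLabel/csN pairs visible in the CyberArk Privileged Identity Management Suite sample earlier, can be handled by one parser that then applies a mapping table like the ones on this page. This is an added example, not McAfee, CyberArk or Damballa code: the two sample lines are constructed to resemble the page's samples, the cef.-prefixed header names are this example's own, and the lowercase spelling of the table's Fname/Dhost/Spriv/Dvc/Src keys is an assumption.

```python
# Added example (not McAfee, CyberArk or Damballa code): CEF parser + ESM-style mapper.
import re

HEADER_FIELDS = ("cef.version", "cef.vendor", "cef.product", "cef.device_version",
                 "cef.signature_id", "cef.name", "cef.severity")
# An extension key sits at the start or after whitespace and its '=' must be unescaped,
# so "winRc\=1203" inside a value is not mistaken for a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
# CEF escapes in extension values: \= \| \\ and the \r \n line-break escapes.
_ESCAPE_RE = re.compile(r"\\([\\=|rn])")


def unescape(value):
    """Undo CEF value escaping; unknown sequences such as \\S are left as they are."""
    return _ESCAPE_RE.sub(lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)), value)


def split_header(line):
    """Return (header dict, extension text); pipes inside header fields are escaped as \\|."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "\\|":
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: %r" % line[:60])
    return dict(zip(HEADER_FIELDS, fields)), line[i:]


def parse_extension(ext):
    """Split key=value pairs; values may contain spaces, escaped '=' or be empty."""
    fields = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    # Add csN_<Label> aliases so a mapping can use either "cs1" (Damballa table) or
    # "cs1_Affected_User_Name" (CyberArk table); labels may be quoted in the log.
    for key, label in list(fields.items()):
        base = key[:-len("Label")]
        if key.endswith("Label") and base in fields:
            fields["%s_%s" % (base, label.strip('"').replace(" ", "_"))] = fields[base]
    return fields


def parse_cef(line):
    header, ext = split_header(line.strip())
    event = parse_extension(ext)
    event.update(header)
    return event


# (log field, ESM field) pairs in priority order, from the page's tables; where an ESM
# field is listed more than once, the first present, non-empty log field wins.
# Lower-casing the table's Fname/Dhost/Spriv/Dvc/Src spellings is an assumption.
CYBERARK_PIM_MAP = (
    ("fname", "Filename"), ("cs4_Database", "Database_Name"),
    ("dhost", "Destination_Hostname"), ("spriv", "Priviledged_User"),
    ("externalId", "Instance_GUID"), ("cs1_Affected_User_Name", "Destination_UserID"),
    ("app", "protocol"), ("app", "application"), ("duser", "dst_username"),
    ("suser", "src_username"), ("cs2_Safe_Name", "objectname"),
    ("dvc", "src_ip"), ("shost", "src_ip"), ("src", "src_ip"),
)
DAMBALLA_MAP = (
    ("src", "Source IP"), ("dst", "Destination IP"), ("proto", "Protocol"),
    ("cn1", "Severity"), ("cn2", "Severity"), ("cef.severity", "Severity"),
    ("cs1", "Object"), ("fname", "Object"), ("spriv", "Object"),
    ("cs2", "Threat_Name"), ("externalid", "Session ID"), ("cat", "Object_Type"),
)


def map_to_esm(event, mapping):
    """Apply a mapping table; empty values such as the sample's 'cs1=' are skipped."""
    lowered = {k.lower(): v for k, v in event.items()}
    esm = {}
    for log_field, esm_field in mapping:
        value = lowered.get(log_field.lower(), "")
        if value != "" and esm_field not in esm:
            esm[esm_field] = value
    return esm


# Constructed sample lines modelled on the page's CyberArk PIM and Damballa samples.
CYBERARK_LINE = (
    "CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|"
    "act=CPM Verify Password Failed duser=PasswordManager fname=Root\\S-1-5-21-1147481723 "
    "src=10.7.3.171 cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" "
    "cs2=Windows PCAdmin Accounts msg=Error in verifypass (winRc\\=1203). address\\=host.example.local;username\\=pcadmin;"
)
DAMBALLA_LINE = (
    "CEF:0|Damballa|Failsafe|5.0.3|Convicted Host|Evidence|10|app=DNS cat=DNS Query "
    "cn1=100 cn1Label=Threat Conviction Score cn2=52 cn2Label=Local Severity "
    "cs1=name cs1Label=Threat Name cs2=name cs2Label=Industry Name "
    "dst=192.0.2.1 externalid=1234567 proto=UDP src=192.0.2.2"
)
```

Calling map_to_esm(parse_cef(CYBERARK_LINE), CYBERARK_PIM_MAP) yields only Filename, dst_username, objectname and src_ip, because the empty cs1 (Affected User Name) is dropped rather than mapped to an empty Destination_UserID.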

Dell Aventail

Configure Dell Aventail

Task

1. Log on to the Aventail Management Console, then click Monitoring → Logging.
2. Click the Configure Logging tab, then set the logging levels in the Aventail service level section.
3. In the Syslog configuration section, enter these settings:

• Server n: The IP address of the McAfee Event Receiver
• Port: 514
• Protocol: UDP

4. Click Save, then click Pending Changes to apply the new settings.

Add Dell Aventail

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Dell

Data Source Model Aventail


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Dell Aventail field mapping

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Before 9.2.0:

Log fields McAfee ESM fields

Date Time First Time, Last Time

Hostname Host

Severity Severity

Src Source IP, Source Port

User *Source User, Domain

Dest Destination IP, Destination Port

Command, rule Command

Duration Elapsed_Time


Session ID Session ID

status Event Subtype

Variable, cleanup, attribute, file, assigned to, Client OS, Client OS Version, policy Object

access to Object, Destination IP, Destination Port

* Data from the log is reconstructed in a more human-readable format

9.2.0 and later:

Log fields McAfee ESM fields

Date Time First Time, Last Time

Hostname Host

Severity Severity

Src Source IP, Source Port

User *Source User, Domain

Dest Destination IP, Destination Port

Command, rule Command

SrcBytes Bytes_Sent

DstBytes Bytes_Received

Duration Elapsed_Time

Session ID Session ID


status Event Subtype

Variable, cleanup, attribute Object

access to Destination_Hostname, Destination IP, Destination Port

file Filename

assigned to Destination_Zone

Client OS, Client OS Version Operating_System

policy Policy_Name

* Data from the log is reconstructed in a more human-readable format

Dell PowerConnect Switches

Configure Dell PowerConnect Switches

Task

1. Using a web browser, log on to the Dell PowerConnect Switch.
2. Navigate to System → Logs → Remote Log Server, then click Add to add a server.
3. In the Log Server field, enter the IP address of the McAfee Event Receiver.
4. In the UDP Port field, enter the port used on the McAfee Event Receiver to receive syslog (default is 514).
5. In the Severity section, select the severity of logs to be sent to the McAfee Event Receiver, then click Apply Changes.

Add Dell PowerConnect Switches

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Dell

Data Source Model PowerConnect Switches (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.


• McAfee Enterprise Log Manager (ELM) - if you want to log the events on a ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event log on a ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent


5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Dell PowerConnect Switches log format and field mapping

Log format
The expected format for this device is:

<date time> <device IP> <application> <message number> <message>

Log sample
This is a sample log from a Dell PowerConnect Switches device:

JAN 01 01:01:01 192.0.2.1-1 TRAPMGR[123456789]: service(123) 1234 %% An invalid user tried to login through
Web from 192.0.2.2

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Application Application

IP Protocol Protocol

IP Address Source IP

Destination IP Address Destination IP

Login Method Object


User Username

Date Time First Time, Last Time

Severity Severity

Dell SonicOS

Configure Dell SonicOS

Task

1. Log on to the web interface, then select Log → Automation from the navigation menu.
2. In the Syslog Servers section, click Add, then, in the Name or IP Address field, enter the IP address of your McAfee Event
Receiver.
3. In the Port field, enter 514 (the default port for syslog), then click OK.
4. In the Syslog Format list, select Default, then click Apply.

Add Dell SonicOS

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Dell

Data Source Model SonicOS


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Dell SonicOS log format and field mapping


Log format
The expected format for this device is:

<pri>id=id sn=serial_number time="date time" fw=IP_Address pri=priority c=Message_Category m=Message_ID msg="IPS_Message" sid=IPS_Signature_ID extra_fields...

Log sample
This is a sample log from a SonicWall device:

Standard Event:

<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" fw=123.45.56.1 pri=1 c=32 m=608 msg="IPS
Detection Alert: ICMP Destination Unreachable (Port Unreachable)" sid=310 ipscat=ICMP ipspri=3 n=323984
src=192.168.0.12:53:X1: dst=10.10.0.88:6045:X4:

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Management Event:

Log fields McAfee ESM fields

id Application

mgmtip Source IP

m Signature ID

time First Time, Last Time

Standard Event:

Log fields McAfee ESM fields

pri Severity

m Signature ID

msg Message, *Signature_Name

c **Event_Class

Category Category

bytesRx Bytes_Received

bytesTx Bytes_Sent

usr Source User

src Source IP, Source Port

dst Destination IP, Destination Port

proto Protocol, Application

"from machine", Host Host

FQDN Domain

time First Time, Last Time

* Only available in ESM 9.2.0 and later
** Values are converted to their text equivalent
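The format and mapping above are easiest to check against real traffic with a small parser. The following Python is an added example written for this guide, not SonicOS or McAfee ESM code: it strips the syslog <PRI>, tokenizes the key=value body (quoted values may contain spaces), splits src and dst into their ip:port:interface parts, and maps the result onto the ESM field names in the Management Event and Standard Event tables. The sample line is constructed from the one shown above, the ESM field names are used as plain dictionary keys, and the time parsing assumes the "YYYY-MM-DD HH:MM:SS UTC" form seen in that sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the SonicOS "Standard Event" sample in this guide.
SAMPLE_SONICOS = (
    '<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" fw=123.45.56.1 pri=1 '
    'c=32 m=608 msg="IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable)" '
    'sid=310 ipscat=ICMP ipspri=3 n=323984 src=192.168.0.12:53:X1: dst=10.10.0.88:6045:X4:'
)

_PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.DOTALL)
# key=value pairs: the value is either a double-quoted string (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_sonicos(line):
    """Strip the syslog <PRI> and return the SonicOS key=value body as a dict."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> prefix")
    fields = {"_syslog_pri": int(m.group(1))}
    for key, val in _KV_RE.findall(m.group(2)):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def _split_endpoint(value):
    """src/dst are written as ip:port:interface: ; return (ip, port or None)."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port


def _parse_time(value):
    """The sample writes 'YYYY-MM-DD HH:MM:SS UTC'. A value without a zone is returned naive;
    ESM then applies the data source's Time Zone setting to it."""
    if value.endswith(" UTC"):
        return datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def to_esm_fields(fields):
    """Map parsed keys onto the ESM field names in the guide's Management and Standard Event tables."""
    esm = {}
    if "mgmtip" in fields:                      # Management Event: id -> Application, mgmtip -> Source IP
        esm["Application"] = fields.get("id")
        esm["Source IP"] = fields["mgmtip"]
    if "pri" in fields:
        esm["Severity"] = int(fields["pri"])
    if "m" in fields:
        esm["Signature ID"] = fields["m"]
    if "msg" in fields:
        esm["Message"] = esm["Signature_Name"] = fields["msg"]
    if "c" in fields:
        esm["Event_Class"] = fields["c"]       # ESM converts this category code to its text name
    if "usr" in fields:
        esm["Source User"] = fields["usr"]
    if "src" in fields:
        esm["Source IP"], esm["Source Port"] = _split_endpoint(fields["src"])
    if "dst" in fields:
        esm["Destination IP"], esm["Destination Port"] = _split_endpoint(fields["dst"])
    if "proto" in fields:
        esm["Protocol"] = esm["Application"] = fields["proto"]
    for log_key, esm_key in (("bytesRx", "Bytes_Received"), ("bytesTx", "Bytes_Sent")):
        if fields.get(log_key, "").isdigit():
            esm[esm_key] = int(fields[log_key])
    if "time" in fields:
        esm["First Time"] = esm["Last Time"] = _parse_time(fields["time"])
    return esm


if __name__ == "__main__":
    for name, value in sorted(to_esm_fields(parse_sonicos(SAMPLE_SONICOS)).items()):
        print("%-18s %s" % (name, value))
```

Run it directly to print the mapped fields for the sample. A line whose time value carries no zone is kept naive; that is the case the Time Zone setting in the Add task exists for, so check the tzinfo of First Time before relying on cross-device correlation.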

DG Technology - InfoSec MEAS

Configure DG Technology - InfoSec MEAS


See the DG Technology – InfoSec Mainframe Event Acquisitions System (MEAS) product documentation for setup instructions
about sending syslog data to a remote server. Use the IP address of the McAfee Event Receiver as the destination IP address and
port 514 as the destination port.

Add DG Technology - InfoSec MEAS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor DG Technology - InfoSec

Data Source Model Mainframe Event Acquisitions System (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM reports for this device when it forwards events in Common Event Format (CEF).

Date Order Select the date order used for this data source:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.


DG Technology - InfoSec MEAS log format and field mapping


Log format
The logs follow the CEF logging format. In addition to the standard CEF extension key-value pairs, MEAS embeds further
key=value pairs inside the msg="" value, with their equals signs escaped as \= (see the sample below). Here is the CEF logging format:

CEF:Version|INFOSEC-DGTECH|MEAS|MeasServer Version|Signature ID|Name|Severity|extensions

Log sample
This is a sample log from a MEAS device:

Jan 1 00:00:00 HOST1 CEF:0|INFOSEC-DGTECH|MEAS|#.##.##|###|SIGNATURE NAME|1|act=log shost=HOST1 suid=USER1
src=192.0.2.1 msg="MEASType\=###-### UID\=< UserID > SID\=<HOST1> TYPE\=<CMND> Text\=<TSS.ADD(UserID2).PSUS>
sproc\=HOST1..log"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

act Event Subtype

Attempts Rejects Failures Session_Status

CAT Catalog_Name

Cmd FTP_Command

cnt Event Count

DEPT Organizational_Unit

dmac Destination MAC

dproc Application

dprot Access_Resource

dpt Destination Port

dst Destination IP

duid, Duid Destination_UserID

FileType File_Type

fname Destination_Filename

fname Filename

host Host

jobname, sproc Mainframe_Job_Name

Jobtype Job_Type

LPort Source Port

LUName Logical_Unit_Name

MEASType (XXX-YYY) External_EventID(XXX)/External_SubEventID(YYY)

MEASType (XXX-YYY) Signature ID (396-XXX99YYY)

name Rule_Name

Number.of.Bytes *Bytes_Sent

pgname Application

Plan DB2_Plan_Name

proto Protocol

Reason Reason

Return Code Response_Code

RPort Destination Port

severity Severity

shost LPAR_DB2_Subsystem

smac Source MAC

src Source IP

sntdom Domain

SQLSTMT SQL_Statement

start, end, rt, tstamp, collection First Time, Last Time

Step/Stepname Step_Name

StepCount Step_Count

suid Source_UserID

suser Source User

Test, Text Message_Text

TYPE Command

VOLS Volume_ID


Dragos

Configure Dragos Platform


Task

1. Log on to Dragos as an administrator and browse to https://<your-site-store>/syslog/.


2. Select the Servers tab and click Add Server.

Option Description

Name Choose a descriptive name for the server.

Hostname/IP The hostname or IP address of the McAfee Event Receiver that this data source is added to.

Port The port configured for the Receiver in ESM.

Protocol TCP

Source Hostname Accept the default value or assign your own.

Source Process Accept the default value or assign your own.

Message Format RFC 3164 BSD Syslog

Message Delimiter Use newline delimiter for TCP and TLS streams

3. Configure message content and notifications using Dragos product documentation.

Add Dragos Platform


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Dragos

Data Source Model Dragos Platform

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignments User Defined 1

Time Zone Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM reports for this device when it forwards events in Common Event Format (CEF).

Date Order Select the date order used for this data source:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Dragos Platform log format and field mapping


Log sample
An example log from the data source.

<13>1 2020-03-05T20:38:56.687723Z dragos dragos_syslog - - CEF:0|Dragos|Platform|1.5|notification|
CaptureLoss::Too_Much_Loss|0|msg=The capture loss script detected an estimated loss rate above 19.931% from
customer: "Dragos" midpoint: "midpoint-dev.hq.dragos.services" collector: "corpdev" dvc=N/A dvchost=N/A
dst=N/A dhost=N/A dmac=N/A dntdom=N/A src=N/A shost=N/A smac=N/A sntdom=N/A externalId=185305
asset_domain=N/A asset_id=N/A asset_mac=N/A createdAt=2020-03-05T20:38:56Z detection_quad=N/A detectorId=
dst_asset_id=N/A matchedRuleId=4 occurredAt=2020-03-05T20:37:46Z originalSeverity=N/A reviewed=False
src_asset_id=N/A type=System

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

severity Severity

type Category

occurredAt First Time, Last Time

shost HostID

sntdom DomainID

src_ip src_ip

smac src_mac

dst_ip dst_ip

dmac dst_mac

externalId External_SessionID

msg Message_Text

matchedRuleId Policy_ID

community_rule_name Rule_Name

Econet Sentinel IPS

Configure Econet Sentinel IPS


See your Econet Sentinel IPS documentation for information about sending syslog events to a remote server or McAfee ESM. Use
the IP address of the McAfee Event Receiver for the IP address of the remote server.

Caution

Some versions of Sentinel IPS have different setup methods for remote syslog than other versions of the same product. See
the corresponding documentation for your version of Sentinel IPS.


Add Econet Sentinel IPS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Econet

Data Source Model Sentinel IPS

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM reports for this device when it forwards events in Common Event Format (CEF).

Date Order Select the date order used for this data source:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Econet Sentinel IPS log format and field mapping


Log format
The expected format for this device is:

Timestamp | Src | Src Port | Dst | Dst Port | Severity | Attack Description

Log samples
This is a sample log from an Econet Sentinel IPS device:

2013-10-30 16:27:17.772624|192.168.2.2|8080|192.168.2.1|80|1|VNC Aggressive SCAN attempt

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Timestamp First Time, Last Time

Src Port Source Port

Src Source IP

Dst Destination IP

Dst Port Destination Port

Severity Severity

Attack Description Message

EdgeWave iPrism Web Security

Configure EdgeWave iPrism Web Security


Task

1. Log on to the iPrism Web Security configuration web console, then click System Settings → Event Logging.
2. Select Enable event logging using Syslog, then, in the Syslog Host field, enter the IP address of the McAfee Event
Receiver.
3. In the Syslog Port field, enter 514, then click Save and Activate Changes.

Add EdgeWave iPrism Web Security


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor EdgeWave

Data Source Model iPrism Web Security (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM reports for this device when it forwards events in Common Event Format (CEF).

Date Order Select the date order used for this data source:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

EdgeWave iPrism Web Security log format and field mapping


Log format
The expected format for this device is:

<priority> <date> <time> <device> <type> <protocol> <time> <action> <IP> <profile> <user> <bandwidth> <URL>
<rating> <duration> <method> <status> <mime>

Log sample
This is a sample log from an EdgeWave iPrism Web Security device:

<123>Jan 01 01:01:01 iprism: WEB http 978310861 P 192.0.2.1 Block-User domain\username 123 http://
example.com/sub web search 0 HTTPGET 200 image/gif

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Rating Message

Action Event Subtype

IP Source IP

Protocol Application

Web Domain Domain

Mime Object

User Source User
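The Econet Sentinel IPS format in the previous section and the iPrism format above are both delimited rather than key=value, and each has one detail a naive split gets wrong: the Sentinel attack description is the last pipe-delimited column, and the iPrism <rating> can be more than one word ("web search" in the sample). The following Python is an added example written for this guide, not Econet, EdgeWave or McAfee ESM code, and it covers both formats. The sample lines are constructed from the ones shown in those sections, and the Domain value is derived from the host part of <URL> because the table's "Web Domain" is not a separate field in the format.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed samples, modelled on the Econet Sentinel IPS and iPrism samples in this guide.
SAMPLE_ECONET = "2013-10-30 16:27:17.772624|192.168.2.2|8080|192.168.2.1|80|1|VNC Aggressive SCAN attempt"
SAMPLE_IPRISM = ("<123>Jan 01 01:01:01 iprism: WEB http 978310861 P 192.0.2.1 Block-User "
                 "domain\\username 123 http://example.com/sub web search 0 HTTPGET 200 image/gif")

_PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.DOTALL)


def parse_econet(line):
    """Seven pipe-delimited columns. The description comes last, so split at most six times
    and any '|' inside the attack description survives."""
    cols = line.split("|", 6)
    if len(cols) != 7:
        raise ValueError("expected 7 pipe-delimited fields, got %d" % len(cols))
    ts, src, sport, dst, dport, sev, desc = (c.strip() for c in cols)
    # The timestamp carries no zone; the data source's Time Zone setting decides how ESM reads it.
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
    return {"First Time": when, "Last Time": when,
            "Source IP": src, "Source Port": int(sport),
            "Destination IP": dst, "Destination Port": int(dport),
            "Severity": int(sev), "Message": desc}


# iPrism fields in order; <date> is two tokens (month, day) and <rating> is variable-width.
_IPRISM_HEAD = ["month", "day", "time", "device", "type", "protocol", "epoch",
                "action", "ip", "profile", "user", "bandwidth", "url"]
_IPRISM_TAIL = ["duration", "method", "status", "mime"]


def parse_iprism(line):
    """Space-delimited, but <rating> may be several words ("web search" in the guide's sample),
    so the fixed fields are anchored from both ends and whatever is left is the rating."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> prefix")
    tokens = m.group(2).split()
    n_fixed = len(_IPRISM_HEAD) + len(_IPRISM_TAIL)
    if len(tokens) <= n_fixed:
        raise ValueError("expected more than %d space-delimited fields" % n_fixed)
    rec = {"priority": int(m.group(1))}
    rec.update(zip(_IPRISM_HEAD, tokens[:len(_IPRISM_HEAD)]))
    rec.update(zip(_IPRISM_TAIL, tokens[-len(_IPRISM_TAIL):]))
    rec["rating"] = " ".join(tokens[len(_IPRISM_HEAD):-len(_IPRISM_TAIL)])
    return rec


def iprism_to_esm(rec):
    """Map onto the ESM fields in the guide's iPrism table. 'Web Domain' is not a field of its
    own in the log format, so it is derived here from the host part of <URL>."""
    esm = {"Message": rec["rating"], "Event Subtype": rec["action"], "Source IP": rec["ip"],
           "Application": rec["protocol"], "Object": rec["mime"], "Source User": rec["user"]}
    host = urlsplit(rec["url"]).hostname
    if host:
        esm["Domain"] = host
    return esm


if __name__ == "__main__":
    print(parse_econet(SAMPLE_ECONET))
    print(iprism_to_esm(parse_iprism(SAMPLE_IPRISM)))
```

The both-ends anchoring in parse_iprism is the part worth keeping: if a device ever emits a rating with three words, or a one-word rating, the same code still lands the method, status and MIME type in the right fields.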

Enforcive Cross-Platform Audit

Configure Enforcive Cross-Platform Audit


See the Enforcive Cross-Platform Audit product documentation for instructions on sending syslog logs to a remote server. Use
the McAfee Event Receiver IP address for the address of the remote server.

Add Enforcive Cross-Platform Audit


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Enforcive

Data Source Model Cross-Platform Audit

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version that ESM reports for this device when it forwards events in Common Event Format (CEF).

Date Order Select the date order used for this data source:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Enforcive Cross-Platform Audit log format and field mapping


Log format
The expected format for this device is:

<pri> CEF:0|Enforcive|ES CPA|version|eventID|EventDesc|Severity|app=appname cat=category act=action
cs1=cs1string cs1Label=cs1Label dhost=DestHost end=timestamp duser=DestUser dproc=destinationProcess
src=SourceIP dst=DstIP msg=Event Description:Message

Log sample
This is a sample log from an Enforcive Cross-Platform Audit device:

<110> CEF:0|Enforcive|ES CPA|8.2|SIN00F0000|FTP_SERVER-FTP LOGON|3|app=System i - Application Audit
cat=FTP_SERVER act=FTP LOGON cs1=Warning cs1Label=event status dhost=DESTHOST
end=2001-02-03-12.34.56.123456 duser=DestUser dproc=123456/FTPGUEST/QTFTP123456 src=192.0.2.0
dst=203.0.113.0 msg=Event Description:User is unauthorized to ftp

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

EventID Signature ID

EventDesc Rule Message

Severity Severity

cat Category

act Event Subtype

dhost Destination_Hostname

end, start, rt First Time, Last Time

duser Destination User

src Source IP

dst Destination IP

app Application

cs1 (paired with cs1Label=event status) Status

dproc Target_Process_Name

msg Message_Text
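The MEAS, Dragos Platform and Enforcive Cross-Platform Audit sources above all deliver CEF, but with different syslog prefixes (RFC 3164 for MEAS, RFC 5424 for Dragos, a bare <PRI> for Enforcive), escaped key=value pairs nested inside msg (MEAS), N/A placeholders for absent fields (Dragos) and a cs1/cs1Label pair that carries the event status (Enforcive). The following Python is an added example written for this guide, not vendor or McAfee ESM code, and it serves all three sections: it parses the CEF header and extension with the CEF escaping rules, unpacks the nested MEAS msg, and maps onto the ESM field names taken from the three tables. The sample lines are constructed from the ones shown in those sections; the vendor-keyed mapping and the External_EventID/External_SubEventID split of MEASType follow the tables, and nothing else about the products is assumed.

```python
import re

# Constructed samples, modelled on the MEAS, Dragos and Enforcive samples in this guide.
SAMPLE_MEAS = (
    'Jan 1 00:00:00 HOST1 CEF:0|INFOSEC-DGTECH|MEAS|#.##.##|###|SIGNATURE NAME|1|'
    'act=log shost=HOST1 suid=USER1 src=192.0.2.1 msg="MEASType\\=###-### UID\\=< UserID > '
    'SID\\=<HOST1> TYPE\\=<CMND> Text\\=<TSS.ADD(UserID2).PSUS> sproc\\=HOST1..log"'
)
SAMPLE_DRAGOS = (
    '<13>1 2020-03-05T20:38:56.687723Z dragos dragos_syslog - - CEF:0|Dragos|Platform|1.5|'
    'notification|CaptureLoss::Too_Much_Loss|0|msg=The capture loss script detected an '
    'estimated loss rate above 19.931% dvc=N/A src=N/A externalId=185305 detectorId= '
    'matchedRuleId=4 occurredAt=2020-03-05T20:37:46Z type=System'
)
SAMPLE_ENFORCIVE = (
    '<110> CEF:0|Enforcive|ES CPA|8.2|SIN00F0000|FTP_SERVER-FTP LOGON|3|app=System i - '
    'Application Audit cat=FTP_SERVER act=FTP LOGON cs1=Warning cs1Label=event status '
    'dhost=DESTHOST end=2001-02-03-12.34.56.123456 duser=DestUser src=192.0.2.0 '
    'dst=203.0.113.0 msg=Event Description:User is unauthorized to ftp'
)

_HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# An extension key starts the extension or follows whitespace and ends at an unescaped '='.
_EXT_KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.]+)=')
# Inside a MEAS msg, values wrapped in <...> may contain spaces.
_NESTED_RE = re.compile(r'([A-Za-z0-9_.]+)=(<[^>]*>|\S*)')


def _unescape(value):
    # Undo CEF escaping: \| \= \\ and the \n \r sequences.
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one CEF record preceded by any syslog prefix (RFC 3164, RFC 5424 or bare <PRI>)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in record")
    event = {"syslog_prefix": line[:start].strip()}
    parts = re.split(r'(?<!\\)\|', line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-delimited fields before the extension")
    for key, raw in zip(_HEADER_KEYS, parts[:7]):
        event[key] = _unescape(raw)
    ext, fields = parts[7], {}
    keys = list(_EXT_KEY_RE.finditer(ext))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[km.group(1)] = _unescape(ext[km.end():end]).strip()
    event["extension"] = fields
    return event


def parse_nested_msg(msg):
    """MEAS packs extra key=value pairs into msg; return them with the <...> wrappers removed."""
    nested = {}
    for key, val in _NESTED_RE.findall(msg.strip('"')):
        nested[key] = val[1:-1].strip() if val.startswith("<") and val.endswith(">") else val
    return nested


# ESM field names taken from the three mapping tables; only keys those tables list.
_COMMON = {"act": "Event Subtype", "src": "Source IP", "dst": "Destination IP",
           "smac": "Source MAC", "dmac": "Destination MAC", "sntdom": "Domain"}
_BY_VENDOR = {
    "INFOSEC-DGTECH": {"suid": "Source_UserID", "suser": "Source User", "shost": "LPAR_DB2_Subsystem",
                       "dproc": "Application", "cnt": "Event Count"},
    "Dragos": {"type": "Category", "externalId": "External_SessionID", "matchedRuleId": "Policy_ID",
               "msg": "Message_Text", "shost": "HostID", "occurredAt": "First Time"},
    "Enforcive": {"cat": "Category", "app": "Application", "dhost": "Destination_Hostname",
                  "duser": "Destination User", "dproc": "Target_Process_Name", "msg": "Message_Text",
                  "end": "First Time"},
}


def to_esm(event):
    """Map a parsed CEF event onto ESM field names; empty and N/A values are dropped."""
    ext, vendor = event["extension"], event["vendor"]
    esm = {"Signature ID": event["signature_id"], "Severity": int(event["severity"])}
    mapping = {**_COMMON, **_BY_VENDOR.get(vendor, {})}
    for key, val in ext.items():
        if key in mapping and val not in ("", "N/A"):     # Dragos writes N/A for unknown fields
            esm[mapping[key]] = val
    if vendor == "Enforcive" and ext.get("cs1Label") == "event status":
        esm["Status"] = ext.get("cs1")                     # the cs1/cs1Label pair is Status in the table
    if vendor == "INFOSEC-DGTECH" and "msg" in ext:
        nested = parse_nested_msg(ext["msg"])
        if "-" in nested.get("MEASType", ""):              # XXX-YYY -> External_EventID / External_SubEventID
            esm["External_EventID"], esm["External_SubEventID"] = nested["MEASType"].split("-", 1)
        if "TYPE" in nested:
            esm["Command"] = nested["TYPE"]
        if "Text" in nested:
            esm["Message_Text"] = nested["Text"]
    return esm


if __name__ == "__main__":
    for sample in (SAMPLE_MEAS, SAMPLE_DRAGOS, SAMPLE_ENFORCIVE):
        print(to_esm(parse_cef(sample)))
```

The key regex only recognises a key after whitespace, so a value that contains an unescaped " foo=" would be cut short; CEF requires senders to escape "=" in values, which is exactly what the MEAS sample does with \=, and a source that does not is a parser bug to report rather than one to paper over here.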

Entrust IdentityGuard

Configure Entrust IdentityGuard


Task

1. In the Entrust Identity Guard Properties Editor, click System Logging Appenders from the Table of Contents.
2. In the SYSTEM_SYSLOG Host Name field, enter the IP address of the McAfee Event Receiver.
3. To specify a port other than the standard syslog UDP port, add a colon and the port number at the end of the IP address
(for example, 192.0.2.1:514).
4. Click Validate → Save.

Add Entrust IdentityGuard


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Entrust

Data Source Model IdentityGuard (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 497
5| Configuring 3rd-party data sources

Option Definition

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Entrust IdentityGuard log format and field mapping


Log format
The expected format for this device is:

<Priority> <Date> <Time> <IP> <Log Type> <Severity> <Log ID> <Domain> <User> <Message>

Log samples
This is a sample log from an Entrust Identity Guard device:

<123>Jan 1 01:01:01 196.0.2.1 [Audit Writer] [INFO ] [IG.AUDIT] [AUD3003] [DOMAIN/user] One time password with index 4 created for user DOMAIN/user. Expiry Date: 2001-01-01 01\:01\:01

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields              McAfee ESM fields
Date, Time              First Time, Last Time
Description             Message
IP                      Source IP
Description             Action
Application Name        Application
Domain                  Domain
User                    Source User

Extreme Networks ExtremeWare XOS

Configure Extreme Networks ExtremeWare XOS


The syslog configuration is done at the command line. See the Extreme Networks ExtremeWare XOS product documentation for how to access and use the command line.

Replace <ip_address> with the McAfee Event Receiver IP address. Replace <vr_name> with the virtual router name. Replace <local0 ... local7> with the local facility (local0 through local7) you want to send to the McAfee Event Receiver.

configure syslog add <ip_address>:514 vr <vr_name> <local0 ... local7>

enable log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7>

configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> DefaultFilter severity Debug-Data

configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> match Any

configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> format timestamp seconds date Mmm-dd event-name none process-slot priority tag-name

Add Extreme Networks ExtremeWare XOS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Extreme Networks

Data Source Model ExtremeWare XOS (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Extreme Networks ExtremeWare XOS log format and field mapping

Log format
The expected format for this device is:

<PRI> DATE TIME APPLICATION: MESSAGE

Log samples
These are sample logs from an Extreme Networks ExtremeWare XOS device:

<123> Jan 01 01:01:01 AAA: MSM-A: Login failed for user Bob through ssh (192.0.2.0/24)
<123> Jan 01 01:01:02 AAA: MSM-A: User Bob logout from ssh (192.0.2.0/24)
<123> Jan 01 01:01:03 AAA: MSM-A: Login passed for user Bob through ssh (192.0.2.0/24)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields              McAfee ESM fields
Severity                Severity
Action                  Action
Application             Application
Source MAC              Source MAC
Username                Source User
Source IP               Source IP
Source Port             Source Port
Destination IP          Destination IP
Destination Port        Destination Port
Message                 Rule Message
Object                  Object
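The samples above are plain BSD-style syslog, and the guide's table names the columns they feed but not how the values are recovered. The following is an added example, not code from the guide or from Extreme Networks: it decodes the <PRI> into facility and severity (the facility is the local0 ... local7 value chosen in the configure syslog add command above), splits events that arrive run together on one line, and fills the Severity, Action, Source User, Source IP, Application and Rule Message columns from the AAA login and logout messages. RAW_BLOB is constructed from the guide's three samples; the function names and the extra Facility and Module keys are this example's own choices.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed input: the guide's three ExtremeWare XOS samples, run together on one
# line the way they appear in the PDF extract. 192.0.2.0/24 is documentation space.
RAW_BLOB = (
    "<123> Jan 01 01:01:01 AAA: MSM-A: Login failed for user Bob through ssh (192.0.2.0/24) "
    "<123> Jan 01 01:01:02 AAA: MSM-A: User Bob logout from ssh (192.0.2.0/24) "
    "<123> Jan 01 01:01:03 AAA: MSM-A: Login passed for user Bob through ssh (192.0.2.0/24)"
)

# RFC 3164 severity names, indexed by the low three bits of PRI.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> DATE TIME APPLICATION: MESSAGE, the format line from the guide.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<app>[^:\s]+):\s*(?P<msg>.*)$"
)
# The two AAA message shapes that appear in the samples.
LOGIN_RE = re.compile(r"Login (?P<result>failed|passed) for user (?P<user>\S+) "
                      r"through (?P<proto>\S+) \((?P<src>[^)]+)\)")
LOGOUT_RE = re.compile(r"User (?P<user>\S+) logout from (?P<proto>\S+) \((?P<src>[^)]+)\)")


def split_events(blob: str) -> List[str]:
    """Split run-together syslog text at each <PRI> that starts a new event."""
    return [p for p in re.split(r"\s+(?=<\d{1,3}>)", blob.strip()) if p]


def facility_name(facility: int) -> str:
    """Name the local0..local7 facilities that 'configure syslog add' selects on the switch."""
    return f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one event into the ESM field names used in the guide's mapping table."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # PRI = facility * 8 + severity; 23 * 8 + 7 is the ceiling
        return None
    facility, severity = divmod(pri, 8)
    # EXOS prefixes the logging module ("MSM-A:"); keep it apart from the message text.
    module, sep, body = m.group("msg").partition(": ")
    if not sep:
        module, body = "", m.group("msg")
    event = {
        "Severity": SEVERITY_NAMES[severity],
        "Facility": facility_name(facility),   # not in the guide's table; confirms routing
        "Application": m.group("app"),
        "Module": module,                      # also not in the table
        "Rule Message": body,
        "Action": "",
        "Source User": "",
        "Source IP": "",
    }
    lm = LOGIN_RE.search(body)
    lo = None if lm else LOGOUT_RE.search(body)
    if lm:
        event.update({"Action": f"login {lm.group('result')}",
                      "Source User": lm.group("user"), "Source IP": lm.group("src")})
    elif lo:
        event.update({"Action": "logout",
                      "Source User": lo.group("user"), "Source IP": lo.group("src")})
    return event


def failed_logins_by_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count 'login failed' events per user, the input a brute-force threshold rule needs."""
    return dict(Counter(e["Source User"] for e in events if e["Action"] == "login failed"))


if __name__ == "__main__":
    parsed = [ev for ev in (parse_event(e) for e in split_events(RAW_BLOB)) if ev]
    for ev in parsed:
        print(ev["Severity"], ev["Facility"], ev["Action"], ev["Source User"], ev["Source IP"])
    print(failed_logins_by_user(parsed))
```

With the placeholder <123> from the sample, the decode gives facility 15 and severity err; on a real switch the facility should come back as one of local0 through local7, which is a quick way to confirm that the configure syslog add command took effect before tuning rules on the Receiver.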

F5 Networks FirePass SSL VPN

Configure F5 Networks FirePass SSL VPN

Task

1. Log on to the F5 Networks FirePass Admin Console, then navigate to Device Management → Maintenance → Logs.
2. In the System Logs menu, select Enable Remote Log Server, and verify that Enable Extended System Logs is deselected.
3. In the Remote Host field, type the IP address of the McAfee Event Receiver.
4. In the Log Level drop-down list, select Information.
5. In the Kernel Log Level drop-down list, select Information, then click Apply System Changes to save.

Add F5 Networks Firepass SSL VPN


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor F5 Networks

Data Source Model Firepass SSL VPN (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

F5 Networks Firepass SSL VPN log format and field mapping


Log formats
The expected format for this device is:

<priority> <log type>[<log id>]: [<user>@<domain>] <message> <key> = <value>…

Log sample
This is a sample log from an F5 Networks FirePass SSL VPN device:

<123>security[12345]: [support@exampleDomain] User exampleUser logged on from 192.0.2.1 Sid =1a2b3c

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields              McAfee ESM fields
hostname                Host
domain                  Domain
Source IP, from         Source IP
Destination IP, to      Destination IP
Source Port, from       Source Port
Destination Port, to    Destination Port
session                 Session ID
Access menu             Message
group                   Command
Sid                     Object
User                    Source User
account                 Destination User
Email                   To
Backup filename         Destination_Filename
Email Subject           Subject
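Two details of this format are easy to get wrong in a custom parser: the bracketed [<user>@<domain>] principal that precedes the message, and the trailing <key> = <value> pairs, whose spacing is irregular even in the guide's own sample (Sid =1a2b3c). The parser below is an added example, not code from the guide or from F5 Networks; SAMPLE_LINE is constructed from the guide's sample, ESM_NAMES copies the mapping table above, and the principal, priority, log_type and log_id keys are this example's additions.

```python
import re
from typing import Dict, Optional

# Constructed sample in the shape of the guide's FirePass example: documentation-space
# address, placeholder user, domain and session id.
SAMPLE_LINE = (
    "<123>security[12345]: [support@exampleDomain] "
    "User exampleUser logged on from 192.0.2.1 Sid =1a2b3c"
)

# <priority> <log type>[<log id>]: [<user>@<domain>] <message> <key> = <value>...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<logtype>[^\[\s]+)\[(?P<logid>\d+)\]:\s*"
    r"\[(?P<principal>[^@\]]+)@(?P<domain>[^\]]+)\]\s*(?P<rest>.*)$"
)
# Trailing key/value pairs. Whitespace around '=' is optional, so "Sid =1a2b3c",
# "Sid = 1a2b3c" and "Sid=1a2b3c" all parse the same way.
KV_RE = re.compile(r"\b(?P<key>\w+)\s*=\s*(?P<val>\S+)")
LOGON_RE = re.compile(r"User (?P<user>\S+) logged on from (?P<src>\S+)")

# Log field -> ESM field, as listed in the guide's FirePass mapping table.
ESM_NAMES = {
    "hostname": "Host", "domain": "Domain", "from": "Source IP", "to": "Destination IP",
    "session": "Session ID", "group": "Command", "Sid": "Object", "User": "Source User",
    "account": "Destination User",
}


def parse_firepass(line: str) -> Optional[Dict[str, str]]:
    """Parse one FirePass syslog line into a dict keyed by ESM field names."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    pairs = list(KV_RE.finditer(rest))
    # The free-text message ends where the first key=value pair starts.
    message = rest[: pairs[0].start()].strip() if pairs else rest.strip()
    event: Dict[str, str] = {
        "priority": m.group("pri"),
        "log_type": m.group("logtype"),
        "log_id": m.group("logid"),
        "Domain": m.group("domain"),
        # The bracketed principal and the "User ..." named in the message can differ (the
        # sample shows support@... acting on exampleUser). The guide does not say which one
        # its "User" row means, so both are kept; the message user goes to Source User.
        "principal": m.group("principal"),
        "Message": message,
    }
    for p in pairs:
        event[ESM_NAMES.get(p.group("key"), p.group("key"))] = p.group("val")
    lm = LOGON_RE.search(message)
    if lm:
        event["Source User"] = lm.group("user")
        event["Source IP"] = lm.group("src")
    return event


if __name__ == "__main__":
    for name, value in parse_firepass(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```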

F5 Networks Local Traffic Manager

Configure F5 Networks Local Traffic Manager


Syslog settings are configured through the command line. See the F5 Networks Local Traffic Manager product documentation for
steps to access the command line interface.

Task

1. Log on to the command line of the F5 Local Traffic Manager.
2. At the tmsh prompt, add a syslog server using this command format:

modify /sys syslog remote-servers add {<server name> {host <server IP address> remote-port <port number>}}

Example:

modify /sys syslog remote-servers add {server{host 10.1.1.1 remote-port 514}}

3. Save the configuration:

save /sys config

Add F5 Networks Local Traffic Manager


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor F5 Networks

Data Source Model Local Traffic Manager – LTM (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Fidelis XPS

Configure Fidelis XPS


See the Fidelis XPS/CommandPost product documentation for setup instructions about sending syslog data to a remote server.
Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add Fidelis XPS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Fidelis

Data Source Model Fidelis XPS (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Fidelis XPS log format and field mapping


Log format
The expected format for this device is:

<action> <alert UUID> <compression> <destination address> <destination port> <filename> <from> <group>
<policy> <protocol> <rule> <sensor IP> <sensor name> <severity> <source address> <source port> <subject>
<summary> <time> <to> <user>

Log sample
This is a sample log from a Fidelis XPS device:

alert aabbccdd-eeff-1122-3344-5566778899aa 0 192.0.2.1 123 <n/a> <n/a> default POLICY TLS Expired SSL Certificate 127.0.0.1 sensor1 Medium 192.0.2.2 456 <n/a> Invalid SSL certificate detected from 192.0.2.3 2001-01-01 01:01:01 <n/a> <n/a>

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields              McAfee ESM fields
rule                    Message
proto                   Protocol
srcaddr                 Source IP
dstaddr                 Destination IP
srcport                 Source Port
dstport                 Destination Port
severity                Severity
time                    First Time, Last Time
filename                Filename
from                    From
to                      To
subject                 Subject
user                    Source User
"Fidelis XPS"           Application

FireEye Malware Protection System

Configure FireEye Malware Protection System


Configure the syslog using the command line. See your product documentation about how to access and use the command line
interface.

Task

1. To enter configuration mode, enter the following commands:

enable
configure terminal

2. Activate rsyslog notifications:

fenotify rsyslog enable

3. Add a new remote SIEM server:

fenotify rsyslog trap-sink <SIEM-name>

Replace <SIEM-name> with a short name without spaces to identify the server.

4. Specify the IP address for the new remote server:

fenotify rsyslog trap-sink <SIEM-name> address <IP-address>

Replace <SIEM-name> with the name created in step 3.

Replace <IP-address> with the IP address of the McAfee Event Receiver.

5. Set the event format:

fenotify rsyslog trap-sink <SIEM-name> prefer message format cef

Replace <SIEM-name> with the name you created.

6. Save the configuration:

write memory

Add FireEye Malware Protection System


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor FireEye

Data Source Model FireEye Malware Protection System – CEF (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

FireEye Malware Protection System log format and field mapping

Log format
The expected format for this device is:

CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value> <key=value>…

Log sample
This is a sample log from a FireEye Malware Protection System device:

CEF:0|FireEye|MPS|6|AB|infection-match|1|rt=Jan 01 2001 01:01:01 src=192.0.2.1 cn2Label=sid cn2=123 shost=example.com proto=tcp dvchost=name dst=192.0.2.2 spt=123 dvc=192.0.2.3 smac=00:11:22:33:44:55 cn1Label=vlan cn1=1 dpt=123 externalId=1234 cs4Label=link cs4=example.com dmac=66:77:88:99:00:AA cs1Label=sname cs1=name

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields              McAfee ESM fields
shost, dvchost          Host
cn2                     Protocol
src                     Source IP
dst                     Destination IP
spt                     Source Port
dpt                     Destination Port
smac                    Source MAC
dmac                    Destination MAC
cn1                     VLAN
rt                      First Time, Last Time
cnt                     Event Count
severity (CEF header)   Severity
cs1                     Message
msg                     Application
cs2                     Command
cat                     Object
cs4                     URL
cs3                     Operating_System
filepath                File_Path
filehash                File_Hash
act                     Event Subtype
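The header and extension above follow the ArcSight CEF conventions that the guide does not spell out: a literal pipe inside a header field is escaped as \|, a literal = inside an extension value as \=, and extension values may contain spaces (rt=Jan 01 2001 01:01:01), so neither part can be split on a single character. The following is an added example, not code from the guide or from FireEye: it parses both parts honouring the escapes, resolves the cnNLabel/csNLabel pairs the sample uses (cn2Label=sid and cn2=123 become sid=123), and maps the extension onto the ESM columns in the table above. SAMPLE_CEF is constructed from the guide's sample, EXT_TO_ESM copies the table, and all function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the guide's FireEye MPS example: documentation-space
# addresses, placeholder hostnames and MAC addresses.
SAMPLE_CEF = (
    "CEF:0|FireEye|MPS|6|AB|infection-match|1|rt=Jan 01 2001 01:01:01 src=192.0.2.1 "
    "cn2Label=sid cn2=123 shost=example.com proto=tcp dvchost=name dst=192.0.2.2 spt=123 "
    "dvc=192.0.2.3 smac=00:11:22:33:44:55 cn1Label=vlan cn1=1 dpt=123 externalId=1234 "
    "cs4Label=link cs4=example.com dmac=66:77:88:99:00:AA cs1Label=sname cs1=name"
)

HEADER_NAMES = ["version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity"]

# Extension key -> ESM field, copied from the guide's FireEye mapping table.
# shost and dvchost both map to Host; shost is listed first so it wins when both exist.
EXT_TO_ESM = {
    "shost": "Host", "dvchost": "Host", "cn2": "Protocol", "src": "Source IP",
    "dst": "Destination IP", "spt": "Source Port", "dpt": "Destination Port",
    "smac": "Source MAC", "dmac": "Destination MAC", "cn1": "VLAN", "cnt": "Event Count",
    "cs1": "Message", "msg": "Application", "cs2": "Command", "cat": "Object", "cs4": "URL",
    "cs3": "Operating_System", "filepath": "File_Path", "filehash": "File_Hash",
    "act": "Event Subtype",
}

_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")          # a key starts the text or follows whitespace
_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_header(line: str) -> Tuple[Dict[str, str], str]:
    """Split the 7 pipe-delimited header fields; a literal pipe is escaped as backslash-pipe."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields: List[str] = []
    cur: List[str] = []
    i = 4
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])          # escaped pipe or backslash stays in the field
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_NAMES, fields)), line[i:]


def unescape(value: str) -> str:
    """Undo the extension escapes for '=', backslash, newline and carriage return."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse key=value pairs; a value runs to the next key, so it may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Return the custom fields under their labels: cn2Label=sid and cn2=123 give sid=123."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def to_esm(line: str) -> Dict[str, str]:
    """Map one CEF record onto the ESM field names from the guide's table."""
    header, ext_text = split_header(line)
    ext = parse_extension(ext_text)
    esm: Dict[str, str] = {"Severity": header["severity"]}   # severity comes from the header
    for key, esm_name in EXT_TO_ESM.items():
        if key in ext and esm_name not in esm:
            esm[esm_name] = ext[key]
    if "rt" in ext:
        esm["First Time"] = esm["Last Time"] = ext["rt"]
    return esm


if __name__ == "__main__":
    for name, value in to_esm(SAMPLE_CEF).items():
        print(f"{name}: {value}")
    print("custom fields:", resolve_labels(parse_extension(split_header(SAMPLE_CEF)[1])))
```

Note that the table maps cn2 to Protocol by position, while the sample labels cn2 as sid; resolve_labels makes that visible, which is the check to run when a FireEye field appears in the wrong ESM column.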

Fluke Networks AirMagnet Enterprise

Configure Fluke Networks AirMagnet Enterprise


Task

1. From the AirMagnet Policy Notification List, select Syslog to open the Syslog Notification dialog box.
2. In the Notification Name field, enter a unique notification name.
3. In the Generation drop-down list, select an interval to generate notifications.
4. In the Syslog server name field, enter the fully qualified domain name (FQDN) or IP address of the McAfee Event Receiver.
5. In the Facility code drop-down list, select the type of messages you want to send.
6. In the Protocol area, select UDP, then enter the port used on the McAfee Event Receiver for receiving syslog (default is
514).
7. Click OK to save and close.

Add Fluke Networks AirMagnet Enterprise


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Fluke Networks

Data Source Model AirMagnet Enterprise (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 523
5| Configuring 3rd-party data sources

Option Definition

Export in Use this option when you are exporting raw data source data.
NitoFile
format

Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Fluke Networks AirMagnet Enterprise log format and field mapping
Log format
The expected format for this device is:

<date time> <device name> <message> <sensor> <location> <description> <source MAC> <SSID>

Log sample
This is a sample log from a Fluke Networks AirMagnet Enterprise device:

<123>Jan 01 01:01:01 deviceName deviceName Alert: Rogue AP by MAC address (ACL) from sensor SensorName,
Location: location, Description: , Source MAC: A1:B2:C3:D4:E5:F6, Channel: 123

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields        McAfee ESM fields

SSID              Host
Sensor            Object
Source MAC        Source MAC
Destination MAC   Destination MAC

Force10 Networks FTOS

Configure Force10 Networks FTOS


Configure the syslog at the command line. See your product documentation for instructions about how to access and use the
command line.

Task

1. Log on to the command line, enter configuration mode, and enter this command:

logging 192.0.2.1

Replace 192.0.2.1 with the IP address of the McAfee Event Receiver.


2. To confirm that the logging settings updated successfully, check the running configuration:

show running-config logging

3. Save changes:

copy running-config startup-config

Add Force10 Networks FTOS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition

Data Source Vendor          Force10 Networks

Data Source Model           FTOS (ASP)

Data Format                 Default

Data Retrieval              SYSLOG (Default)

Enabled                     Select options for processing events. Some options may not be available for your data
                            source.

                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).

Name                        Name of the data source.

IP Address/Hostname         The IP address and host name associated with the data source device.

                            Note: Don't use _ (underscore) in a host name field.

Syslog Relay                None

Mask                        32

Require Syslog TLS          Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs     Do nothing

Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition

Device URL                  Type the URL that can be accessed to view event data for this data source (maximum of
                            512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom
                            of the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version that identify this device when the ESM forwards its
                            events in Common Event Format (CEF).

Date Order                  Select the format for the dates on data sources:

                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).

Zone                        To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.

                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when the logs are imported, the ESM can
                            differentiate the forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.

                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is in
                            NitroFile format. If you import them manually, you must select this box for each data
                            source.

Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.

                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Force10 Networks FTOS log format and field mapping


Log format
The expected format for this device is:

<date> <time> %<hostname> %<service>-<severity>-<log type>: <message>

Log sample
This is a sample log from a Force10 Networks FTOS device:

Jan 01 01:01:01: %HOSTNAME %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 192.0.2.1 )

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields        McAfee ESM fields

User              Source User
Service           Application
IP Address        Source IP
Severity          Severity
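The Python below is an added example, not part of this guide and not Force10 or McAfee code. It parses FTOS lines of the format above with one regular expression, reads the numeric severity out of the %SERVICE-SEVERITY-MNEMONIC tag, pulls the remote address out of the "( 192.0.2.1 )" suffix, and maps the result onto the ESM fields in the table. The first sample line is the guide's; the second, with its "for user <name>" wording, is constructed for this example to exercise the user extraction, so check that wording against your own FTOS output before relying on it.

```python
import re
from typing import Optional

# Standard syslog severity names for the 0-7 level embedded in the FTOS message tag.
SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug")

# <date> <time>: %<hostname> %<service>-<severity>-<log type>: <message>
FTOS_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2}):?\s+"
    r"%(?P<hostname>\S+)\s+"
    r"%(?P<service>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)
# The remote endpoint is written as "( 192.0.2.1 )", with spaces inside the parentheses.
IP_RE = re.compile(r"\(\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\)")
# Assumption for this example: login messages name the account as "for user <name>".
USER_RE = re.compile(r"\bfor user (?P<user>\S+)")


def parse_ftos(line: str) -> Optional[dict]:
    """Return the fields of one FTOS syslog line, or None if the line does not match."""
    m = FTOS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    ip = IP_RE.search(rec["message"])
    user = USER_RE.search(rec["message"])
    rec["ip"] = ip.group("ip") if ip else None
    rec["user"] = user.group("user") if user else None
    return rec


def to_esm(rec: dict) -> dict:
    """Map a parsed record onto the ESM field names listed in the table above."""
    return {
        "Source User": rec["user"],
        "Application": rec["service"],
        "Source IP": rec["ip"],
        "Severity": rec["severity"],
    }


# Constructed sample input: the guide's sample, an invented line of the same shape
# (not captured from a real switch), and a line that is not FTOS at all.
SAMPLE_LINES = [
    "Jan 01 01:01:01: %HOSTNAME %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: "
    "Enable password authentication success on vty0 ( 192.0.2.1 )",
    "Jan 01 01:02:03: %HOSTNAME %SEC-5-LOGIN_SUCCESS: "
    "Login successful for user admin on vty0 ( 192.0.2.1 )",
    "this line is not FTOS at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ftos(line)
        print("no match" if rec is None else to_esm(rec))
```

Lines that do not match return None rather than raising, so the parser can be run over a mixed syslog file and the non-matching lines counted; a sudden rise in that count is the usual first sign that a firmware upgrade changed the message format.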

Forcepoint Next Generation Firewall

Configure Forcepoint Next Generation Firewall


Task

1. Select Monitoring → System Status.


2. Expand the Servers branch.
3. Right-click the Log Server from which you want to forward log data, and select Properties to open the Log Server
Properties.
4. Switch to the Log Forwarding tab.
5. Click Add to create a Log Forwarding rule. A new row is added to the table.
6. Configure the Log Forwarding rule to point to your McAfee ESM. Make sure that Format is set to McAfee ESM.
7. Click OK.

Add Forcepoint Next Generation Firewall


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition

Data Source Vendor          Forcepoint

Data Source Model           Next Generation Firewall

Data Format                 Default

Data Retrieval              SYSLOG (Default)

Enabled                     Select options for processing events. Some options may not be available for your data
                            source.

                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).

Name                        Name of the data source.

IP Address/Hostname         The IP address and host name associated with the data source device.

                            Note: Don't use _ (underscore) in a host name field.

Syslog Relay                None

Mask                        32

Require Syslog TLS          Enable to require the Receiver to communicate over TLS.

Port                        Select the port number.

Support Generic Syslogs     Do nothing

Generic Rule Assignment     Accept default.

Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition

Device URL                  Type the URL that can be accessed to view event data for this data source (maximum of
                            512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom
                            of the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version that identify this device when the ESM forwards its
                            events in Common Event Format (CEF).

Date Order                  Select the format for the dates on data sources:

                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).

Zone                        To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.

                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when the logs are imported, the ESM can
                            differentiate the forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.

                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is in
                            NitroFile format. If you import them manually, you must select this box for each data
                            source.

Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.

                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Forcepoint Next Generation Firewall log format and field mapping
Log sample
This is a sample log from a Forcepoint Next Generation Firewall device:

Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",Facility="Cluster protocol",
Type="Diagnostic",Event="Cluster protocol event",CompId="148",
InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",
ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",
Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                              McAfee ESM fields

ReceptionTime                           firsttime/lasttime
NodeId                                  Device_IP.Device_IP
Facility                                application
Type/AlertSeverity                      severity
Situation/Event/SenderType : Facility   message
Action                                  action
Src                                     src_ip
Dst                                     dst_ip
Protocol                                protocol
SrcPort/IcmpType                        src_port
DstPort/IcmpCode                        dst_port
SrcIF                                   Interface.Interface
AccTxBytes                              Bytes_Sent.Bytes_Sent
AccRxBytes                              Bytes_Received.Bytes_Received
Username/AuthName                       src_username
SenderType                              objectname
Situation                               sid
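A Forcepoint NGFW record is a comma-separated list of Key="value" pairs, and a value can itself contain commas, spaces and colons (InfoMsg in the sample does), so splitting on "," corrupts the record. The Python below is an added example, not Forcepoint or McAfee code: it extracts the pairs with a regular expression that consumes each quoted value whole, then applies the table above, including the SrcPort/IcmpType and DstPort/IcmpCode fallbacks. The second record is constructed for this example; the way "message" is built from Situation, Event and SenderType/Facility is this example's reading of the table's "Situation/Event/SenderType : Facility" row, not something the guide spells out.

```python
import re
from typing import Dict, Optional

# Key="value" pairs separated by commas. Each quoted value is consumed whole, so commas,
# spaces and colons inside a value do not break the record apart.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_ngfw(line: str) -> Dict[str, str]:
    """Return the Key/value pairs of one Forcepoint NGFW record as a dict."""
    return {key: value.replace('\\"', '"') for key, value in PAIR_RE.findall(line)}


def _first(rec: Dict[str, str], *keys: str) -> Optional[str]:
    # The table lists fallbacks as "A/B": take the first key that is present.
    for key in keys:
        if key in rec:
            return rec[key]
    return None


def _message(rec: Dict[str, str]) -> str:
    # This example's reading of the "Situation/Event/SenderType : Facility" row:
    # prefer Situation, then Event, otherwise "<SenderType> : <Facility>".
    return _first(rec, "Situation", "Event") or f"{rec.get('SenderType', '')} : {rec.get('Facility', '')}"


def to_esm(rec: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Apply the guide's field mapping to a parsed record."""
    return {
        "firsttime": rec.get("ReceptionTime"),
        "lasttime": rec.get("ReceptionTime"),
        "Device_IP": rec.get("NodeId"),
        "application": rec.get("Facility"),
        "severity": _first(rec, "Type", "AlertSeverity"),
        "message": _message(rec),
        "action": rec.get("Action"),
        "src_ip": rec.get("Src"),
        "dst_ip": rec.get("Dst"),
        "protocol": rec.get("Protocol"),
        "src_port": _first(rec, "SrcPort", "IcmpType"),
        "dst_port": _first(rec, "DstPort", "IcmpCode"),
        "Interface": rec.get("SrcIF"),
        "Bytes_Sent": rec.get("AccTxBytes"),
        "Bytes_Received": rec.get("AccRxBytes"),
        "src_username": _first(rec, "Username", "AuthName"),
        "objectname": rec.get("SenderType"),
        "sid": rec.get("Situation"),
    }


# The guide's sample record, joined onto one line.
GUIDE_SAMPLE = (
    'Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",Facility="Cluster protocol",'
    'Type="Diagnostic",Event="Cluster protocol event",CompId="148",'
    'InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",'
    'ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",'
    'Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"'
)
# Constructed for this example (not a captured record): a discarded ICMP connection,
# to exercise the IcmpType/IcmpCode port fallbacks and a comma inside a value.
CONSTRUCTED_CONNECTION = (
    'Timestamp="2013-11-21 00:00:01",LogId="1615132412",NodeId="10.1.0.2",Facility="Packet Filtering",'
    'Type="Notification",Event="Connection_Discarded",Action="Discard",Src="192.0.2.10",'
    'Dst="198.51.100.5",Protocol="ICMP",IcmpType="8",IcmpCode="0",SrcIF="0",'
    'Situation="Connection_Discarded",ReceptionTime="2013-11-21 00:00:01",SenderType="Firewall",'
    'InfoMsg="note, with comma"'
)

if __name__ == "__main__":
    for record in (GUIDE_SAMPLE, CONSTRUCTED_CONNECTION):
        print(to_esm(parse_ngfw(record)))
```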

Forcepoint Websense

Configure Forcepoint Websense

After you install or enable Websense Multiplexer, activate and configure McAfee ESM integration on TRITON - Web Security.
Follow this procedure for each Policy Server instance in your deployment.

Task

1. Navigate to Settings → General → SIEM Integration and select Enable SIEM integration for this Policy Server.
2. Provide the IP address or host name of the system hosting McAfee ESM, then provide the communication port to use for
sending McAfee ESM data.
3. Specify the transport protocol (UDP or TCP) to use when sending data to McAfee ESM, then select the McAfee ESM format
to determine the syntax of the string used to pass log data to the integration.
4. From the available options, select the CEF format, then click OK to cache your changes.
5. To implement the changes, click Save and Deploy.

Results

When the changes are saved, Websense Multiplexer connects to Filtering Service and distributes the log data to both Log Server
and the selected McAfee ESM integration.

Add Forcepoint Websense


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition

Data Source Vendor          Forcepoint

Data Source Model           Websense - CEF, Key Value Pair (ASP)

Data Format                 Default

Data Retrieval              SYSLOG (Default)

Enabled                     Select options for processing events. Some options may not be available for your data
                            source.

                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).

Name                        Name of the data source.

IP Address/Hostname         The IP address and host name associated with the data source device.

                            Note: Don't use _ (underscore) in a host name field.

Syslog Relay                None

Mask                        32

Require Syslog TLS          Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs     Do nothing

Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition

Device URL                  Type the URL that can be accessed to view event data for this data source (maximum of
                            512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom
                            of the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version that identify this device when the ESM forwards its
                            events in Common Event Format (CEF).

Date Order                  Select the format for the dates on data sources:

                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).

Zone                        To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.

                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when the logs are imported, the ESM can
                            differentiate the forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.

                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is in
                            NitroFile format. If you import them manually, you must select this box for each data
                            source.

Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.

                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

Forcepoint Websense log format and field mapping


Log format

The expected format for this device is Common Event Format (CEF).

Log sample
This is a sample log from a Websense device:

<13>Mar 06 12:55:48 192.0.2.1 CEF:0|Forcepoint|Security|7.7.0|9|Transaction permitted|1| act=permitted
app=http dvc=192.0.2.2 dst=192.0.2.3 dhost=test.host.com dpt=80 src=192.0.2.4 spt=2209 suser=LDAP://
192.0.2.4 OU\\=User,DC\\=example,DC\\=com/sanitized destinationTranslatedPort=51101 rt=1362603348000 in=727
out=554 requestMethod=GET requestClientApplication=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET4.0C;
InfoPath.2; .NET4.0E) reason=- cs1Label=Policy cs1=role-8**Test Standard ,role-8**Test Standard
cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=text/plain;charset\\=UTF-8 cn1Label=DispositionCode cn1=1026
cn2Label=ScanDuration cn2=1 request=http://test.host.com/path

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                 McAfee ESM fields

act                        Action
severity                   Severity
cat                        Category
suser, suid                Source User
src                        Source IP
spt                        Source Port
dst                        Dest. IP
dpt                        Dest. Port
destinationTranslatedPort  Nat_Details
requestMethod              Method
request                    URL
in                         Bytes_Received
out                        Bytes_Sent
cn2_ScanDuration           Elapsed_Time
fname                      Filename
msg                        Rule Message | Description
sourceServiceName          Service_Name
dhost                      Web_Domain
app                        Protocol
cn1_DispositionCode        Signature ID
Timestamp                  First Time | Last Time
EventID                    External_EventID

ForeScout CounterACT

Configure ForeScout CounterACT


To configure CounterACT to send syslog events to the McAfee Event Receiver, you must install a plug-in for CounterACT.

Task

1. From the ForeScout website, download the ForeScout plug-in for integration with the McAfee ESM.
2. In the CounterACT software, click Options from the toolbar, then click Plugins.
3. Click Install and navigate to the plug-in file that you downloaded, then click Install.
The plug-in appears in the Plugins list.
4. Select the McAfee ESM plug-in, then click Configure.
5. Select the devices that need to be configured to send events to the McAfee Event Receiver, then click OK to open the
Configuration window.
6. In the Server Address field, enter the IP address of the McAfee Event Receiver.
7. In the Syslog Port field, enter 514, then click OK to save and exit.

Add ForeScout CounterACT


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition

Data Source Vendor          ForeScout

Data Source Model           CounterACT (ASP)

Data Format                 Default

Data Retrieval              SYSLOG (Default)

Enabled                     Select options for processing events. Some options may not be available for your data
                            source.

                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).

Name                        Name of the data source.

IP Address/Hostname         The IP address and host name associated with the data source device.

                            Note: Don't use _ (underscore) in a host name field.

Syslog Relay                None

Mask                        32

Require Syslog TLS          Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs     Do nothing

Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition

Device URL                  Type the URL that can be accessed to view event data for this data source (maximum of
                            512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom
                            of the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version that identify this device when the ESM forwards its
                            events in Common Event Format (CEF).

Date Order                  Select the format for the dates on data sources:

                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).

Zone                        To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.

                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when the logs are imported, the ESM can
                            differentiate the forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.

                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is in
                            NitroFile format. If you import them manually, you must select this box for each data
                            source.

Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.

                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

ForeScout CounterACT log format and field mapping


Log format
The expected format for this device is:

<Priority> <device name>[<event ID>]: <log type> <source IP> <rule> <policy> <match> <category> <details>
<reason> <added>

Log sample
This is a sample log from a ForeScout CounterACT device:

<123>CounterACT[12345]: NAC Policy Log: Source: 192.0.2.1, Rule: Policy "AntiVirus Compliance" , Match: "AV
Not Running:Match", Category: Not Compliant, Details: Host evaluation changed from "AV Not Installed:Match"
to "AV Not Running:Match" due to condition . Reason: Property update: AntiVirus Installed: Added: AV
Software.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                        McAfee ESM fields

Event ID                          Session ID
to, User                          Source User
from, Source                      Source IP
Destination                       Destination IP
Destination                       Destination Port
Policy                            Application
command                           Command
CPU usage, Uptime (in seconds)    Object
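Both the CounterACT NAC Policy Log above and the AirMagnet alert earlier in this chapter carry their fields as ", Key: value" segments, and the values themselves contain colons (a MAC address such as A1:B2:C3:D4:E5:F6, the quoted "AV Not Running:Match"), so a parser that splits on every colon mangles them. The Python below is an added example, not ForeScout, Fluke or McAfee code: it splits on ", " first and only on the first ": " inside each segment, then maps the fields named in each device's table. Both sample lines are the guide's samples joined onto one line; the trailing "Reason:" and "Added:" text of the CounterACT record stays inside Details because the device does not comma-delimit it.

```python
import re
from typing import Dict, Tuple

# CounterACT: <PRI><app>[<event ID>]: <log type>: <body>
COUNTERACT_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<app>[A-Za-z]+)\[(?P<event_id>\d+)\]:\s*(?P<log_type>[^:]+):\s*(?P<body>.*)$"
)
# AirMagnet: <PRI><date time> <host> <device name> Alert: <body>
AIRMAGNET_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<device>\S+) "
    r"Alert:\s*(?P<body>.*)$"
)
SENSOR_RE = re.compile(r"^(?P<alert>.*?) from sensor (?P<sensor>\S+)$")


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def split_fields(body: str) -> Tuple[str, Dict[str, str]]:
    """Split ', Key: value' segments; a leading segment without a key is returned separately.
    Only the first ': ' of a segment separates key from value, so MAC addresses and quoted
    text such as "AV Not Running:Match" keep their colons."""
    lead, fields, last = "", {}, None
    for seg in body.split(", "):
        key, sep, value = seg.partition(": ")
        if sep:
            last = key.strip()
            fields[last] = _unquote(value)
        elif last is not None:
            fields[last] += ", " + seg.strip()   # a comma that belonged to the previous value
        else:
            lead = seg.strip()
    return lead, fields


def parse_counteract(line: str) -> dict:
    """Parse a CounterACT NAC Policy Log line and apply the table above."""
    m = COUNTERACT_HDR.match(line)
    if not m:
        raise ValueError("not a CounterACT syslog line")
    _, fields = split_fields(m.group("body"))
    return {"event_id": m.group("event_id"), "log_type": m.group("log_type"), "fields": fields,
            "esm": {"Session ID": m.group("event_id"), "Source IP": fields.get("Source"),
                    "Application": fields.get("Policy")}}


def parse_airmagnet(line: str) -> dict:
    """Parse an AirMagnet Enterprise alert and apply the AirMagnet table."""
    m = AIRMAGNET_HDR.match(line)
    if not m:
        raise ValueError("not an AirMagnet syslog line")
    lead, fields = split_fields(m.group("body"))
    s = SENSOR_RE.match(lead)
    alert, sensor = (s.group("alert"), s.group("sensor")) if s else (lead, None)
    return {"alert": alert, "sensor": sensor, "fields": fields,
            "esm": {"Object": sensor, "Source MAC": fields.get("Source MAC"), "Host": fields.get("SSID")}}


# The guide's two samples, each joined onto one line (constructed input, not live captures).
COUNTERACT_LINE = (
    '<123>CounterACT[12345]: NAC Policy Log: Source: 192.0.2.1, Rule: Policy "AntiVirus Compliance" , '
    'Match: "AV Not Running:Match", Category: Not Compliant, Details: Host evaluation changed from '
    '"AV Not Installed:Match" to "AV Not Running:Match" due to condition . Reason: Property update: '
    'AntiVirus Installed: Added: AV Software.'
)
AIRMAGNET_LINE = (
    "<123>Jan 01 01:01:01 deviceName deviceName Alert: Rogue AP by MAC address (ACL) from sensor SensorName, "
    "Location: location, Description: , Source MAC: A1:B2:C3:D4:E5:F6, Channel: 123"
)

if __name__ == "__main__":
    print(parse_counteract(COUNTERACT_LINE)["esm"])
    print(parse_airmagnet(AIRMAGNET_LINE)["esm"])
```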

Configure ForeScout CounterACT for CEF


ForeScout CounterACT does not generate events in CEF format. Use the ArcSight SmartConnector to send CEF formatted logs to
the McAfee Event Receiver.

See the ArcSight product documentation for setup instructions about sending syslog data to a remote server. Use the IP address
of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add ForeScout CounterACT for CEF


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition

Data Source Vendor          ForeScout

Data Source Model           CounterACT CEF (ASP)

Data Format                 Default

Data Retrieval              SYSLOG (Default)

Enabled                     Select options for processing events. Some options may not be available for your data
                            source.

                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).

Name                        Name of the data source.

IP Address/Hostname         The IP address and host name associated with the data source device.

                            Note: Don't use _ (underscore) in a host name field.

Syslog Relay                None

Mask                        32

Require Syslog TLS          Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs     Do nothing

Time Zone                   Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition

Device URL                  Type the URL that can be accessed to view event data for this data source (maximum of
                            512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom
                            of the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version that identify this device when the ESM forwards its
                            events in Common Event Format (CEF).

Date Order                  Select the format for the dates on data sources:

                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).

Zone                        To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. You can clear the
                            checkbox, which removes the distinction of imported data.

                            For example, you export logs from receiver 1 into receiver 2. The External data source
                            link is applied to the logs being sent so that when the logs are imported, the ESM can
                            differentiate the forwarded events.

Export in NitroFile format  Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.

                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is NitroFile is
                            selected for each of the data sources you are importing. This indicates that the file is in
                            NitroFile format. If you import them manually, you must select this box for each data
                            source.

Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data source
                            has a checksum file.

                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it. The only
                            exception is when you are importing a data source file that doesn't have a checksum file,
                            but you want to view it anyway.

ForeScout CounterACT for CEF log format and field mapping


Log format
The expected format for this device is:

<priority> <device name> <event ID> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value> <key=value>...

Log Sample
This is a sample log from a ForeScout CounterACT device:

<123>CounterACT[1234]: CEF:0|ForeScout Technologies|CounterAct|6|NONCOMPLIANCE|host is not compliant|5|
cs1Label=Complianc Policy Name cs2Label=Compliancy Policy Subrule Name cs3Label=Host Compliancy Status
cs4Label=Compliancy Event Trigger cs1=VirusScan Status cs2=VirusScan Updated cs3=no cs4=Periodical
dst=192.0.2.1 dmac=aa:bb:cc:dd:ee:ff duser=username dhost=hostname dntdom=DOMAIN dvc=192.0.2.2 dvchost=host
rt=978310861000

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

shost, dvchost: Host
Dpt: Protocol
src, dvc: Source IP
Dst: Destination IP
Spt: Source Port
Dpt: Destination Port
smac: Source MAC
dmac: Destination MAC
rt, start, end, tstamp, collection: First Time, Last Time
Cnt: Event Count
Name (CEF Header): Message
Severity (CEF Header): Severity
dproc: Application
sntdom: Domain
fname, spriv: Object
suser: Source User
duser: Destination User
request: URL
Compliance Status, cs1: Message_Text
filePath: Subject
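As an added example that is not part of the McAfee guide or of ForeScout's code, the following Python parses the sample line above into the ESM fields listed in the table: it splits the CEF header on unescaped pipes, walks the extension by key= positions so multi-word values such as cs1Label survive, pairs csNLabel with csN, and renders the epoch-millisecond rt value as a UTC timestamp. The ESM field names are taken from the table; the function names and the layout of the returned dicts are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the sample line from the guide, joined onto one line.
SAMPLE = (
    "<123>CounterACT[1234]: CEF:0|ForeScout Technologies|CounterAct|6|NONCOMPLIANCE|"
    "host is not compliant|5|cs1Label=Compliancy Policy Name cs2Label=Compliancy Policy "
    "Subrule Name cs3Label=Host Compliancy Status cs4Label=Compliancy Event Trigger "
    "cs1=VirusScan Status cs2=VirusScan Updated cs3=no cs4=Periodical dst=192.0.2.1 "
    "dmac=aa:bb:cc:dd:ee:ff duser=username dhost=hostname dntdom=DOMAIN dvc=192.0.2.2 "
    "dvchost=host rt=978310861000"
)

# The seven CEF header fields that follow the "CEF:" token, in order.
CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")

# Extension key -> ESM field(s), copied from the field-mapping table above.
CEF_TO_ESM = {
    "shost": ("Host",), "dvchost": ("Host",),
    "src": ("Source IP",), "dvc": ("Source IP",),
    "dst": ("Destination IP",),
    "spt": ("Source Port",), "dpt": ("Destination Port",),
    "smac": ("Source MAC",), "dmac": ("Destination MAC",),
    "rt": ("First Time", "Last Time"), "start": ("First Time", "Last Time"),
    "end": ("First Time", "Last Time"), "tstamp": ("First Time", "Last Time"),
    "collection": ("First Time", "Last Time"),
    "cnt": ("Event Count",), "dproc": ("Application",), "sntdom": ("Domain",),
    "fname": ("Object",), "spriv": ("Object",),
    "suser": ("Source User",), "duser": ("Destination User",),
    "request": ("URL",), "cs1": ("Message_Text",), "filePath": ("Subject",),
}
TIME_KEYS = {"rt", "start", "end", "tstamp", "collection"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # a pipe not escaped with a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of one key=value pair


def _unescape(value):
    """Undo the CEF escapes for '|', '=' and the backslash itself."""
    return value.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef_extension(ext):
    """Return the extension as a dict. Values may contain spaces, so each value
    runs from its '=' up to where the next key= token starts."""
    fields = {}
    hits = list(_EXT_KEY.finditer(ext))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[hit.group(1)] = _unescape(ext[hit.end():end].strip())
    return fields


def parse_cef(line):
    """Parse '<pri>device[id]: CEF:0|...|extension' into its parts."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    pri = re.match(r"<(\d+)>", line)
    parts = _HEADER_SPLIT.split(line[idx + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER, (_unescape(p) for p in parts[:7])))
    ext = parse_cef_extension(parts[7]) if len(parts) == 8 else {}
    # Pair csNLabel with csN so the vendor's custom field names are kept.
    customs = {ext[k]: ext.get(k[:-5], "") for k in ext if k.endswith("Label")}
    return {"syslog_pri": int(pri.group(1)) if pri else None,
            "header": header, "extension": ext, "customs": customs}


def to_esm(parsed):
    """Apply the table: header Name -> Message, Severity -> Severity, then extension keys."""
    esm = {"Message": parsed["header"]["name"],
           "Severity": parsed["header"]["severity"]}
    for key, value in parsed["extension"].items():
        if key in TIME_KEYS and value.isdigit():
            # CEF carries epoch milliseconds; render as a UTC timestamp.
            stamp = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
            value = stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
        for esm_field in CEF_TO_ESM.get(key, ()):
            esm.setdefault(esm_field, value)
    return esm


if __name__ == "__main__":
    for field, value in sorted(to_esm(parse_cef(SAMPLE)).items()):
        print(f"{field:16} {value}")
```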

Fortinet FortiGate

Configure Fortinet FortiGate using the command line interface

Note

The preferred format is space-delimited logs, but you can also use comma-separated logs.

Task

Enter these commands:

config log syslogd setting
    set status enable
    set server <IP address of Receiver>
    set mode <udp or reliable TCP>
    set port 514
    set facility <facility name>
    set source-ip <IP address of syslog source>
    set format default
end

Note

If you already have a syslog server configured in the FortiGate UTM, you can still add up to a total of three syslog servers in
the configuration by changing the first line to config log syslogd2 setting or config log syslogd3 setting.

For more information, see FortiOS™ Handbook Logging and Reporting for FortiOS 6.0 under the section, Advanced Logging.

Configure Fortinet FortiGate UTM through the Management Console

Note

The preferred format is space-delimited logs, but you can also use comma-separated logs.

Task

1. Go to Log&Report → Log Config → Log Setting, then select Syslog.
2. Expand the Options section to set any custom logging options, then enter this information in the corresponding fields:

• Name/IP—Enter the host name or IP address of the McAfee Event Receiver.
• Port—Set the port to 514.
• Level—Set the level of logging.
• Facility—Leave the default value.
• Enable CSV—Leave this box deselected.

3. Click Apply.

Add Fortinet FortiGate UTM

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor: Fortinet
Data Source Model: FortiGate UTM – Space Delimited – (ASP)
Data Format: Default
Data Retrieval: Default
Name: Name of data source
IP Address/Hostname: IP address and host name associated with the data source device
Syslog Relay: None
Mask: Default
Require Syslog TLS: Leave unchecked
Support Generic Syslogs: Do nothing
Time Zone: The value must be (GMT,00:00) Greenwich Mean Time because the receiver parses the time from the
eventtime field within the log, which is in the UTC/GMT time zone.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using
this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone: To assign this data source to a zone, select the zone from the list.

External data source link: Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the
logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format: Use this option when you are exporting raw data source data.

Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import
those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you
are importing. This indicates that the file is in NitroFile format. If you import them manually, you must
select this box for each data source.

Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a
checksum file. If you import them manually, you must select it. The only exception is when you are importing
a data source file that doesn't have a checksum file, but you want to view it anyway.

Fortinet FortiGate UTM log format and field mapping

Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a Fortinet FortiGate UTM device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer: Hostname
IP Protocol: Protocol
Source: Source IP
Destination: Destination IP

Fortinet FortiMail

Configure Fortinet FortiMail

Task

1. Go to Log and Report → Log Settings → Remote Log Settings.

The Remote Log Settings tab is displayed.

Option definitions

Option Definition

Enabled: Select to enable remote storage on the server.
ID: Displays the remote host ID.
Server: Displays the IP address of the syslog server.
Port: Displays the port on the syslog server.
Level: Displays the minimum severity level for logging.
Facility: Displays the facility identifier that the FortiMail unit uses to identify itself.

2. Select Enabled to allow logging to a remote host, then, in Profile name, enter a profile name.
3. In IP, enter the IP address of the syslog server where FortiMail stores the logs.
4. In Port, enter 514 for syslog (default is UDP).
5. In Level, select the severity level that a log message must equal or exceed to be recorded to this location.
6. In Facility, select the facility identifier that the FortiMail unit uses to identify itself when sending log messages.
7. To easily identify log messages from the FortiMail unit, enter a unique facility identifier, then verify that no other network
devices use the same facility identifier.
8. Deselect CSV format.
9. In Logging Policy Configuration, enable the types of logs that you want to record to this storage location, then click
Create.

Add Fortinet FortiMail

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor: Fortinet
Data Source Model: Fortimail
Data Format: Default
Data Retrieval: SYSLOG (Default)
Enabled: Select options for processing events. Some options may not be available for your data source.
• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
Name: Name of data source
IP Address/Hostname: The IP address and host name associated with the data source device.
Note: Don't use _ (underscore) in a host name field.
Syslog Relay: None
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs: Do nothing
Time Zone: Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using
this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone: To assign this data source to a zone, select the zone from the list.

External data source link: Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the
logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format: Use this option when you are exporting raw data source data.

Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import
those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you
are importing. This indicates that the file is in NitroFile format. If you import them manually, you must
select this box for each data source.

Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a
checksum file. If you import them manually, you must select it. The only exception is when you are importing
a data source file that doesn't have a checksum file, but you want to view it anyway.

Fortinet FortiMail log format and field mapping

Log sample
Here are sample logs from a device.

Statistics:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Admin
pri=Critical user=admin ui=192.0.2.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=syst

Config:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=config
pri=information user=admin ui=203.0.113.0 module=unknown submodule=unknown msg="changed settings for 'log
setting local'"

System:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=System
pri=Warning user=admin ui=203.0.113.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=system submodule=interface msg=“DNS: Connection timed out. No
servers could be reached.”

Update:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Update
pri=Warning user=admin ui=203.0.113.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=system submodule=interface msg=”Update result: virusdb:<yes|
no>, avengine:<yes|no>, spamdb:<yes|no>, asengine:<yes|no>

SMTP:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=SMTP
pri=Warning user=admin ui=203.0.113.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=system submodule=interface msg= “Starting flgrptd”

Admin:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Admin
pri=Critical user=admin ui=203.0.113.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=system submodule=interface msg=“User <user_name> login
successfully from {GUI(<ip_address>) | console|SSH(<ip_address>)|telnet(<ip_address>)}”

HA:

date=2015-08-09 time=10:30:31 device_id=FE100C3909600504 log_id=0004001036 type=event subtype=ha pri=notice
user=ha ui=ha action=none status=success msgs=“monitord: main loop starting, entering MASTER mode”

Webmail:

date=2015-08-09 time=12:42:48 device_id=FE100C3909600504 log_id=0000000920 type=event subtype=Webmail
pri=Warning user=admin ui=203.0.113.0 module=unknown submodule=unknown user=<user_ name> ui={console|
SSH(<ip_address>)|telnet(<ip_address>)} module=system submodule=interface msgs=“User <user_name> from <IP
address> logged in.”

Antivirus:

date=2015-07-24 time=17:07:42 device_id=FE100C3909600504 log_id=0100000924 type=virus subtype=infected
pri=information from="syntax@www.ca" to="user2@1.ca" src=203.0.113.0 session_id="q6OL7fsQ018870-
q6OL7fsR018870" msg="The file inline-16-69.dat is infected with EICAR_TEST_FILE."

Antispam:

date=2015-07-20 time=14:33:26 device_id=FE100C3909600504 log_id=0300000924 type=spam pri=information
session_id="q6KIXPZe008097-q6KIXPZf008097" client_name="[203.0.113.0]" dst_ip="203.0.113.1" endpoint=""
from="syntax@www.ca" to="user1@1.ca" subject="Email with wd, excel, and rtf test" msg="Detected by
BannedWord test"

Encryption:

date=2015-08-09 time=10:45:27 device_id=FE100C3909600504 log_id=0400005355 type=encrypt pri=information
session_id="q79EiV8S007017-q79EiV8T0070170001474" msg="User user1@1.ca read secure message,
id:'q79EiV8S007017-q79EiV8T0070170001474', sent from: 'user2@2.ca', subject: 'ppt file'"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Date/Time: First Time, Last Time
dst_ip: Destination IP
Src: Source IP
Pri: Severity
client_name: Domain, Source IP
session_id: Message_ID
user: Source User, Destination User
To: To
from: From
direction: Direction
domain: Domain
virus: Threat_Name
subject: Subject
log_id: External_EventID
device_id: External_SessionID
mailer: Application
Dictionary: Category
hash: File_Hash
File: Filename
clientname, host: Host
interface: Interface
group: Group_Name
message: Message_Text, Rule Message
Pid: PID
daemon: Process_Name
proto: Protocol
reason: Reason
System White List: Reputation_Server_IP
Score: Spam_Score
URL: URL
alias: User_Nickname
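As an added example, not taken from the McAfee guide or from Fortinet, this Python tokenizes the key=value payload of the FortiMail samples above (double-quoted values containing spaces, bare tokens, and the curly quotes exactly as the guide prints them), joins date= and time= into the First Time/Last Time stamp, and applies the mapping table. Treating msg= and msgs= as the table's "message" column, the <PRI> prefix on the constructed HA sample, and the function names are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed one-line copies of two samples from the guide. SAMPLE_HA carries a
# syslog <PRI> prefix that the guide's sample does not show, to exercise stripping it.
SAMPLE_AV = (
    "date=2015-07-24 time=17:07:42 device_id=FE100C3909600504 log_id=0100000924 "
    "type=virus subtype=infected pri=information from=\"syntax@www.ca\" to=\"user2@1.ca\" "
    "src=203.0.113.0 session_id=\"q6OL7fsQ018870-q6OL7fsR018870\" "
    "msg=\"The file inline-16-69.dat is infected with EICAR_TEST_FILE.\""
)
SAMPLE_HA = (
    "<134>date=2015-08-09 time=10:30:31 device_id=FE100C3909600504 log_id=0004001036 "
    "type=event subtype=ha pri=notice user=ha ui=ha action=none status=success "
    "msgs=“monitord: main loop starting, entering MASTER mode”"
)

# FortiMail key -> ESM field(s), from the mapping table above. Keys are compared
# lower-case because the table mixes "Src"/"Pri" with "src"/"pri".
KV_TO_ESM = {
    "dst_ip": ("Destination IP",), "src": ("Source IP",), "pri": ("Severity",),
    "client_name": ("Domain", "Source IP"), "session_id": ("Message_ID",),
    "user": ("Source User", "Destination User"), "to": ("To",), "from": ("From",),
    "direction": ("Direction",), "domain": ("Domain",), "virus": ("Threat_Name",),
    "subject": ("Subject",), "log_id": ("External_EventID",),
    "device_id": ("External_SessionID",), "mailer": ("Application",),
    "dictionary": ("Category",), "hash": ("File_Hash",), "file": ("Filename",),
    "clientname": ("Host",), "host": ("Host",), "interface": ("Interface",),
    "group": ("Group_Name",), "pid": ("PID",), "daemon": ("Process_Name",),
    "proto": ("Protocol",), "reason": ("Reason",), "score": ("Spam_Score",),
    "url": ("URL",), "alias": ("User_Nickname",),
    # Assumption: the samples carry the table's "message" column as msg= or msgs=.
    "message": ("Message_Text", "Rule Message"),
    "msg": ("Message_Text", "Rule Message"), "msgs": ("Message_Text", "Rule Message"),
}

# key=value where the value is "double-quoted" (backslash escapes allowed),
# “curly-quoted” as printed in the guide, or a bare token. One space between '='
# and an opening quote (msg= “Starting flgrptd” in the SMTP sample) is tolerated.
_PAIR = re.compile(r'(\w+)=(?:\s(?=["“]))?("(?:[^"\\]|\\.)*"|“[^”]*”|\S*)')


def parse_kv(payload):
    """Return key -> value with quotes removed; a repeated key keeps its last value."""
    fields = {}
    for key, raw in _PAIR.findall(payload):
        if len(raw) >= 2 and raw[0] in '"“' and raw[-1] in '"”':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def strip_syslog_prefix(line):
    """Drop an optional <PRI> header: the payload starts at the first key=value pair."""
    hit = re.search(r"\w+=", line)
    return line[hit.start():] if hit else line


def to_esm(line):
    """Map one FortiMail line onto ESM fields; date= and time= become First/Last Time."""
    fields = parse_kv(strip_syslog_prefix(line))
    esm = {}
    if "date" in fields and "time" in fields:
        stamp = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        esm["First Time"] = esm["Last Time"] = stamp.isoformat(sep=" ")
    for key, value in fields.items():
        for esm_field in KV_TO_ESM.get(key.lower(), ()):
            esm.setdefault(esm_field, value)
    return esm


if __name__ == "__main__":
    for sample in (SAMPLE_AV, SAMPLE_HA):
        for field, value in sorted(to_esm(sample).items()):
            print(f"{field:19} {value!r}")
        print()
```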

Fortinet FortiManager

Configure Fortinet FortiManager

Task

1. Go to System Settings → Advanced → Syslog Server.
2. Select Create New to open the New Syslog Server window.
3. Fill in the Name, for example, McAfee ESM.
4. Fill in the IP address or FQDN of the McAfee Event Receiver.
5. Enter the Port number. The default is 514.

Add Fortinet FortiManager

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor: Fortinet
Data Source Model: FortiManager (ASP)
Data Format: Default
Data Retrieval: SYSLOG (Default)
Enabled: Select options for processing events. Some options may not be available for your data source.
• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
Name: Name of data source
IP Address/Hostname: IP address and host name associated with the data source device
Note: Don't use _ (underscore) in a host name field.
Syslog Relay: None
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS
Support Generic Syslogs: Do nothing
Time Zone: Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using
this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone: To assign this data source to a zone, select the zone from the list.

External data source link: Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the
logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format: Use this option when you are exporting raw data source data.

Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import
those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you
are importing. This indicates that the file is in NitroFile format. If you import them manually, you must
select this box for each data source.

Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a
checksum file. If you import them manually, you must select it. The only exception is when you are importing
a data source file that doesn't have a checksum file, but you want to view it anyway.

Fortinet FortiManager log format and field mapping

Log format
The expected format for this device is:

date=<date> time=<time> devicename=<devicename> deviceID=<deviceID> logID=<logID> type=<type>
subtype=<subtype> priority=<priority> user=<user> message=<message> firmware=<firmware> type=<type>
version=<version>

Log sample
This is a sample log from a Fortinet FortiManager device:

<123>date=2001-01-01time=12:01:01,devname=device,device_id=ABC123,
log_id=0123456789,type=example,subtype=example,pri=example,user=username; msg="Message Text;
firmware=12345678; type=ABCD1234; version=1.0

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

timestamp: First Time, Last Time
user: Source User
pri, level: Severity
devname: Host
log_id: Object
subtype: Application

Fortscale User and Entity Behavior Analytics (UEBA)

Configure Fortscale User and Entity Behavior Analytics (UEBA)

Task

1. From the main Fortscale interface, navigate to System Configuration → System → Alert Forwarding via Syslog.
2. Toggle Enable Forwarding to Yes.
3. For Forwarding Type, select Alerts.
4. In the IP field, enter the IP address for the McAfee Event Receiver.
5. In the Port field, type the port where the McAfee Event Receiver is listening. Default is 514.
6. Under Selective Forwarding: Alert Severity, check which alert severities to forward.
7. Under Selective Forwarding: User Tags, check which tags to filter for forwarded events.
8. Click Apply.

Add Fortscale User and Entity Behavior Analytics (UEBA)

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor: Fortscale
Data Source Model: Fortscale UEBA
Data Format: Default
Data Retrieval: SYSLOG (Default)
Enabled: Select options for processing events. Some options may not be available for your data source.
• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
Name: Name of data source
IP Address/Hostname: The IP address and host name associated with the data source device.
Note: Don't use _ (underscore) in a host name field.
Syslog Relay: None
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs: Do nothing
Time Zone: Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using
this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone: To assign this data source to a zone, select the zone from the list.

External data source link: Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the
logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format: Use this option when you are exporting raw data source data.

Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import
those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you
are importing. This indicates that the file is in NitroFile format. If you import them manually, you must
select this box for each data source.

Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a
checksum file. If you import them manually, you must select it. The only exception is when you are importing
a data source file that doesn't have a checksum file, but you want to view it anyway.

Fortscale User and Entity Behavior Analytics (UEBA) log format and field mapping

Log format
The expected format for this device is:

<PRI>DATE TIME HOSTNAME -: KEY: VALUE KEY: VALUE KEY: VALUE…

Log sample
This is a sample log from a device:

<123>Jan 01 01:01:01 demo.fortscale.com -: Alert URL: https://demo.fortscale.dom Alert Name:
data_exfiltration_normalized_username_daily Start Time: 978336061 End Time: 978336061 Entity Name: someName
Entity Type: User Severity: Critical Alert Status: Open Comment:

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Alert URL: URL
Alert Name: Message
Start Time: First Time, Last Time
Entity Name: Source User, External_Device_Name
Entity Type: Object_Type
Severity: Severity
Alert Status: Status
Comment: Message_Text
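The "KEY: VALUE KEY: VALUE" layout above cannot be split on whitespace or on colons, because the keys themselves contain spaces and the URL value contains a colon. As an added example that is not part of the McAfee guide or Fortscale's software, this Python anchors on the key names from the mapping table (plus End Time, which the sample carries but the table omits), slices each value up to the next known key, and converts the epoch-second times to UTC timestamps; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed one-line copy of the sample from the guide.
SAMPLE = (
    "<123>Jan 01 01:01:01 demo.fortscale.com -: Alert URL: https://demo.fortscale.dom "
    "Alert Name: data_exfiltration_normalized_username_daily Start Time: 978336061 "
    "End Time: 978336061 Entity Name: someName Entity Type: User Severity: Critical "
    "Alert Status: Open Comment:"
)

# Fortscale key -> ESM field(s), from the mapping table above.
KEY_TO_ESM = {
    "Alert URL": ("URL",), "Alert Name": ("Message",),
    "Start Time": ("First Time", "Last Time"),
    "Entity Name": ("Source User", "External_Device_Name"),
    "Entity Type": ("Object_Type",), "Severity": ("Severity",),
    "Alert Status": ("Status",), "Comment": ("Message_Text",),
}
# "End Time" appears in the sample but not in the table. It must still be a known
# key, otherwise "End Time: 978336061" would be swallowed into the Start Time value.
KNOWN_KEYS = list(KEY_TO_ESM) + ["End Time"]

# <PRI>DATE TIME HOSTNAME -: body
_HEADER = re.compile(r"^<(\d+)>(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) -: (.*)$", re.S)
# Alternation of the known keys, longest first, each followed by ':' and preceded by
# start-of-text or whitespace; a value runs from its ':' to the next known key.
_KEY = re.compile(
    r"(?:^|\s)("
    + "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True))
    + r"):"
)


def parse_fortscale(line):
    """Split a Fortscale alert line into its syslog header parts and a KEY -> VALUE dict."""
    hit = _HEADER.match(line)
    if not hit:
        raise ValueError("not a Fortscale syslog line")
    pri, stamp, host, body = hit.groups()
    keys = list(_KEY.finditer(body))
    fields = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[k.group(1)] = body[k.end():end].strip()   # "Comment:" at the end -> ""
    return {"pri": int(pri), "timestamp": stamp, "host": host, "fields": fields}


def to_esm(parsed):
    """Apply the mapping table; epoch-second Start/End Time values become UTC timestamps."""
    esm = {}
    for key, value in parsed["fields"].items():
        if key.endswith("Time") and value.isdigit():
            stamp = datetime.fromtimestamp(int(value), tz=timezone.utc)
            value = stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
        for esm_field in KEY_TO_ESM.get(key, ()):
            esm.setdefault(esm_field, value)
    return esm


if __name__ == "__main__":
    for field, value in sorted(to_esm(parse_fortscale(SAMPLE)).items()):
        print(f"{field:21} {value!r}")
```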

FreeRADIUS

Configure FreeRADIUS
Task

1. In the /etc/freeradius/radius.conf file, make these changes:

# Send FreeRADIUS log output to syslog instead of a local log file
logdir = syslog
log_destination = syslog
log {
        destination = syslog
        # Default syslog facility; step 3 passes -g to select the facility used
        syslog_facility = daemon
        stripped_names = no
        # Log authentication requests, but never the passwords themselves
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}

2. Make this addition to /etc/syslog.conf:

# .=notice will log only authentication messages (L_AUTH)
example1.=notice @10.10.3.21
# .=err will log only module errors for radius
example1.=err @10.10.3.21

where 10.10.3.21 is the IP address or host name of the McAfee Event Receiver, and “example1” is the facility to be used with
FreeRADIUS in the next step.

3. Set up FreeRADIUS to run with these options:

-l syslog
-g example1

where “example1” is the facility name that you have chosen to use.

Add FreeRADIUS
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor: FreeRADIUS
Data Source Model: FreeRADIUS (ASP)
Data Format: Default
Data Retrieval: Default
Enabled: Select options for processing events. Some options may not be available for your data source.
• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
Name: Name of data source
IP Address/Hostname: IP address and host name associated with the data source device
Syslog Relay: None
Mask: 32
Require Syslog TLS: Unchecked
Support Generic Syslogs: Default
Time Zone: Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event
Analysis view.

Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using
this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone: To assign this data source to a zone, select the zone from the list.

External data source link: Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the
logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format: Use this option when you are exporting raw data source data.

Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import
those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you
are importing. This indicates that the file is in NitroFile format. If you import them manually, you must
select this box for each data source.

Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data
source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a
checksum file. If you import them manually, you must select it. The only exception is when you are importing
a data source file that doesn't have a checksum file, but you want to view it anyway.

FreeRADIUS log format and field mapping

Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a FreeRADIUS device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer: Hostname
IP Protocol: Protocol
Source: Source IP
Destination: Destination IP

Gigamon GigaVUE

Configure Gigamon GigaVUE

The syslog configuration is done at the command line. See your product documentation for instructions about how to access and
use the command line.

Task

From the command line, enter:

config syslog_server host 192.0.2.1

where 192.0.2.1 is the IP address of the McAfee Event Receiver.

Add Gigamon GigaVUE


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Gigamon

Data Source Model GigaVUE (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Gigamon GigaVUE log format and field mapping


Log format

<priority>Original Address=<IP address> <date time> <hostname> <application> <message>

Log samples
This is a sample log from a Gigamon GigaVUE device:

<123>Original Address=192.0.2.1 Jan 1 01:01:01 hostname application: Packet Drop port 12 drop 123 packets

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Host

Application Application

Original Address Source IP

Interface Port Number Object

Date Time First Time, Last Time

Globalscape Enhanced File Transfer

Configure Globalscape Enhanced File Transfer


Before you begin
See the Globalscape Enhanced File Transfer (EFT) documentation for configuration instructions. Specific details can be located in
the EFT Logging and Visibility → Log Format, Type, and Location section. Ensure that the default logging settings are used for
proper parsing.

The McAfee Collector is used to send the Globalscape logs to McAfee ESM. See the McAfee Collector documentation for
configuration help.

Task

1. In the administration interface, connect to EFT, then click the Server tab.
2. Click the Server node, set the log level to Diagnostic, then select Generic log tail for the client.
3. In the right pane, click the Logs tab.
4. In Log File Settings folder in which to save log files box, type the path to the directory in which to save this server's log files.
To browse for a path, click the folder icon.
5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging.

Note

The McAfee Collector is used to send the Globalscape logs to McAfee ESM. See the McAfee Collector documentation.

6. Under the McAfee Collector, set the log level to Diagnostic.
7. Select Generic log tail for the client.

Note

If a Host ID is used, you must use this same Host ID when creating the data source on the McAfee Event Receiver.

8. Verify that the client is enabled, then apply the changes.

Add Globalscape Enhanced File Transfer


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Globalscape

Data Source Model Enhanced File Transfer (EFT)

Data Format Default

Data Retrieval McAfee Event Format (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Host ID Name of the host ID in the McAfee Collector, if a Host ID was entered.

Use encryption Checked if encryption was selected in the McAfee Collector.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Globalscape Enhanced File Transfer log format and field mapping

Log format
The expected format for this device is:

computer timestamp IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log samples
This is a sample log from a Globalscape Enhanced File Transfer device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

timestamp First Time, Last Time

c-ip Source IP

c-port Source Port

cs-username Source User

cs-method Command

cs-uri-stem Message_Text

sc-bytes Bytes_from_Server

cs-bytes Bytes_from_Client

s-name Destination_Hostname

s-port Destination Port
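The Globalscape steps above select W3C Extended as the log file format, and the table maps its field names to ESM fields. The parser below, an added example that is not Globalscape or McAfee code, reads the #Fields directive and applies that mapping; the sample file is constructed, its field order is an assumption (a real EFT log carries its own #Fields line), and the page's "timestamp" is taken to be the W3C date and time fields joined.

```python
"""W3C Extended log parser mapped to the ESM fields of the Globalscape EFT table.
Added example, not Globalscape or McAfee code. SAMPLE_W3C is constructed."""
import io
import re

# Page table: W3C log field -> McAfee ESM field. The page's "timestamp" is
# taken here to be the W3C "date" and "time" fields joined (assumption).
W3C_TO_ESM = {
    "c-ip": "Source IP",
    "c-port": "Source Port",
    "cs-username": "Source User",
    "cs-method": "Command",
    "cs-uri-stem": "Message_Text",
    "sc-bytes": "Bytes_from_Server",
    "cs-bytes": "Bytes_from_Client",
    "s-name": "Destination_Hostname",
    "s-port": "Destination Port",
}

# Constructed sample (field order assumed): three FTP transactions, "-" marks
# a field that was not logged for that record.
SAMPLE_W3C = """#Software: constructed sample, not an EFT export
#Version: 1.0
#Date: 2012-01-25 00:00:00
#Fields: date time c-ip c-port cs-username s-name s-port cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2012-01-25 00:00:02 192.168.1.2 45678 jsmith eft01 21 USER /inbound/report.csv 230 0 12
2012-01-25 00:00:05 192.168.1.2 45678 jsmith eft01 21 STOR /inbound/report.csv 226 - 48213
2012-01-25 00:01:10 192.168.1.9 51000 - eft01 22 PASS - 530 0 0
"""

# A token is a double-quoted string (W3C quotes values that contain spaces)
# or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokens(line):
    return [t[1:-1] if t.startswith('"') else t for t in _TOKEN.findall(line)]


def parse_w3c(text):
    """Yield one dict per record. Lines starting with '#' are directives; only
    #Fields affects parsing and it is re-read whenever it appears, so a file
    whose field list changes part-way through is handled. '-' becomes None."""
    fields = None
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before any #Fields directive: %r" % line)
        values = _tokens(line)
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %r"
                             % (len(fields), len(values), line))
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def to_esm(record):
    """Map one parsed record to the ESM field names from the page's table.
    Unlogged ('-') fields are left out rather than sent as empty strings."""
    esm = {}
    if record.get("date") and record.get("time"):
        stamp = record["date"] + " " + record["time"]
        esm["First Time"] = stamp
        esm["Last Time"] = stamp
    for w3c_name, esm_name in W3C_TO_ESM.items():
        value = record.get(w3c_name)
        if value is not None:
            esm[esm_name] = value
    return esm


def esm_events(text):
    """Parse a whole W3C log and return the list of ESM-mapped events."""
    return [to_esm(r) for r in parse_w3c(text)]


if __name__ == "__main__":
    for event in esm_events(SAMPLE_W3C):
        print(event)
```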

Gurucul Risk Analytics Data Forwarder

Configure Gurucul Risk Analytics Data Forwarder (CEF logs)


Task

1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration
(Top right corner) → +Add (Top right corner).
2. Configure the data source.

Option Definition

Name A logical name for the configuration

Destination type SyslogForwarder

Query String
SELECT
  trendingriskvalues.id AS id,
  globalusers.userrisk AS userrisk,
  concat(trendingriskvalues.risk_update_time, ' ', (select DATE_FORMAT(end_date,'%H:%i:%s') from job_details where job_name like '%Risk Scoring%' and status_flag='SUCCESS' limit 1)) AS reporttime,
  concat(globalusers.firstname, ' ', globalusers.lastname) as fullname,
  globalusers.firstname As firstname,
  globalusers.lastname As lastname,
  globalusers.employeeid AS employeeid,
  'First Name' AS firtsnamelabel,
  'Last Name' AS lastnamelabel,
  'Risk Score' AS riskscorelabel,
  round(globalusers.userrisk/(10*2)) AS severity
FROM
  trendingriskvalues,
  globalusers
WHERE
  trendingriskvalues.userid_id = globalusers.id

Header -

Template CEF:0|Gurucul|GRA|6.1|1|Activities|#severity#| id=203950 cfp1=#userrisk# rt=#reporttime# duser=#fullname# cs1=#firstname# cs2=#lastname# duid=#employeeid# cs1Label=#firtsnamelabel# cs2Label=#lastnamelabel# cfp1Label=#riskscorelabel#

Footer -

Log Format CEF

Batch Size 0 (zero)

Key Column trendingriskvalues.id

3. Save the configuration.

The configuration is now available in the drop-down list on the Data Forwarder Job page.

Configure Gurucul Risk Analytics Data Forwarder (JSON logs)

Task

1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration
(Top right corner) → +Add (Top right corner).
2. Configure the data source.

Option Definition

Name A logical name for the configuration

Destination SyslogForwarder
type

Query String
SELECT
  trendingriskvalues.id AS id,
  globalusers.userrisk AS userrisk,
  concat(trendingriskvalues.risk_update_time, ' ', (select DATE_FORMAT(end_date,'%H:%i:%s') from job_details where job_name like '%Risk Scoring%' and status_flag='SUCCESS' limit 1)) AS reporttime,
  concat(globalusers.firstname, ' ', globalusers.lastname) as fullname,
  globalusers.firstname As firstname,
  globalusers.lastname As lastname,
  globalusers.employeeid AS employeeid,
  'First Name' AS firtsnamelabel,
  'Last Name' AS lastnamelabel,
  'Risk Score' AS riskscorelabel,
  round(globalusers.userrisk/(10*2)) AS severity
FROM
  trendingriskvalues,
  globalusers
WHERE
  trendingriskvalues.userid_id = globalusers.id

Header -

Template {id:203950,EmployeeId:#employeeid#,Full Name:#fullname#,First Name:#firstname#,Last Name:#lastname#,Userrisk:#userrisk#,Reporttime:#reporttime#,Severity:#severity#}

Footer -

Log Format JSON

Batch Size 0 (zero)

Key Column trendingriskvalues.id

3. Save the configuration.

The configuration is now available in the drop-down list on the Data Forwarder Job page.

Add Gurucul Risk Analytics Data Forwarder


Task

1. From the ESM dashboard, select a receiver.

2. Click the Add Data Source icon.

Option Definition

Data Source Vendor Gurucul

Data Source Model Risk Analytics

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source

IP Address/Hostname The IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone where the data is generated

3. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Gurucul Risk Analytics log format and field mapping


CEF log format

<log date time> <device IP> CEF: <CEF version>|Gurucul|GRA|<Gurucul version>|<Signature ID>|<name>|
<severity>| <external event ID> <reputation score> <event time> <destination username> <first name> <last
name> <destination user ID> <first name label> <last name label> <reputation score label>

CEF log sample

Jun 2 18:19:40 192.168.142.84 CEF: 0|Gurucul|GRA|6.1|1|Activities|10.0| id=5 cfp1=95.0 rt=2017-04-20 12:38:00 duser=arpan bhojwani cs1=arpan cs2=bhojwani duid=arpan cs1Label=First Name cs2Label=Last Name cfp1Label=Risk Score

JSON log format

<log date time> <device IP> {<Signature ID> <destination user ID> <destination username> <reputation score>
<event time> <severity>}

JSON log sample

Jun 2 18:02:19 192.168.142.84 {id:1,EmployeeId:arpan,Full Name:arpan bhojwani,First Name:arpan,Last Name:arpan,Userrisk:95.0,Reporttime:2017-03-01 12:38:00,Severity:10.0}

Field mapping

Log fields ESM fields

Severity Sigdesc, severity

External event ID External_eventID

Reputation score Reputation_score

Event time Firsttime, lasttime

Destination username dst_username

Destination User ID Destination_userID

HashiCorp Vault

Configure HashiCorp Vault


Set up the data source to send events and flows to ESM.

Task

See the HashiCorp product documentation for instructions.

Add HashiCorp Vault


Add the data source to a McAfee Event Receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor HashiCorp

Data Source Model Vault

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter a name for the data source.

IP Address/Host Name Enter the IP address and host name.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require syslog TLS Select to require TLS.

Port Select the port number.

Support Generic Syslogs Do nothing

Generic Rule Assignment Accept default.

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

HBGary Active Defense

Configure HBGary Active Defense


Task

1. Log on to the Active Defense Management Console.
2. Navigate to Settings → Alerts.
3. In the Alerts window, click Add Route to open the Router Editor.
4. Enter a name to identify the McAfee Event Receiver into Route Name.
5. In the Settings area, enter the IP address of the McAfee Event Receiver into the Host field.
6. In the Port field, enter 514 (the default port for syslog).
7. In the Events area, select the events to be sent to the McAfee Event Receiver.
8. Click OK to save and exit.

Add HBGary Active Defense


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor HBGary

Data Source Model ActiveDefense (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

HBGary Active Defense log format and field mapping


Log format
The expected format for this device is:

<priority> <date> <time> <hostname> <process>[ID]:LEEF:<version>|<vendor>|<product>|<version>|<event ID>|<key>=<value> <key>=<value> <key>=<value> …

Log samples
This is a sample log from a HBGary Active Defense device:

<123> 2001-01-01T01:01:01Z hostname process[1234]:LEEF:1|HBGary|Active Defense|1.2.3|Login|sev=0 user=admin dstHost=hostname dst=192.0.2.1 message=Logged In

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

srcHost Host

Event ID Application

src Source IP

dst Destination IP

message Message

result Event Subtype

sev Severity
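The HBGary LEEF record above and the Gurucul CEF record in the section "Gurucul Risk Analytics log format and field mapping" share one structure: a pipe-delimited header followed by key=value pairs whose values may contain spaces. The parser below, an added example that is not McAfee, Gurucul or HBGary code, handles both and applies the two pages' field-mapping tables; the function names are mine, and the choice of which CEF key (id, cfp1, rt, duser, duid) carries each Gurucul "Log field" is read off the page's CEF log format line.

```python
"""CEF (Gurucul) and LEEF (HBGary) parsers mapped to the ESM field names in
the two tables on this page. Added example; not McAfee, Gurucul or HBGary
code. Sample lines are the ones printed on the page."""
import re

# Samples as printed on the page; note the space after "CEF:" in the first.
GURUCUL_CEF = (
    "Jun 2 18:19:40 192.168.142.84 CEF: 0|Gurucul|GRA|6.1|1|Activities|10.0| "
    "id=5 cfp1=95.0 rt=2017-04-20 12:38:00 duser=arpan bhojwani cs1=arpan "
    "cs2=bhojwani duid=arpan cs1Label=First Name cs2Label=Last Name "
    "cfp1Label=Risk Score"
)
HBGARY_LEEF = (
    "<123> 2001-01-01T01:01:01Z hostname process[1234]:LEEF:1|HBGary|"
    "Active Defense|1.2.3|Login|sev=0 user=admin dstHost=hostname "
    "dst=192.0.2.1 message=Logged In"
)

# Extension values can contain spaces ("duser=arpan bhojwani", "message=Logged
# In"), so a value runs up to the next " key=" token or the end of the string.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_extension(ext):
    """Return the key=value pairs of a CEF/LEEF extension as a dict."""
    return dict(_KV.findall(ext))


def _split_header(body, count):
    """Split on unescaped '|' into `count` header fields plus the extension;
    an escaped pipe ('\\|') inside a header field is unescaped."""
    parts = re.split(r"(?<!\\)\|", body, maxsplit=count)
    if len(parts) != count + 1:
        raise ValueError("expected %d header fields in %r" % (count, body))
    return [p.replace("\\|", "|") for p in parts[:count]] + [parts[count]]


def parse_cef(line):
    """Return (header, extension) for a syslog line carrying a CEF record."""
    at = line.find("CEF:")
    if at < 0:
        raise ValueError("no CEF record in line")
    parts = _split_header(line[at + 4:].lstrip(), 7)
    keys = ("version", "vendor", "product", "dev_version",
            "signature_id", "name", "severity")
    return dict(zip(keys, parts)), parse_extension(parts[7].strip())


def parse_leef(line):
    """Return (header, extension) for a LEEF 1.x record. LEEF 2.0's optional
    delimiter header field is not handled; the page shows version 1."""
    at = line.find("LEEF:")
    if at < 0:
        raise ValueError("no LEEF record in line")
    parts = _split_header(line[at + 5:], 5)
    keys = ("version", "vendor", "product", "dev_version", "event_id")
    return dict(zip(keys, parts)), parse_extension(parts[5].strip())


# Gurucul table. Which CEF key carries each "Log field" is read off the page's
# CEF log format line (id, cfp1, rt, duser, duid); Severity is the CEF header.
GURUCUL_EXT_TO_ESM = {
    "id": ("External_eventID",), "cfp1": ("Reputation_score",),
    "rt": ("Firsttime", "lasttime"), "duser": ("dst_username",),
    "duid": ("Destination_userID",),
}
# HBGary table: LEEF extension key -> ESM field; "Event ID" is the LEEF header.
HBGARY_EXT_TO_ESM = {
    "srcHost": ("Host",), "src": ("Source IP",), "dst": ("Destination IP",),
    "message": ("Message",), "result": ("Event Subtype",), "sev": ("Severity",),
}


def _map(ext, table, esm):
    """Copy mapped extension keys into `esm`; unmapped keys are dropped."""
    for key, value in ext.items():
        for esm_name in table.get(key, ()):
            esm[esm_name] = value
    return esm


def gurucul_to_esm(line):
    header, ext = parse_cef(line)
    esm = {"Sigdesc": header["severity"], "severity": header["severity"]}
    return _map(ext, GURUCUL_EXT_TO_ESM, esm)


def hbgary_to_esm(line):
    header, ext = parse_leef(line)
    return _map(ext, HBGARY_EXT_TO_ESM, {"Application": header["event_id"]})


if __name__ == "__main__":
    print(gurucul_to_esm(GURUCUL_CEF))
    print(hbgary_to_esm(HBGARY_LEEF))
```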

Hewlett-Packard 3Com Switches

Configure Hewlett-Packard 3Com Switches


See the product documentation for information about how to send syslog events to a remote syslog server or McAfee ESM.

Add Hewlett-Packard 3Com Switches


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Hewlett-Packard

Data Source Model 3Com Switches (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.


Hewlett-Packard 3Com Switches log format and field mapping
Log format
The expected format for this device is:

<device IP> <date time> <application> <message> <username> <source IP> <object>

Log samples
This is a sample log from a Hewlett-Packard 3Com Switch device:

[192.0.2.1] <123>Jan 1 01:01:01 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user username in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Application Application

Command Command

Source IP Address Source IP

MAC Address Source MAC

User Source User

Task Object
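The following is an added example, not code from the guide, HP or McAfee: a Python parser for the VTY_LOG line shown above that splits the Receiver prefix, the syslog PRI and the Comware-style module/level/mnemonic tag, pulls the user, source IP and MAC out of the message body into the ESM field names from the mapping table, and then counts failed Telnet logins per source address, which is the condition a brute-force correlation rule on this data source would key on. The message regex is derived from the single sample on this page, so other VTY_LOG wordings may need additional patterns; the sample lines, users, addresses and MACs are constructed for the example.

```python
import re
from collections import Counter

# Added example, not HP or McAfee code. These lines are constructed to match
# the sample in the guide; the users, addresses and MACs are made up.
SAMPLE_LINES = [
    "[192.0.2.1] <123>Jan 1 01:01:01 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user "
    "username in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    "[192.0.2.1] <123>Jan 1 01:01:05 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user "
    "admin in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    "[192.0.2.1] <123>Jan 1 01:01:09 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user "
    "root in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    "[192.0.2.1] <125>Jan 1 01:02:00 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user "
    "operator in group ops login from 192.0.2.3(0011-2233-4455) on interface.",
]

# Receiver prefix '[<device IP>]', syslog PRI, timestamp, two device tokens, then the
# Comware-style '%%10MODULE/level/MNEMONIC(l):' tag and the message body.
LINE_RE = re.compile(
    r"^\[(?P<device_ip>[\d.]+)\] <(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<sysname>\S+) \S+ "
    r"%%\d+(?P<module>[A-Z]+)/(?P<level>\d)/(?P<mnemonic>\w+)\([a-z]\):"
    r"(?P<message>.*)$"
)

# Message body: '<app> user <user> [in group [<group>]] <result> from <ip>[(<mac>)] on <iface>'.
# Built from the one sample in the guide, so other VTY_LOG variants may need extra patterns.
MSG_RE = re.compile(
    r"^- \d+ - (?P<app>[A-Z]+) user (?P<user>\S+)"
    r"(?: in group(?: (?P<group>\S+))?)?"
    r" (?P<result>failed to login|login) from "
    r"(?P<src_ip>[\d.]+)(?:\((?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\))?"
    r" on (?P<iface>[^.]+)\.?$"
)


def parse_3com(line):
    """Return the event under ESM-style field names, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "Device IP": m["device_ip"],
        "Facility": pri // 8,           # syslog PRI = facility * 8 + severity
        "Syslog Severity": pri % 8,
        "Module": m["module"],
        "Mnemonic": m["mnemonic"],
        "Message": m["message"].strip(),
    }
    mm = MSG_RE.match(event["Message"])
    if mm:                              # field names follow the mapping table above
        event.update({
            "Application": mm["app"],
            "Source User": mm["user"],
            "Source IP": mm["src_ip"],
            "Source MAC": mm["mac"],
            "Interface": mm["iface"],
            "Login Failed": mm["result"].startswith("failed"),
        })
    return event


def failed_logins_by_source(lines):
    """Count failed logins per source IP across a batch of lines."""
    counts = Counter()
    for line in lines:
        ev = parse_3com(line)
        if ev and ev.get("Login Failed"):
            counts[ev["Source IP"]] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failed logins: the condition a
    correlation rule on this data source would fire on."""
    return sorted(ip for ip, n in failed_logins_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_3com(line))
    print("brute-force candidates:", brute_force_sources(SAMPLE_LINES))
```

Feeding a day of switch syslog through `brute_force_sources` before the data source goes live is a quick way to confirm the Receiver is receiving the lines in the format the parser expects and that the user and source IP fields are populated rather than falling into the generic syslog rule.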

Hewlett-Packard LaserJet Printers

Add Hewlett-Packard LaserJet Printers


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Hewlett-Packard

Data Source Model LaserJet Printers (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS


Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clear the
checkbox to remove the distinction between imported and locally collected events.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Select this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Configure Hewlett-Packard LaserJet Printers


Send printer events to McAfee ESM.

These instructions are for FutureSmart printers. For instructions on configuring other Hewlett-Packard printers, see the product
documentation.

Task

1. Using the Web interface, access the supported HP printer through any Web browser. For example: http://<IP address of the
printer>.
2. Click the Networking tab and the Advanced sub-tab.
3. Enter the IP address of the McAfee Event Receiver in the Syslog Server field.
4. Select Enable CCC Logging to activate the logging of advanced security events.

Hewlett-Packard LaserJet Printers log format and field mapping


Log format
The expected format for this device is:

<severity> <hostname> <message>

Log sample
This is a sample log from a Hewlett-Packard LaserJet Printers device:

<13> printer: paper out

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Host

Hewlett-Packard ProCurve

Configure Hewlett-Packard ProCurve


The syslog configuration is performed at the command line. See the ProCurve documentation provided by Hewlett-Packard for
more information about how to access and use the command line interface.

Task

Enter this command to add a syslog server:

logging <ip_address>

Replace <ip_address> with the IP address of the McAfee Event Receiver.

Add Hewlett-Packard ProCurve


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Hewlett-Packard

Data Source Model ProCurve (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.


Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clear the
checkbox to remove the distinction between imported and locally collected events.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Select this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Hewlett-Packard ProCurve log format and field mapping


Log format
The expected format for this device is:

<date time> <device name> <message>

Log sample
This is a sample log from a Hewlett-Packard ProCurve device:

Jan 01 01:01:01 procurve.com/ procurve.com ABC_1234, Interface ethernet 1/01, state up

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

Application Application

IP Protocol Protocol

Source IP Source IP

Destination IP Destination IP

Source Port Source Port

Destination Port Destination Port

Action / State Event Subtype

HyTrust Appliance

Configure HyTrust Appliance


Task

1. Open the HyTrust Appliance application.


2. Navigate to Configuration → Logging.
3. Select Capture from the Logging Level drop-down list.
4. In the HTA Logging Aggregation field, select External.
5. Select Proprietary in the Logging Aggregation Template Type field.
6. In the HTA Syslog Servers field, type the IP address or host name and port number of the McAfee Event Receiver, using this
format:

IPaddress:port

-or-

hostname:port

7. Ensure Encrypt Syslog is cleared. The appliance then sends syslog in clear text, so leave Require Syslog TLS disabled on
the matching data source in the receiver (with it enabled, the Receiver does not accept plaintext syslog from this source)
and keep the path between the appliance and the Receiver on a trusted management network.


8. Click Apply.

Add HyTrust Appliance


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor HyTrust

Data Source Model Appliance (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.


Syslog Relay None

Mask leave default (32)

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clear the
checkbox to remove the distinction between imported and locally collected events.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Select this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

HyTrust Appliance log format and field mapping


Log format
The expected format for this device is:

<PRI> Date HTA-FQDN Facility:Error_Type : HTA-log-message-code Source: src_ip Msg

Log sample
This is a sample log from a HyTrust Appliance device:


<174>Feb 15 19:17:44 hta3a.testdrive.hytrust.com local5:INFO : ARC0005I Job scheduled to run Feb 15, 2012 7:17:44 PM on 101.652.04.10 is started at Feb 15, 2012 7:17:44 PM.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

HTA-log-message-code Message_ID.Message_ID

IBM

Configure IBM Guardium


Task

1. From the Guardium CLI command line, enter this command:

store remote log add daemon.* 192.168.2.1 tcp

where 192.168.2.1 is the IP address of the McAfee Event Receiver.

2. Log on to the Guardium UI with admin permissions.


3. Select the Administration Console tab.
4. Navigate to Configuration and select Global Profile.
5. In the Message Template text area, enter one of these options.

• Standard syslog format:

<pri>Date Time Username Application[pid]: Alert based on rule ID ruleDescription|Category: category|
Classification: classification|Severity severity|Rule # ruleID [ruleDescription ]|Request Info: [Session
start: sessionStart]|Server Type: serverType|Client IP clientIP|ServerIP:serverIP|Client PORT: clientPort|
Server Port: serverPort|Net Protocol:netProtocol|DB Protocol: DBProtocol|DB Protocol Version:
DBProtocolVersion|DBUser: DBUser|Application User Name AppUserName|Source Program: SourceProgram|
Authorization Code: AuthorizationCode|Request Type: requestType|Last Error: lastError|SQL: SQLString|To add
to baseline: addBaselineConstruct

• CEF format:

CEF:0|IBM|Guardium|7.0|%%ruleID|%%ruleDescription|5|rt=%%receiptTimeMills cs1=%%severity cs1Label=Severity
cs2=%%serverType cs2Label=Server Type cs3=%%classification cs3Label=Classification cat=%%category
app=%%DBProtocol cs4=%%DBProtocolVersion cs4Label=DB Protocol Version suser=%%AppUserName
sproc=%%SourceProgram act=%%requestType start=%%sessionStartMills externalId=%%violationID
duser=%%DBUser dst=%%serverIP dpt=%%serverPort src=%%clientIP spt=%%clientPort proto=%%netProtocol
msg=%%SQLString

Add IBM Guardium


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor IBM

Data Source Model Guardium

Data Format Default

Data Retrieval SYSLOG (Default)


Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clear the
checkbox to remove the distinction between imported and locally collected events.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Select this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Configure IBM WebSphere Application Server


By default, basic logging is enabled in IBM WebSphere Application Server. However, you can also change the log level settings to
produce higher and lower volumes of logs based on the log severity level (for example, fatal, severe, warning, detail, and all).

All logging levels are supported. For more information about how to change the log level settings, see the product
documentation provided by IBM for your version of WebSphere Application Server.

Add IBM WebSphere Application Server


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor IBM

Data Source Model WebSphere Application Server

Data Format Default

Data Retrieval SCP

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Port 22

Number of lines per record 1

File copy timeout 30

Login timeout 30

Interval 5

File Completion 15 seconds

Delete processed files Select to delete log files from the application server after the Receiver has copied
them. The Receiver's copy then becomes the only one, so leave this cleared if the server's own log
retention is still needed.

Path The path to the log files.

In Linux, UNIX, AIX, and Solaris, the default path is:

“/opt/IBM/WebSphere/AppServer/profiles/name_of_profile/logs/server1”

In Windows, the default path is:

“C:\IBM\WebSphere\AppServer\profiles\name_of_profile\logs\server1” where
“name_of_profile” is the name of the WebSphere Application Server profile, and
“server1” is the name of the application server instance.

Wildcard expression System*.log


Username The logon for the computer that runs the server (a user name with sufficient
permissions on the server running IBM WebSphere Application Server). The Receiver stores this
credential and logs in over SSH at every interval, so use a dedicated account with read-only
access to the log directory rather than an administrative one.

Password The password for the specified user name.

Time Zone Time zone of data being sent.

Support Generic Syslogs Do nothing

5. Test the connection. If the test returns “test connection successful”, the device is configured correctly.
6. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clear the
checkbox to remove the distinction between imported and locally collected events.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Select this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

IBM WebSphere Application Server log format and field mapping
Log format
Here is the basic logging format listed in the IBM documentation. The advanced logging format and tracing logs are not currently
supported. The expected format for this device is:

<timestamp><threadId><shortName><eventType>[className][methodName]<message>


Log sample
This is a sample log from an IBM WebSphere Application Server device:

[5/25/15 23:24:25:123 EDT] 00000001 BatchSensorCo I CWLRB5903I: BatchSensorComponent initialized successfully.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

timestamp First Time, Last Time

threadId External_SessionID

shortname Message (modified by data source rules)

shortname (hashed) Signature ID

eventType Severity

classname External_Application

methodName Method

Set by DSR Event Subtype

IBM Websphere Application Server supported facilities


These facilities are currently supported, and provide more descriptive information when parsed by the McAfee ESM.

ACIN, ACWA, ADFS, ADMC, ADMN, ADMR, ASYN, CHFW, CNTR, CSCP, CWLDD, CWLRB, CWLRS, CWNEN, CWOAU, CWPKI, CWPMI,
CWRCB, CWRLS, CWSCT, CWSID, CWSIU, CWWJP, CWXRS, DYNA, FFDC, HMGR, I18N, IVTL, NMSV, OBPL, PLGC, RASD, SCHD,
SECJ, SESN, SRVE, STUP, TCPC, TRAS, UTLS, WACS, WAR, WKSP, WMSG, WSSC, WSVR, WSWS, WTRN
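The following is an added example, not code from the guide, IBM or McAfee: a Python parser for the basic SystemOut.log format and field mapping described above. It shows three things a practitioner checks before relying on this data source: the timestamp is read according to the Date Order setting (the basic format gives no hint whether 5/25/15 is month/day or day/month, so the parser takes that as a parameter the way the Receiver does); the facility prefix of each message code is checked against the supported list above; and stack-trace continuation lines are folded into the entry they belong to, which is what is lost when Number of lines per record is 1. The log text is constructed for the example (the first line is the guide's sample with the column padding WebSphere writes; the other lines and the message codes SECJ0001E and XXXX0002W are made up), the severity labels follow WebSphere's event-type letters rather than any documented ESM severity number, and the hash used for Signature ID is an assumption, since the guide says shortName is hashed but not how.

```python
import hashlib
import re
from datetime import datetime

# Added example, not IBM or McAfee code. The text is constructed in the basic
# SystemOut.log format shown in the guide: the first line is the guide's sample
# (with the column padding WebSphere writes); the others, including the message
# codes SECJ0001E and XXXX0002W, are made up for the example.
SAMPLE_SYSTEMOUT = (
    "[5/25/15 23:24:25:123 EDT] 00000001 BatchSensorCo I   CWLRB5903I: BatchSensorComponent initialized successfully.\n"
    "[5/25/15 23:24:26:001 EDT] 0000002a SecurityAudit E   SECJ0001E: constructed sample: authentication failed for user bob\n"
    "\tat com.example.Auth.login(Auth.java:42)\n"
    "[5/25/15 23:24:27:500 EDT] 0000002a AppStartup    W   XXXX0002W: constructed sample: message code with an unknown prefix\n"
)

# Facility prefixes the guide lists as supported by the ESM parser.
SUPPORTED_FACILITIES = frozenset(
    "ACIN ACWA ADFS ADMC ADMN ADMR ASYN CHFW CNTR CSCP CWLDD CWLRB CWLRS CWNEN CWOAU CWPKI CWPMI "
    "CWRCB CWRLS CWSCT CWSID CWSIU CWWJP CWXRS DYNA FFDC HMGR I18N IVTL NMSV OBPL PLGC RASD SCHD "
    "SECJ SESN SRVE STUP TCPC TRAS UTLS WACS WAR WKSP WMSG WSSC WSVR WSWS WTRN".split()
)

# Event-type letter -> severity label (WebSphere's I/W/E/F/A conventions). The numeric
# ESM severity the data source rules assign is not documented here, so labels are used.
SEVERITY = {"I": "informational", "A": "audit", "W": "warning", "E": "error", "F": "fatal"}

# <timestamp><threadId><shortName><eventType><message>, message optionally led by a
# message code such as CWLRB5903I. DOTALL lets a folded stack trace stay in the message.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{1,2}/\d{1,2}/\d{2,4}) (?P<time>\d{1,2}:\d{2}:\d{2}):(?P<ms>\d{3}) (?P<tz>\S+)\] "
    r"(?P<thread>[0-9A-Fa-f]{8}) (?P<short>\S+)\s+(?P<type>[A-Z])\s+"
    r"(?:(?P<code>[A-Z][A-Z0-9]{2,4}\d{4}[A-Z]):\s+)?(?P<message>.*)$",
    re.DOTALL,
)


def parse_timestamp(date, time, ms, day_before_month=False):
    """Honour the data source's Date Order setting: 5/25/15 is only valid as month/day,
    but 1/2/15 parses either way, so the caller must say which order the server writes."""
    first, second, year = date.split("/")
    month, day = (second, first) if day_before_month else (first, second)
    fmt = "%Y" if len(year) == 4 else "%y"
    return datetime.strptime(f"{year}-{month}-{day} {time}.{ms}", f"{fmt}-%m-%d %H:%M:%S.%f")


def signature_id(short_name):
    """Stable numeric ID derived from shortName. The guide says shortName is hashed
    for Signature ID but not how; SHA-256 truncated to 31 bits is an assumption."""
    return int(hashlib.sha256(short_name.encode()).hexdigest()[:8], 16) & 0x7FFFFFFF


def split_records(text):
    """Group continuation lines (stack traces) with the entry that produced them.
    With 'Number of lines per record' set to 1, each such line becomes its own event."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def parse_record(record, day_before_month=False):
    """Map one log record to ESM-style field names, or None if it is not in basic format."""
    m = LINE_RE.match(record)
    if not m:
        return None
    code = m["code"]
    facility = code[:-5] if code else None      # letters before the 4-digit number and suffix
    ts = parse_timestamp(m["date"], m["time"], m["ms"], day_before_month)
    return {
        "First Time": ts,
        "Last Time": ts,
        "Time Zone": m["tz"],                    # the receiver's Time Zone setting resolves this
        "External_SessionID": m["thread"],
        "Message": m["message"],
        "Message Code": code,
        "Facility": facility,
        "Facility Supported": facility in SUPPORTED_FACILITIES,
        "Severity": SEVERITY.get(m["type"], "unknown"),
        "Signature ID": signature_id(m["short"]),
    }


def parse_systemout(text, day_before_month=False):
    """Parse a SystemOut.log excerpt into a list of events, skipping unparseable records."""
    parsed = (parse_record(rec, day_before_month) for rec in split_records(text))
    return [ev for ev in parsed if ev]


if __name__ == "__main__":
    for ev in parse_systemout(SAMPLE_SYSTEMOUT):
        print(ev["First Time"], ev["Severity"], ev["Facility"], ev["Facility Supported"], ev["Message"][:60])
```

Running the parser over a SystemOut.log pulled from the server with the Date Order the server actually uses, and looking at the share of records whose facility is not in the supported set, tells you how much of the log will land on the generic rule before the Receiver starts collecting.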

IBM Guardium log format and field mapping


Log format
The expected syslog format for this device is:


<pri>Date Time Username Application[pid]: Alert based on rule ID ruleDescription|Category: category|
Classification: classification|Severity severity|Rule # ruleID [ruleDescription ]|Request Info: [Session
start: sessionStart]|Server Type: serverType|Client IP clientIP|ServerIP:serverIP|Client PORT: clientPort|
Server Port: serverPort|Net Protocol:netProtocol|DB Protocol: DBProtocol|DB Protocol Version:
DBProtocolVersion|DBUser: DBUser|Application User Name AppUserName|Source Program: SourceProgram|
Authorization Code: AuthorizationCode|Request Type: requestType|Last Error: lastError|SQL: SQLString|To add
to baseline: addBaselineConstruct

The expected CEF format for this device is:

CEF:0|IBM|Guardium|8.0|%%ruleID|%%ruleDescription|5|rt=%%receiptTimeMills cs1=%%severity cs1Label=Severity
cs2=%%serverType cs2Label=Server Type cs3=%%classification cs3Label=Classification cat=%%category
app=%%DBProtocol cs4=%%DBProtocolVersion cs4Label=DB Protocol Version suser=%%AppUserName
sproc=%%SourceProgram act=%%requestType start=%%sessionStartMills externalId=%%violationID
duser=%%DBUser dst=%%serverIP dpt=%%serverPort src=%%clientIP spt=%%clientPort proto=%%netProtocol
msg=%%SQLString

Log sample
This is a sample syslog log from an IBM Guardium device:

<13>Jan 01 01:01:01 usr123456 guard_sender[0001]: Alert based on rule ID log full sql - US DBAs
Oracle#012Category: Classification: Severity INFO #012Rule # 20251 [log full sql - US DBAs
Oracle ]#012Request Info: [ Session start: 2001-01-01 01:01:01 Server Type: ORACLE Client: 192.0.2.1
(DEVICENAME1000) Server: 192.0.2.1 (DEVICENAME1000) Client PORT: 0001 Server Port: 0 Service Name:
SERVICEOAX1111 Net Protocol: NetProtocolName Protocol: ProtocolName Protocol Version: 9.99 User:
sys#012Application User Name :PU=SYS#012Source Program: Application Authorization Code: 0 Request Type:
BIND_DATA Last Error: #012SQL: begin sys . command_name . Command_Name ( l0row_id => 11111 , l0row_stamp =>
22222222 , row_id => 11111 , row_stamp => 22222222 , txt => 'backup piece handle=/Filepath/ recid=11111
stamp=22222222' , sameline => 0.00 ) ; end ;#012 To add to baseline:

This is a sample CEF log from an IBM Guardium device:

<13>Jan 1 01:01:01 usr123456 guard_sender[0001]: CEF:0|IBM|Guardium|8.0|20322|log full sql - US DBAs MSSQL|
5|rt=1420074061000 cs1=INFO cs1Label=Severity cs2=MS SQL SERVER cs2Label=Server Type cs3=
cs3Label=Classification cat= app=TDS cs4=8.0 cs4Label=DB Protocol Version suser= sproc= act=SQL_RPC
start=1420074061000 externalId=123456789 duser=user2 dst=10.10.10.10 dpt=1234 src=10.10.10.11 spt=1234
proto=TCP msg= [ISDB].[dbo].[sp_ISDB_Obj_AD_AuditEvents_Insert] 'user2','usr123456','Logoff','AMC'

Field mapping
This table shows the mapping between the data source and McAfee ESM.

Log fields McAfee ESM

Application Application

Severity Severity

ClientIP Source IP

ClientPort Source Port


ServerIP Destination IP

ServerPort Destination Port

DB user Source User

Application User Destination User

Net Protocol Protocol

Category Category

Server Destination_Hostname

ExternalID External_EventID

Partition File_Path

Time, Start, Session Start First Time, Last Time

Host Host

msg Message_Text, Rule Name, SQL_Statement

ObjectID Object

PID PID

Rule # Policy_ID

Rule Name Policy_Name

sproc Process_Name

Act, Request Type Request_Type


SID Signature ID

SQL SQL_Statement
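The following is an added example, not code from the guide, IBM or McAfee: a Python parser for the Guardium CEF line shown above that splits the seven-field CEF header while honouring the backslash escapes CEF allows for `|` in the header and `=` in the extension, reads the extension as key=value pairs whose values may contain spaces (as `cs2=MS SQL SERVER` does), resolves the `csN`/`csNLabel` pairs into their labels, and then renames the fields to the ESM names from the mapping table above. The sample line is constructed from the one on this page (hosts, users, addresses and the SQL text are made up). Reading `start` as First Time and `rt` as Last Time is one interpretation of the table's "Time, Start, Session Start" row, and the CEF signature id and name are taken as Rule # and Rule Name (Policy_ID and Policy_Name); both are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Added example, not IBM or McAfee code. The line is constructed to match the
# CEF sample in the guide; hosts, users, addresses and the SQL text are made up.
GUARDIUM_CEF = (
    "<13>Jan 1 01:01:01 usr123456 guard_sender[0001]: "
    "CEF:0|IBM|Guardium|8.0|20322|log full sql - US DBAs MSSQL|5|"
    "rt=1420074061000 cs1=INFO cs1Label=Severity cs2=MS SQL SERVER cs2Label=Server Type "
    "cs3= cs3Label=Classification cat= app=TDS cs4=8.0 cs4Label=DB Protocol Version "
    "suser= sproc= act=SQL_RPC start=1420074061000 externalId=123456789 duser=user2 "
    "dst=10.10.10.10 dpt=1234 src=10.10.10.11 spt=1234 proto=TCP "
    "msg= [ISDB].[dbo].[sp_ISDB_Obj_AD_AuditEvents_Insert] 'user2','usr123456','Logoff','AMC'"
)

# '<PRI>Mon dd hh:mm:ss host app[pid]: CEF:...' as the Guardium sender writes it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[: ]+)\[(?P<pid>\d+)\]: (?P<body>CEF:.*)$"
)
# An extension key is an alphanumeric token at the start or after whitespace, directly
# followed by '='. An escaped '\=' inside a value therefore never starts a new key.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# CEF extension key -> McAfee ESM field, following the mapping table for this data source.
ESM_MAP = {
    "src": "Source IP", "spt": "Source Port",
    "dst": "Destination IP", "dpt": "Destination Port",
    "duser": "Source User",           # DB user -> Source User (per the table)
    "suser": "Destination User",      # Application User -> Destination User (per the table)
    "proto": "Protocol", "cat": "Category", "app": "Application",
    "externalId": "External_EventID", "act": "Request_Type",
    "sproc": "Process_Name", "msg": "SQL_Statement",
    "Severity": "Severity",           # resolved from cs1 / cs1Label
}


def _unescape(text):
    # CEF escapes '|' (header), '=' (extension) and '\' with a backslash; \n and \r are line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)


def split_cef(body):
    """Split 'CEF:0|vendor|product|version|sigid|name|severity|ext' into the seven
    header fields and the extension string, leaving escaped '\\|' inside fields."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    return [_unescape(f) for f in fields], body[i:]


def parse_extension(ext):
    """Parse the extension into a dict; values run up to the next key and may be empty."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for key, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[key[1]] = _unescape(ext[key.end():end].strip())
    for key in [k for k in out if re.fullmatch(r"c[sn]\d+", k)]:   # csN/cnN + label -> label
        label = out.pop(key + "Label", None)
        if label:
            out[label] = out.pop(key)
    return out


def to_esm(line):
    """Normalise one Guardium CEF syslog line into ESM-style field names, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    header, ext_text = split_cef(m["body"])
    ext = parse_extension(ext_text)
    event = {
        "Host": m["host"],
        "PID": int(m["pid"]),
        "Policy_ID": header[4],        # CEF signature id carries %%ruleID (Rule #)
        "Policy_Name": header[5],      # CEF name carries %%ruleDescription (Rule Name)
        "CEF Severity": int(header[6]),
    }
    for key, field in ESM_MAP.items():
        if key in ext:
            event[field] = ext[key]
    for field in ("Source Port", "Destination Port"):
        if str(event.get(field, "")).isdigit():
            event[field] = int(event[field])
    # rt / start are epoch milliseconds (receiptTimeMills, sessionStartMills).
    for key, field in (("start", "First Time"), ("rt", "Last Time")):
        if ext.get(key, "").isdigit():
            event[field] = datetime.fromtimestamp(int(ext[key]) / 1000, tz=timezone.utc)
    return event


if __name__ == "__main__":
    for field, value in to_esm(GUARDIUM_CEF).items():
        print(f"{field:18} {value!r}")
```

The empty `cat=`, `cs3=`, `suser=` and `sproc=` values in the sample are why a parser has to treat "value runs up to the next key" rather than splitting on spaces; the same rule is what keeps a multi-word SQL statement in `msg` intact.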

Imperva

Add Imperva
Add the data source to a receiver.

Before you begin
Configure Imperva to send CEF. See the Imperva web site for instructions.

Note: This link refers to third-party documentation. McAfee doesn't maintain or verify the content.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Imperva

Data Source Model WAF/ DAM - CEF

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignments User Defined 1

Time Zone Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device
                            URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear
                            the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported, the
                            ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Select this option when the raw data source data you are importing is in NitroFile
                            format.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is
                            NitroFile is selected for each of the data sources you are importing. This
                            indicates that the file is in NitroFile format. If you import them manually, you
                            must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data
                            source has a checksum file. The checksum catches accidental corruption only: anyone
                            who can replace the export can replace the checksum file with it, so it is not a
                            signature and does not prove who produced the data.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it.
                            The only exception is when you are importing a data source file that doesn't have
                            a checksum file, but you want to view it anyway.

Imperva field mapping

This table shows the mapping between the data source and McAfee ESM fields.

Log fields                      McAfee ESM fields
start                           firsttime, lasttime
src                             src_ip
cpt                             src_port
sip                             dst_ip
spt                             dst_port
request                         URL
app                             Application_Protocol
deviceExternalId                External_Device_ID
Customer                        UserIDSrc
sourceServiceName               HostID
act                             action
cs9                             Signature_Name
fileType                        Event_Class
requestClientApplication        User_Agent
fileId                          External_SessionID
suid                            Source_Logon_ID
xff                             NAT_Details.NAT_Address
siteid                          External_Hostname
suser                           username

Indegy

Configure Indegy
Set up Indegy to send events to McAfee ESM.

Task

1. From the Policies menu, select the Servers tab, then select the Syslog Servers tab.
2. Click +Add Syslog Server.
3. In the Server Name field, enter the name of the Syslog Server.
4. In the Hostname\IP field, enter a host name or an IP address of the Syslog server.
5. In the Port field, enter the port number on the Syslog server.
6. In the Transport field, enter the transport protocol.
7. Click Send Test Message and verify that the message arrived.
8. Configure Indegy policies to log events to McAfee ESM. See Indegy documentation for detailed instructions.

Results

Indegy begins sending data to McAfee ESM.


Add Indegy
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Indegy
Data Source Model           Indegy Security Platform
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your
                            data source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of the data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        0
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Port                        514
Support Generic Syslogs     Do nothing.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device
                            URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear
                            the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported, the
                            ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Select this option when the raw data source data you are importing is in NitroFile
                            format.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is
                            NitroFile is selected for each of the data sources you are importing. This
                            indicates that the file is in NitroFile format. If you import them manually, you
                            must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data
                            source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it.
                            The only exception is when you are importing a data source file that doesn't have
                            a checksum file, but you want to view it anyway.

Indegy log format and field mapping

Log format

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Example log

2019-01-01T12:00:00.012Z,192.168.2.1,192.168.2.2 CEF:0|Indegy|Indegy Security Platform|1.2.3|30|Baseline Deviation|2|dvchost=indegy rt=Jan 01 2019 12:00:00 duser=192.168.2.3 suser=Sample User proto=UDP dst=192.168.2.4 src=192.168.2.5 dpt=123456


Field mapping
This table shows the mapping between the data source and McAfee ESM fields. The log-field column holds the CEF
header and extension keys as they appear in the example log above.

Log fields                      McAfee ESM fields
CEF.EventName                   msg
CEF.Severity                    severity
src                             src_ip
spt                             src_port
smac                            src_mac
dst                             dst_ip
dpt                             dst_port
dmac                            dst_mac
dvchost                         External_Hostname
suser                           UserIDSrc
duser                           UserIDDst
proto                           Application_Protocol
outcome                         Status
value_change                    Old_Value
signature_id                    norm_sigid
bytesIn                         Bytes_Received

Infoblox NIOS

Configure Infoblox NIOS


Task

1. Do one of the following:

• From the Grid perspective, click grid → Edit → Grid Properties


• From the Device perspective, click hostname → Edit → Device Properties

2. In the Grid or Device editor, click Monitoring, then define these options.

• Enable external syslog server: Select this to enable the Infoblox device to send messages to the specified syslog
server.
• Syslog Server Group: To define one or more syslog servers click Add, enter the following, then click OK:

• Server Address: Enter the IP address of the syslog server.


• Connection Type: Specify whether the device uses TCP or UDP to connect to the external syslog server.
• Port: Specify the destination port number (standard port is 514).
• Out Interface: Specify the interface where the device sends syslog messages to the syslog server.
• Severity Filter: Select a filter from the drop-down list.
• Message Source: Specify which syslog messages the device sends to the external syslog server:

• Internal: Device sends the syslog messages that it generates.


• External: Device sends the syslog messages that it receives from other devices, such as syslog servers
and routers.
• Any: Device sends both internal and external syslog messages.

• Copy audit log messages to syslog: Select this to have the Infoblox device include audit log messages with the
messages it sends to the syslog server. This is useful for monitoring administrative activity on multiple devices
from a central location.
• Audit Log Facility: Select the facility where you want the syslog server to sort the audit log messages.

3. Click the Save icon to save your settings.

Add Infoblox NIOS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Infoblox
Data Source Model           NIOS (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your
                            data source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of the data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing.
Time Zone                   Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device
                            URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear
                            the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported, the
                            ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Select this option when the raw data source data you are importing is in NitroFile
                            format.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is
                            NitroFile is selected for each of the data sources you are importing. This
                            indicates that the file is in NitroFile format. If you import them manually, you
                            must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data
                            source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it.
                            The only exception is when you are importing a data source file that doesn't have
                            a checksum file, but you want to view it anyway.

Configure Syslog for a grid member


Task

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, then define these options.

• Override grid syslog settings: Select to override grid-level syslog settings and apply member-level settings.
• Enable external syslog server: Select to enable the Infoblox device to send messages to a specified syslog server.
• Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:

• Server Address: Type the IP address of a syslog server.


• Connection Type: Specify whether the device uses TCP or UDP to connect to the external syslog-server.
• Port: Specify the destination port number.
• Out Interface: Specify the interface where the device sends syslog messages to the syslog server.
• Severity Filter: Choose a filter from the drop-down list.

• Message Source: Specify which syslog messages the device sends to the external syslog server:

• Internal: The device sends the syslog messages that it generates.


• External: The device sends the syslog messages that it receives from other devices.
• Any: The device sends both internal and external syslog messages.

• Enable syslog proxy: Select to enable the device to receive syslog messages from other devices, such as syslog
servers and routers, then forward these messages to an external syslog server.
• Enable listening on TCP: Select if the device uses TCP to receive messages from other devices.

• Port: Enter the port number where the device receives syslog messages from other devices.

• Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, then click OK:

• IP Address option: Select IP Address to add the IP address of a device, or select Network to add the
network address of a group of devices.

• Address: Enter the IP address of the device or network.


• Subnet Mask: If you entered a network IP address, you must also enter its subnet mask.

3. Click the Save icon to save your settings.

Infocyte

Add Infocyte HUNT


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Infocyte
Data Source Model           HUNT
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your
                            data source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of the data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        0
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Port                        514
Support Generic Syslogs     Do nothing.
Generic Rule Assignments    User Defined 1
Time Zone                   Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device
                            URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear
                            the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported, the
                            ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Select this option when the raw data source data you are importing is in NitroFile
                            format.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is
                            NitroFile is selected for each of the data sources you are importing. This
                            indicates that the file is in NitroFile format. If you import them manually, you
                            must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data
                            source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it.
                            The only exception is when you are importing a data source file that doesn't have
                            a checksum file, but you want to view it anyway.

Infocyte HUNT log format and field mapping

Log format
Logs are CEF formatted.

CEF:0|Infocyte|HUNT|1.0.0.178|Infocyte-2022|Test Log Message|2|av=1/74 flagName= sha1=290093ed5fdf56b0896aebd1e2d498b0e554d697 sha256=69061e33acb7587d773d05000390f9101f71dfd6eed7973b551594eaf3f04193 path=c:\program files (x86)\google\update\googleupdate.exe shost=w12-01-infected.ca.galactica.int sip=10.17.10.26 persistance=Service scan=Infected-20181212-1856 isSigned=true fileSize=153168 isManaged=false synapseScore=1.0904 ssdeep=3072:uYtZ2JylzQkBv9ahxzHyZtrFgLAQB+jldaE//Rnkn+YGb8R1sYlP8h/7YAlqLr85:QG1 regPath=System\CurrentControlSet\Services regValue=c:\program files (x86)\google\update\googleupdate.exe

Field mapping

Log fields                      McAfee ESM fields
eventId                         sid
CEF.EventName                   msg
sev                             severity
sip                             src_ip
synapseScore                    Spam_Score
shost                           hostname
fileSize                        File_Size
pid                             PID
regPath                         Registry_Key
regValue                        Registry_Value
user                            UserIDSrc
path                            Destination_Filename
flagName                        Category
av                              Status

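The Imperva, Indegy and Infocyte HUNT sources above all arrive as CEF, and the three mapping tables only make sense once the line has been split correctly: the header is pipe-delimited with backslash-pipe and double-backslash as escapes, and the extension is a run of key=value pairs whose values may contain spaces (Sample User, Test Log Message) and the escapes backslash-equals, double-backslash, \n and \r. The following is an added example, not code from the McAfee guide or from any of the three vendors. It parses a CEF line the way a receiver must, then renames keys with the guide's own tables. The CEF.* names for header fields, the assumption that the Infocyte rows eventId and sev refer to the CEF header signature ID and severity, and the sample lines (constructed from the guide's printed examples) are this example's own.

```python
r"""
Added example; not code from the McAfee guide or from Imperva, Indegy or
Infocyte.  Parses one CEF line (pipe-delimited header where \| and \\ are
escapes, then a key=value extension whose values may contain spaces and the
escapes \= \\ \n \r) and renames keys with the guide's mapping tables.  The
CEF.* header names are this example's own convention; the sample lines are
constructed from the guide's printed examples.
"""
import re
from typing import Dict, List, Tuple

HEADER_NAMES = ["CEF.Version", "CEF.Vendor", "CEF.Product", "CEF.DeviceVersion",
                "CEF.SignatureID", "CEF.EventName", "CEF.Severity"]

# Log field -> ESM field, transcribed from the guide's tables (the Indegy table
# is printed ESM-first and is reversed here).  Assumption: the Infocyte rows
# 'eventId' and 'sev' denote the CEF header signature ID and severity.
MAPPINGS: Dict[str, Dict[str, str]] = {
    "Imperva": {
        "start": "firsttime,lasttime", "src": "src_ip", "cpt": "src_port",
        "sip": "dst_ip", "spt": "dst_port", "request": "URL",
        "app": "Application_Protocol", "deviceExternalId": "External_Device_ID",
        "Customer": "UserIDSrc", "sourceServiceName": "HostID", "act": "action",
        "cs9": "Signature_Name", "fileType": "Event_Class",
        "requestClientApplication": "User_Agent", "fileId": "External_SessionID",
        "suid": "Source_Logon_ID", "xff": "NAT_Details.NAT_Address",
        "siteid": "External_Hostname", "suser": "username"},
    "Indegy": {
        "CEF.EventName": "msg", "CEF.Severity": "severity", "src": "src_ip",
        "spt": "src_port", "smac": "src_mac", "dst": "dst_ip", "dpt": "dst_port",
        "dmac": "dst_mac", "dvchost": "External_Hostname", "suser": "UserIDSrc",
        "duser": "UserIDDst", "proto": "Application_Protocol", "outcome": "Status",
        "value_change": "Old_Value", "signature_id": "norm_sigid",
        "bytesIn": "Bytes_Received"},
    "Infocyte": {
        "CEF.SignatureID": "sid", "CEF.EventName": "msg", "CEF.Severity": "severity",
        "sip": "src_ip", "synapseScore": "Spam_Score", "shost": "hostname",
        "fileSize": "File_Size", "pid": "PID", "regPath": "Registry_Key",
        "regValue": "Registry_Value", "user": "UserIDSrc",
        "path": "Destination_Filename", "flagName": "Category", "av": "Status"},
}

_CEF_START = re.compile(r"CEF:(\d+)\|")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # token directly followed by '='
_EXT_ESC = re.compile(r"\\([\\=nr])")                  # the four escapes CEF allows


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the extension text. Text before
    'CEF:' (the syslog prefix in the Indegy sample) is skipped, and an escaped
    pipe inside a header field is kept as a literal pipe, not a separator."""
    m = _CEF_START.search(line)
    if m is None:
        raise ValueError("no CEF header in line")
    rest, fields, buf, i = line[m.end():], [m.group(1)], [], 0
    while i < len(rest) and len(fields) < 7:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):        # \| or \\ : keep the next char
            buf.append(rest[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, rest[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    r"""Split 'k=v k2=v2'. A key is a token immediately followed by '=' at the
    start or after whitespace; everything up to the next key is the value, so
    spaces survive and an escaped '\=' inside a value is not a separator."""
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = _EXT_ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line: str) -> Dict[str, str]:
    header, ext = split_header(line)
    fields = dict(zip(HEADER_NAMES, header))
    fields.update(parse_extension(ext))
    return fields


def to_esm(line: str, source: str) -> Dict[str, str]:
    """Rename the parsed fields for the named data source (the receiver knows
    the source from the sender, not from the vendor string). Keys the guide
    does not map keep their CEF name so nothing is silently dropped; a
    comma-separated target (Imperva 'start') fans out to every field listed."""
    mapping, esm = MAPPINGS[source], {}
    for key, val in parse_cef(line).items():
        for target in mapping.get(key, key).split(","):
            esm[target] = val
    return esm


# Constructed after the guide's printed examples (the Infocyte line shortened).
INDEGY_SAMPLE = ("2019-01-01T12:00:00.012Z,192.168.2.1,192.168.2.2 CEF:0|Indegy|"
                 "Indegy Security Platform|1.2.3|30|Baseline Deviation|2|dvchost=indegy "
                 "rt=Jan 01 2019 12:00:00 duser=192.168.2.3 suser=Sample User proto=UDP "
                 "dst=192.168.2.4 src=192.168.2.5 dpt=123456")
INFOCYTE_SAMPLE = ("CEF:0|Infocyte|HUNT|1.0.0.178|Infocyte-2022|Test Log Message|2|av=1/74 "
                   "flagName= sha1=290093ed5fdf56b0896aebd1e2d498b0e554d697 "
                   "path=c:\\program files (x86)\\google\\update\\googleupdate.exe "
                   "shost=w12-01-infected.ca.galactica.int sip=10.17.10.26 fileSize=153168 "
                   "regPath=System\\CurrentControlSet\\Services")

if __name__ == "__main__":
    for name, sample in (("Indegy", INDEGY_SAMPLE), ("Infocyte", INFOCYTE_SAMPLE)):
        print(name, to_esm(sample, name))
```

Two things worth noticing when you run it against the printed Infocyte line: the empty flagName= value comes through as an empty Category rather than swallowing the following sha1 key, and the Windows paths survive because only the four escapes CEF defines are decoded. That second point cuts both ways: a sender that does not escape backslashes will have any \n or \r inside a path (c:\new\report.txt) decoded as a line break by a conforming parser, so check the vendor's output for escaping before trusting Destination_Filename or Registry_Key in a correlation rule.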

InterSect Alliance Snare for Windows

Configure InterSect Alliance Snare for Windows


Task

1. In the Windows Start menu, navigate to the Intersect Alliance folder in the programs listing, then open Snare for
Windows. The open-source version of the software includes Open Source in the title. This opens your default browser and
takes you to a web interface running on the local host.
2. In the upper left, click Network Configuration.
3. In the Destination Snare Server address field, enter the IP address of your McAfee Event Receiver.
4. In the Destination Port field, enter the port number used for sending syslog to your McAfee Event Receiver (default is 514).
5. Select Enable SYSLOG Header? to have syslog headers included with events.
6. (Optional) If using the Enterprise version of Snare, you can use the Coordinated UTC feature. This changes the time stamps
in the logs to UTC. If you enable this feature, you must set the time zone for this data source in McAfee ESM to Greenwich
Mean Time.
7. Click Change Configuration when done.

Add InterSect Alliance Snare for Windows


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          InterSect Alliance
Data Source Model           Snare for Windows (ASP)
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your
                            data source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of the data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing.
Time Zone                   Time zone of the data being sent (Greenwich Mean Time if using the Coordinated
                            Universal Time feature in Snare).

Note

The Open Source version of Snare does not support coordinated UTC. Events delivered by Snare contain time stamps
based on the time zone of the localhost from which they were sent. For coordinated UTC support, use the Enterprise
version of Snare for Windows.

5. (Optional) Click Advanced and configure the settings.

Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data source
                            (maximum of 512 characters). You can access this URL by clicking the Launch Device
                            URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event
                            Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client data
                              sources, clients using this setting inherit the date order of the parent data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can clear
                            the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported, the
                            ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Select this option when the raw data source data you are importing is in NitroFile
                            format.
                            Note: When you export data sources to a remote file, they are exported in NitroFile
                            format. If you import those files to another Receiver automatically, Data is
                            NitroFile is selected for each of the data sources you are importing. This
                            indicates that the file is in NitroFile format. If you import them manually, you
                            must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the data
                            source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any data
                            source that has a checksum file. If you import them manually, you must select it.
                            The only exception is when you are importing a data source file that doesn't have
                            a checksum file, but you want to view it anyway.

InterSect Alliance Snare for Windows log format and field mapping

Log format

Hostname  Event Log Type  Criticality  SourceName  Snare Event Counter  DateTime  EventID  SourceName  UserName  SIDType  EventLogType  ComputerName  CategoryString  DataString  ExpandedString  MD5 Checksum

Log samples
This is a sample log from Snare for Windows:

Test_Host MSWinEventLog 0 Security 3027 Fri May 24 09:30:43 2013 593 Security Administrator User Success Audit EXAMPLE Detailed Tracking A process has exited:Process ID: 656 User Name: Administrator Domain: EXAMPLE Logon ID: (0x0,0x6C52)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields                                                                   McAfee ESM fields
Hostname, Caller Machine Name, Caller Workstation, Client Name,
from Workstation, Workstation, Target Server Name, User Workstations,
Workstation Name                                                             Source Host
Criticality                                                                  Severity
Source, Client Address, Source Network Address, Network Address              Source IP
Source Port                                                                  Source Port
Destination                                                                  Dest. IP
SourceName                                                                   Application
Logon Type                                                                   Logon_Type
Domain, Caller Domain, Domain Name, Member ID, New Domain, Primary Domain,
Supplied Realm Name, Target Domain, User Domain, Account Domain              Domain
Authentication Package Name, Authentication Package, Logon Process Name,
Process Name, Service Name                                                   Application
Object Name, Group Name, Target Account Name, Program                        Object
UserName, User Name, Caller User Name, Client User Name, Logon Account,
Account Name, UserID                                                         Source User
New Account Name, Member Name, Target Account Name, Account Name             Destination User
Failure Code                                                                 Command
NtLogon                                                                      Session_Status
EventID and SourceName                                                       Signature ID
EventLogType                                                                 Event Subtype
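The Snare format above is positional: the agent sends the fields in the order the Log format line lists, tab-delimited (the printed sample has lost its tabs), and most of the entries in the mapping table (Domain, User Name, Logon ID, ...) are not fields of their own but labels inside DataString, which is the Windows event description flattened onto one line. The time stamp also carries no zone, which is why step 6 of the configuration and the Time Zone setting matter. The following is an added example, not code from the McAfee guide or from InterSect Alliance, that parses one event in that order, extracts the labelled values from DataString, stamps DateTime in the zone the agent wrote it in, and applies a subset of the mapping table. The sample event is constructed from the guide's printed sample with the tabs restored; the assumption that the description's original line breaks survive as runs of spaces, and the Security:593 form of the Signature ID, are this example's own.

```python
"""
Added example; not code from the McAfee guide or from InterSect Alliance.
Parses one Snare for Windows event in the field order the guide lists, pulls
the "Label: value" pairs out of DataString, stamps DateTime in the zone the
agent wrote it in, and renames fields with a subset of the guide's mapping
table.  The sample event is constructed from the guide's printed sample.
"""
import re
from datetime import datetime, timedelta, timezone

# Field order from the guide's "Log format" line. SourceName appears twice
# there, so the second copy gets its own name in this example.
SNARE_FIELDS = [
    "Hostname", "Event Log Type", "Criticality", "SourceName", "Snare Event Counter",
    "DateTime", "EventID", "SourceName (2)", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString", "MD5 Checksum",
]
# Log field -> ESM field, a subset of the guide's table. Labels that only occur
# inside DataString (Domain, User Name, ...) are looked up there.
ESM_MAP = {
    "Hostname": "Source Host", "Criticality": "Severity", "SourceName": "Application",
    "UserName": "Source User", "EventLogType": "Event Subtype", "Domain": "Domain",
    "User Name": "Source User", "Logon Type": "Logon_Type", "Failure Code": "Command",
    "Source Network Address": "Source IP", "Source Port": "Source Port",
    "Workstation Name": "Source Host", "Logon Process Name": "Application",
}


def parse_snare(line: str, utc_offset_hours: float = 0) -> dict:
    """Split one tab-delimited Snare event. utc_offset_hours is the zone the
    agent stamped DateTime in: 0 when Snare Enterprise's Coordinated UTC is on,
    otherwise the sending host's local offset (all the Open Source agent can
    do). It plays the role of the data source's Time Zone setting."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 14:
        raise ValueError("expected at least 14 tab-separated fields, got %d" % len(parts))
    parts += [""] * (len(SNARE_FIELDS) - len(parts))    # ExpandedString / MD5 may be absent
    rec = dict(zip(SNARE_FIELDS, parts))
    # The Windows description arrives flattened onto one line. Assumption for the
    # constructed sample: its original line breaks survive as runs of spaces.
    details, description = {}, []
    for chunk in re.split(r" {2,}", rec["DataString"]):
        label, sep, value = chunk.partition(": ")
        if sep and value:
            details[label.strip()] = value.strip()
        elif chunk:
            description.append(chunk.strip())
    rec["Description"] = " ".join(description)
    rec["Details"] = details
    stamp = datetime.strptime(rec["DateTime"], "%a %b %d %H:%M:%S %Y")
    rec["FirstTime"] = stamp.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return rec


def to_esm(rec: dict) -> dict:
    """Rename fields per ESM_MAP and normalise the time to UTC. The guide only
    says Signature ID is built from EventID and SourceName; the 'Security:593'
    join used here is this example's own convention, not the ESM's."""
    esm = {"Signature ID": "%s:%s" % (rec["SourceName"], rec["EventID"])}
    for src, dst in ESM_MAP.items():
        value = rec.get(src) or rec["Details"].get(src)
        if value:
            esm[dst] = value
    esm["First Time"] = rec["FirstTime"].astimezone(timezone.utc).isoformat()
    return esm


# Constructed from the guide's sample, with the tabs put back.
SAMPLE = "\t".join([
    "Test_Host", "MSWinEventLog", "0", "Security", "3027", "Fri May 24 09:30:43 2013",
    "593", "Security", "Administrator", "User", "Success Audit", "EXAMPLE",
    "Detailed Tracking",
    "A process has exited:    Process ID: 656    User Name: Administrator    "
    "Domain: EXAMPLE    Logon ID: (0x0,0x6C52)",
])

if __name__ == "__main__":
    print(to_esm(parse_snare(SAMPLE)))       # agent stamping in UTC
    print(to_esm(parse_snare(SAMPLE, -5)))   # Open Source agent on a host five hours behind UTC
```

Run with the second call and the same 09:30:43 stamp lands at 14:30:43Z. That five-hour shift is exactly what a wrong Time Zone setting on the data source produces in the ESM, and it is the difference between a logon that correlates with the firewall record and one that does not, so set the zone per agent rather than per receiver when the Open Source edition is in use.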

Interset

Configure Interset


With Interset and McAfee ESM installed and working, you need the following before you begin:

• Familiarity with configuring Flume using Ambari. See the Configure Data Ingest documentation.
• The tenant ID in Interset that contains the data to send to the McAfee Event Receiver (for example, 0).
• The name (FQDN or IP address) and port of the McAfee Event Receiver.

Task

1. In Apache Ambari, create the Flume Export Configuration Group.
2. Configure the system so that events are sent as syslog to the McAfee Event Receiver.
a. Copy the esmSyslog.conf file from the /opt/interset/export/conf-templates folder to a local system, and make these
substitutions:

• On each line, change the tenant ID placeholder <TID> to the appropriate tenant ID (for example, 0).
• Replace the McAfee Event Receiver placeholder <ESM Syslog Receiver Port> with the port number of the McAfee Event
Receiver.
• Replace any other system variables, such as <ZOOKEEPER_HOST>, with appropriate values.

b. Upload and save the new esmSyslog.conf file to Ambari for processing.
3. Repeat step 2 with esmStorySyslog.conf, located in the same template folder, to also send high-risk stories to the McAfee
Event Receiver. By default, only stories with a risk score greater than 75 are sent. To change this threshold, edit the value
in the following line:

interset_auth_events_<TID>_esm.sources.kafkaSource.interceptors.scoreChecker.toCompare =
riskScore:greaterThan:75

Add Interset
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option                      Definition
Data Source Vendor          Interset
Data Source Model           Interset
Data Format                 Default
Data Retrieval              SYSLOG (Default)
Enabled                     Select options for processing events. Some options may not be available for your
                            data source.
                            • Parsing - if you want to parse events. Enabling parsing is recommended.
                            • McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
                            • McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
                            • SNMP Trap - if your environment requires it (this is rare).
Name                        Name of the data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
                            Note: Don't use _ (underscore) in a host name field.
Syslog Relay                None
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Support Generic Syslogs     Do nothing.
Time Zone                   Time zone of the data being sent.

5. (Optional) Click Advanced and configure the settings.

642 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file. The checksum detects a corrupted or truncated transfer; it is not a signature and does not prove
which Receiver produced the file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Integrate Interset
The integration feature lets you open additional details about an Interset event from the McAfee ESM.

This integration only works with events that contain the URL custom type. Ensure that the data source has been
configured and added to the McAfee Event Receiver before completing these steps.

Task

1. In the McAfee ESM console, select an ESM on the left side, then click the Properties icon.
2. From the System Properties menu, select Custom Settings.
3. Near the bottom of Custom Settings, click Device Links.
4. In the Custom Device Links window, select the Interset device that you previously added, then select Edit.
5. In the Edit URL window, click the arrow directly to the right of the blank URL field. Select Custom Types | URL.
Once selected, a value is automatically entered in the previously blank URL section.
6. The Custom Device Links window now displays the CustomType value. Select OK.
7. Select an event that contains the URL custom type, then select the Launch Device URL icon (an image of the Earth).
A browser window opens with a logon prompt for your Interset device. After you log on, additional details about the
selected Interset event are displayed.

Interset log format and field mapping


Log sample
This is a sample log from an Interset device:

On Jan 21, 2016 8:00:00 AM, user543 told a Story with a Risk Score of 88. See 'https://analytics.example.com/investigator#/?t=story&type=story&ts=1414746760&te=1417392000&state=stories' for details. It was very unusual for user543 to take from the projects /project0871, /project0156, /project0589, /project0473, /project0821, /project0221, /project0369. user543 mooched from the project /project0263. user543 took from the inactive projects /project0833, /project0821, /project0852. user543 took significantly more from the project /project0822 than others.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

/timestamp, /clienteventtime, /_time, Time First Time, Last Time

Username, /sourceuseridname, /user, /src_user Source User

Message Details Message_Text

Risk Score Reputation, Severity

URL URL

/appidname Application

/eventuuid UUID

/sourcemachineidname, /src Host

/sourceip, /src, /ip Source IP

/eventtype, /signature_id Job_Type, SID

/fileidpath Destination_Filename

/sourcepath Filename

/contactip, /dest Destination IP, Destination_Hostname

/action Action, Rule Message

/dvc External_Device_ID

/src_port Source Port

/vendor External_Device_Type

/project Category

/size File_Size
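The following Python script is an added example; it is not part of this guide or of the Interset product. It parses stories in the narrative format shown above into the ESM fields from the mapping table and applies the scoreChecker rule (riskScore:greaterThan:75) from the forwarding configuration, so you can see which stories the Receiver would actually get. The first sample line is the story from this page with its line breaks joined; the second is constructed. Only the greaterThan operator name appears in this guide; lessThan and equals are assumed names added for illustration.

```python
import operator
import re
from datetime import datetime

# Constructed input. The first story is the one shown on this page with its line breaks
# joined; the second is made up in the same format to show a story below the threshold.
SAMPLE_STORIES = [
    "On Jan 21, 2016 8:00:00 AM, user543 told a Story with a Risk Score of 88. "
    "See 'https://analytics.example.com/investigator#/?t=story&type=story&ts=1414746760"
    "&te=1417392000&state=stories' for details. It was very unusual for user543 to take "
    "from the projects /project0871, /project0156, /project0589, /project0473, /project0821, "
    "/project0221, /project0369. user543 mooched from the project /project0263. user543 took "
    "from the inactive projects /project0833, /project0821, /project0852. user543 took "
    "significantly more from the project /project0822 than others.",
    "On Jan 22, 2016 9:15:00 AM, user107 told a Story with a Risk Score of 61. "
    "See 'https://analytics.example.com/investigator#/?t=story&type=story&ts=1&te=2"
    "&state=stories' for details. user107 mooched from the project /project0042.",
]

STORY_RE = re.compile(
    r"^On (?P<when>.+?), (?P<user>\S+) told a Story with a Risk Score of (?P<score>\d+)\. "
    r"See '(?P<url>[^']+)' for details\.\s*(?P<details>.*)$"
)

# Operators for the scoreChecker "field:operator:value" spec. Only greaterThan appears in
# this guide; lessThan and equals are assumed names added here for illustration.
OPERATORS = {"greaterThan": operator.gt, "lessThan": operator.lt, "equals": operator.eq}


def parse_story(line):
    """Parse one Interset story into the ESM fields from the mapping table.

    Returns None when the line does not look like a story."""
    m = STORY_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["when"], "%b %d, %Y %I:%M:%S %p")
    # Projects named in the narrative, de-duplicated, in order of first mention.
    projects = list(dict.fromkeys(re.findall(r"/project\d+", m["details"])))
    score = int(m["score"])
    return {
        "First Time": when,
        "Last Time": when,
        "Source User": m["user"],
        "Reputation": score,        # Risk Score maps to Reputation and Severity
        "Severity": score,
        "URL": m["url"],
        "Message_Text": m["details"],
        "Category": projects,       # /project maps to Category
    }


def score_check(story, spec="riskScore:greaterThan:75"):
    """Apply a scoreChecker-style 'riskScore:<operator>:<value>' rule to a parsed story."""
    field, op_name, value = spec.split(":")
    if field != "riskScore":
        raise ValueError("only riskScore is compared here")
    return OPERATORS[op_name](story["Reputation"], int(value))


def forward_high_risk(lines, spec="riskScore:greaterThan:75"):
    """Return the parsed stories that pass the interceptor and would reach the Receiver.

    Note the boundary: with greaterThan:75 a story scored exactly 75 is dropped."""
    parsed = (parse_story(line) for line in lines)
    return [s for s in parsed if s is not None and score_check(s, spec)]


if __name__ == "__main__":
    for story in forward_high_risk(SAMPLE_STORIES):
        print(story["Source User"], story["Reputation"], len(story["Category"]), "projects")
```

Run it as-is to see only user543's story survive the default threshold; pass a different spec string to forward_high_risk to test a lower or higher cutoff before changing the Flume template.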

Juniper Networks JUNOS Structured-Data Format

Configure Juniper Networks JUNOS Structured-Data Format


JUNOS supports logging in standard Junos format and structured-data format. We recommend the structured-data format.

Structured-data format includes more information without significantly increasing log size. It also makes it easier for automated
applications to extract information from a message. This format follows Internet draft-ietf-syslog-protocol-23 (https://
tools.ietf.org/html/draft-ietf-syslog-protocol-23), which was published as RFC 5424.

These instructions apply to any JUNOS device running 10.3 or later. Some examples are EX, M, MX, PTX, QFX, QFabric, and T
series systems.

Here is a basic setup example of sending logs to a remote syslog host. Replace <facility> <severity> with the facility and
minimum severity to forward (for example, any info; sends every facility at severity info and above):

[edit system]
syslog {
    host <HOSTNAME/IP ADDRESS of McAfee Event Receiver> {
        <facility> <severity>;
        structured-data {
            brief;
        }
    }
}

Here is a basic setup example of sending logs to a log file:

[edit system]
syslog {
    file <Path/Filename> {
        <facility> <severity>;
        structured-data {
            brief;
        }
    }
}

More options can be specified for log outputs. See the JUNOS System Log Messages Reference document to learn more.

Task

1. To configure the system to log system messages, add a syslog statement at the [edit system] hierarchy level.
2. To log in structured-data format, include a structured-data statement for each logging output.

Add Juniper Networks JUNOS Structured-Data Format


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Juniper Networks

Data Source Model JUNOS – Structured-Data Format (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Juniper Networks JUNOS Structured-Data Format log format and field mapping

Log format
The expected format for this device is:

<priority> version timestamp hostname process processID TAG [junos@2636.platform variable-value-pair1="value"] message-text

Log samples
This is a sample log from a JUNOS structured-data format device:

<165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username="regress"]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Hostname

Service-name Application

Source-address Source IP

Destination-address Destination IP

Nat-destination-address Nat Details Nat Address

Source-port Source Port

Destination-port Destination Port

Nat-source-address Nat Details Nat Address

Nat-source-port Nat Details Nat Port

Packet-incoming-interface Interface

Source-zone-name Source Zone

Destination-zone-name Destination Zone

Bytes-from-client Bytes from client

Bytes-from-server Bytes from server

Policy-name Policy name

Elapsed-time Elapsed time

Attack-name Threat name

Protocol-id Protocol

Session-id Session

Reason Object name

Username Source Username
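To see what the structured-data format gives a collector, here is an added Python parser (example code, not from Juniper Networks or this guide) for the RFC 5424 style header and the junos@ SD-ELEMENT described above. It steps over the backslash escapes RFC 5424 allows inside parameter values, splits the priority into facility and severity, separates the message text that follows the closing bracket, and maps the parameter names (lowercase, as the device emits them) to the ESM fields in the table above. The first sample is the logout event from this page; the second is a constructed RT_FLOW session-close event that uses the table's parameter names and is not real device output.

```python
import re
from datetime import datetime

# Inputs: the logout event from this page (line breaks joined) and a constructed RT_FLOW
# session-close event built from the mapping table's parameter names. The second line is
# not real device output; "-" is the RFC 5424 nil value for a missing process ID.
SAMPLE_LOGOUT = (
    "<165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT "
    '[junos@2636.1.1.1.2.18 username="regress"]'
)
SAMPLE_FLOW = (
    "<14>1 2019-03-01T10:00:00.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE "
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.5" source-port="51234" '
    'destination-address="203.0.113.10" destination-port="443" service-name="junos-https" '
    'nat-source-address="198.51.100.1" nat-source-port="4000" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id="7331" packet-incoming-interface="ge-0/0/0.0" bytes-from-client="1200" '
    'bytes-from-server="5400" elapsed-time="12"] session closed TCP FIN'
)

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the SD-ELEMENT and message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# PARAM-NAME="PARAM-VALUE"; the value may contain backslash-escaped ", \ and ].
PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Parameter name (lowercase, as emitted) -> ESM field from the table above.
# nat-destination-address shares the NAT Address field in the table and is left out here.
FIELD_MAP = {
    "service-name": "Application",
    "source-address": "Source IP",
    "destination-address": "Destination IP",
    "source-port": "Source Port",
    "destination-port": "Destination Port",
    "nat-source-address": "NAT Address",
    "nat-source-port": "NAT Port",
    "packet-incoming-interface": "Interface",
    "source-zone-name": "Source Zone",
    "destination-zone-name": "Destination Zone",
    "bytes-from-client": "Bytes from client",
    "bytes-from-server": "Bytes from server",
    "policy-name": "Policy name",
    "elapsed-time": "Elapsed time",
    "attack-name": "Threat name",
    "protocol-id": "Protocol",
    "session-id": "Session",
    "reason": "Object name",
    "username": "Source Username",
}


def _unescape(value):
    # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash.
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_junos_sd(line):
    """Split a JUNOS structured-data message into header, SD params and message text."""
    m = HEADER_RE.match(line)
    if not m or not m["rest"].startswith("["):
        raise ValueError("not a JUNOS structured-data message")
    rest = m["rest"]
    # Find the ']' that closes the SD-ELEMENT, stepping over backslash-escaped characters
    # so an escaped ']' inside a parameter value does not end the element early.
    i, end = 1, None
    while i < len(rest):
        if rest[i] == "\\":
            i += 2
            continue
        if rest[i] == "]":
            end = i
            break
        i += 1
    if end is None:
        raise ValueError("unterminated SD-ELEMENT")
    sd_id, _, params_str = rest[1:end].partition(" ")
    pri, ts = int(m["pri"]), m["ts"]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "hostname": m["host"],
        "process": m["app"],
        "procid": None if m["procid"] == "-" else m["procid"],
        "tag": m["msgid"],
        "sd_id": sd_id,
        "params": {n: _unescape(v) for n, v in PARAM_RE.findall(params_str)},
        "message": rest[end + 1:].strip(),
    }


def to_esm_fields(event):
    # Unmapped parameters are kept under their own name so nothing is silently dropped.
    fields = {"Hostname": event["hostname"]}
    for name, value in event["params"].items():
        fields[FIELD_MAP.get(name, name)] = value
    return fields
```

The scan for the closing bracket is the part worth copying: a naive split on "]" breaks as soon as a reason string or file name contains an escaped bracket, which is exactly the kind of input an attacker controls.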

Juniper Networks NetScreen

Configure Juniper Networks NetScreen using the command-line interface

Task

To configure Juniper Networks NetScreen using the command line, type the following commands, where <ip_address> is the
address of the McAfee Event Receiver. Check the exact keyword syntax against the ScreenOS CLI reference for your release:

set syslog config <ip_address> <security_facility> <local_facility>
set syslog config <ip_address> port 514
set syslog config <ip_address> log all
set syslog enable

Add Juniper Networks NetScreen


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Juniper Networks

Data Source Model NetScreen/IDP (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Juniper Networks NetScreen log format and field mapping


Log format
The expected format for this device is:

<PRI>HOSTNAME: NetScreen device_id=HOSTNAME []EVENT_DESCRIPTION: MESSAGE (DATE TIME)

Log sample
This is a sample log from a device:

<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: Admin user BobJ has logged on via SSH
from 192.0.2.1:1234 (2001-01-01 01:01:01)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

src, ip address Source IP

src_port, port, icmp_type Source Port

dst Dest. IP

dst_port, icmp_code Dest. Port

proto Protocol

src_zone Source Username, Source_Zone

dst_zone Dest Username, Destination_Zone

device_id Host

Service Application

Sent Bytes_sent

Rcvd Bytes_received

reason Reason

domain domain

start_time First Time

start_time Last Time

Severity Severity

Session id Session ID

policy id Command

src-xlated ip NAT Address

src-xlated ip (port) NAT Port

policy id Policy Name

deviceId External_Device_ID

application Application

Juniper Networks Network and Security Manager

Configure Juniper Networks Network and Security Manager


Task

1. From the Network and Security Manager application, go to Action Manager → Action Parameters.
2. Fill in Syslog Server IP with the IP address of the McAfee Event Receiver.
3. Select the Syslog Facility you want to send the events as.
4. Click OK to save.

Add Juniper Networks Network and Security Manager


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.

4. Click Add.

Option Definition

Data Source Vendor Juniper Networks

Data Source Model Network and Security Manager – NSM (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Juniper Networks Network and Security Manager log format and field mapping

Log format
The expected format for this device is:

<Priority> <Date Time> <hostname> <message>

Log sample
This is a sample log from a Juniper Networks Network and Security Manager device:

<123>Jan 1 01:01:01 192.0.2.1 20010101, 1234, 2001/01/01 01:01:01, 2001/01/01 01:01:01, domain.Name, 0,
deviceName, 192.0.2.2, info, cmd, (NULL), (NULL), 192.0.2.3, 3, 192.0.2.4, 4, (NULL), (NULL), 192.0.2.5,50,
192.0.2.6, 6, protocol, SYSTEM, 0, unknown, none, 0, 0, not applicable, informational, no,details, admin,
file, (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 0, Not Set, service

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Device Name Host

Protocol Protocol

Src Addr Source IP

Dst Addr Destination IP

Src Port Source Port

Dst Port Destination Port

Action Action

Time Received First Time, Last Time

Severity Severity

Subcategory Application

Bytes Out Bytes_Sent

Bytes In Bytes_Received

Details Command

Device Domain Domain

User User

Nat Src Addr, Nat Src Port NAT_Details

Policy Policy_Name

Kaspersky Administration Kit

Configure Kaspersky Administration Kit


See your product documentation for instructions about sending log events to a remote server. Use the McAfee Event Receiver IP
address for the IP address of the remote server.

Add Kaspersky Administration Kit

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Kaspersky

Data Source Model Administration Kit – SQL Pull (ASP)

Data Format Default

Data Retrieval SQL (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

User ID User name of the account the Receiver uses to query the Kaspersky database. A dedicated read-only login is
enough for a SQL pull and limits what can be done with the credential if it is exposed.

Password Password of that database account

Port 1433

Database Name Database name

Poll frequency How often you want to pull logs.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Kaspersky Administration Kit log format and field mapping


Log sample
This is a sample log from a Kaspersky Administration Kit device:

event_id="4164828" nIpAddress="167772161" domain_name="DOMAIN" hostname="HOSTNAME" group_name="GROUPNAME"
rise_time="2013-09-16 09:22:52.257" registration_time="2013-09-16 09:22:57.840" severity="1"
task_display_name="Update_KBDOM-SRV_KAV6.0 MP4" description="" product_name="KAVFS6"
product_version="6.0.4.0" product_display_version="6.0.4.1611" event_type="KLPRCI_TaskState" string_1=""
string_2="" string_3="" string_4="" string_5="" string_6="" string_7="" string_8=""

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

rise_time First Time, Last Time

severity Severity

product_name Application

domain_name Domain

hostname Hostname

product_version Version

event_type Event_Class

nIpAddress src_ip

File_Path* File_Path

Threat_Name* Threat_Name

task_display_name Job_Name

objectname* objectname

URL* URL

Message_Text* Message_Text

Process_Name* Process_Name

Category* Category

PID* PID

*These keys are carried in the string_1 through string_8 fields or in the description field.

Lastline Enterprise

Configure Lastline Enterprise


See Lastline Enterprise product documentation for instructions on how to send syslog logs to a remote server.

Before you begin

Configuring this data source requires:

• McAfee ESM version 9.5.0 or later
• Administrative level access to configure the syslog service to send logs
• The McAfee Event Receiver IP address, used as the address of the remote server

Task

1. From the Lastline portal, click Admin.
2. Click Syslog.
3. Click the Integration tab.
4. Create a syslog destination by selecting the sensors to log, the time zone, the IP address and port of the McAfee Event
Receiver, the host name, and the log message format (CEF).
5. Enable the notification option.
6. Set the default configuration to log all categories with no delay between logs and no maximum limit per day.
7. Optionally, limit the volume of messages by category, minimum severity level, rate, and maximum daily volume.

Add Lastline Enterprise


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Lastline

Data Source Model Enterprise

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address IP address associated with the data source device

Hostname Host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Require McAfee Event Receiver to communicate over TLS

Support generic syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device; the ESM uses them when it forwards
events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Lastline Enterprise log format and field mapping


Log format
The expected format for this device is as follows:

<Date-Time> <CEF Version> <Device Vendor> <Device Product> <Device Version> <Signature ID> <Name> <Severity>
<Key-Value Pairs>

Log sample
This is a sample log from a Lastline Enterprise device:

May 20 13:20:56 mcafeecef CEF:0|Lastline|Enterprise|7.3|signature-match|IDS Signature Match|4|act=LOG
cat=drive-by/Fiesta EK cn1=45 cn1Label=impact cn2=6052 cn2Label=IncidentId cn3=100 cn3Label=IncidentImpact
cnt=1 cs1=d6aeef2b:20fbe7df:13acfcd2 cs1Label=detectionId cs2=https://user.lastline.com/event#/
3999999999/677777777/78888?event_time\\=2017-05-20 cs2Label=EventDetailLink cs3=http://example.com/
asp9gg3/0040e4c25360c1ec435c460d570f5a0602080b040704580704010742550607;5061531 cs3Label=EventUrl
deviceExternalId=3888888888:688888888 dpt=80 dst=203.0.113.0 end=May 20 2017 13:16:16 UTC externalId=74444
proto=TCP src=192.0.2.0 start=May 20 2017 13:16:16 UTC

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

name - category Rule Name

severity Severity

EventUrl URL

EventDetailLink Device_URL

IncidentId Incident_ID

act Action

cat Threat_Category, Category, Subcategory

cnt Count

detectionId File_ID

dhost Destination_Hostname

dpt Destination Port

dst Destination IP

start, rt, end First Time, Last Time

externalId External_EventID

fileHash File_Hash

fileSHA1 SHA1

fname Filename

fileType Object

proto Protocol

src Source IP

spt Source Port

deviceType Sensor_Type

deviceExternalId External_Device_Type

dvchost Host

smac Source Mac

msg Message_Text
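
Checking what the Receiver should produce from a record like the sample above means parsing the CEF header and extension and then applying this table. The following Python is an added example, not McAfee or Lastline code. It splits the header on unescaped pipes, tokenizes the extension on unescaped key= boundaries (so a value with spaces such as cat=drive-by/Fiesta EK and the escaped \= in the EventDetailLink survive), renames cs1/cn1 custom fields to the name their cs1Label/cn1Label carries, and then applies the table. The sample line is constructed from the page's sample; the Rule Name composition (name - cat), the split of cat into Category and Subcategory on the slash, and the start/rt/end fallback order are this example's own assumptions, not something the page states.

```python
"""Parse one CEF record and map it onto McAfee ESM field names. Added example, not
McAfee or Lastline code; LASTLINE_TO_ESM is the page's table, the rest is assumed."""
import re
from typing import Dict, Tuple

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed from the page's Lastline sample, joined onto one line, with the CEF
# escape for "=" written as the single backslash a device actually emits.
SAMPLE_LASTLINE = (
    "May 20 13:20:56 mcafeecef CEF:0|Lastline|Enterprise|7.3|signature-match|"
    "IDS Signature Match|4|act=LOG cat=drive-by/Fiesta EK cn1=45 cn1Label=impact "
    "cn2=6052 cn2Label=IncidentId cn3=100 cn3Label=IncidentImpact cnt=1 "
    "cs1=d6aeef2b:20fbe7df:13acfcd2 cs1Label=detectionId "
    "cs2=https://user.lastline.com/event#/3999999999/677777777/78888?event_time\\=2017-05-20 "
    "cs2Label=EventDetailLink cs3=http://example.com/asp9gg3/0040e4c2;5061531 cs3Label=EventUrl "
    "deviceExternalId=3888888888:688888888 dpt=80 dst=203.0.113.0 "
    "end=May 20 2017 13:16:16 UTC externalId=74444 proto=TCP src=192.0.2.0 "
    "start=May 20 2017 13:16:16 UTC"
)

# The page's Lastline table; cat, severity, name and the time fields are handled in map_lastline.
LASTLINE_TO_ESM = {
    "EventUrl": "URL", "EventDetailLink": "Device_URL", "IncidentId": "Incident_ID",
    "act": "Action", "cnt": "Count", "detectionId": "File_ID", "dhost": "Destination_Hostname",
    "dpt": "Destination Port", "dst": "Destination IP", "externalId": "External_EventID",
    "fileHash": "File_Hash", "fileSHA1": "SHA1", "fname": "Filename", "fileType": "Object",
    "proto": "Protocol", "src": "Source IP", "spt": "Source Port", "deviceType": "Sensor_Type",
    "deviceExternalId": "External_Device_Type", "dvchost": "Host", "smac": "Source Mac",
    "msg": "Message_Text",
}

_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an unescaped key= at the start of a token
_ESC_RE = re.compile(r"\\(.)")           # CEF escapes: \| \= \\ \n \r


def _unescape(value: str) -> str:
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (syslog prefix, header fields, extension key/values) for one CEF line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    prefix, body = line[:start].rstrip(), line[start + 4:]
    header, cur, i = [], [], 0
    while i < len(body) and len(header) < len(CEF_HEADER_FIELDS):
        if body[i] == "\\" and i + 1 < len(body):  # escaped | or \ inside a header field
            cur.append(body[i + 1])
            i += 2
        elif body[i] == "|":
            header.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(body[i])
            i += 1
    if len(header) == len(CEF_HEADER_FIELDS) - 1 and cur:  # record that has no extension
        header.append("".join(cur))
    if len(header) != len(CEF_HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    ext_text = body[i:]
    keys = list(_KEY_RE.finditer(ext_text))  # each value runs up to the next key=
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return prefix, dict(zip(CEF_HEADER_FIELDS, header)), ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename cs1/cn1/... custom fields to the name their cs1Label/cn1Label carries."""
    out = {}
    for key, value in ext.items():
        if not key.endswith("Label"):
            out[ext.get(key + "Label") or key] = value
    return out


def map_lastline(line: str) -> Dict[str, str]:
    """Apply the page's Lastline mapping to one CEF line."""
    _prefix, header, ext = parse_cef(line)
    fields = resolve_labels(ext)
    esm = {LASTLINE_TO_ESM[k]: v for k, v in fields.items() if k in LASTLINE_TO_ESM}
    esm["Severity"] = header["severity"]
    cat = fields.get("cat", "")
    esm["Rule Name"] = f"{header['name']} - {cat}" if cat else header["name"]  # assumed form
    if cat:  # page: cat feeds Threat_Category, Category and Subcategory; slash split assumed
        esm["Threat_Category"] = cat
        esm["Category"], _sep, esm["Subcategory"] = cat.partition("/")
    first = fields.get("start") or fields.get("rt")
    last = fields.get("end") or fields.get("rt") or first
    if first:
        esm["First Time"], esm["Last Time"] = first, last
    return esm
```

Running `map_lastline(SAMPLE_LASTLINE)` yields the ESM view of the sample: IDS Signature Match - drive-by/Fiesta EK as Rule Name, 6052 as Incident_ID, the unescaped EventDetailLink as Device_URL, and the unlabeled cn1/cn3 values left out because the table does not mention them. Splitting on `(?:^|\s)\w+=` rather than on spaces is what keeps multi-word values intact; a value that itself contains ` word=` is ambiguous in CEF and would still need escaping by the sender.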

Locum RealTime Monitor

Configure Locum RealTime Monitor


See documentation for information about how to send syslog events to a remote server or McAfee ESM. Use the IP address of
the McAfee Event Receiver for the IP address of the remote server.

Add Locum RealTime Monitor


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Locum

Data Source Model RealTime Monitor (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Locum RealTime Monitor log format and field mapping


Log format
The expected format for this device is:

<date time> <device IP> <device> <time> <status> <message>

Log sample
This is a sample log from a Locum RealTime Monitor device:

<123>Jan 01 01:01:01 192.0.2.1 RealTime_Monitor 01:01 VALIDATION: 1234 Usercode example validated for
example (by FTP/SERVER/FOR/"192.0.2.2")

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Host

Protocol Protocol

Device IP Source IP

UC Destination IP

Application Application

Object Object Type

Object Object

Task Command

User Source User

Usercode Destination User

Database Name Database_Name

Description Message_Text

LOGbinder

Configure LOGbinder
Task

1. Open the LOGbinder Configurator.
2. Select the Output section, then select your preferred logging method. McAfee ESM currently supports the CEF format and
the Syslog-Generic format for all types.
3. Double-click the selected logging method and fill in the required syslog information.

Add LOGbinder
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor LOGbinder

Data Source Model LOGbinder

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

LOGbinder log format and field mapping


Log format (SharePoint)
The expected formats for this device are:

Syslog

syslogTimestamp syslogHost signatureID LOGbinder SP|deviceVersion|type|eventTimestamp|message|name=“key1”
label=“Key 1” value=“value1”|name=“key2” label=“Key 2” value=“value2”|…

CEF

CEF:version|LOGbinder|SP|deviceVersion|signatureID|message key1=value1 key2=value2…

Log format (Exchange)


The expected format for this device is:

Syslog

syslogTimestamp syslogHost signatureID LOGbinder EX|deviceVersion|type|eventTimestamp|message|name=“key1”
label=“Key 1” value=“value1”|name=“key2” label=“Key 2” value=“value2”|…

CEF

CEF:version|LOGbinder|EX|deviceVersion|signatureID|message key1=value1 key2=value2…

Log format (SQL)


The expected format for this device is:

Syslog

syslogTimestamp syslogHost signatureID LOGbinder SQL|deviceVersion|type|eventTimestamp|message|name=“key1”
label=“Key 1” value=“value1”|name=“key2” label=“Key 2” value=“value2”|…

CEF

CEF:version|LOGbinder|SQL|deviceVersion|signatureID|message key1=value1 key2=value2…

Log sample (Exchange)


This is a sample log from a LOGbinder EX device:

Syslog

Jan 01 01:01:01 192.0.2.1 25190 LOGbinder EX|2.0|success|2015-01-01T01:01:01.0000001-00:00|New-AdminAuditLogSearch
Exchange cmdlet issued|name="occurred" label="Occurred" value="1/1/2015 1:01:01 AM"|
name="cmdlet" label="Cmdlet" value="New-AdminAuditLogSearch"|name="performedby" label="Performed By"
value="testUser"|name="succeeded" label="Succeeded" value="Yes"|name="error" label="Error" value="n/a"|
name="originatingserver" label="Originating Server" value="DEV1 (198.51.100.1)"|name="objectmodified"
label="Object Modified" value="AuditLogSearch\\f8376002-c01c-45e3-ad9c-0c1dd7cfe780"|name="parameters"
label="Parameters" value="Name: StartDate, Value: [1/1/2015 1:01:01 AM]Name: EndDate, Value: [9/6/2013
6:55:00 PM]Name: StatusMailRecipients, Value: [test@test.com]Name: Name, Value: [8e41b65d-46ee-4f41-9e4d-
f8996c19ce04]"|name="properties" label="Modified Properties" value="n/a"|name="additionalinfo"
label="Additional Information" value="CmdletParameters/Parameter/Name\= [StartDate]; CmdletParameters/
Parameter/Value\= [1/1/2015 1:01:01 AM]; CmdletParameters/Parameter/Name\= [EndDate]; CmdletParameters/
Parameter/Value\= [1/1/2015 1:01:06 AM]; CmdletParameters/Parameter/Name\= [StatusMailRecipients];
CmdletParameters/Parameter/Value\= [test@test.com]; CmdletParameters/Parameter/Name\= [Name];
CmdletParameters/Parameter/Value\= [8e41b65d-46ee-4f41-9e4d-f8996c19ce04]"|name="support" value="For more
information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=25190"

CEF

Jan 01 01:01:01 192.0.2.1 CEF:0|LOGbinder|EX|3.0|25190|New-AdminAuditLogSearch Exchange cmdlet
issued rt=1/1/2015 1:01:01 AM act=Error suser=testUser outcome=Yes msg=New-AdminAuditLogSearch Exchange
cmdlet issued dvchost=DEV1 fname= AuditLogSearch\\f8376002-c01c-45e3-ad9c-0c1dd7cfe780 filePermission=n/a
cs4=n/a cs4Label=Modified Properties cs3= name="additionalinfo" label="Additional Information"
value="CmdletParameters/Parameter/Name\= [StartDate]; CmdletParameters/Parameter/Value\= [1/1/2015 1:01:01
AM]; CmdletParameters/Parameter/Name\= [EndDate]; CmdletParameters/Parameter/Value\= [1/1/2015 1:01:06 AM];
CmdletParameters/Parameter/Name\= [StatusMailRecipients]; CmdletParameters/Parameter/Value\=
[test@test.com]; CmdletParameters/Parameter/Name\= [Name]; CmdletParameters/Parameter/Value\=
[8e41b65d-46ee-4f41-9e4d-f8996c19ce04]" cs3Label=Additional Info reason=For more information, see http://
www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=25190

Log sample (SharePoint)


This is a sample log from a LOGbinder SP device:

Syslog

Jan 01 01:01:01 192.0.2.1 65 LOGbinder SP|5.1|success|2015-01-01T01:01:01.0000001-00:00|Item declared as a
record|name="occurred" label="Occurred" value="2015-01-01T01:01:01.0000001-00:00"|name="site" label="Site"
value="testSite"|name="user" label="User" value="testUser"|name="objecturl" label="Object URL" value="\
\testSite\place\thing\"|name="support" value="For more information, see http://
www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=65"

CEF

Jan 01 01:01:01 192.0.2.1 CEF:0|LOGbinder|SP|5.1|65|Item declared as a
record rt=2015-01-01T01:01:01.0000001-00:00 request=testSite duser=testUser filePath=\\testSite\place\thing\
reason=For more information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?
eventid=65

Log sample (SQL)


This is a sample log from a LOGbinder SQL device:

Syslog

Jan 01 01:01:01 192.0.2.1 24000 LOGbinder SQL|2.0|failure|2015-01-01T01:01:01.0000001-00:00|SQL audit event|
name="occurred" label="Occurred" value="1/1/2015 1:01:01.0000000 AM"|name="action_id" label="Action"
value="RWC"|name="succeeded" label="Succeeded" value="False"|name="permissionbitmask" label="Permission
bitmask" value="16"|name="iscolumnpermission" label="Is column permission" value="False"|name="sessionid"
label="Session ID" value="78"|name="serverprincipalid" label="Server Principal ID" value="2"|
name="databaseprincipalid" label="Database Principal ID" value="1"|name="targetserverprincipalid"
label="Target Server Principal ID" value="0"|name="targetdatabaseprincipalid" label="Target Database
Principal ID" value="0"|name="objectid" label="Object ID" value="n/a"|name="classtype" label="Class Type"
value="n/a"|name="sessionserverprincipalname" label="Session Server Principal Name" value="LB\
\Administrator"|name="serverprincipalname" label="Server Principal Name" value="LB\\Administrator"|
name="serverprincipalsid" label="Server Principal SID" value="n/a"|name="databaseprincipalname"
label="Database Principal Name" value="2015-01-01T01:01:01.0000001"|name="targetserverprincipalname"
label="Target Server Principal Name" value="dbo"|name="targetserverprincipalsid" label="Target Server
Principal SID" value="n/a"|name="targetdatabaseprincipalname" label="Target Database Principal Name"
value="n/a"|name="serverinstancename" label="Server Instance Name" value="n/a"|name="databasename"
label="Database Name" value="DEV2"|name="schemaname" label="Schema Name" value="master"|name="objectname"
label="Object Name" value="n/a"|name="statement" label="Statement" value="n/a"|name="additionalinformation"
label="Additional Information" value="REVOKE ALTER ON XML SCHEMA COLLECTION::[dbo].[$(SchemaCollectionName)]
TO [$(UserName2)] CASCADE"|name="support" value="For more information, see http://
www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=24000"

CEF

Sep 23 15:46:10 host CEF:0|LOGbinder|SQL|2.0|24000|SQL audit event rt=1/1/2015 1:01:01.0000000 AM cfp1=RWA
cfp1Label=Action oldFileId=False filePermission=16 fileHash=N/A dpid=78 suid=1 cn3=1 cn3Label=Database
Principal ID cn1=1 cn1Label=Target Server Principal ID cn2=0 cn2Label=Target Database Principal ID
fileId=n/a cfp2=n/a cfp2Label=Class Type duser=LB\\Administrator suser=n/a spriv=n/a
cs2=2015-01-01T01:01:01.0000001 cs2Label=Database Principal Name cs4=n/a cs4Label=Target Server Principal
Name cs3=1 cs3Label=Target Server Principal SID cs5=0 cs5Label=Target Database Principal Name
deviceExternalId=n/a filePath=n/a cs6=master cs6Label=Schema Name fname=n/a cs1=n/a cs1Label=Statement
reason=n/a reason=For more information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
event.aspx?eventid=24000

Field mapping (Exchange)


This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Signature ID Signature ID

rt | occurred First Time | Last Time

src | ClientIPAddress Source IP

cmdlet Command

oldFileId | folderid Filename

deviceHostName | dvchost | originatingserver Host

fname | objectmodified Object

suser | performedby Source User

suid Security_ID

sproc | clientprocess Process_Name

performedlogonType Logon Type

mailboxguid Instance GUID

itemsubject Subject

Field mapping (SharePoint)


This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Signature ID Signature ID

rt | occurred First Time | Last Time

fname | fileName | objecttitle Filename

site | request Object

user | duser | requestedby | membername | administratorname Destination User

suser | user Source User

objecturl | filepath URL

source | filepath File_Path

newauditpolicy Policy_Name

Field mapping (SQL)


This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Signature ID Signature ID

rt | occurred First Time | Last Time

cfp1 | action_id Device_Action

FileId | succeeded Action

duser | sessionserverprincipalname Destination User

dpid | sessionid Session ID

schemaname Database_Name

memberdomainname Domain

targetobjectname Object

suser | member | targetobjectname Source User

deviceExternalId | server External_Device_ID
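
The three LOGbinder mapping tables above (Exchange, SharePoint and SQL) all apply to the Syslog-Generic layout shown under Log format: a header of pipe-separated fields followed by name/label/value triples. The following Python is an added example, not LOGbinder or McAfee code. It matches the triples with a regex instead of splitting the record on |, so a pipe inside a quoted value cannot break the parse; it selects the mapping table by the product code (SP, EX or SQL) in the header; and it handles a name that the tables send to two ESM fields (user on SharePoint, occurred everywhere). The two sample records are constructed, abbreviated versions of the page's Exchange and SharePoint syslog samples, and the header regex is this example's assumption drawn from those samples.

```python
"""Parse LOGbinder Syslog-Generic records and map them onto McAfee ESM fields.
Added example, not LOGbinder or McAfee code; the name tables are the page's, the
header regex and the two-target handling are this example's own choices."""
import re
from typing import Dict, List, Tuple

_HEADER_RE = re.compile(
    r"^(?P<timestamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<signature_id>\d+) "
    r"LOGbinder (?P<product>SP|EX|SQL)\|(?P<version>[^|]*)\|(?P<type>[^|]*)\|"
    r"(?P<event_time>[^|]*)\|(?P<message>[^|]*)\|(?P<triples>.*)$"
)
# name="..." [label="..."] value="..."; the trailing support element carries no label.
_TRIPLE_RE = re.compile(r'name="([^"]*)"(?:\s+label="([^"]*)")?\s+value="([^"]*)"')

# The page's three mapping tables, keyed by the product code in the header. A name
# that the table sends to two ESM fields lists both.
LOGBINDER_TO_ESM: Dict[str, Dict[str, List[str]]] = {
    "EX": {"occurred": ["First Time", "Last Time"], "ClientIPAddress": ["Source IP"],
           "cmdlet": ["Command"], "folderid": ["Filename"], "originatingserver": ["Host"],
           "objectmodified": ["Object"], "performedby": ["Source User"],
           "clientprocess": ["Process_Name"], "performedlogonType": ["Logon Type"],
           "mailboxguid": ["Instance GUID"], "itemsubject": ["Subject"]},
    "SP": {"occurred": ["First Time", "Last Time"], "fileName": ["Filename"],
           "objecttitle": ["Filename"], "site": ["Object"],
           "user": ["Destination User", "Source User"], "requestedby": ["Destination User"],
           "membername": ["Destination User"], "administratorname": ["Destination User"],
           "objecturl": ["URL"], "filepath": ["URL", "File_Path"], "source": ["File_Path"],
           "newauditpolicy": ["Policy_Name"]},
    "SQL": {"occurred": ["First Time", "Last Time"], "action_id": ["Device_Action"],
            "succeeded": ["Action"], "sessionserverprincipalname": ["Destination User"],
            "sessionid": ["Session ID"], "schemaname": ["Database_Name"],
            "memberdomainname": ["Domain"], "targetobjectname": ["Object", "Source User"],
            "member": ["Source User"], "server": ["External_Device_ID"]},
}

# Constructed, abbreviated versions of the page's SharePoint and Exchange syslog samples.
SAMPLE_SP = (
    'Jan 01 01:01:01 192.0.2.1 65 LOGbinder SP|5.1|success|2015-01-01T01:01:01.0000001-00:00|'
    'Item declared as a record|name="occurred" label="Occurred" '
    'value="2015-01-01T01:01:01.0000001-00:00"|name="site" label="Site" value="testSite"|'
    'name="user" label="User" value="testUser"|name="objecturl" label="Object URL" '
    'value="\\\\testSite\\place\\thing\\"|name="support" value="For more information, see '
    'http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=65"'
)
SAMPLE_EX = (
    'Jan 01 01:01:01 192.0.2.1 25190 LOGbinder EX|2.0|success|2015-01-01T01:01:01.0000001-00:00|'
    'New-AdminAuditLogSearch Exchange cmdlet issued|name="occurred" label="Occurred" '
    'value="1/1/2015 1:01:01 AM"|name="cmdlet" label="Cmdlet" value="New-AdminAuditLogSearch"|'
    'name="performedby" label="Performed By" value="testUser"|name="succeeded" label="Succeeded" '
    'value="Yes"|name="originatingserver" label="Originating Server" value="DEV1 (198.51.100.1)"|'
    'name="objectmodified" label="Object Modified" '
    'value="AuditLogSearch\\\\f8376002-c01c-45e3-ad9c-0c1dd7cfe780"'
)


def parse_logbinder(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header fields, {name: value}) for one Syslog-Generic record."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a LOGbinder Syslog-Generic record")
    header = {k: v for k, v in m.groupdict().items() if k != "triples"}
    # Matching the triples directly, rather than splitting on |, keeps a pipe inside
    # a quoted value from breaking the record.
    fields = {name: value for name, _label, value in _TRIPLE_RE.findall(m.group("triples"))}
    return header, fields


def map_logbinder(line: str) -> Dict[str, str]:
    """Apply the mapping table for the record's product to its name/value pairs."""
    header, fields = parse_logbinder(line)
    table = LOGBINDER_TO_ESM[header["product"]]
    esm = {"Signature ID": header["signature_id"]}
    for name, value in fields.items():
        for esm_field in table.get(name, []):
            esm.setdefault(esm_field, value)  # the first source name for a field wins
    return esm
```

`map_logbinder(SAMPLE_SP)` fills both Destination User and Source User from the single user element, as the SharePoint table directs, and leaves the support element out because no table maps it; `map_logbinder(SAMPLE_EX)` yields Command, Source User, Host and Object from the Exchange table and, because succeeded appears only in the SQL table, produces no Action for an Exchange record.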

Lumension Bouncer

Configure Lumension Bouncer


See documentation for information about how to send syslog events to a syslog server or McAfee ESM.

Add Lumension Bouncer


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Lumension

Data Source Model Bouncer (ASP) or Bouncer – CEF (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Lumension Bouncer (CEF) log format and field mapping


Log format
The expected format for this device is:

BouncerMgr CEF:0|Lumension|BOUNCER|<version>|<event type>|<event name>|<severity>| <key>=<value>
<key>=<value> <key>=<value>

Log sample
This is a sample log from a Lumension Bouncer device:

BouncerMgr CEF:0|Lumension|BOUNCER|6.2|1234|Execute of file denied|1|EndpointName=exampleName
EventClass=Endpoint EventID=1234 CauseID=Executing IPAddress=192.0.2.1 TargetFileName=\Device
\HarddiskVolume1\file.exe TargetPath=\Device\HarddiskVolume1\
TargetSHA=ABCDEF12344567890ABCDEF1234567890ABCDEF TargetSize=12345678
TargetSID=S-1-5-21-1234567890-123456789-1234567890-123 TargetCertSubject=VeriSign Class 3 Code Signing 2001
TargetCertSHA=ABCDEF123445677890ABCDEF1234567890ABCD TargetCertSize=1234 Timestamp=2001-01-01 01:01:01

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

EndpointName Host

IPAddress Source IP

Timestamp First Time, Last Time

Event Name Action

Severity Severity

TargetApp, AppName Application

TargetPath Filename

TargetFileName Object

TargetUser Destination User

AskReason Message_Text

CauseID Subject

EventClass Event Class

Event Type External_Event_ID

Lumension Bouncer (syslog) log format and field mapping


Log format
The expected format for this device is:

BouncerMgr CEF:0|Lumension|BOUNCER|<version>|<event type>|<event name>|<severity>| <key>=<value>
<key>=<value> <key>=<value>

Log sample
This is a sample log from a Lumension Bouncer device:

Jan 01 01:01:01 hostname Manager:John Client:192.168.1.1 EventID: 123456 Level: 1 Count:78 EventCause: 90
AppName: appName ManagedName:name Pathname:name

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

IpProto Protocol

SrcAddr Source IP

DstAddr Destination IP

SrcPort Source Port

DstPort Destination Port

AppName Application

Manager Source User

Client Destination User

Lumension LEMSS

Configure Lumension LEMSS


See the Lumension LEMSS product documentation for setup instructions about sending syslog data to a remote server. Use the
IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add Lumension LEMSS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Lumension

Data Source Model Lumension LEMSS

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Lumension LEMSS log format and field mapping


Log format
The expected format for this device is:

<date time> <severity> <deviceIP> <date time> <HostName> <ApplicationName> <ProcessName> <Message ID> <User>
<UserName> <DeviceType> <DeviceName> <VolumeLabel> <StrongID> <Filename> <Other> <Reason> <UniqueID>
<ModelID>

Log sample
This is a sample log from a Lumension LEMSS device:

01-01-2001 01:01:01 System.Info 192.0.2.1 1 2001-01-01T01:01:01Z app MEDIUM-INSERTED [EventLog@12345
User="S-1-2-34-1234567890-1234567890-12345678-1234" UserName="DOMAIN\\user" DeviceType="Removable"
DeviceName="Generic Flash Disk USB Device, Disk drive, (Standard disk drives)"
StrongID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4" Reason="ENCRYPTED"
UniqueID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4e5f6a1b1" ModelID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4e5f6a1b1"]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

HostName Hostname

ApplicationName Application

DeviceIP Source IP

ProcessName Command

UserName Domain, Source User

VolumeLabel

Version Version

DeviceName External_Device_Name

DeviceType External_Device_Type

Filename Directory

Reason Reason
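As an added example (not code from this guide or from Lumension), the following Python parses a line in the format above and applies the field mapping from the table, including the split of UserName into Domain and Source User. The sample line is constructed from the log sample above. The tokens between the device IP and the bracketed block are kept unnamed because the format line and the sample do not line up token for token there; how a real Receiver reads them is not something this example assumes.

```python
"""Parse a Lumension LEMSS syslog line such as the sample above into ESM fields."""
import re

# Constructed sample, modelled on the guide's log sample (joined onto one line);
# the backslash in UserName is doubled in the log exactly as in the sample.
SAMPLE = (
    '01-01-2001 01:01:01 System.Info 192.0.2.1 1 2001-01-01T01:01:01Z app MEDIUM-INSERTED '
    '[EventLog@12345 User="S-1-2-34-1234567890-1234567890-12345678-1234" UserName="DOMAIN\\\\user" '
    'DeviceType="Removable" DeviceName="Generic Flash Disk USB Device, Disk drive, (Standard disk drives)" '
    'StrongID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4" Reason="ENCRYPTED" '
    'UniqueID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4e5f6a1b1" ModelID="a1b1c3d4e5f6a1b1c3d4e5f6a1b1c3d4e5f6a1b1"]'
)

# Receive time, severity and device IP come first. The tokens between the device IP
# and the bracketed block are kept as a list (assumption: their meaning is not pinned
# down by the guide, so they are not named here).
_LINE = re.compile(
    r"^(?P<received>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<severity>\S+) (?P<device_ip>\S+) "
    r"(?P<header>.*?) ?\[(?P<sd_id>[^\s\]]+)(?P<params>.*)\]\s*$"
)
# name="value" pairs; a backslash escapes the next character, so \" and \\ are allowed.
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def parse_lemss(line):
    """Split one LEMSS line into its fixed prefix and the quoted key=value block."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("line does not look like a LEMSS event")
    return {
        "received": m["received"],
        "severity": m["severity"],
        "device_ip": m["device_ip"],
        "header_tokens": m["header"].split(),
        "sd_id": m["sd_id"],
        "params": {k: _unescape(v) for k, v in _PARAM.findall(m["params"])},
    }


# Direct mappings copied from the table above (VolumeLabel has no ESM field there).
_DIRECT = {
    "DeviceType": "External_Device_Type",
    "DeviceName": "External_Device_Name",
    "Filename": "Directory",
    "Reason": "Reason",
}


def to_esm(event):
    """Apply the guide's field mapping; UserName feeds both Domain and Source User."""
    p = event["params"]
    esm = {"Source IP": event["device_ip"]}
    for src, dst in _DIRECT.items():
        if src in p:
            esm[dst] = p[src]
    if "UserName" in p:
        # UserName carries DOMAIN\user; a name without a backslash has no domain part.
        domain, _, user = p["UserName"].rpartition("\\")
        esm["Source User"] = user
        if domain:
            esm["Domain"] = domain
    return esm


if __name__ == "__main__":
    print(to_esm(parse_lemss(SAMPLE)))
```

The unescaping step matters for the UserName value: the sample carries `DOMAIN\\user`, so a parser that splits on the raw backslash without unescaping first would produce an empty domain.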

Malwarebytes Breach Remediation

Configure Malwarebytes Breach Remediation


See your product documentation for instructions about sending syslog logs to a remote server. Use the McAfee Event Receiver IP
address for the IP address of the remote server.

Add Malwarebytes Breach Remediation


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Malwarebytes

Data Source Model Breach Remediation

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled    Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.


Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order    Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone    To assign this data source to a zone, select the zone from the list.

External data source link    Automatically selected when you import events from another Receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format    Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Malwarebytes Breach Remediation log format and field mapping
Log format
The expected format for this device is:

CEF:0|PRODUCT VENDOR|PRODUCT NAME|PRODUCT VERSION|SIGNATURE ID|NAME|SEVERITY|KEY=VALUE KEY=VALUE…

Log sample
This is a sample log from a device:

CEF:0|Malwarebytes|Malwarebytes Malware Remediation|1.0|1000|ScanStarted|1|act=Action cat=MalwareCategory
cs1=MalwareName cs1Label=MalwareName cs2=MalwareHash cs2Label=MalwareHash cs3=SessionId cs3Label=SessionId
cs4=MalwareClass cs4Label=MalwareClass

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

CEF Name + CEF Signature ID    Msg

CEF Severity    Severity

act    Action

cat    Threat_Category

MalwareName    Threat_Name

MalwareHash    Hash

SessionId    Session

MalwareClass    Event_Class

CommandLine    Command

deviceMacAddress    Source MAC

dvchost    Host

filePath    File_Path

msg    Message_Text

suser    Source User


Malwarebytes Management Console

Configure Malwarebytes Management Console


Syslog settings can be accessed from the Admin Module.

Task

1. Open the Admin Module.
2. Switch to the Syslog Settings tab.
3. By default, logging to an external Syslog server is disabled. Click Change to open the settings dialog box.
4. Select Enable Syslog and fill in the appropriate configuration fields.

• Address: <IP address of the McAfee Event Receiver>
• Port: 514
• Protocol: UDP
• Specify Facility number (ranges from 0–23).
• Specify Severity number (ranges from 0–7).
• Payload Format: CEF

Note: Syslog over UDP is neither encrypted nor acknowledged, and lost datagrams are not retransmitted, so keep the path between the console and the Receiver on a trusted network segment.

Add Malwarebytes Management Console


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Malwarebytes

Data Source Model Management Console

Data Format Default

Data Retrieval SYSLOG (Default)


Enabled    Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order    Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone    To assign this data source to a zone, select the zone from the list.

External data source link    Automatically selected when you import events from another Receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format    Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Malwarebytes Management Console log format and field mapping
Log format
The expected format for this device is:

CEF:0|VENDOR|PRODUCT|VERSION|CATEGORY|MESSAGE|SEVERITY|deviceExternalId=externalid dvchost=hostname
deviceDnsDomain=domain deviceMacAddress=mac_address dvc=device_ip rt=TIMESTAMP cs1Label=KEY cs1=VALUE…

Log sample
This is a sample log from a Malwarebytes Management Console device:

CEF:0|Malwarebytes|MBMC|1.7.0.3208 MBAM:1.80.2.1012 DB:913030101 MBAE:1.08.2.1189|DETECTION|Exploit ROP
attack quarantined|5|deviceExternalId=d6961b91-6098-48c4-a64eff75c9e5550e dvchost=PC-WIN123
deviceDnsDomain=WORKGROUP deviceMacAddress=00-00-00-00-00-00 dvc=192.0.2.10 rt=Jan 01 2016 01:01:01 -00:00
cn1=1 cn1Label=ObjectTypeScanned cs6= cs6Label=ObjectScanned cat=DETECTION cn2=1 cn2Label=Action
act=QUARANTINE outcome=success suser=jdoe cs5=data cs5Label=Data msg=Attacked application:
C:\\Users\\jdoe\\Desktop\\iexplore.exe; Parent process name: explorer.exe; Layer: Protection Against OS
Security Bypass; API ID: 453; Address: 0x76F5FE07; Module: ; AddressType: ; StackTop: 0x002F0000;
StackBottom: 0x002ED000; StackPointer: ; Extra: fname=Internet Explorer
filePath=C:\\Users\\jdoe\\Desktop\\iexplore.exe sourceServiceName=MBAE cs1= cs1Label=Payload cs2=
cs2Label=PayloadChecksum cs3= cs3Label=PayloadUrl cs4= cs4Label=PayloadProc

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Message Message

suser Source Username

dst Destination IP


src Source IP

act Device_Action

Action Action / Subtype

deviceMacAddress Source MAC

rt First Time, Last Time

PayloadProc Application

ObjectScanned Object

dvchost Hostname

Severity Severity

fname Filename

filePath File Path

deviceExternalId Source GUID

ObjectTypeScanned Object Type

dvc Device IP, Source IP (Fallback)

sourceServiceName Service Name

PayloadUrl URL
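The two Malwarebytes sources above (Breach Remediation and Management Console) both emit ArcSight CEF, and both samples rely on the csN/cnN custom fields whose meaning is carried by a matching csNLabel/cnNLabel key. As an added example, not code from this guide or from Malwarebytes, the following Python parses a CEF line (escaped pipes and backslashes included), resolves those labels, and applies the two mapping tables above. The sample lines are constructed from the guide's samples. The handling of rt as both First Time and Last Time, and of dvc as the fallback for Source IP, follows the Management Console table; Msg is composed from the header Name and Signature ID as the Breach Remediation table describes. Everything else about how ESM stores the result is not assumed here.

```python
"""Parse CEF lines like the Malwarebytes samples and map them onto ESM fields."""
import re

# Constructed sample lines modelled on the two Malwarebytes logs in this guide
# (not captured from a real device). Backslashes are doubled as CEF requires.
BREACH_REMEDIATION_LINE = (
    "CEF:0|Malwarebytes|Malwarebytes Malware Remediation|1.0|1000|ScanStarted|1|"
    "act=Action cat=MalwareCategory cs1=MalwareName cs1Label=MalwareName "
    "cs2=MalwareHash cs2Label=MalwareHash cs3=SessionId cs3Label=SessionId "
    "cs4=MalwareClass cs4Label=MalwareClass"
)
MBMC_LINE = (
    r"CEF:0|Malwarebytes|MBMC|1.7.0.3208 MBAM:1.80.2.1012|DETECTION|Exploit ROP attack quarantined|5|"
    r"deviceExternalId=d6961b91-6098-48c4-a64eff75c9e5550e dvchost=PC-WIN123 dvc=192.0.2.10 "
    r"cn1=1 cn1Label=ObjectTypeScanned cs6= cs6Label=ObjectScanned act=QUARANTINE suser=jdoe "
    r"msg=Attacked application: C:\\Users\\jdoe\\Desktop\\iexplore.exe; Parent process name: explorer.exe "
    r"filePath=C:\\Users\\jdoe\\Desktop\\iexplore.exe sourceServiceName=MBAE"
)

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                 # a pipe not escaped as \|
_KV_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")  # whitespace that starts the next key=


def _unescape(value):
    """Undo CEF escaping: \\= \\| \\\\ and the \\n \\r control escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return the seven header fields plus an 'extension' dict with custom labels resolved."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    event = dict(zip(HEADER, (_unescape(p) for p in parts[:7])))
    ext = {}
    extension = parts[7].strip() if len(parts) == 8 else ""
    # Values may contain spaces (see msg=), so split only where a new key= begins.
    for pair in _KV_BOUNDARY.split(extension):
        if "=" in pair:
            key, _, value = pair.partition("=")
            ext[key] = _unescape(value)
    # cs1Label=MalwareName cs1=X becomes MalwareName=X (same for cnN and the other custom slots).
    for key in list(ext):
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext and ext[key]:
            ext[ext.pop(key)] = ext.pop(base)
    event["extension"] = ext
    return event


# Mapping tables copied from this guide; a tuple means one key feeds several ESM fields.
BREACH_REMEDIATION_MAP = {
    "act": "Action", "cat": "Threat_Category", "MalwareName": "Threat_Name",
    "MalwareHash": "Hash", "SessionId": "Session", "MalwareClass": "Event_Class",
    "CommandLine": "Command", "deviceMacAddress": "Source MAC", "dvchost": "Host",
    "filePath": "File_Path", "msg": "Message_Text", "suser": "Source User",
}
MBMC_MAP = {
    "suser": "Source Username", "dst": "Destination IP", "src": "Source IP",
    "act": "Device_Action", "Action": "Action", "deviceMacAddress": "Source MAC",
    "rt": ("First Time", "Last Time"), "PayloadProc": "Application",
    "ObjectScanned": "Object", "dvchost": "Hostname", "fname": "Filename",
    "filePath": "File Path", "deviceExternalId": "Source GUID",
    "ObjectTypeScanned": "Object Type", "dvc": "Device IP",
    "sourceServiceName": "Service Name", "PayloadUrl": "URL",
}
MBMC_FALLBACKS = {"Source IP": "dvc"}   # table row: dvc -> Device IP, Source IP (Fallback)


def to_esm(event, mapping, fallbacks=None):
    """Apply a mapping table; empty extension values are not emitted."""
    esm = {"Msg": f"{event['name']} ({event['signature_id']})", "Severity": event["severity"]}
    ext = event["extension"]
    for key, value in ext.items():
        fields = mapping.get(key)
        if fields is None or value == "":
            continue
        for field in (fields if isinstance(fields, tuple) else (fields,)):
            esm[field] = value
    for field, key in (fallbacks or {}).items():
        if field not in esm and ext.get(key):
            esm[field] = ext[key]
    return esm


if __name__ == "__main__":
    print(to_esm(parse_cef(MBMC_LINE), MBMC_MAP, MBMC_FALLBACKS))
```

The split on "whitespace followed by key=" is what keeps the free-text msg value in one piece; a naive split on spaces would scatter it across dozens of bogus keys, and a producer that forgets to escape an embedded "word=" in a message will still confuse any CEF parser, which is worth remembering when a mapped field arrives truncated.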


Microsoft Azure Event Hubs

Configure a Microsoft Azure Event Hub


Set up an Event Hub to send data to ESM.

Before you begin


Set up an Event Hub according to Microsoft instructions.

Task

1. Get the Connection String value from Azure.
a. From the home page, click Overview on the left menu.
b. Under Settings, click Shared Access Policies.
c. Select RootManageSharedAccessKey.
d. Copy the value of Connection string primary key and paste it where you can find it when you configure the data source.

Note: RootManageSharedAccessKey carries the Manage, Send, and Listen rights for the whole namespace. The Receiver only reads from the hub, so if you create a dedicated policy for ESM, grant it only the Listen claim on that Event Hub, and treat the connection string as a credential because it embeds the key.
2. Get the Event Hub Name from Azure.
a. Under Entities, click Event Hubs.
b. Note the name of the Event Hub so you can use when you configure the data source.
3. (Optional) If you want to send data from the Event Hub to multiple data sources, set up Event Hub partitions. For example,
if you have 32 partitions in the cluster, you can set up a data source to collect from partitions 0–15 and another data source
to collect from partitions 16–31. The number of partitions is set when you create the Event Hub and can't be changed. The
maximum number of partitions is 32.

Note

When referencing partitions in the data source configuration, the partition numbering starts at zero.

Add a Microsoft Azure Event Hub


Add the data source to a receiver.

Before you begin


Make sure port 5671 is open bidirectionally between the Receiver and the Azure Event Hub connector.

Make sure these ports are open to the hostname in the connection string:

• AMQP ports 5671 and 5672
• HTTP/HTTPS ports 80 and 443

Determine the number of partitions you need.


In Policy Editor, enable all parsing rules for the Azure Event Hub data source.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor    Microsoft

Data Source Model    Azure Event Hubs

Data Format    Default

Data Retrieval    API

Enabled    Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address    Populated automatically when you enter the Hostname and click Look up.

Important: Clear the IP Address field before using the Look up feature.

Hostname    The host name is part of the Event Hub connection string. Copy it from the Azure portal. For example, if the connection string was Endpoint=sb://test.windows.net/;SharedAccessKeyName=test;SharedAccessKey=1111/111=;EntityPath=test, the host name would be test.windows.net.

Event Hub Connection String    The connection string provided on the Azure portal when you set up the Event Hub. It embeds the shared access key, so protect it like a password.

Eventhub name    Created when you set up the Event Hub. Paste it from the Azure portal.

Note: This is not the Event Hub Namespace name. Find the Event Hub name on the Azure Portal by clicking Event Hubs under the Entities heading.

Consumer Group    Use $Default. If you want to collect the same data multiple times, add more groups (comma delimited).

Partition Start/End    The number of partitions is set when you create an Event Hub and can't be changed. The Event Hub default is 4 partitions. The maximum number of partitions is 32, and partitions are numbered starting at 0.

If the Event Hub has 4 partitions defined, the correct data source configuration would be: Partition Start: 0 and Partition End: 3.

You can use partitions to set up multiple data sources for a single Event Hub cluster. For example, if you have 32 partitions in the cluster, you can set up a data source to collect from partitions 0–15 and another data source to collect from partitions 16–31.

Use proxy    Proxy, if required by installation

Support Generic Syslogs    Do nothing

Time Zone Time zone of the data being sent


5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order    Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone    To assign this data source to a zone, select the zone from the list.

External data source link    Automatically selected when you import events from another Receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format    Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Microsoft Azure Event Hub example log and field mapping


Microsoft Event Hubs can contain and serve any text-based event data. The sample log and field mapping shown here are
examples of one of those types.

Log sample
This is a sample log from a device:

{
  "category": "WorkflowRuntime",
  "level": "Error",
  "operationName": "Microsoft.Logic/workflows/workflowActionCompleted",
  "properties": {
    "code": "BadGateway",
    "correlation": {
      "actionTrackingId": "12345678-1234-1234-1234-123456789012",
      "clientTrackingId": "12345678901234567890"
    },
    "endTime": "2016-07-15T00:00:22.123456Z",
    "resource": {
      "actionName": "Send_email",
      "location": "westus",
      "resourceGroupName": "RG_TEST",
      "runId": "12345678901234567890",
      "subscriptionId": "87654321-4321-4321-4321-123456789012",
      "workflowId": "12345678901234567890123456789012",
      "workflowName": "WF_TEST"
    },
    "schema": "schema_name",
    "startTime": "2016-07-15T00:00:01.123456Z",
    "status": "Failed"
  },
  "resourceId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/MICROSOFT.LOGIC/WORKFLOWS/WF_TEST/RUNS/12345678901234567890/ACTIONS/SEND_EMAIL",
  "time": "2016-07-15T18:00:22.6235064Z",
  "workflowId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/MICROSOFT.LOGIC/WORKFLOWS/WF_TEST"
}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

category + operationName    sigid

operationName + properties.resource.actionName    msg

category    Category

time    firsttime, lasttime

level    severity

properties.status    action, Status

properties.code    Return_Code

properties.resource.actionName    Description

Microsoft Defender Advanced Threat Protection (ATP)

Configure Microsoft Defender Advanced Threat Protection


Set up Microsoft Defender Advanced Threat Protection (ATP) to send data to ESM.

Before you begin

Set up Microsoft Defender ATP according to Microsoft instructions.

Task

1. Create an Azure app and a client secret.
a. Log on to Azure as an Administrator.
b. Click Azure Active Directory → App registrations, and then select your application.
c. To add a secret to the application, click Certificates & secrets.
d. Under Client secrets, click New client secret.
e. Enter a description of the secret and a duration, and then click Add. Copy the secret value immediately; the portal shows it only once, and the collector stops authenticating when the secret expires, so record the expiry date.


2. Update App permissions
a. Log on to Azure as an Administrator.
b. In the Azure portal, search for your application and open it.
c. Under Manage, click API permissions → Add a permission → WindowsDefenderATP API.

Note

Make sure that your app has the Alert.Read.All API permission. It is an application permission, so an administrator must grant admin consent before the collector can read alerts.

3. Enable ESM integration in Microsoft Defender. For more information, see Microsoft documentation.

Add Microsoft Defender ATP


Add the data source to a receiver.

Before you begin


Make sure that port 443 is open from the Receiver to the Defender API hostname you enter in the Hostname field.

Make sure the Azure app exists and has a client secret. For more information, see Configure Microsoft Defender Advanced Threat Protection.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor    Microsoft

Data Source Model    Advanced Threat Protection (ATP)

Data Format Default

Data Retrieval API (Default)

Enabled    Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname    The IP address is not used by this collector; enter any IP address that is not used by another device.

Important: Clear the IP Address field before using the Look up feature.

The IP Address field is populated automatically when you enter the Hostname and click Look up. The hostname must be api.securitycenter.microsoft.com, or one of these regional hostnames, depending on your location:

• api-eu.securitycenter.microsoft.com
• api-us.securitycenter.microsoft.com
• api-uk.securitycenter.microsoft.com

If you are using GCC/GOV, the hostnames are:

• GCC: api-gcc.securitycenter.microsoft.us
• GCC High & DoD: api-gov.securitycenter.microsoft.us

Client Key    The Client ID (application ID) of the Azure application

Tenant ID    The Tenant ID of the Azure application

Password    The client secret of the Azure application

Use proxy    Proxy, if required by installation

Proxy IP Address    The IP address of the proxy

Proxy Port    Default

Proxy Username/Password    Credentials for logging on to the proxy


Time Zone Time zone of data being sent

Support Generic Syslogs    Parse as generic syslog

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order    Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone    To assign this data source to a zone, select the zone from the list.

External data source link    Automatically selected when you import events from another Receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format    Use this option when you are exporting raw data source data.

Data is NitroFile format    Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Microsoft Defender ATP log format and field mapping


The Defender ATP collector retrieves alerts from the Microsoft Defender API as JSON records like the one below. The field mapping shown here is an example for that alert type.

Log sample
This is a sample log from a device:

{
  "aadTenantId": "61598ed8-fe2d-11ec-b939-0242ac120002",
  "alertCreationTime": "2022-06-22T00:43:43.6035227Z",
  "assignedTo": null,
  "category": "SuspiciousActivity",
  "classification": null,
  "comments": [],
  "computerDnsName": "bob_iphone 11",
  "description": "",
  "detectionSource": "WindowsDefenderSmartScreen",
  "detectorId": "61598ed8-fe2d-11ec-b939-0242ac120002",
  "determination": null,
  "evidence": [],
  "firstEventTime": "2022-06-22T00:43:43.0279543Z",
  "id": "ab012345678901253456_0123456789",
  "incidentId": 1234,
  "investigationId": null,
  "investigationState": "UnsupportedOs",
  "lastEventTime": "2022-06-22T00:43:43.0279543Z",
  "lastUpdateTime": "2022-06-22T00:43:44.41Z",
  "loggedOnUsers": [{"accountName": "Bob", "domainName": null}],
  "machineId": "98e47692fe2d11ecb9390242ac120002",
  "mitreTechniques": [],
  "rbacGroupName": "UnassignedGroup",
  "relatedUser": {"domainName": "bob_iPhone 11", "userName": "Bob"},
  "resolvedTime": null,
  "severity": "Informational",
  "status": "New",
  "threatFamilyName": null,
  "threatName": null,
  "title": "Device tried to access a phishing site"
}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

title msg

title sigid

category Category

threatFamilyName Category

computerDnsName HostID

machineId Virtual_Machine_ID

sha256 Hash

fileName Destination_Filename

filePath File_Path

alertCreationTime firsttime

alertCreationTime lasttime

loggedOnUsers.domainName DomainID

loggedOnUsers.accountName UserIDSrc

severity severity

threatName Threat_Name

incidentId External_EventID

rbacGroupName Group_Name

detectionSource AppID


investigationState Response_Code
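Both the Event Hub sample and the Defender ATP alert above are nested JSON, and both mapping tables use dotted paths (properties.resource.actionName, loggedOnUsers.accountName) and composite fields (category + operationName). As an added example, not part of this guide or of any McAfee or Microsoft code, the following Python applies such a mapping table to a record and serves both sections. The two samples are constructed from the ones shown in this guide and trimmed to the mapped keys; the way list values (loggedOnUsers) and null values (threatFamilyName, domainName) are handled is an assumption made for the example, not documented ESM behaviour.

```python
"""Map nested JSON events (Event Hub and Defender ATP samples) onto ESM fields."""
import json

# Constructed samples, trimmed from the two JSON logs shown in this guide.
EVENT_HUB_SAMPLE = """{
  "category": "WorkflowRuntime",
  "level": "Error",
  "operationName": "Microsoft.Logic/workflows/workflowActionCompleted",
  "properties": {
    "code": "BadGateway",
    "resource": {"actionName": "Send_email", "workflowName": "WF_TEST"},
    "status": "Failed"
  },
  "time": "2016-07-15T18:00:22.6235064Z"
}"""
DEFENDER_SAMPLE = """{
  "alertCreationTime": "2022-06-22T00:43:43.6035227Z",
  "category": "SuspiciousActivity",
  "computerDnsName": "bob_iphone 11",
  "detectionSource": "WindowsDefenderSmartScreen",
  "incidentId": 1234,
  "investigationState": "UnsupportedOs",
  "loggedOnUsers": [{"accountName": "Bob", "domainName": null}],
  "machineId": "98e47692fe2d11ecb9390242ac120002",
  "rbacGroupName": "UnassignedGroup",
  "severity": "Informational",
  "threatFamilyName": null,
  "threatName": null,
  "title": "Device tried to access a phishing site"
}"""

# (ESM field, source paths) rows copied from the two mapping tables. Several paths for
# one field are joined with a space, which is how the "category + operationName" row is read here.
EVENT_HUB_MAP = [
    ("sigid", ["category", "operationName"]),
    ("msg", ["operationName", "properties.resource.actionName"]),
    ("Category", ["category"]),
    ("firsttime", ["time"]), ("lasttime", ["time"]),
    ("severity", ["level"]),
    ("action", ["properties.status"]), ("Status", ["properties.status"]),
    ("Return_Code", ["properties.code"]),
    ("Description", ["properties.resource.actionName"]),
]
DEFENDER_MAP = [
    ("msg", ["title"]), ("sigid", ["title"]),
    ("Category", ["category"]), ("Category", ["threatFamilyName"]),
    ("HostID", ["computerDnsName"]), ("Virtual_Machine_ID", ["machineId"]),
    ("Hash", ["sha256"]), ("Destination_Filename", ["fileName"]), ("File_Path", ["filePath"]),
    ("firsttime", ["alertCreationTime"]), ("lasttime", ["alertCreationTime"]),
    ("DomainID", ["loggedOnUsers.domainName"]), ("UserIDSrc", ["loggedOnUsers.accountName"]),
    ("severity", ["severity"]), ("Threat_Name", ["threatName"]),
    ("External_EventID", ["incidentId"]), ("Group_Name", ["rbacGroupName"]),
    ("AppID", ["detectionSource"]), ("Response_Code", ["investigationState"]),
]


def get_path(obj, path):
    """Walk a dotted path; a list met on the way fans out and the values are collected."""
    for part in path.split("."):
        if isinstance(obj, list):
            obj = [item.get(part) for item in obj if isinstance(item, dict)]
        elif isinstance(obj, dict):
            obj = obj.get(part)
        else:
            return None
    return obj


def _text(value):
    """Render a value as a string; None, and lists with nothing but None, become None."""
    if isinstance(value, list):
        value = [v for v in value if v is not None]
        return ", ".join(str(v) for v in value) if value else None
    return None if value is None else str(value)


def esm_fields(raw_json, mapping):
    """Apply a mapping table to one JSON record. A later row for the same ESM field
    only overrides an earlier one when it yields a value, so the null threatFamilyName
    in the Defender sample does not wipe out the Category taken from category."""
    event = json.loads(raw_json)
    esm = {}
    for field, paths in mapping:
        parts = [t for t in (_text(get_path(event, p)) for p in paths) if t is not None]
        if parts:
            esm[field] = " ".join(parts)
    return esm


if __name__ == "__main__":
    print(esm_fields(EVENT_HUB_SAMPLE, EVENT_HUB_MAP))
    print(esm_fields(DEFENDER_SAMPLE, DEFENDER_MAP))
```

Keys the table names but the record lacks (sha256, fileName, filePath in this alert) simply produce no ESM field, which is the behaviour you want when Defender emits different alert shapes through the same collector.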

Microsoft DNS

Configure Microsoft DNS


Task

1. Open the DNS Microsoft Management Console (MMC) snap-in: click Start → Programs → Administrative Tools, then select DNS.
2. In the console tree, right-click the DNS server and select Properties.
3. Click the Debug Logging tab, then select Log packets for debugging.
4. Ensure that the Incoming, UDP, Queries/Transfers, and Request checkboxes are selected, and set a maximum file size so the log cannot fill the system volume; packet logging on a busy server is write-heavy.

The file location is %SystemRoot%\System32\Dns\Dns.log.

5. Configure McAfee Collector to tail the log and send it to the McAfee Event Receiver.

Add Microsoft DNS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model DNS

Data Format Default


Data Retrieval MEF

Enabled    Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Host ID Host ID associated with the McAfee Collector log tail configuration if applicable

Support Generic Syslogs    Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).

712 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Option Definition

• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Windows DNS log sample


Log sample

9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)
9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)
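The PACKET lines above carry the queried name in length-prefixed labels. The following is an added example parser, not McAfee code: the field layout is inferred from the sample, and the regex, field names and the constructed third line are this example's own. It decodes the labels, rejects records whose declared label lengths do not match the text, and reads the timestamp according to the data source's Date Order setting.

```python
"""Parse Windows DNS debug-log PACKET lines into the fields an analyst needs
(queried name, direction, remote IP, response code, timestamp).

Added example, not McAfee code.  The field layout is inferred from the log
sample above; the regex and the output field names are this example's own.
"""
import re
from datetime import datetime

# Label-length notation used by the debug log: (3)www(9)sonystyle(3)com(0)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread>\S+)\s+PACKET\s+(?P<ptr>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+(?P<qr>[QR])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# The two lines from the page's log sample plus one constructed NXDOMAIN response.
SAMPLE_LINES = [
    "9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q "
    "[0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q "
    "[0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:39 PM 1720 PACKET 06569C90 UDP Snd 127.0.0.1 be06 R "
    "[8385 A DR NXDOMAIN] A (7)example(7)invalid(0)",   # constructed
]


def decode_labels(encoded):
    """Turn (3)www(9)sonystyle(3)com(0) into www.sonystyle.com.

    Returns None when a declared length does not match the label text or the
    name lacks the terminating (0), so a truncated or tampered record is
    dropped rather than silently producing the wrong name.
    """
    labels = []
    pos = 0
    for m in LABEL_RE.finditer(encoded):
        if m.start() != pos:
            return None                      # stray characters between labels
        pos = m.end()
        length, text = int(m.group(1)), m.group(2)
        if length == 0:
            if text or pos != len(encoded):
                return None                  # (0) must be the last token
            return ".".join(labels) if labels else "."
        if len(text) != length:
            return None
        labels.append(text)
    return None                              # no terminating (0)


def parse_dns_debug_line(line, day_first=False):
    """Parse one PACKET line.  Returns None for lines that are not packet
    records (the debug log also contains other line types) or are malformed.
    day_first mirrors the data source's Date Order setting (default: month
    before day)."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    fmt = "%d/%m/%Y %I:%M:%S %p" if day_first else "%m/%d/%Y %I:%M:%S %p"
    try:
        ts = datetime.strptime(f"{m['date']} {m['time']}", fmt)
    except ValueError:
        return None
    flag_tokens = m["flags"].split()         # e.g. ['0001', 'D', 'NOERROR']
    name = decode_labels(m["name"])
    if name is None or len(flag_tokens) < 2:
        return None
    return {
        "timestamp": ts,
        "protocol": m["proto"],
        "direction": m["dir"],               # Rcv: server received, Snd: server sent
        "remote_ip": m["ip"],
        "xid": m["xid"],
        "is_response": m["qr"] == "R",
        "flags_hex": flag_tokens[0],
        "rcode": flag_tokens[-1],            # NOERROR, NXDOMAIN, SERVFAIL, ...
        "qtype": m["qtype"],
        "name": name,
    }


def parse_dns_debug_log(lines, day_first=False):
    """Parse many lines, dropping the ones that do not parse."""
    events = (parse_dns_debug_line(l, day_first) for l in lines)
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for ev in parse_dns_debug_log(SAMPLE_LINES):
        print(ev["timestamp"], ev["direction"], ev["remote_ip"], ev["rcode"], ev["name"])
```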

Microsoft Forefront Endpoint Protection 2010

Configure Microsoft Forefront Endpoint Protection 2010


No configuration is needed on the FEP application to allow data collection from McAfee ESM, which collects data by connecting
directly to the data warehouse database.

Add Microsoft Forefront Endpoint Protection 2010


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Forefront Endpoint Protection 2010 (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

User ID The database user ID.

Password The password associated with the User ID.

Port The TCP port that the database is listening on. The default port is 1433.

Database Name The name of the database that contains the vwFEP_AM_NormalizedDetectionHistory view,
typically prefaced with FEPDW_*.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Forefront Endpoint Protection 2010 log format and field mapping

Log format
The expected format for this device is:


computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a Microsoft Forefront Endpoint Protection 2010 device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

Microsoft Internet Authentication Service (IAS)

Configure Microsoft Internet Authentication Service (IAS)


This data source supports multiple modes of data delivery: all file delivery methods (SCP, HTTP, FTP, SFTP, NFS,
and CIFS/Windows File Share). Additional setup steps might be required on the IAS server to allow data to be sent to the McAfee
Event Receiver using these methods.

The recommended method for data delivery is to use the McAfee Collector to send the logs over syslog. These agents send
only the logs that haven't yet been sent, eliminating duplicates.

See the documentation for the method you choose to use.

Configure Microsoft IAS (Formatted ASP)


Task

1. Open Internet Authentication Service.
2. Click Remote Access Logging in the console tree.
3. Right-click Local File in the details pane, then click Properties.
4. Enable the logging you want, then click Apply.
5. Click the Log File tab.
6. In the Directory field, enter the path for log file storage. If you are not using the McAfee Collector, make sure that the path
is accessible to the McAfee Event Receiver.

The default path is systemroot/System32/LogFiles.

7. Under Format, select IAS.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.

Add Microsoft IAS (Formatted ASP)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Authentication Service – Formatted (ASP)

Data Format Default

Data Retrieval The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft IAS (formatted ASP) log format and field mapping


Log format
The expected format for this device is:

NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name, AttributeNumber1, ValueForAttributeNumber1, AttributeNumber2, ValueForAttributeNumber2, AttributeNumber3, ValueForAttributeNumber3…

Log sample
This is a sample log from a Microsoft IAS device:

192.0.2.1,client,01/01/2012,00:00:00,UAS,CLIENTCOMP,44,2666,25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,8153,0,8111,0,4130,server.example.com/Domain Users/service/folder/client,4294967206,14,4294967207,2,6,2,28,14400,7,1,4149,VPN_Allow_user,4120,0x0049532D48455243554C4553,4127,4,4154,Microsoft Routing and Remote Access Service Policy,4155,1,4129,Domain\user.name,4136,2,4142,0

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Client Domain

User-Name Username

Date and Time Firsttime/Lasttime

Service-Name Application

Computer-Name (Radius/AD Server IP) Destination IP

NP-Policy-Name Object name

Packet-type Action

Framed-IP-Address Source IP

NAS-ID External Device Name

NAS-IP-Address Device IP

Called-Station-ID Destination MAC

Calling-Station-ID Source MAC

Application Application

Reason-Code Reason

Connection-Info Message_Text
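The attribute-number/value pairs that follow the six fixed fields are what the mapping above keys on. The following added example (not McAfee code) parses a formatted (ASP) line into a dictionary keyed by the ESM field names in the table. The attribute-number names are this example's assumption, taken from the RADIUS RFCs and Microsoft's IAS attribute list rather than from this page, and the two sample lines are constructed.

```python
"""Parse Microsoft IAS formatted (ASP) log lines into McAfee ESM field names.

Added example, not McAfee code.  The six fixed fields follow the page's log
format; the attribute-number names are this example's assumption, taken from
RFC 2865/2866 and Microsoft's IAS attribute list rather than from the page;
the ESM field names follow the page's field-mapping table.
"""
from datetime import datetime

RADIUS_ATTR = {                     # assumption: standard RADIUS and IAS IDs
    4: "NAS-IP-Address", 6: "Service-Type", 7: "Framed-Protocol",
    8: "Framed-IP-Address", 25: "Class", 28: "Idle-Timeout",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    44: "Acct-Session-Id", 77: "Connect-Info",
    4127: "Authentication-Type", 4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name", 4136: "Packet-Type",
    4142: "Reason-Code", 4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name",
    4155: "Provider-Type",
}

# attribute name -> ESM field, from the page's mapping table
ESM_MAP = {
    "NP-Policy-Name": "Object name", "Packet-Type": "Action",
    "Framed-IP-Address": "Source IP", "NAS-Identifier": "External Device Name",
    "Called-Station-Id": "Destination MAC", "Calling-Station-Id": "Source MAC",
    "Reason-Code": "Reason", "Connect-Info": "Message_Text",
}

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample: an accepted VPN logon modelled on the page's sample and a
# rejected logon.
SAMPLE_LINES = [
    "192.0.2.1,client,01/01/2012,00:00:00,IAS,CLIENTCOMP,44,2666,"
    "25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,8,10.0.0.5,6,2,28,14400,7,1,"
    "4149,VPN_Allow_user,4127,4,"
    "4154,Microsoft Routing and Remote Access Service Policy,"
    "4155,1,4129,EXAMPLE\\user.name,4136,2,4142,0",
    "192.0.2.1,bob,01/01/2012,00:00:05,IAS,CLIENTCOMP,31,00-11-22-33-44-55,"
    "32,vpn-gw-01,4129,EXAMPLE\\bob,4136,3,4142,16",
]


def parse_ias_line(line, day_first=False):
    """Return a dict keyed by ESM field names, or None if the line is malformed.

    Values are not quoted in this format, so a value containing a comma cannot
    be recovered; an odd number of trailing tokens is treated as corruption.
    """
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        return None
    attrs = {}
    for i in range(6, len(fields), 2):
        if not fields[i].isdigit():
            return None                      # attribute numbers are integers
        attrs[RADIUS_ATTR.get(int(fields[i]), f"Attr-{fields[i]}")] = fields[i + 1]

    fmt = "%d/%m/%Y %H:%M:%S" if day_first else "%m/%d/%Y %H:%M:%S"
    try:
        ts = datetime.strptime(f"{fields[2]} {fields[3]}", fmt)
    except ValueError:
        return None

    event = {                                # fixed fields, per the mapping table
        "Device IP": fields[0],
        "Username": fields[1],
        "Firsttime": ts,
        "Lasttime": ts,
        "Application": fields[4],
        "Destination IP": fields[5],
    }
    for attr, esm in ESM_MAP.items():
        if attr in attrs:
            event[esm] = attrs[attr]
    if "Action" in event:
        event["Action"] = PACKET_TYPES.get(event["Action"], event["Action"])
    # Domain is the DOMAIN\user prefix; prefer SAM-Account-Name over User-Name
    user = attrs.get("SAM-Account-Name", fields[1])
    if "\\" in user:
        event["Domain"] = user.split("\\", 1)[0]
    event["attributes"] = attrs              # everything else, for ad-hoc lookups
    return event


def rejected_logons(events):
    """Usernames with an Access-Reject packet type: a quick failed-logon view."""
    return [e["Username"] for e in events if e.get("Action") == "Access-Reject"]


if __name__ == "__main__":
    parsed = [parse_ias_line(l) for l in SAMPLE_LINES]
    for ev in parsed:
        print(ev["Firsttime"], ev["Username"], ev["Action"], ev.get("Reason"))
    print("rejected:", rejected_logons(parsed))
```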

Configure Microsoft IAS (database compatible)


Task

1. Open Internet Authentication Service.
2. Click Remote Access Logging in the console tree.
3. In the details pane, right-click Local File, then click Properties.
4. Enable the type of logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path
is network accessible to the McAfee Event Receiver.

The default path is systemroot/System32/LogFiles.

7. Click Database-compatible for the Format parameter.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.

Add Microsoft IAS (Database Compatible)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Authentication Service – Database Compatible

Data Format Default

Data Retrieval The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft IAS (database compatible) log format and field mapping

Log format
The expected format for this device is:

"ComputerName"," ServiceName", Record-Date, Record-Time, Packet-Type," User-Name"," Fully-Qualified-Distinguished-Name"," Called-Station-ID"," Calling-Station-ID", Callback-Number, Framed-IP-Address," NAS-Identifier"," NAS-IP-Address",NAS-Port, Client-Vendor,"Client-IP-Address"," Client-Friendly-Name", Event-Timestamp, Port-Limit, NAS-Port-Type,Connect-Info,Framed-Protocol,Service-Type,Authentication-Type,"Policy-Name",Reason-Code,"Class",Session-Timeout,Idle-Timeout,Termination-Action,EAP-Name,Acc-Status-Type,Acc-Delay-Time,Acc-Input-Octets,Acc-Output-Octets,Acc-Session-ID,Acc-Authentic,Acc-Input-Packet,Acc-Output-packet,acc-terminate-Cause,acc-multi-ssn-ID,acc-link-Count,Acc-Interim-Interval,tunnel-type,tunnel-medium-type,tunnel-client-endpoint,tunnel-server-endpoint,Acc-tunnel-conn,tunnel-pvt-group-ID,"tunnel-assignment-id",Tunnel-Preference,MS-acc-auth-type,MS-acc-EAP-Type,MS-RAS-Version,MS-RAS-Vendor,MS-CHAP-Error,MS-CHAP-Error,MS-CHAP-Domain,MS-MPPE-Encryption-Types,MS-MPPE-Encryption-Policy,"Proxy-Policy-Name:MSG",Provider-Type,Provider-Name,Remote-Server-IP,MS-RAS-CLient-Name,MS-RAS-Client-Version

Log sample
This is a sample log from a Microsoft IAS device:

"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,,,,,,,0,,,,,,1,,,,,1,,,,,,,,13,6,,,,"110",,,,,,,,,,,"Use Windows authentication for all users",,,,,
"TestHost","IAS",01/01/2016,00:00:001,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A-0A-0A-0A",,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,0,,,,,,,,,,,,,,,,,,13,6,,,,"190",,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log fields McAfee ESM fields

Client Domain

username Source User

Record-Date+Record-Time First Time, Last Time

IAS Application

Hostname Host

Policy-Name Policy_Name

Packet-type Event Subtype

Tunnel-client-endpoint address Source IP

Reason-Code Reason

Packet-Type+99+Reason-Code Signature ID

ComputerName Destination Host

ServiceName Service_Name

Event-Timestamp First Time, Last Time

Domain, FQ-Domain, MS-CHAP-DOMAIN Domain

User-Name, FQ-Distinguished-Name Source User

Called-Station-ID Destination MAC

Class (IP Address) Destination IP

NAS-Identifier External_Device_ID

NAS-IP-Address, Client-IP-Address Device_IP

Calling-Station-ID Source MAC

Framed-IP-Address Source IP

Calling-Station-ID (IP Address) Source IP

Connect-Info Message_Text

Acct-Session-Id Session

Microsoft Internet Information Services (IIS)

Configure Microsoft IIS


Task

1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools in the Control Panel).
2. Select the Logging option.
3. Select a log format. W3C format is the default, but IIS and NCSA are also supported. If using the W3C format, you must
select all fields.
4. Make a note of where the logs are being saved, or change the location as needed.
5. Finish the logging setup by configuring the McAfee Collector to tail the IIS logs and send to the McAfee Event Receiver.

Add Microsoft IIS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Information Services (ASP)

Data Format Default

Data Retrieval MEF

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. Clearing the
checkbox removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft IIS log format and field mapping

Log format
The expected formats for this device are:

W3C

date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

NCSA

Remote_host_address Remote_log_name User_name [Date/time Greenwich mean time (GMT) offset] "Request and protocol version" Service_status_code Bytes_sent

IIS

Client_IP_address, User_name, Date, Time, Service_and_instance, Server_name, Server_IP, Time_taken, Client_bytes_sent, Server_bytes_sent, Service_status_code, Windows_status_code, Request_type, Target_of_operation, Parameters,

Advanced Logging

date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes W3WP-PrivateBytes cs-username cs(User-Agent) time-local TimeTakenMS sc-substatus s-sitename s-ip s-port RequestsPerSecond s-proxy cs-version c-protocol cs-method cs(Host) EndRequest-UTC date-local CPU-Utilization cs(Cookie) c-ip BeginRequest-UTC

Log sample
The following are samples of possible logs from the Microsoft IIS device:

W3C

2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) - - 127.0.0.1 404 4 2 109 398 2


NCSA

172.21.13.45 - Microsoft\fred [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401

IIS

172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

Advanced Logging

2014-11-16 22:56:55.379 /index.html - "C:\inetpub\wwwroot\index.html" 200 "WIN2008R2-1" - 0 339 39 - - - 15:56:55.379 4 0 "DEFAULT WEB SITE" 10.50.14.9 80 - - "HTTP/1.0" "http" GET "10.50.14.9" 2014-11-16 22:56:55.379 2014-11-16 - - 10.50.14.8 2014-11-16 22:56:55.375

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

W3C log fields McAfee ESM fields

Date Time (two fields) FirstTime,LastTime

s-ip Destination IP

cs-method Command

cs-uri-stem Object

s-port Destination Port

cs-username (domain section) Domain

cs-username Source User

c-ip Source IP

cs(User-Agent) Application

cs-host Hostname

sc-status sid

sc-status(first number) Action

IIS log fields McAfee ESM fields

Client IP Source IP

User name Source User

Date Time (two fields) FirstTime, LastTime

Server Name Hostname

Server IP Destination IP

Clients bytes sent Bytes_from_Client

Server bytes sent Bytes_from_Server

Service Status Code sid

Service Status Code (first number) action

Request Type Command

Target of Operation Object


NCSA Log fields McAfee ESM fields

Remote Host Address Source IP

User name Source User

Date Time (two fields) FirstTime, LastTime

Request and protocol version (first part) Command

Request and protocol version (second part) Object

Request and protocol version (third part) Protocol

Service Status Code sid

Service Status Code (first number) action

Bytes Sent Bytes_Sent

Advanced logging McAfee ESM fields

Date Time (two fields) FirstTime,LastTime

s-ip Destination IP

cs-method Command

cs-uri-stem Object

s-port Destination Port

cs-username (domain section) Domain

cs-username Source User

c-ip Source IP

cs(User-Agent) User_Agent

cs-host Hostname

sc-status sid

sc-status(first number) Action

sc-bytes Bytes_from_Server

cs-bytes Bytes_from_Client

protocol Application_Protocol
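The following added example (not McAfee or Microsoft code) turns W3C log lines into the ESM fields of the W3C mapping table above. It reads the `#Fields:` directive so it follows whichever field selection the server writes, derives Domain from the domain section of cs-username and Action from the first digit of sc-status as the table describes, and skips any line whose field count does not match. The log excerpt is constructed, with the page's sample line shortened.

```python
"""Parse IIS W3C Extended log lines into the McAfee ESM fields of the W3C
mapping table above.

Added example, not McAfee or Microsoft code.  DEFAULT_FIELDS is the field
order the page documents; a #Fields: directive in the log overrides it, as
the W3C Extended Log format specifies.
"""
from datetime import datetime

DEFAULT_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

# W3C field -> ESM field, from the page's mapping table
ESM_MAP = {
    "s-ip": "Destination IP", "cs-method": "Command", "cs-uri-stem": "Object",
    "s-port": "Destination Port", "cs-username": "Source User",
    "c-ip": "Source IP", "cs(User-Agent)": "Application", "cs-host": "Hostname",
    "sc-status": "sid",
}

# Constructed excerpt: directives, the page's sample line (user agent
# shortened) and a constructed 401 for a domain-qualified user.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) - - 127.0.0.1 404 4 2 109 398 2
2011-04-14 14:58:40 MS_ISS_1 name 127.0.0.1 POST /admin/login.aspx - 443 CORP\\alice 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - www.example.com 401 2 5 1433 612 15
"""


def to_esm_event(rec):
    """Map one parsed record (W3C field -> value) to ESM field names.
    Returns None when the record has no usable date/time."""
    ev = {}
    try:
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None
    ev["FirstTime"] = ev["LastTime"] = ts
    for w3c, esm in ESM_MAP.items():
        if rec.get(w3c, "-") != "-":          # '-' means the field is empty
            ev[esm] = rec[w3c]
    user = rec.get("cs-username", "-")
    if "\\" in user:                          # "cs-username (domain section)" -> Domain
        ev["Domain"], ev["Source User"] = user.split("\\", 1)
    status = rec.get("sc-status", "-")
    if status.isdigit():
        ev["Action"] = status[0]              # "sc-status (first number)" -> Action
    if "Application" in ev:
        ev["Application"] = ev["Application"].replace("+", " ")  # IIS writes spaces as '+'
    return ev


def parse_w3c_log(text):
    """Return one ESM-style dict per request line, skipping directives and
    any line whose field count does not match the current #Fields: list."""
    fields = list(DEFAULT_FIELDS)
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                          # do not guess at a misaligned line
        ev = to_esm_event(dict(zip(fields, values)))
        if ev is not None:
            events.append(ev)
    return events


def failed_auth_events(events):
    """Requests the server answered with 401, the usual starting point for a
    credential-guessing review."""
    return [e for e in events if e.get("sid") == "401"]


if __name__ == "__main__":
    for ev in parse_w3c_log(SAMPLE_LOG):
        print(ev["FirstTime"], ev.get("Source IP"), ev.get("Command"),
              ev.get("Object"), ev.get("sid"), ev.get("Domain"), ev.get("Source User"))
```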

Install Microsoft IIS Advanced Logging


Task

1. Download the Advanced Logging extension for IIS. At the time of this documentation, it was available at:
http://www.iis.net/downloads/microsoft/advanced-logging
2. Run AdvancedLogging.exe to start the Web Platform Installer.
Once loaded, the installer displays a window to install Advanced Logging.
3. Select Install.
4. When the installer displays the licensing information, select I Accept.
The remaining phases complete the installation automatically.
5. Click Finish to exit the Advanced Logging installation.
6. Click Exit to exit the Web Platform Installer.
Advanced Logging is now installed.

Configure Microsoft IIS Advanced Logging


Task

1. Open the Internet Information Services (IIS) Manager.


2. Under Connections, select the server.
3. Click the Advanced Logging icon.
4. When the installer displays the licensing information, select I Accept.
The remaining phases complete the installation automatically.
5. From the Advanced Logging menu, click Enable Advanced Logging on the right.
6. In the Name column, click the name of the server hosting the site to change the menu options on the right.
7. Select Edit Log Definition.
8. From the Log Definition menu, scroll down to Selected Fields, then click Select Fields.
9. In Select Logging Fields, select every field in the ID column. Scroll down to select all fields, then press OK.
10. From the Internet Information Services (IIS) Manager window, click Apply.
11. Done.

Microsoft Internet Information Service (IIS) - SMTP

Configure Microsoft Internet Information Services - SMTP


Set up a Microsoft Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) server to send data to McAfee ESM.

Before you begin


Make sure IIS Manager is installed on your system. For more information, see the Install Microsoft IIS Advanced Logging topic.

Task

1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools in the Control Panel).
2. Open the SMTP Virtual Server Properties dialog box.
3. Select the Enable logging checkbox.
4. Select the W3C Extended Log File Format from the Active log format drop-down list.
5. Click Properties → Advanced and then select all checkboxes.
6. Click OK.

Add Microsoft IIS - SMTP


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Information Services - SMTP

Data Format Default

Data Retrieval MEF

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft IIS - SMTP log format and field mapping


Log format
This is a log format from a device:

#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem
cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent)
cs(Cookie) cs(Referer)

Log sample
This is a sample log from a device:

2021-03-09 05:34:12 10.10.10.10 - SMTPSVC1 SMTP01 10.10.10.10 0 HELO - + 250 0 55 5 0 SMTP - - - -

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

W3C log fields McAfee ESM fields

Date Time (two fields) FirstTime,LastTime

s-ip Destination IP

cs-method Command

cs-uri-stem URL

s-port Destination Port

cs-username (domain section) Domain

cs-username Source User

c-ip Source IP

cs(User-Agent) User_Agent

cs-host Hostname

sc-status sid, message

sc-status(first number) Action
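
As an added example, not part of the McAfee guide, the Python below reads an IIS SMTP W3C log, honours its #Fields directive and applies the mapping table above; the log text is the guide's sample line plus a constructed second line, and the reply-class labels are this example's reading of RFC 5321.

```python
"""Parse IIS SMTP W3C extended logs and apply the McAfee ESM field mapping.

Added example, not the McAfee guide's own code. The #Fields directive and the
first data line are the ones printed in the guide; the second data line is
constructed to exercise the DOMAIN\\user and 5xx reply paths.
"""
from datetime import datetime, timezone

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2021-03-09 05:34:12
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2021-03-09 05:34:12 10.10.10.10 - SMTPSVC1 SMTP01 10.10.10.10 0 HELO - + 250 0 55 5 0 SMTP - - - -
2021-03-09 05:34:13 192.0.2.25 CORP\\relay01 SMTPSVC1 SMTP01 10.10.10.10 0 RCPT - +TO:<nobody@example.net> 550 0 45 32 0 SMTP - - - -
"""

# RFC 5321 reply-code classes, keyed by the first digit of sc-status.
REPLY_CLASSES = {
    "2": "positive completion",
    "3": "positive intermediate",
    "4": "transient negative completion",
    "5": "permanent negative completion",
}


def reply_class(status):
    """RFC 5321 class of an SMTP reply code such as '550'."""
    return REPLY_CLASSES.get(str(status)[:1], "unknown")


def w3c_value(token):
    # In the W3C extended format a lone "-" means the field is empty.
    return None if token == "-" else token


def parse_w3c_line(fields, line):
    """Split one data line into a dict keyed by the names from #Fields."""
    tokens = line.split()
    if len(tokens) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}: {line!r}")
    return {name: w3c_value(tok) for name, tok in zip(fields, tokens)}


def to_esm_event(rec):
    """Apply the guide's W3C -> McAfee ESM mapping to one parsed record."""
    # W3C extended logs are written in UTC, so the timestamp is tagged as such.
    ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    domain, user = None, rec.get("cs-username")
    if user and "\\" in user:  # the domain section of DOMAIN\user feeds Domain
        domain, user = user.split("\\", 1)
    status = rec.get("sc-status")
    return {
        "FirstTime": ts,
        "LastTime": ts,
        "Source IP": rec.get("c-ip"),
        "Destination IP": rec.get("s-ip"),
        "Destination Port": int(rec["s-port"]) if rec.get("s-port") else None,
        "Command": rec.get("cs-method"),
        "URL": rec.get("cs-uri-stem"),
        "Domain": domain,
        "Source User": user,
        "User_Agent": rec.get("cs(User-Agent)"),
        "Hostname": rec.get("cs-host"),
        # sc-status feeds both sid and message; the message wording is this
        # example's own. Action is the first digit of the reply code.
        "sid": status,
        "message": f"SMTP reply {status} ({reply_class(status)})" if status else None,
        "Action": status[:1] if status else None,
    }


def parse_log(text):
    """Parse a whole W3C log, honouring every #Fields directive in it (IIS
    writes a directive block at the top of each new log file and after a
    service restart)."""
    fields, events = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        events.append(to_esm_event(parse_w3c_line(fields, line)))
    return events


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["FirstTime"].isoformat(), ev["Source IP"], ev["Command"], ev["message"])
```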

Microsoft Network Policy Server (NPS)

Configure Microsoft Network Policy Server (NPS)


Multiple modes of data delivery are supported for this data source. All file delivery methods (SCP, HTTP, FTP, SFTP, NFS, and CIFS/Windows File Share) are supported. Additional setup might be required on the NPS server to allow data to be sent to the McAfee Event Receiver using these methods.

The recommended method for data delivery is to use the McAfee Collector to send the logs over Syslog. These agents have the
added benefit of being able to send only the logs that haven’t yet been sent, eliminating duplicates.

See the respective delivery method documentation for the method you chose to use.

Configure Microsoft NPS (Database Compatible)


Task

1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.

For Server 2008, click Configure Local file Logging under Local File Logging in the details pane.

4. In Log File Properties, enable the type of logging you want, then click Apply.
5. Click the Log File tab.

6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path
is accessible to the McAfee Event Receiver.

The default path is systemroot/System32/LogFiles.

7. From the Format menu, select ODBC (Legacy).

For platforms earlier than Server 2008 R2, select IAS in the Format field.

8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then OK.

Add Microsoft NPS (Database Compatible)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Authentication Service – Database Compatible

Data Format Default

Data Retrieval The method used to retrieve data.

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft NPS (database compatible) log format and field mapping


Log format
The expected format for this device is:

"ComputerName"," ServiceName", Record-Date, Record-Time, Packet-Type," User-Name"," Fully-Qualified-Distinguished-Name"," Called-Station-ID"," Calling-Station-ID", Callback-Number, Framed-IP-Address," NAS-Identifier"," NAS-IP-Address",NAS-Port, Client-Vendor,"Client-IP-Address"," Client-Friendly-Name", Event-Timestamp, Port-Limit, NAS-Port-Type,Connect-Info,Framed-Protocol,Service-Type,Authentication-Type,"Policy-Name",Reason-Code,"Class",Session-Timeout,Idle-Timeout,Termination-Action,EAP-Name,Acc-Status-Type,Acc-Delay-Time,Acc-Input-Octets,Acc-Output-Octets,Acc-Session-ID,Acc-Authentic,Acc-Input-Packet,Acc-Output-packet,acc-terminate-Cause,acc-multi-ssn-ID,acc-link-Count,Acc-Interim-Interval,tunnel-type,tunnel-medium-type,tunnel-client-endpoint,tunnel-server-endpoint,Acc-tunnel-conn,tunnel-pvt-group-ID,"tunnel-assignment-id",Tunnel-Preference,MS-acc-auth-type,MS-acc-EAP-Type,MS-RAS-Version,MS-RAS-Vendor,MS-CHAP-Error,MS-CHAP-Error,MS-CHAP-Domain,MS-MPPE-Encryption-Types,MS-MPPE-Encryption-Policy,"Proxy-Policy-Name:MSG",Provider-Type,Provider-Name,Remote-Server-IP,MS-RAS-CLient-Name,MS-RAS-Client-Version

Log sample
These are log samples from a Microsoft IAS device:

"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,,,,,,,0,,,,,,1,,,,,1,,,,,,,,13,6,,,,"110",,,,,,,,,,,"Use Windows authentication for all users",,,,,

"TestHost","IAS",01/01/2016,00:00:001,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A-0A-0A-0A",,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,0,,,,,,,,,,,,,,,,,,13,6,,,,"190",,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Client Domain

username Source User

Record-Date+Record-Time First Time, Last Time

IAS Application

Hostname Host

Policy-Name Policy_Name

Packet-type Event Subtype

Tunnel-client-endpoint address Source IP

Reason-Code Reason

Packet-Type+99+Reason-Code Signature ID

ComputerName Destination Host

ServiceName Service_Name

Event-Timestamp First Time, Last Time

Domain, FQ-Domain, MS-CHAP-DOMAIN Domain

User-Name, FQ-Distinguished-Name Source User

Called-Station-ID Destination MAC

Class (IP Address) Destination IP

NAS-Identifier External_Device_ID

NAS-IP-Address, Client-IP-Address Device_IP

Calling-Station-ID Source MAC

Framed-IP-Address Source IP

Calling-Station-ID (IP Address) Source IP

Connect-Info Message_Text

Acct-Session-Id Session
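
As an added example, not the guide's own code, the following Python parses a database-compatible line with the column order given above and applies the mapping table; the sample is the guide's first sample re-typed on one line, and reading "Packet-Type+99+Reason-Code" as string concatenation is an assumption of this example.

```python
"""Parse NPS/IAS database-compatible (ODBC legacy) log lines and apply the
McAfee ESM field mapping from the table above.

Added example, not the McAfee guide's own code. Column order is the guide's
"Log format" (quotes, stray spaces and the ":MSG" suffix dropped); the sample
is the guide's first sample re-typed as one line. Reading the table's
"Packet-Type+99+Reason-Code" as string concatenation is this example's assumption.
"""
import csv
import ipaddress
from datetime import datetime

IAS_DB_COLUMNS = (
    "ComputerName,ServiceName,Record-Date,Record-Time,Packet-Type,User-Name,"
    "Fully-Qualified-Distinguished-Name,Called-Station-ID,Calling-Station-ID,Callback-Number,"
    "Framed-IP-Address,NAS-Identifier,NAS-IP-Address,NAS-Port,Client-Vendor,Client-IP-Address,"
    "Client-Friendly-Name,Event-Timestamp,Port-Limit,NAS-Port-Type,Connect-Info,Framed-Protocol,"
    "Service-Type,Authentication-Type,Policy-Name,Reason-Code,Class,Session-Timeout,Idle-Timeout,"
    "Termination-Action,EAP-Name,Acc-Status-Type,Acc-Delay-Time,Acc-Input-Octets,Acc-Output-Octets,"
    "Acc-Session-ID,Acc-Authentic,Acc-Input-Packet,Acc-Output-packet,acc-terminate-Cause,"
    "acc-multi-ssn-ID,acc-link-Count,Acc-Interim-Interval,tunnel-type,tunnel-medium-type,"
    "tunnel-client-endpoint,tunnel-server-endpoint,Acc-tunnel-conn,tunnel-pvt-group-ID,"
    "tunnel-assignment-id,Tunnel-Preference,MS-acc-auth-type,MS-acc-EAP-Type,MS-RAS-Version,"
    "MS-RAS-Vendor,MS-CHAP-Error,MS-CHAP-Error,MS-CHAP-Domain,MS-MPPE-Encryption-Types,"
    "MS-MPPE-Encryption-Policy,Proxy-Policy-Name,Provider-Type,Provider-Name,Remote-Server-IP,"
    "MS-RAS-CLient-Name,MS-RAS-Client-Version"
).split(",")  # 66 columns; MS-CHAP-Error is listed twice in the guide, as here

SAMPLE_LINE = (  # the guide's first sample; comments give the column numbers
    r'"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,'            # 1-7
    r'"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",'      # 8-13
    r'1,9,"192.0.2.1","TestClient",'                                            # 14-17
    r',,,,,,,,0,'                                                               # 18-26 (Reason-Code 0)
    r',,,,,1,'                                                                  # 27-32 (Acc-Status-Type 1)
    r',,,,1,'                                                                   # 33-37 (Acc-Authentic 1)
    r',,,,,,,13,6,'                                                             # 38-46
    r',,,"110",'                                                                # 47-50
    r',,,,,,,,,,"Use Windows authentication for all users",'                   # 51-61
    r',,,,'                                                                     # 62-66
)


def parse_ias_db_line(line):
    """{column: value} for one CSV line, empty columns dropped. The csv module
    handles the quoted fields; backslashes (DOMAIN\\user) are plain text here."""
    row = next(csv.reader([line]))
    if len(row) > len(IAS_DB_COLUMNS):
        raise ValueError(f"{len(row)} columns, expected at most {len(IAS_DB_COLUMNS)}")
    return {col: val.strip() for col, val in zip(IAS_DB_COLUMNS, row) if val.strip()}


def as_ip(value):
    """value when it is an IP address literal, else None."""
    try:
        return str(ipaddress.ip_address(value)) if value else None
    except ValueError:
        return None


def class_ip(class_value):
    """The guide maps the IP inside Class ('311 1 192.0.2.10 01/01/2012 ...')
    to Destination IP."""
    return next((t for t in (class_value or "").split() if as_ip(t)), None)


def split_domain_user(name):
    """'EXAMPLE\\Test.User' -> ('EXAMPLE', 'Test.User'); no backslash -> (None, name)."""
    if name and "\\" in name:
        return tuple(name.split("\\", 1))
    return None, name


def to_esm_event(rec):
    ev = {}
    if "Record-Date" in rec and "Record-Time" in rec:
        ts = datetime.strptime(f"{rec['Record-Date']} {rec['Record-Time']}", "%m/%d/%Y %H:%M:%S")
        ev["First Time"] = ev["Last Time"] = ts
    domain, user = split_domain_user(rec.get("User-Name") or rec.get("Fully-Qualified-Distinguished-Name"))
    ev["Domain"] = domain or rec.get("MS-CHAP-Domain")
    ev["Source User"] = user
    ev["Destination Host"] = rec.get("ComputerName")
    ev["Service_Name"] = ev["Application"] = rec.get("ServiceName")  # "IAS"
    ev["Event Subtype"] = rec.get("Packet-Type")
    ev["Reason"] = rec.get("Reason-Code")
    ev["Policy_Name"] = rec.get("Policy-Name")
    ev["External_Device_ID"] = rec.get("NAS-Identifier")
    ev["Device_IP"] = rec.get("NAS-IP-Address") or rec.get("Client-IP-Address")
    ev["Destination MAC"] = rec.get("Called-Station-ID")
    ev["Source MAC"] = rec.get("Calling-Station-ID")
    # Framed-IP-Address first; Calling-Station-ID or tunnel-client-endpoint
    # only when they actually hold an IP address.
    ev["Source IP"] = (rec.get("Framed-IP-Address") or as_ip(rec.get("Calling-Station-ID"))
                       or as_ip(rec.get("tunnel-client-endpoint")))
    ev["Destination IP"] = class_ip(rec.get("Class"))
    ev["Message_Text"] = rec.get("Connect-Info")
    ev["Session"] = rec.get("Acc-Session-ID")
    if "Packet-Type" in rec and "Reason-Code" in rec:  # assumption: concatenation
        ev["Signature ID"] = f"{rec['Packet-Type']}99{rec['Reason-Code']}"
    return {k: v for k, v in ev.items() if v is not None}
```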

Configure Microsoft NPS (Formatted ASP)

Task

1. Open Network Policy Server (NPS) or the NPS Microsoft Management Console (MMC) snap-in.
2. Click Accounting in the console tree.
3. In the details pane under Log File Properties, click Change Log File Properties.

For Server 2008, click Configure Local file Logging.

4. On the Log File Properties page, enable the logging you want, then click Apply.
5. On the Log File tab, enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make
sure that the path is accessible to the McAfee Event Receiver.

The default path is systemroot/System32/LogFiles.

6. From the Format drop-down list, select IAS (Legacy).

For platforms earlier than Server 2008 R2, select IAS in the Format field.

7. To create a log file at specific intervals, select the interval that you want to use.
8. Click Apply, then click OK.

Add Microsoft NPS (Formatted ASP)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Network Policy Server

Data Format Default

Data Retrieval The method used to retrieve data.

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft NPS (formatted ASP) log format and field mapping


Log format
The expected format for this device is:

NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name, AttributeNumber1, ValueForAttributeNumber1, AttributeNumber2, ValueForAttributeNumber2, AttributeNumber3, ValueForAttributeNumber3…

Log sample
This is a sample log from a Microsoft IAS device:

192.0.2.1,client,01/01/2012,00:00:00,UAS,CLIENTCOMP,44,2666,25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,8153,0,8111,0,4130,server.example.com/Domain Users/service/folder/client,4294967206,14,4294967207,2,6,2,28,14400,7,1,4149,VPN_Allow_user,4120,0x0049532D48455243554C4553,4127,4,4154,Microsoft Routing and Remote Access Service Policy,4155,1,4129,Domain\user.name,4136,2,4142,0

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Client Domain

User-Name Username

Date and Time Firsttime/Lasttime

Service-Name Application

Computer-Name (Radius/AD Server IP) Destination IP

NP-Policy-Name Object name

Packet-type Action

Framed-IP-Address Source IP

NAS-ID External Device Name

NAS-IP-Address Device IP

Called-Station-ID Destination MAC

Calling-Station-ID Source MAC

Application Application

Reason-Code Reason

Connection-Info Message_Text
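
As an added example, not the guide's own code, the following Python splits a formatted-ASP line into its six header fields and attribute-number/value pairs, decodes the hex-encoded string values NPS writes, and applies the mapping above; the attribute-number names beyond the standard RADIUS ones are this example's assumption.

```python
"""Parse NPS "IAS (Legacy)" formatted log lines and apply the McAfee ESM field
mapping from the table above.

Added example, not the McAfee guide's own code. Six fixed header fields are
followed by attribute-number/value pairs. ATTRIBUTE_NAMES mixes standard RADIUS
numbers (RFC 2865/2869) with the NPS-internal numbers seen in the guide's
sample; the NPS-internal names are this example's assumption, as is the
absence of commas inside values (the format has no quoting). The sample line
is the guide's sample re-typed as one line.
"""
from datetime import datetime

HEADER_FIELDS = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
                 "Service-Name", "Computer-Name"]
ATTRIBUTE_NAMES = {
    4: "NAS-IP-Address", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
    25: "Class", 28: "Idle-Timeout", 30: "Called-Station-ID", 31: "Calling-Station-ID",
    32: "NAS-Identifier", 44: "Acct-Session-Id", 77: "Connect-Info",
    4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name", 4136: "Packet-Type",
    4142: "Reason-Code", 4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
# RADIUS packet codes (RFC 2865), used for the Action field.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}

SAMPLE_LINE = (
    r"192.0.2.1,client,01/01/2012,00:00:00,UAS,CLIENTCOMP,44,2666,25,311 1 172.1.1.1 01/00/2012 00:00:00 2665,"
    r"8153,0,8111,0,4130,server.example.com/Domain Users/service/folder/client,4294967206,14,4294967207,2,"
    r"6,2,28,14400,7,1,4149,VPN_Allow_user,4120,0x0049532D48455243554C4553,4127,4,"
    r"4154,Microsoft Routing and Remote Access Service Policy,4155,1,4129,Domain\user.name,4136,2,4142,0"
)


def decode_hex_string(value):
    """NPS hex-encodes some string values ('0x0049532D...' is '\\x00IS-HERCULES');
    decode them when the result is printable text, else keep the raw value."""
    if not value.startswith("0x") or len(value) % 2:
        return value
    try:
        text = bytes.fromhex(value[2:]).replace(b"\x00", b"").decode("ascii")
    except ValueError:  # UnicodeDecodeError is a ValueError
        return value
    return text if text.isprintable() else value


def parse_ias_line(line):
    """Return (header dict, attribute dict) for one log line."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError("line shorter than the six header fields")
    header = dict(zip(HEADER_FIELDS, parts[:len(HEADER_FIELDS)]))
    pairs = parts[len(HEADER_FIELDS):]
    if len(pairs) % 2:
        raise ValueError("attribute list is not number/value pairs")
    attrs = {}
    for number, value in zip(pairs[::2], pairs[1::2]):
        if not number.isdigit():
            raise ValueError(f"bad attribute number {number!r}")
        attrs[ATTRIBUTE_NAMES.get(int(number), int(number))] = decode_hex_string(value)
    return header, attrs


def to_esm_event(header, attrs):
    """Apply the guide's mapping table."""
    ts = datetime.strptime(f"{header['Record-Date']} {header['Record-Time']}", "%m/%d/%Y %H:%M:%S")
    # Domain: the DOMAIN\ prefix of SAM-Account-Name when present (the guide's
    # "Client" row does not say where the domain comes from; assumption).
    sam = attrs.get("SAM-Account-Name", "")
    domain = sam.split("\\", 1)[0] if "\\" in sam else None
    packet = attrs.get("Packet-Type")
    return {
        "Firsttime": ts, "Lasttime": ts,
        "Username": header["User-Name"],
        "Domain": domain,
        "Application": header["Service-Name"],
        "Destination IP": header["Computer-Name"],  # the RADIUS/AD server, per the guide
        "Object name": attrs.get("NP-Policy-Name"),
        "Action": PACKET_TYPES.get(packet, packet),
        "Source IP": attrs.get("Framed-IP-Address"),
        "External Device Name": attrs.get("NAS-Identifier"),
        "Device IP": header["NAS-IP-Address"],
        "Destination MAC": attrs.get("Called-Station-ID"),
        "Source MAC": attrs.get("Calling-Station-ID"),
        "Reason": attrs.get("Reason-Code"),
        "Message_Text": attrs.get("Connect-Info"),
    }


if __name__ == "__main__":
    hdr, attributes = parse_ias_line(SAMPLE_LINE)
    print(attributes[4120])  # the hex value decoded to IS-HERCULES
    print(to_esm_event(hdr, attributes))
```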

Configure Microsoft NPS (XML ASP)


DTS Compliant (XML) logging is not available on platforms earlier than Server 2008 R2.

Task

1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.
4. In the Log File Properties window, enable the logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path
is accessible to the McAfee Event Receiver.

The default path is systemroot/System32/LogFiles.

7. From the Format drop-down list, select DTS Compliant.


8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then click OK.

Add Microsoft NPS (XML ASP)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Internet Authentication Service – XML (ASP)

Data Format Default

Data Retrieval The method used to retrieve data.

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft NPS (XML ASP) log format and field mapping


Log format
The expected format for this device is:

<Event><Timestamp data_type="VALUE"> VALUE </Timestamp><Computer-Name data_type="VALUE"> VALUE </Computer-Name><Event-Source data_type="VALUE"> VALUE </Event-Source><Class data_type="VALUE"> VALUE </Class><Session-Timeout data_type="VALUE"> VALUE </Session-Timeout><Fully-Qualifed-User-Name data_type="VALUE"> VALUE\userName</Fully-Qualifed-User-Name><SAM-Account-Name data_type="VALUE"> VALUE \userName</SAM-Account-Name><Client-IP-Address data_type="VALUE"> VALUE </Client-IP-Address><Client-Vendor data_type="VALUE"> VALUE </Client-Vendor><Client-Friendly-Name data_type="VALUE"> VALUE </Client-Friendly-Name><Proxy-Policy-Name data_type="VALUE"> VALUE </Proxy-Policy-Name><Provider-Type data_type="VALUE"> VALUE </Provider-Type><Packet-Type data_type="VALUE"> VALUE </Packet-Type><Reason-Code data_type="VALUE"> VALUE </Reason-Code></Event>

Log sample
This is a sample log from a Microsoft IAS device:

<Event><Timestamp data_type="4">01/01/2012 00:00:00.000</Timestamp><Computer-Name data_type="1">S0020222</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.0.2.10 01/01/2012 00:00:00 2</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1">COMPANY\userName</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1"> COMPANY\userName</SAM-Account-Name><Client-IP-Address data_type="3">192.0.2.1</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">clientComputer</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

User-Name Domain

User-Name Username

Date and Time Firsttime/Lasttime

Calling Station ID Source MAC

Computer-Name Destination_Hostname

Called Station ID Destination MAC

Policy Name Message

Framed-IP-Address Source IP

Client-IP-Address Device IP

Class Destination IP

NAS-IP-Address Device IP

NAS-Identifier External Device ID

Reason-Code Reason
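
As an added example, not the guide's own code, the following Python parses DTS-compliant events line by line with typed values and applies the mapping above; the second event and its element names are constructed for the example, and the data_type codes it handles are the ones visible in the guide's sample.

```python
"""Parse NPS DTS-compliant (XML) log events and apply the McAfee ESM field
mapping from the table above.

Added example, not the McAfee guide's own code. NPS writes one <Event> per
line. GUIDE_SAMPLE is the guide's sample re-typed as one line; CONSTRUCTED is
made up to exercise the MAC, Framed-IP and NAS-Identifier rows, and its element
names (after the RADIUS attribute names) are this example's assumption. The
data_type codes handled (0 integer, 1 string, 3 IP, 4 timestamp) are read off
the guide's sample.
"""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for logs from untrusted sources
from datetime import datetime

GUIDE_SAMPLE = (
    '<Event><Timestamp data_type="4">01/01/2012 00:00:00.000</Timestamp>'
    '<Computer-Name data_type="1">S0020222</Computer-Name><Event-Source data_type="1">IAS</Event-Source>'
    '<Class data_type="1">311 1 192.0.2.10 01/01/2012 00:00:00 2</Class>'
    '<Session-Timeout data_type="0">30</Session-Timeout>'
    '<Fully-Qualifed-User-Name data_type="1">COMPANY\\userName</Fully-Qualifed-User-Name>'
    '<SAM-Account-Name data_type="1"> COMPANY\\userName</SAM-Account-Name>'
    '<Client-IP-Address data_type="3">192.0.2.1</Client-IP-Address>'
    '<Client-Vendor data_type="0">0</Client-Vendor>'
    '<Client-Friendly-Name data_type="1">clientComputer</Client-Friendly-Name>'
    '<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>'
    '<Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">11</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>'
)
CONSTRUCTED = (
    '<Event><Timestamp data_type="4">01/01/2012 00:05:00.000</Timestamp>'
    '<Computer-Name data_type="1">S0020222</Computer-Name>'
    '<SAM-Account-Name data_type="1">COMPANY\\svc.wifi</SAM-Account-Name>'
    '<Calling-Station-Id data_type="1">0A-0A-0A-0A-0A-0A</Calling-Station-Id>'
    '<Called-Station-Id data_type="1">0F-0F-0F-0F-0F-0F:CORP-WLAN</Called-Station-Id>'
    '<Framed-IP-Address data_type="3">192.0.2.50</Framed-IP-Address>'
    '<NAS-IP-Address data_type="3">192.0.2.2</NAS-IP-Address>'
    '<NAS-Identifier data_type="1">wlc01</NAS-Identifier>'
    '<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>'
)


def _key(tag):
    """Normalise names so 'Calling-Station-Id', 'Calling-Station-ID' and the
    guide's 'Calling Station ID' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", tag.lower())


def typed_value(text, data_type):
    value = (text or "").strip()
    if data_type == "0":
        return int(value)
    if data_type == "4":
        return datetime.strptime(value, "%m/%d/%Y %H:%M:%S.%f")
    return value  # 1 = string, 3 = IP address literal


def parse_event(xml_line):
    """{normalised element name: typed value} for one <Event> line."""
    root = ET.fromstring(xml_line)
    if root.tag != "Event":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {_key(c.tag): typed_value(c.text, c.get("data_type", "1")) for c in root}


def first_ip(text):
    """The IP inside a Class value such as '311 1 192.0.2.10 01/01/2012 00:00:00 2'."""
    match = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text or "")
    return match.group(0) if match else None


def to_esm_event(ev):
    # Fully-Qualifed-User-Name is spelled that way in the guide's sample.
    name = ev.get("fullyqualifedusername") or ev.get("samaccountname") or ""
    domain, sep, user = name.partition("\\")
    if not sep:
        domain, user = None, name or None
    ts = ev.get("timestamp")
    return {
        "Firsttime": ts, "Lasttime": ts,
        "Domain": domain, "Username": user,
        "Destination_Hostname": ev.get("computername"),
        "Source MAC": ev.get("callingstationid"),
        "Destination MAC": ev.get("calledstationid"),
        "Message": ev.get("proxypolicyname") or ev.get("policyname"),  # "Policy Name" row
        "Source IP": ev.get("framedipaddress"),
        "Device IP": ev.get("clientipaddress") or ev.get("nasipaddress"),
        "Destination IP": first_ip(ev.get("class")),
        "External Device ID": ev.get("nasidentifier"),
        "Reason": ev.get("reasoncode"),
    }


def parse_log(text):
    """One ESM event per non-blank line of a DTS log file."""
    return [to_esm_event(parse_event(line)) for line in text.splitlines() if line.strip()]
```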

Microsoft Office 365

Configure Microsoft Office 365


Sending logs from Microsoft Office 365 using API requires access to the Microsoft Office Azure portal with administrator rights.

Before you begin

Configuring this data source requires:

• McAfee ESM version 10.1.0 or later
• Access to the Microsoft Office Azure portal with administrator rights

Task

1. In the Microsoft Azure portal, navigate to Azure Active Directory. If Azure Active Directory is not visible in the left menu,
click More Services then search for it.
2. From the Active Directory submenu, click the Properties tab.
3. Copy the Directory ID value to use as the Tenant ID when setting up McAfee ESM for the Microsoft Office 365 data source.
4. Navigate to App registrations.
5. Add an application.
a. Click New application registration.
b. Name the application.
c. Select the Web app/API type.
d. In Sign-on URL, enter http://localhost:1234
e. Click Create at the bottom of the screen.
6. Select the newly created application.
7. Copy and save the Application ID to use as the Client ID when setting up McAfee ESM for the Microsoft Office 365 data
source.
8. Enable McAfee ESM to pull event data.
a. Click Required permissions.
b. Click Add at the top of the screen.
c. From Add API Access, click Select an API.
d. Search for and select Office 365 Management APIs. Then click Select at the bottom of the screen.
e. In Required Permissions, select Office 365 Management APIs.
f. Enable all Application Permissions.
g. Enable all Delegated Permissions then click Save at the top of the screen.
h. Work with your administrator to grant the application new permissions by clicking Grant Permissions at the top of
the screen.
9. Set up a security key.
a. Click Keys on the application settings.
b. Enter a key description and select a duration.
c. Click Save.
d. On the next screen, save the secret key value to a secure location for future reference.

Note

The secret key value does not appear again. McAfee ESM requires the secret key to set up the Microsoft Office 365
data source.

10. To have Microsoft Office 365 collect data for specific content types, subscribe to them using a tool that can send API POST and GET requests. Starting a subscription requires an access token to call the subscription API.
a. For the POST URL, enter https://login.microsoftonline.com/"insert tenant id here"/oauth2/token
b. For POST raw body of the request, enter grant_type=client_credentials&client_id="insert client id
here"&client_secret="insert secret key here"&resource=https://manage.office.com
c. In the header, set Key to 'Content-Type' and the value to 'application/x-www-form-urlencoded'

d. Send the POST. The result is returned as JSON; retrieve the access token from the response to use in the next request.

Note

For information about access tokens, see https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis#request-access-tokens-from-azure-ad.

11. Start subscriptions.
a. For the POST URL, enter https://manage.office.com/api/v1.0/"insert tenant id here"/activity/feed/subscriptions/start?contentType="insert desired subscription content type"
b. In the header, set Key to 'Authorization' and the value to 'bearer "insert access token here"'
The JSON response indicates that the content type is enabled.

Note

As of June 12, 2017, content types are Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General,
and DLP.All. For information about starting subscriptions, see https://docs.microsoft.com/en-us/office/office-365-
management-api/office-365-management-activity-api-reference#start-a-subscription.

12. Verify which content types are subscribed.
a. For the GET URL, enter https://manage.office.com/api/v1.0/"insert tenant id here"/activity/feed/subscriptions/list
b. In the header, set Key to 'Authorization' and the value to 'bearer "insert access token here"'
The JSON response lists all content types that are enabled.

Note

For information about listing subscriptions, see https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#list-current-subscriptions.
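
As an added example, not McAfee's code, the following Python carries out steps 10 to 12 (token request, subscription start, subscription list) with an injectable transport so the exchange can be run offline; the tenant id, client id, secret and canned responses are placeholders constructed for the example.

```python
"""Office 365 Management Activity API: client-credentials token, start and list
subscriptions, following steps 10-12 above.

Added example, not McAfee's code. The HTTP transport is injectable, so the
exchange runs offline against CannedTransport, whose replies are constructed in
the shape the real endpoints return; tenant id, client id and secret are placeholders.
"""
import json
import urllib.parse
import urllib.request

AUTH_HOST = "https://login.microsoftonline.com"
API_HOST = "https://manage.office.com"
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
                 "Audit.General", "DLP.All")  # the content types in the guide's note


def https_transport(method, url, headers, body):
    """Send one request over HTTPS; returns (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class ActivityApiClient:
    def __init__(self, tenant_id, client_id, client_secret, transport=https_transport):
        self.tenant_id, self.client_id = tenant_id, client_id
        self._client_secret = client_secret  # keep out of logs; see the guide's note on the key
        self._transport, self._token = transport, None

    def request_token(self):
        """Step 10: POST the form body from the guide to /oauth2/token."""
        url = f"{AUTH_HOST}/{self.tenant_id}/oauth2/token"
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self.client_id,
                                       "client_secret": self._client_secret,
                                       "resource": API_HOST}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, payload = self._transport("POST", url, headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self._token = json.loads(payload)["access_token"]
        return self._token

    def _call(self, method, path, query=None):
        if self._token is None:
            self.request_token()
        url = f"{API_HOST}/api/v1.0/{self.tenant_id}/activity/feed/{path}"
        if query:
            url += "?" + urllib.parse.urlencode(query)
        status, payload = self._transport(method, url, {"Authorization": f"Bearer {self._token}"}, None)
        if status != 200:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return json.loads(payload)

    def start_subscription(self, content_type):
        """Step 11: POST subscriptions/start?contentType=<type>."""
        if content_type not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {content_type!r}")
        return self._call("POST", "subscriptions/start", {"contentType": content_type})

    def list_subscriptions(self):
        """Step 12: GET subscriptions/list."""
        return self._call("GET", "subscriptions/list")

    def ensure_subscriptions(self, wanted):
        """Start each wanted content type not already enabled; returns those started."""
        enabled = {s["contentType"] for s in self.list_subscriptions() if s.get("status") == "enabled"}
        started = [c for c in wanted if c not in enabled]
        for content_type in started:
            self.start_subscription(content_type)
        return started


class CannedTransport:
    """Offline stand-in for https_transport; constructed for this example."""
    def __init__(self):
        self.calls, self.enabled = [], set()

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        parts = urllib.parse.urlsplit(url)
        if parts.path.endswith("/oauth2/token"):
            token = {"token_type": "Bearer", "expires_in": "3599", "access_token": "constructed-token"}
            return 200, json.dumps(token).encode()
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, b'{"error": {"code": "AuthenticationFailed"}}'
        if parts.path.endswith("/subscriptions/start"):
            content_type = urllib.parse.parse_qs(parts.query)["contentType"][0]
            self.enabled.add(content_type)
            return 200, json.dumps({"contentType": content_type, "status": "enabled", "webhook": None}).encode()
        if parts.path.endswith("/subscriptions/list"):
            subs = [{"contentType": c, "status": "enabled", "webhook": None} for c in sorted(self.enabled)]
            return 200, json.dumps(subs).encode()
        return 404, b""


if __name__ == "__main__":
    client = ActivityApiClient("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER", CannedTransport())
    print("started:", client.ensure_subscriptions(["Audit.Exchange", "Audit.SharePoint"]))
```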

Add Microsoft Office 365


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Office 365

Data Format Default

Data Retrieval API

Enabled Select options for processing events. Some options may not be available for your
data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname manage.office.com

Authentication Hostname login.microsoftonline.com

Tenant ID Use the Directory ID saved in Configure Microsoft Office 365 as the Tenant ID.

Client Key Use the Application ID saved in Configure Microsoft Office 365 as the Client Key.

Client Secret Key Use the Secret Key saved in Configure Microsoft Office 365 as the Client Secret Key.

Use proxy Proxy, if required by installation

Proxy IP Address The IP address of the proxy

Proxy Username/Password Credentials for logging on to the proxy

Support Generic Syslogs Parse as generic syslog

Generic Rule Assignment Office 365

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in Use this option when you are exporting raw data source data.
NitoFile
format

Data is Use this option when you are exporting raw data source data.
NitroFile
format

McAfee Enterprise Security Manager Data Source Configuration Reference Guide 757
5| Configuring 3rd-party data sources

Option Definition

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Office 365 log format and field mapping


Log format
The expected format for this device is:

<Date-Time> <Id> <Operation> <OrganizationId> <RecordType> <ResultStatus> <UserKey> <UserType>
<Version> <Workload> <UserId> <ClientIPAddress> <ClientInfoString> <Client> <ExternalAccess>
<InternalLogonType> <LogonType> <LogonUserSid> <MailboxGuid> <MailboxOwnerSid> <MailboxOwnerUPN>
<OrganizationName> <OriginatingServer> <Item>

Log sample
This is a sample Microsoft Office 365 log:

{
  "CreationTime": "2000-01-01T22:00:04",
  "Id": "00000000-0000-0000-0000-000000000000",
  "Operation": "Create",
  "OrganizationId": "00000000-0000-0000-0000-000000000000",
  "RecordType": 2,
  "ResultStatus": "Succeeded",
  "UserKey": "0000A0AA0A0000A0",
  "UserType": 2,
  "Version": 1,
  "Workload": "Exchange",
  "UserId": "S-1-5-21-0000000000-0000000000-0000000000-0000000",
  "ClientIPAddress": "10.10.10.10",
  "ClientInfoString": "Client=WebServices;ExchangeServicesClient/00.00.0000.010;",
  "ExternalAccess": false,
  "InternalLogonType": 0,
  "LogonType": 1,
  "LogonUserSid": "S-1-5-21-0000000000-0000000000-0000000000-0000000",
  "MailboxGuid": "00000000-0000-0000-0000-000000000000",
  "MailboxOwnerSid": "S-1-5-21-0000000000-0000000000-0000000000-2026015",
  "MailboxOwnerUPN": "user1@example.com",
  "OrganizationName": "server.example.com",
  "OriginatingServer": "NEWSERVER (00.01.0000.001)\r\n",
  "Item": {
    "Attachments": "newfile.xls (000000)",
    "Id": "AAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "ParentFolder": {
      "Id": "AAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      "Path": "\\My Folders\\Personal Folders - 2000\\Jan 2000"
    },
    "Subject": "AA00: RTF - AAA "
  }
}


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

CreationTime first time, last time

ResultStatus action

Workload application

ClientIP, ClientIPAddress, ActorIpAddress source IP address

Operation sid, msg, sigid

UserId, MailboxOwnerUPN user name

RecordType request type

ua, UserAgent user agent

AzureActiveDirectoryEventType attribute type

UserType authentication type

ObjectID URL

ItemType object type

OrganizationName domain

Subject subject

ExternalAccess access privileges

ClientApplication process name


ChannelGuid instance GUID
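As an added example (not McAfee code), the field-mapping table above applied to a raw Office 365 audit record in Python. The precedence among alternative log fields (for example UserId before MailboxOwnerUPN) and the fallback to Item.Subject for the subject are my assumptions; CreationTime is treated as UTC, which is how the Office 365 Management Activity API defines it.

```python
import json
from datetime import datetime, timezone

# ESM field -> candidate Office 365 log fields, from the field-mapping table.
# Where several log fields feed one ESM field, the first one present wins
# (the precedence order is an assumption). "Item.Subject" is an added
# fallback for Exchange records that nest Subject under Item.
FIELD_MAP = {
    "first time": ["CreationTime"],
    "last time": ["CreationTime"],
    "action": ["ResultStatus"],
    "application": ["Workload"],
    "source IP address": ["ClientIP", "ClientIPAddress", "ActorIpAddress"],
    "sid": ["Operation"],
    "msg": ["Operation"],
    "sigid": ["Operation"],
    "user name": ["UserId", "MailboxOwnerUPN"],
    "request type": ["RecordType"],
    "user agent": ["ua", "UserAgent"],
    "attribute type": ["AzureActiveDirectoryEventType"],
    "authentication type": ["UserType"],
    "URL": ["ObjectID"],
    "object type": ["ItemType"],
    "domain": ["OrganizationName"],
    "subject": ["Subject", "Item.Subject"],
    "access privileges": ["ExternalAccess"],
    "process name": ["ClientApplication"],
    "instance GUID": ["ChannelGuid"],
}


def _lookup(record, dotted_key):
    """Resolve a top-level key or a dotted path such as 'Item.Subject'."""
    current = record
    for part in dotted_key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_o365_record(raw_json):
    """Parse one Office 365 audit record and return {esm_field: value}.

    CreationTime carries no zone suffix but is UTC per the Management
    Activity API, so first time / last time become UTC epoch seconds.
    """
    record = json.loads(raw_json)
    mapped = {}
    for esm_field, candidates in FIELD_MAP.items():
        for log_field in candidates:
            value = _lookup(record, log_field)
            if value is not None:  # keep False/0; skip only absent fields
                mapped[esm_field] = value
                break
    if "first time" in mapped:
        when = datetime.fromisoformat(mapped["first time"]).replace(tzinfo=timezone.utc)
        mapped["first time"] = mapped["last time"] = int(when.timestamp())
    return mapped


# Constructed sample modelled on the guide's Exchange example (placeholder IDs).
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2000-01-01T22:00:04",
    "Id": "00000000-0000-0000-0000-000000000000",
    "Operation": "Create",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserType": 2,
    "Workload": "Exchange",
    "UserId": "S-1-5-21-0000000000-0000000000-0000000000-0000000",
    "ClientIPAddress": "10.10.10.10",
    "ExternalAccess": False,
    "MailboxOwnerUPN": "user1@example.com",
    "OrganizationName": "server.example.com",
    "Item": {"Attachments": "newfile.xls (000000)", "Subject": "AA00: RTF - AAA "},
})

if __name__ == "__main__":
    for field, value in map_o365_record(SAMPLE_RECORD).items():
        print(f"{field:20} {value!r}")
```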

Microsoft SharePoint

Configure Microsoft SharePoint


Set up SharePoint to send logs to ESM.

See Microsoft documentation to configure SharePoint to send logs to a Receiver. To enable logging, use a file share method.

Add Microsoft SharePoint


Add the data source to a receiver.

SharePoint log files are located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\<version>\Logs\. The
log file naming convention is <computername><date><time>.

You can use syslog, SIEM Collector, or CIFS to send logs from SharePoint to ESM.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add and configure the data source.

Note

Your environment and choice of data delivery method will dictate the settings you need to configure.

5. Roll out policy to the new data source.
6. Click Get events and flows.
7. Wait a few minutes and then verify that data appears on your dashboards and that it is parsed correctly.

Microsoft SharePoint log format and field mapping


Log format
The expected format for this device is:


Timestamp Process TID Area Category EventID Level Message Correlation

Log sample
This is a sample log from a Microsoft SharePoint device:

09/15/2011 15:00:41.24* w3wp.exe (0x1460) 0x05A4 SharePoint Foundation General fbv6 Medium
...</soap:Envelope> 5d56fbd6-58b1-479c-90c1-5db6af03790d

Field mapping
This table shows the mapping between the data source and McAfee ESM fields. This data source may support fields not listed
here.

Log fields McAfee ESM fields

timestamp TimeStamp

process Process

tid TID

Area Area

category Category

eventID EventID

severity Level

message Message

correlation Correlation

Microsoft SQL

Add Microsoft MSSQL Error Log


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model MSSQL Error Log

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source.

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Default>

Mask <Enable>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone where the data source is physically located

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Windows DHCP

Configure Microsoft Windows DHCP


Enable DHCP server audit logging.

Task

1. Open the DHCP Microsoft Management Console (MMC) snap-in.
2. In the console tree, select the DHCP server that you want to configure.

For Server 2008 and later, expand the navigation tree and select IPv4 or IPv6.

3. From the Action menu, select Properties.
4. On the General tab, select Enable DHCP audit logging, then click OK.
5. (Optional) Click the Advanced tab and enter the logging path in the Audit log file path.

Note

By default, the location of DHCP audit logs is %windir%\System32\dhcp.


Add Microsoft Windows DHCP


This data source supports multiple modes of data delivery, including SCP, HTTP, FTP, SFTP, NFS, and CIFS/Windows File Share.
Additional setup might be required on the DHCP server to allow sending data to the McAfee Event Receiver using these methods.

The recommended method for data delivery is to use the McAfee Collector. These agents have the added benefit of being able to
send only the logs that haven’t yet been sent, eliminating duplicates.

See the respective delivery method documentation for setup and usage information.

Configure McAfee Collector for Microsoft Windows DHCP


This data source supports multiple modes of data delivery.

Option Definition

Name A unique name

Host ID Optional – A unique host ID

Data Source IP IP Address of data source

Log Directory Enter path to DHCP audit log files.

Log File Enter Dhcp*.log to gather all DHCP audit logs.

Tail Mode Beginning of file

Multi-line Events Unchecked

Event Delimiter None

Event Delimiter is a Regex None

Max Lines Per Max Event 1

Enabled Checked


Add Microsoft Windows DHCP


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Microsoft

Data Source Model Windows DHCP (ASP)

Data Format Default

Data Retrieval MEF

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Use encryption Enable to require the Receiver to communicate over TLS.

Syslog Relay None

Mask 32


Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Windows DHCP log format and field mapping


Log format
For platforms earlier than Windows Server 2008, the expected format for this device is:

ID,Date,Time,Description,IP Address,Host Name,MAC Address,

For Windows Server 2008 and 2008 R2, the expected format is:

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,

For Windows Server 2012 and later, the expected format is:

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError

Log sample
This is a sample log from a Windows Server 2003 DHCP device:

35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,sampleHost,000000000000,

This is a sample log from a Windows Server 2008 DHCP device:

10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,

This is a sample log from a Windows Server 2012 R2 DHCP device:

10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log Fields McAfee ESM Fields

ID Sid

IP Address Source IP

Host Name Host

MAC Address Source MAC

Date + Time First Time, Last Time

TransactionID Session ID

User Name Source User

QResult Return_Code


VendorClass(ASCII) External_Device_Name

DnsRegError DNS – Response_Code
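As an added example (not McAfee code), a Python parser for the three DHCP audit-log layouts listed under Log format, mapping the columns to the ESM fields in the table above. Choosing the layout by column count is my assumption; the cross-check that VendorClass(Hex) decodes to VendorClass(ASCII) is added here to flag malformed records.

```python
import csv
from datetime import datetime
from io import StringIO

# Column layouts from the three "Log format" lines above.
SCHEMA_PRE_2008 = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]
SCHEMA_2008 = SCHEMA_PRE_2008 + ["User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID"]
SCHEMA_2012 = SCHEMA_2008 + ["Dhcid", "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)",
                             "UserClass(ASCII)", "RelayAgentInformation", "DnsRegError"]
# Widest first: a line is matched to the widest layout it can fill.
SCHEMAS = [("2012 and later", SCHEMA_2012), ("2008/2008 R2", SCHEMA_2008), ("pre-2008", SCHEMA_PRE_2008)]

# Log field -> ESM field, from the field-mapping table.
ESM_MAP = {
    "ID": "Sid", "IP Address": "Source IP", "Host Name": "Host", "MAC Address": "Source MAC",
    "TransactionID": "Session ID", "User Name": "Source User", "QResult": "Return_Code",
    "VendorClass(ASCII)": "External_Device_Name", "DnsRegError": "DNS - Response_Code",
}


def pick_schema(column_count):
    """Choose the layout by column count (assumption: the widest that fits).

    Pre-2012 lines end with a trailing comma, so csv yields one extra empty
    column; using >= rather than == tolerates that.
    """
    for label, names in SCHEMAS:
        if column_count >= len(names):
            return label, names
    raise ValueError(f"only {column_count} columns; not a DHCP audit record")


def parse_dhcp_line(line):
    """Parse one audit-log line into ESM fields plus a schema label."""
    columns = next(csv.reader(StringIO(line)))
    label, names = pick_schema(len(columns))
    raw = {name: columns[i].strip() for i, name in enumerate(names)}

    mapped = {esm: raw[log] for log, esm in ESM_MAP.items() if raw.get(log)}
    mapped["schema"] = label
    # Date + Time -> First Time, Last Time (two-digit year, as in the samples)
    stamp = datetime.strptime(f"{raw['Date']} {raw['Time']}", "%m/%d/%y %H:%M:%S")
    mapped["First Time"] = mapped["Last Time"] = stamp

    # 2012+ records carry the vendor class twice; check that the hex copy
    # decodes to the ASCII copy so a malformed pair is visible.
    hex_vc = raw.get("VendorClass(Hex)", "")
    if hex_vc.startswith("0x"):
        try:
            decoded = bytes.fromhex(hex_vc[2:]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            decoded = None
        mapped["vendor_class_consistent"] = decoded == raw["VendorClass(ASCII)"]
    return mapped


# The three sample lines from the guide (placeholder hosts and MACs).
SAMPLE_PRE_2008 = "35,01/01/01,01:01:01,DNS update request failed,192.0.2.1,sampleHost,000000000000,"
SAMPLE_2008 = "10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,"
SAMPLE_2012 = ("10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,"
               "0x4D53465420352E30,MSFT 5.0,,,,0")

if __name__ == "__main__":
    for sample in (SAMPLE_PRE_2008, SAMPLE_2008, SAMPLE_2012):
        print(parse_dhcp_line(sample))
```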

Mimecast

Configure Mimecast
Set up Mimecast to send logs to ESM.

Task

Refer to Mimecast product documentation for instructions.

Add Mimecast
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Mimecast

Data Source Model Mimecast

Data Format Default

Data Retrieval undefined

770 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Option Definition

Enabled Select options for processing events. Some options may not be available for your
data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The hostname of the login (for example, login-us.mimecast.com). Click Look up
to automatically fill in the IP address.

Field 1 (ESM 11.3.0 and 11.3.1) The Application ID. Get this from Mimecast.

Field 2 (ESM 11.3.0 and 11.3.1) The Application Key. Get this from Mimecast.

Application ID (ESM 11.3.2 and later) Get this from Mimecast.

Application Key (ESM 11.3.2 and later) Get this from Mimecast.

Username The user name used to log in to the Mimecast dashboard.

Client Key Access key for APIs. Get this from Mimecast.

Client Secret Key Secret key for APIs. Get this from Mimecast.

Proxy Configure as required by your organization.

Support Generic Syslogs Do nothing.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Mimecast log format


Log sample - Audit log
An example log from the data source.

{
  "auditType": "Logon Authentication Failed",
  "category": "authentication_logs",
  "eventInfo": "Failed authentication for user@mcafee.com <User>, Date: 2020-05-18, Time: 13:50:19 EDT, IP: 10.10.10.10, Application: SMTP-MTA2, Reason: Account disabled",
  "eventTime": "2020-05-18T17:50:19+0000",
  "id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "user": "user@mcafee.com"
}

Log sample - Message Processed
An example log from the data source.

{
  "data": [
    {
      "Act": "Acc",
      "Cphr": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "Dir": "Inbound",
      "IP": "10.10.10.10",
      "MsgId": "<0000000000000000-11111111-2222-3333-4444-555555555555-000000@domain.com>",
      "Rcpt": "user@domain.com",
      "Sender": "sender@domain.com",
      "SpamInfo": "[]",
      "SpamLimit": 0,
      "SpamScore": 11,
      "Subject": "Email Subject",
      "TlsVer": "TLSv1.2",
      "aCode": "00000-1111111111111111",
      "acc": "Account",
      "datetime": "2020-05-18T05:05:07-0400",
      "headerFrom": "no-reply@domain.com"
    }
  ],
  "type": "MTA"
}

Microsoft Windows Event Log WMI

Configure Microsoft Windows Event Log WMI


Use Microsoft Windows Event Log WMI to pull events directly using the McAfee Event Receiver.

Note

The WMI array that holds data source configurations is limited to 2000 data sources.


Task

1. Do one of the following:

• For Windows XP, Server 2003, or later, create a user account added to the Administrators group.
• For Windows 8.1 or Server 2012 R2, use the Administrator user account or create a user account and add it to the
Administrators, Distributed COM Users, and Event Log Readers groups.

2. If using the second option, configure the data source to use RPC.

Add Microsoft Windows Event Log WMI


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Use System Profiles System Profiles are a way to use settings that are repetitive in nature, without having to enter
the information each time.

Data Source Vendor Microsoft (set by default if using profile)

Data Source Model Windows Event Log WMI (set by default if using profile)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).


Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

NetBIOS Name The NetBIOS name (host name) associated with the data source device

Username The user name of the account being connected to on the data source device

Password The password of the account being connected to on the data source device

Event Logs The names of the Windows event logs to be collected

Interval How long the Receiver waits before checking for new data

Use RPC Whether to use Remote Procedure Calls (RPC) to connect to the data source device

Secure RPC Use a more secure connection via Remote Procedure Calls (RPC) that is required for Windows
Server, Professional, and Home versions after applying Microsoft Windows Update June 8,
2021-KB5003638 (OS Build 14393.4467).

For details, see the knowledge base article WMI collection fails and results in DCOM errors
after applying Microsoft Windows Update (KB94640).

Connect Tests the connection to the data source device

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Microsoft Windows Event Log log format


Log format
The expected format for this device is:

<dsip>(%s)||<Log File>(%s)||<Record Number>(%u)||<Source Name>(%s)||<Event ID>(%d)||<Windows Version>(%d)||
<Time Generated>(%u)||<Event Type>(%u)||<Computer Name>(%s)||<User>(%s)||<Category>(%s)||<Number of
Insertion Strings>(%d)||<Insertion Strings>(%s)||<Message>(%s)

Log sample
This is a sample log from a WMI data source:

10.33.146.158||System||164812||NtServicePack||4377||52||1387354608||3||MYOFFICEPC||MYDOMAIN\MyUserName||||2||Windows Server 2003||KB2892076||Windows Server 2003 Hotfix KB2892076 was installed.
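As an added example (not McAfee code), a Python parser for the `||`-delimited WMI record above. The record is variable length because <Number of Insertion Strings> governs how many insertion strings precede the message; treating <Time Generated> as Unix epoch seconds is my assumption from the sample value.

```python
from datetime import datetime, timezone

# The eleven fixed fields that precede the insertion-string count.
FIXED_FIELDS = ["dsip", "Log File", "Record Number", "Source Name", "Event ID", "Windows Version",
                "Time Generated", "Event Type", "Computer Name", "User", "Category"]
INT_FIELDS = {"Record Number", "Event ID", "Windows Version", "Event Type"}


def parse_wmi_record(line):
    """Split one '||'-delimited record into a dict.

    <Number of Insertion Strings> says how many insertion strings follow the
    fixed fields; the message is everything after them. Because the message is
    free text, any '||' inside it is re-joined rather than split further.
    """
    parts = line.rstrip("\r\n").split("||")
    if len(parts) < len(FIXED_FIELDS) + 2:
        raise ValueError(f"record has only {len(parts)} fields")
    record = dict(zip(FIXED_FIELDS, parts))
    count = int(parts[len(FIXED_FIELDS)])
    start = len(FIXED_FIELDS) + 1
    strings = parts[start:start + count]
    if len(strings) != count:
        raise ValueError(f"expected {count} insertion strings, found {len(strings)}")
    record["Insertion Strings"] = strings
    record["Message"] = "||".join(parts[start + count:])
    for name in INT_FIELDS:
        record[name] = int(record[name])
    # Assumption: Time Generated (%u) is Unix epoch seconds, as the sample suggests.
    record["Time Generated"] = datetime.fromtimestamp(int(record["Time Generated"]), timezone.utc)
    return record


def insertion_strings_consistent(record):
    """True when every insertion string appears in the rendered message.

    A mismatch usually means a truncated record or a delimiter inside a field.
    """
    return all(s in record["Message"] for s in record["Insertion Strings"])


# The guide's sample record, used here as constructed test input.
SAMPLE = (r"10.33.146.158||System||164812||NtServicePack||4377||52||1387354608||3||MYOFFICEPC||"
          r"MYDOMAIN\MyUserName||||2||Windows Server 2003||KB2892076||"
          r"Windows Server 2003 Hotfix KB2892076 was installed.")

if __name__ == "__main__":
    rec = parse_wmi_record(SAMPLE)
    print(rec["Time Generated"].isoformat(), rec["Event ID"], rec["Insertion Strings"])
    print("consistent:", insertion_strings_consistent(rec))
```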

Motorola AirDefense

Configure Motorola AirDefense


Task

1. Log on to the AirDefense user interface. The dashboard opens by default.
2. From the Tools menu, select Configuration. By default, the User Preferences section is displayed.
3. Click the Notification Manager tab.
4. To add a syslog destination, click Add.
5. In the Create Notification window, select Syslog as the type, and enter the IP address of the syslog server.
6. (Optional) Set the default intervals for the notification system, and enable or disable all syslog notifications. To log
everything, all syslog notifications must be enabled.

Add Motorola AirDefense


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Motorola

Data Source Model AirDefense

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Motorola AirDefense log format and field mapping


Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a Motorola AirDefense device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log Fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP


NetFort Technologies LANGuardian

Configure NetFort Technologies LANGuardian


Task

1. From the LANGuardian web interface, navigate to the Configuration page.
2. In the System section, click Configuration and set the IP address and SNMP collectors of the system.
3. On the Configuration page, find the field named [Beta] Splunk Syslog Collector.
4. Enter the IP address of the McAfee Event Receiver, then click Save.

Add NetFort Technologies LANGuardian


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor NetFort Technologies

Data Source Model LANGuardian (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).


Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

NetFort Technologies LANGuardian log format and field mapping


Log format
The expected format for this device is:

<priority> <date> <time> LANGuardian event[<event ID>]: sen_id=<ID> app_id=<ID> src_ip=<IP address>
dest_ip=<IP address> host=<web host> uri=<URI>

Log sample
This is a sample log from a NetFort Technologies LANGuardian device:

<123>Jan 01 01:01:01 LANGuardian event[1234]: sen_id=1 app_id=1 src_ip=192.0.2.1 dest_ip=192.0.2.2
host=example.example.com uri=/directory/directory2/file

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

date, time First Time, Last Time

appname Application

src_ip Source IP

dest_ip Destination IP

host Domain

from_addr, username Source User

to_addr Destination User

subject, database Object

smb_action Command


NetFlow

Add NetFlow
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor NetFlow

Data Source Model Generic NetFlow

Data Format Default

Data Retrieval Net Flow (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/ The IP address associated with the data source device

Port Define the port from the drop-down list

Enable Forwarding Select to enable forwarding


Forwarding IP Address The forwarding IP address

Forwarding Port Default

Interface Manage the network interface for the parent Receiver

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.


Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

NetFlow field mapping


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

xlate_dst_ip, xlate_src_ip NAT_Details.NAT_Address

xlate_dst_port, xlate_src_port NAT_Details.NAT_Port

nat_type NAT_Details.NAT_Type


app_name Application

fwd_status Forwarding_Status

if_desc Interface

code Reason

username Source Username

flow_id Session ID

src_mac Source MAC

dst_mac Destination MAC

vlan vlan

firsttime Firsttime

lasttime Lasttime

src_port Source Port

dst_port Destination Port

protocol Protocol

NetWitness Spectrum

Configure NetWitness Spectrum


Task

1. Browse to System settings → Syslog Auditing.
2. Select CEF from the drop-down list.
3. Enter the IP address/host name and port of McAfee Event Receiver.

Add NetWitness Spectrum


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor NetWitness

Data Source Model Spectrum CEF (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32


Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.


Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

NetWitness Spectrum log format and field mapping


Log sample

Jun 1 18:28:57 NWAPPLIANCE12921 CEF:0|NetWitness|Spectrum|1.1.5.6|Suspicious Event|Detected suspicious
network event ID 69933879 session ID 201323609982|2|static=69.0 nextgen=35.0 community=2.0 sandbox=N/R
file.name=exe file.size=420.00 KB (430,080 bytes) file.md5.hash=220e976618d1e2e3e2525833a1e288b1
com.netwitness.event.internal.id=201323609982 com.netwitness.event.internal.uuid=564e2120-68e2-44c4-
b512-01cf4ca63fd5 country.dst.code=US city.dst=New York org.dst=The Nasdaq Omx Group payload=910876
packets=758 country.dst=United States time=Sat Jun 01 17:15:00 EDT 2013 tcp.srcport=49528
com.netwitness.event.internal.source=http://159.79.148.225:50103/sdk filetype=x86 pe latdec.dst=40.7082
eth.src=00:17:DF:4B:6C:00 tcp.flags=25 ip.proto=6 ip.src=10.85.0.32 tcp.dstport=80 eth.dst=00:1D:70:83:1B:80
lifetime=0 did=us01nwdecod02 sessionid=201323609982 HomeNet.src=HomeNet medium=1 size=952612
content=application/x-msdownload longdec.dst=-74.0132 rid=121375362485 eth.type=2048 ip.dst=198.55.130.62
service=80 ...

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.


Log Fields McAfee ESM fields

file.name Destination_Filename.Destination_Filename

filetype File_Type.FileType

threat.category Category.Category

File.md5.hash File_Hash.File_Hash

domain.dst domain

ip.proto protocol

host hostname

ip.src src_ip

ip.dst dst_ip

tcp.srcport src_port

tcp.dstport dst_port

eth.src src_mac

eth.dst dst_mac

sessionid sessionid

time firsttime/lasttime
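The extension part of the CEF record above contains values with embedded spaces (file.size, org.dst, time), so it cannot be split on whitespace. The parser below is an added example, not code from this guide, NetWitness or McAfee: it splits the pipe-delimited header on unescaped pipes, recognises an extension key only where it follows whitespace, and renames the keys listed in the field mapping table above. parse_cef, to_esm_fields and CEF_TO_ESM are names chosen here; SAMPLE is a shortened copy of the page's log sample joined onto one line.

```python
import re
from typing import Dict, Tuple

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# A literal "|" inside a header field is escaped as "\|", so split only on
# pipes that are not preceded by a backslash.
_PIPE_RE = re.compile(r'(?<!\\)\|')
_UNESC_RE = re.compile(r'\\(.)')  # "\|", "\=" and "\\" become the bare character
_HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Extension keys are only recognised where they follow whitespace (or start the
# extension), because values such as "420.00 KB (430,080 bytes)" and
# "Sat Jun 01 17:15:00 EDT 2013" contain spaces of their own.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')

# Extension key -> McAfee ESM field, from the NetWitness Spectrum table above.
CEF_TO_ESM = {
    "file.name": "Destination_Filename.Destination_Filename",
    "filetype": "File_Type.FileType",
    "threat.category": "Category.Category",
    "file.md5.hash": "File_Hash.File_Hash",
    "domain.dst": "domain",
    "ip.proto": "protocol",
    "host": "hostname",
    "ip.src": "src_ip",
    "ip.dst": "dst_ip",
    "tcp.srcport": "src_port",
    "tcp.dstport": "dst_port",
    "eth.src": "src_mac",
    "eth.dst": "dst_mac",
    "sessionid": "sessionid",
    "time": "firsttime/lasttime",
}


def _unescape(value: str) -> str:
    return _UNESC_RE.sub(r'\1', value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header fields, extension key/value pairs) for one CEF syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    parts = _PIPE_RE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    header = {name: _unescape(v) for name, v in zip(_HEADER_NAMES, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extension = parts[7]
    keys = list(_KEY_RE.finditer(extension))
    ext: Dict[str, str] = {}
    for i, m in enumerate(keys):
        # the value runs from after "key=" up to the whitespace before the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    return header, ext


def to_esm_fields(line: str) -> Dict[str, str]:
    """Keep only the extension keys the mapping table covers, renamed to ESM fields."""
    _, ext = parse_cef(line)
    return {CEF_TO_ESM[k]: v for k, v in ext.items() if k in CEF_TO_ESM}


# Shortened copy of the page's log sample, joined onto one line.
SAMPLE = (
    "Jun 1 18:28:57 NWAPPLIANCE12921 CEF:0|NetWitness|Spectrum|1.1.5.6|Suspicious Event|"
    "Detected suspicious network event ID 69933879 session ID 201323609982|2|"
    "static=69.0 nextgen=35.0 community=2.0 sandbox=N/R file.name=exe "
    "file.size=420.00 KB (430,080 bytes) file.md5.hash=220e976618d1e2e3e2525833a1e288b1 "
    "city.dst=New York org.dst=The Nasdaq Omx Group time=Sat Jun 01 17:15:00 EDT 2013 "
    "tcp.srcport=49528 filetype=x86 pe eth.src=00:17:DF:4B:6C:00 ip.proto=6 "
    "ip.src=10.85.0.32 tcp.dstport=80 eth.dst=00:1D:70:83:1B:80 sessionid=201323609982 "
    "ip.dst=198.55.130.62 service=80"
)

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["name"], "severity", hdr["severity"])
    for field, value in sorted(to_esm_fields(SAMPLE).items()):
        print(f"{field:45} {value}")
```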

Niara

Configure Niara


Task

1. Set up Forwarding.
a. From the Niara Analyzer Interface, navigate to System Configuration → Syslog Destinations.
b. Fill in the Parameter Description, for example, McAfee ESM.
c. In the Syslog Destination field, enter the IP address or host name of the McAfee Event Receiver.
d. Set the protocol (default is UDP).
e. Set the port (default is 514).
2. Set up Notification.
a. From the Niara Analyzer Interface, navigate to System Configuration → Security Alerts/Emails.
b. Click Add New.
c. Select Enable Alert Syslog Forwarding.
d. Leave the default values for Query, Severity, and Confidence.
e. For Sending Notification, select As Alerts are produced.
f. For TimeZone, set as your local time zone.

Add Niara
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Niara

Data Source Model Niara

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.


Niara log format and field mapping


Log format
The expected format for this device is:

DATE TIME HOSTNAME KEY=VALUE KEY=VALUE KEY=VALUE…

Log sample
This is a sample log from a device:

Jan 1 01:01:01 example.hostname msg_type=alert detection_time="2001-01-01 01:01:01 -01:00"
alert_name=BitTorrent alert_type="P2P Application" alert_category="Policy Violation" alert_severity=40
alert_confidence=40 attack_stage=Infection user_name=unknown src_host_name=unknown src_ip=192.0.2.1
dest_ip=192.0.2.2 description="IP Address 192.0.2.1 downloaded BitTorrent application on Jan 01, 2001"
alert_id="bittorrent&192.0.2.1&BitTorrent&example.com"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

detection_time First Time, Last Time

alert_name Message

alert_type Threat_Name

alert_category Threat_Category

alert_severity Severity

alert_confidence Confidence

user_name Source Username

src_host_name Host

src_ip Source IP


dest_ip Destination IP

description Description

alert_id Message_Text
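The NetFort LANGuardian format (earlier in this chapter) and the Niara format above are both a syslog header followed by key=value pairs, Niara quoting any value that contains spaces. The parser below is an added example, not code from this guide or from either vendor: one tokenizer handles quoted and bare values, the two field-mapping tables above rename the keys, and for LANGuardian the syslog date and time become First Time and Last Time as its table specifies. Function and constant names are chosen here; the two sample lines are the page's samples joined onto one line each.

```python
import re
from typing import Dict, Tuple

# One key=value token. The value is either a double-quoted string, which may
# contain spaces and backslash-escaped quotes, or a run of non-space characters.
_KV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Syslog prefix shared by both devices: optional <priority>, a "Mon DD HH:MM:SS"
# timestamp, the sending host, then the message body.
_SYSLOG_RE = re.compile(
    r'^(?:<(?P<pri>\d+)>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+(?P<msg>.*)$')

# LANGuardian message body: "event[<event ID>]: key=value ..."
_LG_EVENT_RE = re.compile(r'^event\[(?P<id>\d+)\]:\s*(?P<kv>.*)$')

# Log field -> McAfee ESM field(s), taken from the two mapping tables.
NIARA_TO_ESM = {
    "detection_time": ("First Time", "Last Time"),
    "alert_name": ("Message",),
    "alert_type": ("Threat_Name",),
    "alert_category": ("Threat_Category",),
    "alert_severity": ("Severity",),
    "alert_confidence": ("Confidence",),
    "user_name": ("Source Username",),
    "src_host_name": ("Host",),
    "src_ip": ("Source IP",),
    "dest_ip": ("Destination IP",),
    "description": ("Description",),
    "alert_id": ("Message_Text",),
}
LANGUARDIAN_TO_ESM = {
    "appname": ("Application",),
    "src_ip": ("Source IP",),
    "dest_ip": ("Destination IP",),
    "host": ("Domain",),
    "from_addr": ("Source User",),
    "username": ("Source User",),
    "to_addr": ("Destination User",),
    "subject": ("Object",),
    "database": ("Object",),
    "smb_action": ("Command",),
}


def parse_kv(text: str) -> Dict[str, str]:
    """Parse space-separated key=value pairs, honouring double-quoted values."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(text):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        fields[key] = value.replace('\\"', '"')
    return fields


def _split_syslog(line: str) -> Tuple[str, str, str]:
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog header")
    return m["ts"], m["host"], m["msg"]


def _to_esm(raw: Dict[str, str], mapping: Dict[str, Tuple[str, ...]]) -> Dict[str, str]:
    """Rename raw keys to ESM fields; unmapped keys (msg_type, uri, ...) are dropped."""
    esm: Dict[str, str] = {}
    for key, value in raw.items():
        for esm_name in mapping.get(key, ()):
            esm[esm_name] = value
    return esm


def parse_niara(line: str) -> Dict[str, str]:
    _, _, msg = _split_syslog(line)
    return _to_esm(parse_kv(msg), NIARA_TO_ESM)


def parse_languardian(line: str) -> Tuple[int, Dict[str, str]]:
    """Return (event ID, ESM fields); the syslog date and time become First/Last Time."""
    ts, _, msg = _split_syslog(line)
    m = _LG_EVENT_RE.match(msg)
    if not m:
        raise ValueError("not a LANGuardian event line")
    esm = _to_esm(parse_kv(m["kv"]), LANGUARDIAN_TO_ESM)
    esm["First Time"] = esm["Last Time"] = ts
    return int(m["id"]), esm


# The page's two log samples, each joined onto a single line.
NIARA_SAMPLE = (
    'Jan 1 01:01:01 example.hostname msg_type=alert detection_time="2001-01-01 01:01:01 -01:00" '
    'alert_name=BitTorrent alert_type="P2P Application" alert_category="Policy Violation" '
    'alert_severity=40 alert_confidence=40 attack_stage=Infection user_name=unknown '
    'src_host_name=unknown src_ip=192.0.2.1 dest_ip=192.0.2.2 '
    'description="IP Address 192.0.2.1 downloaded BitTorrent application on Jan 01, 2001" '
    'alert_id="bittorrent&192.0.2.1&BitTorrent&example.com"'
)
LANGUARDIAN_SAMPLE = (
    "<123>Jan 01 01:01:01 LANGuardian event[1234]: sen_id=1 app_id=1 src_ip=192.0.2.1 "
    "dest_ip=192.0.2.2 host=example.example.com uri=/directory/directory2/file"
)

if __name__ == "__main__":
    print(parse_niara(NIARA_SAMPLE))
    print(parse_languardian(LANGUARDIAN_SAMPLE))
```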

Nortel Networks Contivity

Configure Nortel Networks Contivity


Task

In the command line interface (CLI), enter these commands:

• enable password where password is your administrative password.
• config t
• logging ip address facility-filter all level all where ip address is the IP address of the McAfee Event
Receiver.
• exit

Add Nortel Networks Contivity


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Nortel Networks

Data Source Model Contivity (ASP)


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Nortel Networks Contivity log format and field mapping


Log sample
This is a sample log from a Nortel Contivity device:

<131> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : tIsakmp [03] No proposal chosen in message from 10.10.3.21
<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Usernames Source Username

First IP address Source IP

Second IP address Destination IP

Groups Group_Name

File names Filename

Message type Category


Severity mapping
Each log that contains the following severity format (in brackets) is mapped according to the following sample and table:

<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login

The following table shows the conversion from the severity level in the Nortel log to the severity level recorded in the ESM:

Nortel severity McAfee ESM severity

01 99 (Emergency)

02 75 (Critical)

03 60 (Error)

04 50 (Warning)

05 25 (Alert)

06 10 (Debug)

07 10 (Informational)
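The bracketed severity code and the MM/DD/YYYY date in the Contivity samples above depend on the severity table and on the data source's Date Order setting. The code below is an added example, not code from this guide, Nortel or McAfee: it parses both sample lines, maps the bracketed code through the table, takes the first and second IP addresses in the message as Source IP and Destination IP as the field-mapping table describes, and shows that the same date fails to parse under day-before-month, which is the symptom of a mismatched Date Order setting. The line layout regex is inferred from the two samples only, and all names are chosen here.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Contivity line, as seen in the samples:
# <pri> seq MM/DD/YYYY HH:MM:SS task n : <message type> [NN] text
_CONTIVITY_RE = re.compile(
    r'^<(?P<pri>\d+)>\s+(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+'
    r'(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<task>\S+)\s+\d+\s+:\s+'
    r'(?P<type>\S+)\s+\[(?P<sev>\d{2})\]\s*(?P<msg>.*)$')
_IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Bracketed Nortel severity code -> (McAfee ESM severity, name), from the table above.
NORTEL_SEVERITY = {
    "01": (99, "Emergency"), "02": (75, "Critical"), "03": (60, "Error"),
    "04": (50, "Warning"), "05": (25, "Alert"), "06": (10, "Debug"),
    "07": (10, "Informational"),
}


@dataclass
class ContivityEvent:
    event_time: datetime
    category: str                  # message type (Security, tIsakmp, ...) -> Category
    severity: Optional[int]        # ESM severity; None when the code is not in the table
    severity_name: Optional[str]
    source_ip: Optional[str]       # first IP address in the message -> Source IP
    destination_ip: Optional[str]  # second IP address in the message -> Destination IP
    message: str


def parse_contivity(line: str, day_before_month: bool = False) -> ContivityEvent:
    """Parse one Contivity syslog line; day_before_month mirrors the Date Order setting."""
    m = _CONTIVITY_RE.match(line)
    if not m:
        raise ValueError("not a Contivity log line")
    # strptime rejects 06/18/2014 under day-before-month (there is no month 18),
    # which is the failure a mismatched Date Order setting produces.
    fmt = "%d/%m/%Y %H:%M:%S" if day_before_month else "%m/%d/%Y %H:%M:%S"
    event_time = datetime.strptime(f"{m['date']} {m['time']}", fmt)
    severity, name = NORTEL_SEVERITY.get(m["sev"], (None, None))
    ips: List[str] = _IPV4_RE.findall(m["msg"])
    return ContivityEvent(
        event_time=event_time,
        category=m["type"],
        severity=severity,
        severity_name=name,
        source_ip=ips[0] if ips else None,
        destination_ip=ips[1] if len(ips) > 1 else None,
        message=m["msg"],
    )


def date_order_matches(line: str, day_before_month: bool) -> bool:
    """True when the line's date parses under the given Date Order setting."""
    try:
        parse_contivity(line, day_before_month)
        return True
    except ValueError:
        return False


# The page's two sample lines.
SAMPLES = [
    "<131> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : tIsakmp [03] No proposal chosen in message from 10.10.3.21",
    "<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_contivity(line)
        print(ev.event_time, ev.category, ev.severity, ev.severity_name, ev.source_ip)
    print("day-before-month fits:", date_order_matches(SAMPLES[0], True))
```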

Nortel Networks Passport 8000 Series Switches

Configure Nortel Networks Passport 8000 Series Switches


This syslog configuration is done at the command line. See your product documentation for instructions about how to access
and use the command line.

Task

1. At the command line, enter this command:

config sys syslog host <ID>

where <ID> is the ID of the host that is sending syslog events. The ID can be a number from 1–10.


2. Specify where to send syslog events:

address <IP address>

where <IP address> is the IP address of the McAfee Event Receiver.

3. Specify the facility:

host <ID> facility local0

Replace <ID> with the ID used in Step 1.

4. Enable the host:

host enable

5. Specify the severity level:

host <ID> severity info

Replace <ID> with the ID used in Step 1.

6. Enable the host to send syslog events:

state enable

Add Nortel Networks Passport 8000 Series Switches


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Nortel Networks

Data Source Model Passport 8000 Series Switches (ASP)


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Nortel Networks Passport 8000 Series Switches log format and field mapping

Log format
The expected format for this device is:

<device> <date time> <log type> <severity> <message> <id> <port number> <MAC address>

Log sample
This is a sample log from a Nortel Networks Passport 8000 Series Switch device:

<123>DEVICE [01/01/01 01:01:01] SNMP INFO Spanning Tree Topology Change(StgId=123, PortNum=1234,
MacAddr=a1:b2:c3:d4:e5:f6)

Field mapping
This table shows the mapping between the data source and McAfee ESM.

Log fields McAfee ESM

Application Application

User Source User

IP Address Source IP

Station Source MAC

Interface Object

Novell eDirectory

Configuring Novell eDirectory


See the Novell eDirectory product documentation for setup instructions about sending syslog data to a remote server. Use the IP
address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add Novell eDirectory


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Novell

Data Source Model eDirectory (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Novell eDirectory log format and field mapping

Log format
The expected format for this device is:

<date time> <device name> <account> <domain> <user ID source> <domain ID> <SysAddr> <SysName> <target CN>
<target O> <action> <Event ID> <event class> <category> <severity>

Log sample
This is a sample log from a Novell eDirectory device:

Jan 01 01:01:01 eDirectory : INFO {"Source" : "eDirectory","Observer" : {"Account" : {"Domain" :
"ExampleDomain","Name" : "CN=ExampleName,O=domain"},"Entity" : {"SysAddr" : "192.0.2.1","SysName" :
"name"}},"Initiator" : {"Account" : {"Domain" : "domain"}},"Target" : {"Data" : {"Name" :
"CN=name,O=domain"}},"Action" : {"Event" : {"Id" : "1.2.3.4","Name" : "name","CorrelationID" :
"eDirectory","SubEvent" : "category"},"Time" : {"Offset" : 1359410152},"Log" : {"Severity" : 1},"Outcome" :
"1","ExtendedOutcome" : "1234"}}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

SysName Hostname

SysAddr Source IP

NetAddress Destination IP, Destination Port

Attribute Name Object

Account: Name: CN Source User

Target: Name: CN Destination User

Account: Name: O, Target: Name: O Domain

Event: Name Event_Class

Event ID Signature_Name

Subevent Category

ClassName Target_Class

Privileges Message_Text
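The eDirectory line above is a syslog prefix followed by a JSON document, and the mapping table pulls the CN and O parts out of the DN-style Name values. The following Python is an added example, not McAfee's ASP parser or Novell code, that applies that table to the page's sample; the prefix layout is assumed from the sample, and NetAddress, Attribute Name, ClassName and Privileges are left out because they do not occur in it.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample: the eDirectory log sample from this section, joined onto one line.
SAMPLE = (
    'Jan 01 01:01:01 eDirectory : INFO {"Source" : "eDirectory","Observer" : {"Account" : {"Domain" : '
    '"ExampleDomain","Name" : "CN=ExampleName,O=domain"},"Entity" : {"SysAddr" : "192.0.2.1","SysName" : '
    '"name"}},"Initiator" : {"Account" : {"Domain" : "domain"}},"Target" : {"Data" : {"Name" : '
    '"CN=name,O=domain"}},"Action" : {"Event" : {"Id" : "1.2.3.4","Name" : "name","CorrelationID" : '
    '"eDirectory","SubEvent" : "category"},"Time" : {"Offset" : 1359410152},"Log" : {"Severity" : 1},'
    '"Outcome" : "1","ExtendedOutcome" : "1234"}}'
)

# Syslog-style prefix before the JSON body; the layout is assumed from the sample above.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) : (?P<level>\w+) (?P<body>\{.*\})$"
)


def split_dn(dn: str) -> Dict[str, str]:
    """Split an LDAP-style name such as 'CN=name,O=domain' into {'CN': 'name', 'O': 'domain'}."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            parts[attr.strip().upper()] = value.strip()
    return parts


def lookup(obj: Any, path: str) -> Optional[Any]:
    """Follow a dotted path ('Observer.Entity.SysAddr') through nested dicts; None if a step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_edirectory(line: str) -> Dict[str, Optional[str]]:
    """Parse one eDirectory syslog line into the McAfee ESM fields named in the mapping table."""
    m = PREFIX_RE.match(line)
    if m is None:
        raise ValueError("line does not match the eDirectory syslog layout")
    payload = json.loads(m.group("body"))

    # Account: Name and Target: Name are DNs; the table maps their CN and O parts separately.
    account = split_dn(lookup(payload, "Observer.Account.Name") or "")
    target = split_dn(lookup(payload, "Target.Data.Name") or "")

    return {
        "Hostname": lookup(payload, "Observer.Entity.SysName"),
        "Source IP": lookup(payload, "Observer.Entity.SysAddr"),
        "Source User": account.get("CN"),
        "Destination User": target.get("CN"),
        # Domain comes from Account: Name: O, falling back to Target: Name: O.
        "Domain": account.get("O") or target.get("O"),
        "Event_Class": lookup(payload, "Action.Event.Name"),
        "Signature_Name": lookup(payload, "Action.Event.Id"),
        "Category": lookup(payload, "Action.Event.SubEvent"),
    }


if __name__ == "__main__":
    for field, value in parse_edirectory(SAMPLE).items():
        print(f"{field:17} {value}")
```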

Novell Identity and Access Management

Configure Novell Identity and Access Management


Task

1. From the application, select Auditing → Novell Auditing.
2. In the Server field, enter the IP address or the FQDN of the McAfee ESM.
3. In the Port field, enter the listening port (default is 514).
4. Under Management Console Audit Events, specify the events you want to send.
5. Click OK.

Add Novell Identity and Access Management


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Novell

Data Source Model Identity and Access Management – IAM (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Novell Identity and Access Management log format and field mapping

Log format
The expected format for this device is:

<date time> <device IP> <device name> <date time> <device name> <application> <hostname> <Source IP> <User Identifier> <URL>

Log sample
This is a sample log from a Novell Identity and Access Management device:

<123>Jan 01 01:01:01 192.0.2.1 Novell Access Manager\AG\URL Acc:[wMon, 01 Jan 2001 01:01:01 +0100] [Novell
Access Manager\AG\URL Access]: AMDEVICEID#hostname: AMAUTHID#3authorizationID: AMEVENTID#eventID: Source IP
Address: [192.0.2.2] User Identifier: [cn=12345678,ou=unit,O=domain] Accessed URL [https://example.com]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

AMDEVICEID Hostname

Application Application

Source IP Address, Remote Client IP Addr Source IP

User Identifier, cn Username

URL URL


Okta

Configure Okta
Set up Okta to send data to McAfee ESM.

Task

See Okta product documentation for instructions. The information on the developer site might be useful.

Add Okta
Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Okta

Data Source Model Okta

Data Format Default

Data Retrieval undefined (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter a name for the data source.

IP Address Clear this field.

Note: The IP Address is self-populated once you enter the Hostname.

Hostname This parameter gives the name of the host.

Set the DNS server:
a. On the menu, click Interface → Setup (Management).
b. Make sure that the DNS Server IP is populated and then click OK.
Configure the host name:
a. Enter the Hostname.
b. Click Look up.

Note: The IP address gets populated.

System Token This is the API token you set up when you configured Okta to retrieve data.

Use Proxy If you use a proxy, type the IP address, port, and credentials for the proxy server.

Support Generic Syslogs Do nothing

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Oracle Audit (SQL)

Configure Oracle Audit (SQL)


Note: The supported parser queries the DB_Audit_Trail table within the database to pull events. As this table grows, performance
slows noticeably because two values must be pulled into the query: Timestamp and Transaction_ID. To alleviate the impact on
performance, index the table. If there is still a considerable impact after indexing, use another option (syslog, flat file, etc.) to
pull audit data.

Task

1. Enter db as the AUDIT_TRAIL parameter.
Example:
ALTER SYSTEM SET AUDIT_TRAIL=db;
2. Restart the service for the change to take effect.
3. Enable auditing for the appropriate tables.

Add Oracle Audit (SQL)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Oracle

Data Source Model Oracle Audit (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address and credentials The IP address associated with the data source device and the credentials to log on.

Note: Don't use _ (underscore) in a host name field.

Port The port used to connect to the data source.

Database SID Unique name of the database instance.

Poll Frequency How often to check for new data.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source
has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Oracle Audit (SQL) log format and field mapping

Log format
The expected format for this device is:

AUDIT_TYPE="" SESSION_ID="" PROXY_SESSIONID="" STATEMENTID="" ENTRYID="" EXTENDED_TIMESTAMP="" GLOBAL_UID=""
DB_USER="" CLIENT_ID="" ECONTEXT_ID="" EXT_NAME="" OS_USER="" USERHOST="" OS_PROCESS="" TERMINAL=""
INSTANCE_NUMBER="" OBJECT_SCHEMA="" OBJECT_NAME="" POLICY_NAME="" NEW_OWNER="" NEW_NAME="" ACTION=""
STATEMENT_TYPE="" AUDIT_OPTION="" TRANSACTIONID="" RETURNCODE="" SCN="" COMMENT_TEXT="" SQL_BIND=""
SQL_TEXT="" OBJ_PRIVILEGE="" SYS_PRIVILEGE="" ADMIN_OPTION="" OS_PRIVILEGE="" GRANTEE="" PRIV_USED=""
SES_ACTIONS="" LOGOFF_TIME="" LOGOFF_LREAD="" LOGOFF_PREAD="" LOGOFF_LWRITE="" LOGOFF_DLOCK=""
SESSION_CPU="" OBJ_EDITION_NAME="" DBID=""

Log sample
This is a sample log from an Oracle Audit device:

AUDIT_TYPE="Standard Audit" SESSION_ID="1" PROXY_SESSIONID="0" STATEMENTID="1" ENTRYID="1"
EXTENDED_TIMESTAMP="2015-01-01 00:00:00.000" GLOBAL_UID="" DB_USER="QA" CLIENT_ID="" ECONTEXT_ID=""
EXT_NAME="" OS_USER="root" USERHOST="exampleUser" OS_PROCESS="1000:1000" TERMINAL="unknown"
INSTANCE_NUMBER="0" OBJECT_SCHEMA="" OBJECT_NAME="" POLICY_NAME="" NEW_OWNER="" NEW_NAME="" ACTION="100"
STATEMENT_TYPE="LOGON" AUDIT_OPTION="" TRANSACTIONID="0013000D00AAFF2" RETURNCODE="0" SCN="0"
COMMENT_TEXT="Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.1)
(PORT=37063))" SQL_BIND="" SQL_TEXT="" OBJ_PRIVILEGE="" SYS_PRIVILEGE="" ADMIN_OPTION="" OS_PRIVILEGE="NONE"
GRANTEE="" PRIV_USED="CREATE SESSION" SES_ACTIONS="" LOGOFF_TIME="" LOGOFF_LREAD="0" LOGOFF_PREAD="0"
LOGOFF_LWRITE="0" LOGOFF_DLOCK="" SESSION_CPU="0" OBJ_EDITION_NAME="" DBID="1234567890"

This is a sample log from an Oracle Unified Audit device:

AUDIT_TYPE="Standard Audit" SESSION_ID="1" PROXY_SESSIONID="0" STATEMENTID="1" ENTRYID="1"
EXTENDED_TIMESTAMP="2015-01-01 00:00:00.000" ACTION_NAME="ALTER USER" GLOBAL_UID=""
CLIENT_PROGRAM_NAME="sqlplus@hostname" DB_USER="TESTUSER" CLIENT_ID="" EXT_NAME="" OS_USER="root"
USERHOST="exampleUser" OS_PROCESS="1000:1000" TERMINAL="unknown" DBID="1234567890"
AUTHENTICATION_TYPE="(TYPE=(OS));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=54526))))"
INSTANCE_NUMBER="0" OBJECT_SCHEMA="" OBJECT_NAME="" POLICY_NAME="" NEW_NAME="" AUDIT_OPTION=""
TRANSACTIONID="0013000D00AAFF2" RETURNCODE="0" SCN="0" COMMENT_TEXT="Text comment on the audit trail entry,
if any" SQL_BIND="" SQL_TEXT="SELECT SYS_CONTEXT('USERENV','CDB_NAME'), SYS_CONTEXT('USERENV','CON_NAME')
FROM SYS.DUAL" OBJ_PRIVILEGE="" SYS_PRIVILEGE="" ADMIN_OPTION="" PRIV_USED="CREATE SESSION"
UNIFIED_AUDIT_POLICIES="ORA_SECURECONFIG, ORA_SECURECONFIG"

Field mapping for DBA_COMMON_AUDIT_TRAIL


This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

RETURNCODE Action, Return_Code

AUDIT_TYPE Category

DBID Database_ID

OS_USER Destination User

EXTENDED_TIMESTAMP First Time, Last Time

USERHOST Host

STATEMENT_TYPE Action, Rule Message

OBJECT_NAME Object

POLICY_NAME Policy Name

COMMENT_TEXT Protocol, Source IP, Source Port

SQL_TEXT SQL_Statement

SESSION_ID Session_ID

ACTION SID

DB_USER Source User

Field mapping for UNIFIED_AUDIT_TRAIL


This table shows the mapping between the data source and McAfee ESM fields.

RETURN_CODE Action, Return_Code

AUDIT_TYPE Category

DBID Database_ID

OS_USERNAME Destination User

EVENT_TIMESTAMP First Time, Last Time

USERHOST Host

ADDITIONAL_INFO Message_Text

OBJECT_NAME Object

OBJECT_SCHEMA Database_Name

AUTHENTICATION_TYPE Protocol, Source IP, Source Port

FGA_POLICY_NAME Policy_Name

SESSIONID Session_ID

ACTION_NAME SQL_Command, sid

CLIENT_PROGRAM_NAME Application

UNIFIED_AUDIT_POLICIES Rule_Name

DBUSERNAME Source User

SQL_TEXT SQL_Statement

SYSTEM_PRIVILEGE_USED Command
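Both Oracle audit samples above are KEY="value" records, and the tables derive Protocol, Source IP and Source Port from the TNS client address carried in COMMENT_TEXT (standard trail) or AUTHENTICATION_TYPE (unified trail). The following Python is an added example, not McAfee's ASP parser, that tokenizes the standard sample and applies the DBA_COMMON_AUDIT_TRAIL mapping; the regexes are assumptions based on the two samples, and a value containing a double quote is not handled.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the Standard Audit sample from this section, joined onto one line.
SAMPLE = (
    'AUDIT_TYPE="Standard Audit" SESSION_ID="1" PROXY_SESSIONID="0" STATEMENTID="1" ENTRYID="1" '
    'EXTENDED_TIMESTAMP="2015-01-01 00:00:00.000" GLOBAL_UID="" DB_USER="QA" CLIENT_ID="" ECONTEXT_ID="" '
    'EXT_NAME="" OS_USER="root" USERHOST="exampleUser" OS_PROCESS="1000:1000" TERMINAL="unknown" '
    'INSTANCE_NUMBER="0" OBJECT_SCHEMA="" OBJECT_NAME="" POLICY_NAME="" NEW_OWNER="" NEW_NAME="" ACTION="100" '
    'STATEMENT_TYPE="LOGON" AUDIT_OPTION="" TRANSACTIONID="0013000D00AAFF2" RETURNCODE="0" SCN="0" '
    'COMMENT_TEXT="Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.1)'
    '(PORT=37063))" SQL_BIND="" SQL_TEXT="" OBJ_PRIVILEGE="" SYS_PRIVILEGE="" ADMIN_OPTION="" OS_PRIVILEGE="NONE" '
    'GRANTEE="" PRIV_USED="CREATE SESSION" SES_ACTIONS="" LOGOFF_TIME="" LOGOFF_LREAD="0" LOGOFF_PREAD="0" '
    'LOGOFF_LWRITE="0" LOGOFF_DLOCK="" SESSION_CPU="0" OBJ_EDITION_NAME="" DBID="1234567890"'
)

# KEY="value" pairs; the values in the page's samples never contain a double quote (assumption).
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# TNS client address as it appears inside COMMENT_TEXT (standard) and AUTHENTICATION_TYPE (unified).
ADDRESS_RE = re.compile(r"\(PROTOCOL=(\w+)\)\s*\(HOST=([^)]+)\)\s*\(PORT=(\d+)\)")

# Log field -> ESM field(s), copied from the DBA_COMMON_AUDIT_TRAIL table above. The table lists
# Action for both RETURNCODE and STATEMENT_TYPE; this example keeps RETURNCODE for Action so the
# result does not depend on the order in which the keys appear.
ESM_MAP: Dict[str, Tuple[str, ...]] = {
    "RETURNCODE": ("Action", "Return_Code"),
    "AUDIT_TYPE": ("Category",),
    "DBID": ("Database_ID",),
    "OS_USER": ("Destination User",),
    "EXTENDED_TIMESTAMP": ("First Time", "Last Time"),
    "USERHOST": ("Host",),
    "STATEMENT_TYPE": ("Rule Message",),
    "OBJECT_NAME": ("Object",),
    "POLICY_NAME": ("Policy Name",),
    "SQL_TEXT": ("SQL_Statement",),
    "SESSION_ID": ("Session_ID",),
    "ACTION": ("SID",),
    "DB_USER": ("Source User",),
}


def parse_pairs(record: str) -> Dict[str, str]:
    """Tokenize a KEY="value" record, rejecting anything that is neither a pair nor whitespace."""
    fields: Dict[str, str] = {}
    pos = 0
    for m in PAIR_RE.finditer(record):
        gap = record[pos:m.start()]
        if gap.strip():
            raise ValueError(f"unparsed text at offset {pos}: {gap.strip()!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    if record[pos:].strip():
        raise ValueError(f"unparsed trailing text: {record[pos:].strip()!r}")
    return fields


def client_address(text: str) -> Optional[Tuple[str, str, int]]:
    """Return (protocol, host, port) from a TNS address string, or None if it carries none."""
    m = ADDRESS_RE.search(text)
    if m is None:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def to_esm(fields: Dict[str, str]) -> Dict[str, object]:
    """Apply the field mapping, then derive Protocol / Source IP / Source Port from the address carrier."""
    esm: Dict[str, object] = {}
    for key, value in fields.items():
        for esm_name in ESM_MAP.get(key, ()):
            esm[esm_name] = value
    for carrier in ("COMMENT_TEXT", "AUTHENTICATION_TYPE"):
        addr = client_address(fields.get(carrier, ""))
        if addr is not None:
            esm["Protocol"], esm["Source IP"], esm["Source Port"] = addr
            break
    return esm


if __name__ == "__main__":
    for name, value in sorted(to_esm(parse_pairs(SAMPLE)).items()):
        print(f"{name:16} {value!r}")
```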


Oracle Audit (syslog)

Configure Oracle Audit (syslog)


Task

1. Enter OS as the AUDIT_TRAIL parameter.
Example:
ALTER SYSTEM SET AUDIT_TRAIL=OS;
2. Edit the initsid.ora configuration file and enter the facility and priority in the AUDIT_SYSLOG_LEVEL parameter.
Example:
AUDIT_SYSLOG_LEVEL=facility.priority
3. Log on to the server with the syslog configuration file, /etc/syslog.conf, with root permissions.
4. Add the audit file location to syslog.conf.
5. Restart the syslog logger (example: /etc/rc.d/init.d/syslog restart).
6. Restart the database instance (example: CONNECT SYS / AS SYSOPER).

Add Oracle Audit (syslog)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Oracle

Data Source Model Oracle Audit (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Oracle Audit (syslog) log format and field mapping

Log format
The expected format for this device is as follows:

<Priority Number>Process Name[]: LENGTH: '' ACTION:[] SQLTXT DATABASE USER:[] PRIVILEGE:[] CLIENT USER:[]
CLIENT TERMINAL:[] STATUS:[] DBID:[]

Log sample
This is a sample log from an Oracle Audit device:

<133>Oracle Audit[8435]: LENGTH : '317' ACTION :[168] 'select decode(status, 'OPEN', 1, 0), decode(archiver,
'FAILED', 1, 0), decode(database_status, 'SUSPENDED', 1, 0) into :status, :archstuck, :dbsuspended from
v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] ''
STATUS:[1] '0' DBID:[10] '1234567890'

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

STATUS, RETURNCODE Action

DBID Database_ID

CLIENT USER, OS$USERID Destination User

EXTENDEDTIMESTAMP First Time, Last Time

USERHOST Host

Message Message

OBJ$NAME, OBJECTNAME Object

POLICY NAME Policy Name

PRIVILEGE Privileged_User

PROTOCOL Protocol

RETURNCODE, STATUS Return_Code

Session ID Session ID

Signature ID Signature ID

HOST Source IP

PORT Source Port

DATABASE USER, USERID Source User

SQL TEXT, ACTION SQL_Statement
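In the syslog format above every value is announced as NAME:[n] 'value', and the sample ACTION is a SQL statement that itself contains single quotes, so a parser that scans for the closing quote would truncate it. The following Python is an added example, not McAfee's parser, that honours the length prefix instead and rejects a line whose prefix and data disagree; the header and field regexes are assumptions taken from the sample.

```python
import re
from typing import Dict, Union

# Constructed sample: the Oracle Audit syslog sample from this section, joined onto one line.
SAMPLE = (
    "<133>Oracle Audit[8435]: LENGTH : '317' ACTION :[168] 'select decode(status, 'OPEN', 1, 0), "
    "decode(archiver, 'FAILED', 1, 0), decode(database_status, 'SUSPENDED', 1, 0) into :status, "
    ":archstuck, :dbsuspended from v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' "
    "CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1234567890'"
)

HEADER_RE = re.compile(r"^<(\d{1,3})>([^\[]+)\[(\d+)\]:\s*")          # <PRI>Process Name[pid]:
LENGTH_RE = re.compile(r"\s*LENGTH\s*:\s*'(\d+)'")                     # LENGTH : 'n'
FIELD_RE = re.compile(r"\s*([A-Z][A-Z ]*?)\s*:\s*\[(\d+)\]\s*'")       # NAME:[n] '

# Log field -> ESM field(s), taken from the Oracle Audit (syslog) mapping table above.
ESM_MAP = {
    "STATUS": ("Action", "Return_Code"),
    "DBID": ("Database_ID",),
    "CLIENT USER": ("Destination User",),
    "PRIVILEGE": ("Privileged_User",),
    "DATABASE USER": ("Source User",),
    "ACTION": ("SQL_Statement",),
}


def parse_oracle_syslog_audit(line: str) -> Dict[str, Union[str, int]]:
    """Parse one Oracle Audit syslog line.

    Each value is announced as NAME:[n] 'value', where n is the length of the value. The parser
    takes exactly n characters instead of scanning for the closing quote, which is what keeps the
    ACTION field above (a SQL statement full of single quotes) intact.
    """
    line = line.rstrip()
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI>Process[pid]: header")
    fields: Dict[str, Union[str, int]] = {
        "Priority": int(m.group(1)),
        "Process": m.group(2).strip(),
        "PID": int(m.group(3)),
    }
    pos = m.end()

    lm = LENGTH_RE.match(line, pos)
    if lm is not None:
        fields["LENGTH"] = int(lm.group(1))
        pos = lm.end()

    while pos < len(line):
        fm = FIELD_RE.match(line, pos)
        if fm is None:
            raise ValueError(f"unexpected data at offset {pos}: {line[pos:pos + 20]!r}")
        name, n = fm.group(1), int(fm.group(2))
        start = fm.end()
        value = line[start:start + n]
        # The closing quote must sit exactly n characters after the opening one.
        if len(value) != n or line[start + n:start + n + 1] != "'":
            raise ValueError(f"length prefix {n} for {name} does not match the data")
        fields[name] = value
        pos = start + n + 1
    return fields


def to_esm(fields: Dict[str, Union[str, int]]) -> Dict[str, Union[str, int]]:
    """Rename parsed fields to the ESM names from the mapping table; unmapped fields are dropped."""
    return {esm: v for key, v in fields.items() for esm in ESM_MAP.get(key, ())}


if __name__ == "__main__":
    for name, value in to_esm(parse_oracle_syslog_audit(SAMPLE)).items():
        print(f"{name:17} {value!r}")
```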

Oracle Audit (XML)

Configure Oracle Audit (XML)


Task

1. Enter XML as the AUDIT_TRAIL parameter.
Example: ALTER SYSTEM SET AUDIT_TRAIL=XML;
2. Restart the service for the change to take effect.
3. Enable auditing for the appropriate tables.
4. Optionally, change the directory in which audit trail files are written.
Example: ALTER SYSTEM SET AUDIT_FILE_DEST = '/audit_trail' DEFERRED;
5. Navigate to the file destination you set, and open the XML file once it is generated. Ensure that the audit trail is being written
inside that file.

Add Oracle Audit (XML)


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Oracle

Data Source Model Oracle Audit – XML File Pull (ASP)

Data Format Default

Data Retrieval File (Default)

Enabled Select options for processing events. Some options may not be available for your
data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address associated with the data source device.

Port 22

Number of lines per record 1

File copy timeout 1 second

Login timeout 1 second

Interval 15 minutes

File Completion 60 Seconds

Delete processed file Unchecked

Path Path to file

Wildcard expression Wild card for log file (example: *.log)

Username Device user name

Password Device password

Transfer compression Unchecked

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.


Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.


Oracle Audit (XML) log format and field mapping


Log format
The expected format for this device is:

<AuditRecord><Audit_Type></Audit_Type><Session_Id></Session_Id><StatementId></StatementId><EntryId></EntryId><Extended_Timestamp></Extended_Timestamp><DB_User></DB_User><Userhost></Userhost><OS_Process></OS_Process><Terminal></Terminal><Instance_Number></Instance_Number><Returncode></Returncode><Scn></Scn><OSPrivilege></OSPrivilege><DBID></DBID> <Sql_Text></Sql_Text></AuditRecord>

Log sample
This is a sample log from an Oracle Audit device:

<AuditRecord><Audit_Type>0</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId><EntryId>0</EntryId><Extended_Timestamp>2015-01-01T00:00:00.0000000</Extended_Timestamp><DB_User>/</DB_User><Userhost>HOST.COMPANY.COM</Userhost><OS_Process>12345</OS_Process><Terminal>UNKNOWN</Terminal><Instance_Number>2</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1234567890</DBID> <Sql_Text>select count(*), null, null from sys.default</Sql_Text> </AuditRecord>

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

STATUS, RETURNCODE Action

DBID Database_ID

CLIENT USER, OS$USERID Destination User

EXTENDEDTIMESTAMP First Time, Last Time

USERHOST Host

Message Message

OBJ$NAME, OBJECTNAME Object

POLICY NAME Policy Name

PRIVILEGE Privileged_User


PROTOCOL Protocol

RETURNCODE, STATUS Return_Code

Session ID Session ID

Signature ID Signature ID

HOST Source IP

PORT Source Port

DATABASE USER, USERID Source User

SQL TEXT, ACTION SQL_Statement
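As an added example that is not part of this guide or the ESM product, the following Python script reads Oracle Audit XML records in the format above (one record per line, as the data source settings expect) and maps them onto the ESM fields from the mapping table; the record it parses is constructed from the log sample, and the mapping keys use the XML tag names of the log format.

```python
"""Added example (not from the McAfee guide): parse Oracle Audit XML records
and map them onto McAfee ESM fields per the mapping table."""
import xml.etree.ElementTree as ET

# Constructed sample record, one <AuditRecord> per line as the receiver
# expects (Number of lines per record = 1).
SAMPLE_RECORD = (
    "<AuditRecord><Audit_Type>0</Audit_Type><Session_Id>0</Session_Id>"
    "<StatementId>0</StatementId><EntryId>0</EntryId>"
    "<Extended_Timestamp>2015-01-01T00:00:00.0000000</Extended_Timestamp>"
    "<DB_User>/</DB_User><Userhost>HOST.COMPANY.COM</Userhost>"
    "<OS_Process>12345</OS_Process><Terminal>UNKNOWN</Terminal>"
    "<Instance_Number>2</Instance_Number><Returncode>0</Returncode>"
    "<Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1234567890</DBID>"
    " <Sql_Text>select count(*), null, null from sys.default</Sql_Text>"
    "</AuditRecord>"
)

# XML tag (from the log format) -> ESM field(s) (from the mapping table).
# EXTENDEDTIMESTAMP feeds both First Time and Last Time.
TAG_TO_ESM = {
    "Extended_Timestamp": ("First Time", "Last Time"),
    "Userhost": ("Host",),
    "DBID": ("Database_ID",),
    "DB_User": ("Source User",),
    "Returncode": ("Return_Code",),
    "Session_Id": ("Session ID",),
    "Sql_Text": ("SQL_Statement",),
}


def parse_audit_record(xml_text):
    """Map one <AuditRecord> to {esm_field: value}.

    Raises ValueError for XML that is not well-formed or whose root is not
    <AuditRecord>, so a truncated line in the pulled file is reported rather
    than silently producing an empty event.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"record is not well-formed XML: {exc}") from exc
    if root.tag != "AuditRecord":
        raise ValueError(f"unexpected root element <{root.tag}>")
    event = {}
    for child in root:
        # Tags without an ESM mapping (Scn, Terminal, ...) are skipped.
        for esm_field in TAG_TO_ESM.get(child.tag, ()):
            event[esm_field] = (child.text or "").strip()
    return event


def parse_audit_file(text):
    """Parse a pulled file with one record per line, skipping blank lines."""
    return [parse_audit_record(line) for line in text.splitlines() if line.strip()]


def failed_statements(events):
    """Events whose Oracle return code is non-zero: statements that were
    audited but failed, which a reviewer usually wants to see first."""
    return [e for e in events if e.get("Return_Code", "0") != "0"]


if __name__ == "__main__":
    for event in parse_audit_file(SAMPLE_RECORD + "\n"):
        print(event)
```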

Oracle Cloud Infrastructure (OCI)

Configure Oracle Cloud Infrastructure


Set up the Oracle Cloud Infrastructure (OCI) data source to send data to McAfee ESM.

Before you begin


Make sure that you have read access to audit-events. For more information, see Viewing Audit Log Events.

Task

To generate an API key, see Oracle documentation.

Add Oracle Cloud Infrastructure


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Oracle

Data Source Model Oracle Cloud Infrastructure

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address IP address associated with the data source device.

Hostname Host name associated with the data source device (cloud.oracle.com). Click Look up to fill the IP Address field automatically.

RSA Key The key generated in the OCI setup steps

User ID The user ID that applies to the key

Fingerprint The fingerprint of the RSA key

Tenant ID The ID of the tenancy that this key has access to


Zone One of the zones that this account has access to

Use Proxy Enable to use proxy

Proxy IP Address IP address of the proxy

Proxy Port Default

Proxy Username Username of the proxy

Proxy Password Password of the proxy

Support Generic Syslogs Do nothing

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.


External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

6. Click OK.

Oracle Unified Auditing (SQL)

Configure Oracle Unified Auditing (SQL)


Oracle 12c introduced Unified Auditing. Previously, separate audit trails were kept for individual components. The Unified Audit
trail combines all auditing into a single audit trail. By default, Oracle 12c is in “Mixed Mode” and all log data is written to both the
traditional locations and the new location. Once Unified Auditing is explicitly enabled, all audit data are stored in the new location
exclusively.

Note

The minimum privileges for the Oracle Unified Audit and Common Audit trails are the CONNECT and AUDIT_VIEWER roles.

Task

1. Verify whether Unified Auditing is enabled.

SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

2. If this query returns the following, Unified Auditing has not been enabled.

PARAMETER          VALUE
------------------ ----------
Unified Auditing   FALSE

3. To enable Unified Auditing in Oracle 12c, first shut down the Oracle databases and listeners that are associated with the Oracle Home.
4. Next, relink the Oracle executable to support Unified Auditing:

Unix/Linux:

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle

Windows:

cd %ORACLE_HOME%\bin
rename orauniaud12.dll.dbl orauniaud12.dll

5. Start the Oracle databases and listeners associated with the Oracle Home.
6. Both ORA_SECURECONFIG and ORA_LOGON_FAILURES policies are enabled by default and can be configured as needed.
7. Enable auditing for the appropriate tables.


Oracle Internet Directory Server

Configuring Oracle Internet Directory Server


Task

1. Log on to the Oracle Directory Manager as administrator.
2. In the Navigator pane, expand the server listing and select a server instance.
3. Click the Debug Flags tab.
4. Select Debug Flags.
5. Click Save.

Logs are stored in:

%ORACLE_HOME%/ldap/log

Add Oracle Internet Directory Server


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Oracle

Data Source Model Internet Directory Server

Data Format Default

Data Retrieval MEF (McAfee Event Format)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Oracle Internet Directory Server log format and field mapping

Log format
The expected format for this device is:

[Timestamp][ServerType][ThreadIdentifier][Severity][FunctionName][Hostname][PID][ThreadID] :[[
BEGIN
ConnectionID MessageID OperationID OperationName ConnectionIP ConnectionDomain
Trace information
END
]]

Log sample
This is a sample log from an Oracle Internet Directory Server device:

LDAP Audit Logs:

[2015-06-09T20:07:18+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 8] ServerWorker (REG):[[
BEGIN
ConnID:10578 mesgID:1 OpID:0 OpName:bind ConnIP:192.168.2.2 ConnDN:Anonymous
INFO : gslfbidbDoBind * Version=3 BIND dn="cn=orcladmin" method=128
ConnId = 10578, op=0, IpAddr=10.10.10.10
2015-06-09T20:07:18 * INFO:gsleswrASndResult OPtime=2112 micro sec RESULT=0 tag=97 nentries=0
END
]]

System Logs:

[2015-06-09T20:13:56+00:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 0] Main:: Shutting down ... detaching shared memory

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Timestamp First Time, Last Time

OperationName Message

ConnectionIP Source IP

ConnectionDomain Domain

PID PID


ConnectionID External_Session_ID

OperationID External_Event_ID

Configure McAfee Collector for Oracle Internet Directory Server

To configure the McAfee Collector to send events, edit the McAfee Collector configuration file.

Task

1. Open the configuration file at /opt/McAfee/siem/mcafee_siem_collector.conf.
2. Edit these values:
a. Set rec_ip to the IP address of the McAfee Event Receiver.
b. Set rec_port to 8082.
c. Set rec_encrypt to 0.
d. Set type to filetail.
e. Set ft_dir to the folder that contains the Oracle Internet Directory Server logs.
f. Set ft_filter to a wildcard expression that matches the log files.
g. Set ft_delim to the following regular expression:

\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d

h. Set ft_delim_end_of_event to 0.
i. Set ft_start_top to 1.
3. Save and close the file.
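The following Python script is an added example, not the McAfee Collector's own code: it applies the ft_delim expression from step 2g to a constructed stream of the two records in the log sample above, then extracts the fields that the mapping table names. It assumes that ft_delim_end_of_event = 0 means the delimiter starts an event rather than ends it.

```python
"""Added example (not the McAfee Collector's code): split an Oracle Internet
Directory log stream on the guide's ft_delim pattern and map the fields."""
import re

# The ft_delim value from the guide, unchanged. The \xNN escapes spell out
# '[', '-', ':', '+' and ']', so it matches only a bracketed timestamp with a
# UTC offset such as [2015-06-09T20:07:18+00:00]; the bare "2015-06-09T20:07:18"
# inside a trace block does not match and so does not split an event.
FT_DELIM = re.compile(
    r"\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d"
)

# Header: [Timestamp] [ServerType] [..] [..] [..] [host: ..] [pid: ..] [tid: ..].
# Only the positions the ESM mapping uses are named.
HEADER = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<server_type>[^\]]*)\]"
    r"(?: \[[^\]]*\]){3} \[host: (?P<hostname>[^\]]*)\]"
    r" \[pid: (?P<pid>\d+)\] \[tid: (?P<tid>\d+)\]"
)
# Operation line inside a BEGIN/END trace block.
OPERATION = re.compile(
    r"ConnID:(?P<conn_id>\d+) mesgID:(?P<msg_id>\d+) OpID:(?P<op_id>\d+)"
    r" OpName:(?P<op_name>\S+) ConnIP:(?P<conn_ip>\S+) ConnDN:(?P<conn_dn>\S+)"
)

# Log field -> ESM field(s), from the guide's mapping table.
FIELD_MAP = {
    "timestamp": ("First Time", "Last Time"),
    "op_name": ("Message",),
    "conn_ip": ("Source IP",),
    "conn_dn": ("Domain",),
    "pid": ("PID",),
    "conn_id": ("External_Session_ID",),
    "op_id": ("External_Event_ID",),
}

# Constructed sample: the guide's two records written on unbroken lines.
SAMPLE_LOG = """[2015-06-09T20:07:18+00:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 8] ServerWorker (REG):[[
BEGIN
ConnID:10578 mesgID:1 OpID:0 OpName:bind ConnIP:192.168.2.2 ConnDN:Anonymous
INFO : gslfbidbDoBind * Version=3 BIND dn="cn=orcladmin" method=128
ConnId = 10578, op=0, IpAddr=10.10.10.10
2015-06-09T20:07:18 * INFO:gsleswrASndResult OPtime=2112 micro sec RESULT=0 tag=97 nentries=0
END
]]
[2015-06-09T20:13:56+00:00] [OID] [NOTIFICATION:16] [] [OIDLDAPD] [host: example.oraclecloud.com] [pid: 29238] [tid: 0] Main:: Shutting down ... detaching shared memory
"""


def split_events(text):
    """Cut the stream into events, each running from one ft_delim match up to
    the next (assumed meaning of ft_delim_end_of_event = 0). Text before the
    first delimiter is a partial record and is dropped."""
    starts = [m.start() for m in FT_DELIM.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[a:b].rstrip("\n") for a, b in zip(starts, ends)]


def parse_event(event):
    """Return {esm_field: value} for one event; the operation fields are
    present only for LDAP audit records that carry a trace block."""
    header = HEADER.match(event)
    if header is None:
        raise ValueError(f"unrecognised header: {event.splitlines()[0]!r}")
    fields = header.groupdict()
    operation = OPERATION.search(event)
    if operation is not None:
        fields.update(operation.groupdict())
    return {
        esm: fields[key]
        for key, targets in FIELD_MAP.items() if key in fields
        for esm in targets
    }


if __name__ == "__main__":
    for event in split_events(SAMPLE_LOG):
        print(parse_event(event))
```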

Palo Alto Networks PAN-OS

Configure Palo Alto Networks PAN-OS


See your version of the PAN-OS Administrator's Guide for the complete steps to set up a syslog server within the product.

Add Palo Alto Networks PAN-OS


Add the data source to a receiver.


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Palo Alto Networks

Data Source Model Palo Alto Firewalls (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Palo Alto Networks PAN-OS log format and field mapping


Log format
The expected format for this device is:

Traffic Logs:

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination
IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual
System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile,
FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port,
Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category,
FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent,
Packets Received.

Threat Logs:

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination
IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual
System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile,
FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port,
Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action
Flags, Source Location, Destination Location, FUTURE_USE, Content Type


Log sample
This is a sample log from a Palo Alto Networks PAN-OS device:

2001/01/01 01:01:01,0004A100455,THREAT,vulnerability,148,2001/01/01 01:01:01,192.168.0.1,192.168.0.2,0.0.0.0,0.0.0.0,p-Main-Outbound-2,,,web-browsing,vsys1,firewall,irouter,ethernet1/3,ethernet1/1,p-WeaselUrlLogging-Local4-NCR,2001/01/01 01:01:01,65534,1,80,1433,0,0,0x0,tcp,alert,"",HTTP JavaScript Obfuscation Detected(31825),any,low,

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Generation Time First Time, Last Time

Source IP Source IP

Destination IP Destination IP

Rule Name Signature_Name

Source User Source User

Subtype, Application Application

Hostname Host

Inbound Interface Interface

Source Zone Source_Zone

Destination Zone Destination_Zone

Message Message_Text

Category Category

Outbound Interface Interface_Dest


Bytes Sent Bytes_Sent

Bytes Received Bytes_Received

Domain Domain

NAT NAT_Details

Direction Direction

File Path File_Path

MAC Source MAC

Command Command

Event ID Event_Class

External Host External_Hostname

OS Operating_System

Protocol Protocol

URL URL

Session ID Session ID
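The following Python parser is an added example (not code from this guide or from Palo Alto Networks): it names the columns of a PAN-OS syslog line using the Traffic and Threat layouts above, chosen by the Type field, and applies the mapping table. The two sample lines are constructed to those layouts, and Ingress/Egress Interface are assumed to be the table's Inbound/Outbound Interface.

```python
"""Added example (not from the guide or PAN-OS): parse a PAN-OS CSV syslog
line using the Traffic/Threat field layouts and map it to ESM fields."""
import csv

# Field layouts copied from the guide's log formats. Both start with the same
# 31 fields; the layout is chosen by the Type field (4th column).
_COMMON = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype", "FUTURE_USE",
    "Generated Time", "Source IP", "Destination IP", "NAT Source IP",
    "NAT Destination IP", "Rule Name", "Source User", "Destination User",
    "Application", "Virtual System", "Source Zone", "Destination Zone",
    "Ingress Interface", "Egress Interface", "Log Forwarding Profile", "FUTURE_USE",
    "Session ID", "Repeat Count", "Source Port", "Destination Port",
    "NAT Source Port", "NAT Destination Port", "Flags", "Protocol", "Action",
]
LAYOUTS = {
    "TRAFFIC": _COMMON + [
        "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time",
        "Elapsed Time", "Category", "FUTURE_USE", "Sequence Number", "Action Flags",
        "Source Location", "Destination Location", "FUTURE_USE", "Packets Sent",
        "Packets Received",
    ],
    "THREAT": _COMMON + [
        "Miscellaneous", "Threat ID", "Category", "Severity", "Direction",
        "Sequence Number", "Action Flags", "Source Location", "Destination Location",
        "FUTURE_USE", "Content Type",
    ],
}

# PAN-OS field -> ESM field(s), from the guide's mapping table. Ingress and
# Egress Interface are taken to be the table's Inbound/Outbound Interface.
FIELD_MAP = {
    "Generated Time": ("First Time", "Last Time"),
    "Source IP": ("Source IP",), "Destination IP": ("Destination IP",),
    "Rule Name": ("Signature_Name",), "Source User": ("Source User",),
    "Application": ("Application",), "Category": ("Category",),
    "Source Zone": ("Source_Zone",), "Destination Zone": ("Destination_Zone",),
    "Ingress Interface": ("Interface",), "Egress Interface": ("Interface_Dest",),
    "Bytes Sent": ("Bytes_Sent",), "Bytes Received": ("Bytes_Received",),
    "Protocol": ("Protocol",), "Session ID": ("Session ID",),
    "Direction": ("Direction",),
}

# Constructed samples laid out exactly per the formats above (42 and 46 fields).
THREAT_SAMPLE = (
    "1,2001/01/01 01:01:01,0004A100455,THREAT,vulnerability,1,2001/01/01 01:01:01,"
    "192.168.0.1,192.168.0.2,0.0.0.0,0.0.0.0,p-Main-Outbound-2,,,web-browsing,vsys1,"
    "firewall,irouter,ethernet1/3,ethernet1/1,p-WeaselUrlLogging-Local4-NCR,"
    "2001/01/01 01:01:01,65534,1,80,1433,0,0,0x0,tcp,alert,\"\","
    "HTTP JavaScript Obfuscation Detected(31825),any,low,client-to-server,1234,0x0,"
    "10.0.0.0-10.255.255.255,United States,0,"
)
TRAFFIC_SAMPLE = (
    "1,2001/01/01 01:02:03,0004A100455,TRAFFIC,end,1,2001/01/01 01:02:03,"
    "10.1.1.5,93.184.216.34,203.0.113.7,93.184.216.34,p-Main-Outbound-2,corp\\alice,,"
    "ssl,vsys1,trust,untrust,ethernet1/3,ethernet1/1,p-WeaselUrlLogging-Local4-NCR,"
    "2001/01/01 01:02:03,65535,1,51234,443,12345,443,0x0,tcp,allow,10240,4096,6144,20,"
    "2001/01/01 01:01:50,13,any,0,5678,0x0,10.0.0.0-10.255.255.255,US,0,12,8"
)


def parse_pan_line(line):
    """Split one syslog body on commas (quoted fields such as "" are handled by
    the csv module) and name the columns. A line whose Type is unknown or whose
    field count does not match its layout raises ValueError instead of being
    mapped with shifted columns."""
    fields = next(csv.reader([line]))
    if len(fields) < 4:
        raise ValueError("line too short to carry a Type field")
    layout = LAYOUTS.get(fields[3])
    if layout is None:
        raise ValueError(f"unsupported log type {fields[3]!r}")
    if len(fields) != len(layout):
        raise ValueError(f"{fields[3]} log has {len(fields)} fields, expected {len(layout)}")
    return {name: value for name, value in zip(layout, fields) if name != "FUTURE_USE"}


def to_esm(record):
    """Apply the guide's field mapping; unmapped columns are dropped."""
    return {esm: record[src] for src, targets in FIELD_MAP.items()
            if src in record for esm in targets}


if __name__ == "__main__":
    for sample in (THREAT_SAMPLE, TRAFFIC_SAMPLE):
        print(to_esm(parse_pan_line(sample)))
```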

Proofpoint Messaging Security Gateway

Configure Proofpoint Messaging Security Gateway


Use the McAfee Event Receiver IP address for the address of the remote server.


Add Proofpoint Messaging Security Gateway


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Proofpoint

Data Source Model Messaging Security Gateway (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None


Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.


Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Proofpoint Messaging Security Gateway log format and field mapping

Log format
Filter log format provided by Proofpoint:

date Loglevel s=<External SessionID> mod=<Application> cmd=Command file=<File Name>

Log samples
This is a sample log from a Proofpoint Messaging Security Gateway device:

[2015-06-17 16:51:00.354586 -0700] rprt s=1v3jen000d m=1 x=1v3jen000d-1 omime=text/plain oext=txt corrupted=0 protected=0 size=159 virtual=0 a=0 mod=mail cmd=attachment id=0 file=text.txt mime=text/plain type=txt


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Hostname

Instancename Severity

Servicename|mod|module Application

Timestamp Firsttime | Lasttime

cmd Command

ip Source IP

Eid Event Class

Session-id (s=) External Session ID

Rule Rule Name

File Filename

Definitions Object

Sudo=yes Privileged User

Evt Reason

Stage Job Name

To Destination User

Delay Elapsed Time


port Device Port
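As an added example that is neither Proofpoint's nor McAfee's code, this Python script parses lines in the filter log format above (key=value pairs after a bracketed date and log level, with double-quoted values honoured) and applies the mapping table; the first sample line is the guide's record, and the second is constructed to show quoted values and the connection-level keys.

```python
"""Added example (not Proofpoint's or McAfee's code): parse a Proofpoint
Messaging Security Gateway filter log line and map it to ESM fields."""
import re
import shlex

# "[date] Loglevel key=value key=value ..." per the log format.
LINE = re.compile(r"^\[(?P<timestamp>[^\]]+)\]\s+(?P<loglevel>\S+)\s+(?P<pairs>.*)$")

# Log field -> ESM field(s), from the guide's mapping table; the keys are the
# key=value names as they appear in the log.
FIELD_MAP = {
    "timestamp": ("Firsttime", "Lasttime"),
    "s": ("External Session ID",),
    "mod": ("Application",),
    "cmd": ("Command",),
    "file": ("Filename",),
    "ip": ("Source IP",),
    "port": ("Device Port",),
    "to": ("Destination User",),
    "rule": ("Rule Name",),
    "delay": ("Elapsed Time",),
}

# Sample lines: the guide's attachment record on one line, plus a constructed
# second line with quoted values to show that quoting is honoured.
SAMPLE_LINES = [
    '[2015-06-17 16:51:00.354586 -0700] rprt s=1v3jen000d m=1 x=1v3jen000d-1 '
    'omime=text/plain oext=txt corrupted=0 protected=0 size=159 virtual=0 a=0 '
    'mod=mail cmd=attachment id=0 file=text.txt mime=text/plain type=txt',
    '[2015-06-17 16:51:02.000001 -0700] rprt s=1v3jen000d m=1 mod=session '
    'cmd=connect ip=203.0.113.10 port=25 to="alice@example.com" file="Q3 report.pdf"',
]


def parse_filter_line(line):
    """Return the raw fields of one line: timestamp, loglevel and every
    key=value pair. Values may be double-quoted (shlex strips the quotes);
    tokens without '=' are ignored."""
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"line does not start with a bracketed timestamp: {line[:40]!r}")
    fields = {"timestamp": m["timestamp"], "loglevel": m["loglevel"]}
    for token in shlex.split(m["pairs"]):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def to_esm(fields):
    """Apply the guide's field mapping; unmapped keys are dropped."""
    return {esm: fields[key] for key, targets in FIELD_MAP.items()
            if key in fields for esm in targets}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_esm(parse_filter_line(line)))
```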

Proofpoint Targeted Attack Protection

Configure Proofpoint Targeted Attack Protection


Set up Targeted Attack Protection to send network data to a Receiver.

Important

This procedure describes third-party software. The interface or associated processes might change without McAfee knowing
about it.

Task

1. Log on to Proofpoint.
2. Go to Settings and select the Connected Applications tab.
3. Click Create New Credential.
4. Type a name for the application and click Generate.
The Generated Service Credential window appears.
5. Note the Service Principal. You enter this in ESM as the user name.
6. Note the Secret. You enter this in ESM as the password.


Add Proofpoint Targeted Attack Protection


Set up Targeted Attack Protection as an ESM data source.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Proofpoint

Data Source Model Targeted Attack Protection

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname Enter the host name associated with the data source device (tap-api-v2.proofpoint.com) and click Look up beside Hostname to fill the IP Address field automatically.

Service Principal/Secret The API service credentials for authentication.

Use Proxy If you use a proxy, enter the IP address, port, and credentials for the proxy.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can deselect the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Proofpoint Targeted Attack Protection log format and field mapping

Map Targeted Attack Protection fields to McAfee ESM fields.


Log format

blocked_click
{
"data": {
"campaignId": "",
"classification": "",
"clickIP": "",
"clickTime": "",
"messageID": "",
"recipient": "",
"sender": "",
"senderIP": "",
"threatID": "",
"threatTime": "",
"threatURL": "",
"url": "",
"userAgent": ""
},
"message_type": ""
}

click_permitted
{
"data": {
"campaignId": "",
"classification": "",
"clickIP": "",
"clickTime": "",
"messageID": "",
"recipient": "",
"sender": "",
"senderIP": "",
"threatID": "",
"threatTime": "",
"threatURL": "",
"url": "",
"userAgent": ""
},
"message_type": ""
}

message_blocked
{
"data": {
"GUID": "",
"QID": "",
"ccAddresses": [],
"cluster": "",
"completelyRewritten": false,
"fromAddress": [
""
],
"headerFrom": "",
"headerReplyTo": null,
"impostorScore": 0,
"malwareScore": 0,
"messageID": "",
"messageParts": [
{
"contentType": "",
"disposition": "",
"filename": "",
"md5": "",
"oContentType": "",
"sandboxStatus": "",
"sha256": ""
},
{
"contentType": "",
"disposition": "",
"filename": "",
"md5": "",
"oContentType": "",
"sandboxStatus": "",
"sha256": ""
}
],
"messageSize": 44461,
"messageTime": "",
"modulesRun": [
"",
"",
"urldefense"
],
"phishScore": 0,
"policyRoutes": [
"",

Log sample

{
"data": {
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"clickIP": "192.0.2.1",
"clickTime": "2016-06-24T19:17:44.000Z",
"messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81",
"recipient": "bruce.wayne@pharmtech.zz",
"sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
"senderIP": "192.0.2.255",
"threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"threatTime": "2016-06-24T19:17:46.000Z",
"threatURL": "https://threatinsight.proofpoint.com/...",
"url": "http://badguy.zz/",
"userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
},
"message_type": "blocked_click"
}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

data.threatType Attribute_Type

data.cluster External_Device_ID

data.md5 File_Hash

data.filename Filename

data.sender From_Address

data.sender From

GUID Incoming_ID

data.GUID Incoming_ID

data.messageID Message_ID

data.recipient Recipient_ID

data.phishScore Reputation_Score

data.spamScore Spam_Score

data.threatStatus Status

data.subject Subject

data.threatUrl TC_URL

data.classification Threat_Category

data.threatID Threat_Name

data.threat Threat_Name

data.recipient.0 To_Address

data.recipient To_Address

data.url URL

message_type action

message_type msgdesc

message_type sigid

message_type msg

data.senderIP dst_ip

data.clickTime firsttime

data.messageTime firsttime

message_time firsttime

data.clickIP src_ip

data.senderIP src_ip

senderIP src_ip
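
As an added example (not McAfee's parser and not Proofpoint's code), the following Python applies the table above to a parsed TAP event. The page does not say how ESM resolves several log fields mapping to one ESM field (data.recipient.0 and data.recipient both map to To_Address; data.clickIP and data.senderIP both map to src_ip), so this example assumes that the first non-empty source in table order wins, and it matches JSON keys case-insensitively because the table lists data.threatUrl while the sample carries threatURL. The blocked_click event is the page's own log sample.

```python
"""Map Proofpoint TAP SIEM API events to McAfee ESM fields (added example).

Assumptions (not stated on the page): when several log fields map to one ESM
field, the first non-empty one in table order wins; JSON keys match
case-insensitively (the table says data.threatUrl, the sample has threatURL).
"""
import json

# (log field path, ESM field) pairs in the order of the field-mapping table.
# A dotted path walks nested objects; a numeric segment indexes a list.
FIELD_MAP = [
    ("data.threatType", "Attribute_Type"), ("data.cluster", "External_Device_ID"),
    ("data.md5", "File_Hash"), ("data.filename", "Filename"),
    ("data.sender", "From_Address"), ("data.sender", "From"),
    ("GUID", "Incoming_ID"), ("data.GUID", "Incoming_ID"),
    ("data.messageID", "Message_ID"), ("data.recipient", "Recipient_ID"),
    ("data.phishScore", "Reputation_Score"), ("data.spamScore", "Spam_Score"),
    ("data.threatStatus", "Status"), ("data.subject", "Subject"),
    ("data.threatUrl", "TC_URL"), ("data.classification", "Threat_Category"),
    ("data.threatID", "Threat_Name"), ("data.threat", "Threat_Name"),
    ("data.recipient.0", "To_Address"), ("data.recipient", "To_Address"),
    ("data.url", "URL"), ("message_type", "action"), ("message_type", "msgdesc"),
    ("message_type", "sigid"), ("message_type", "msg"), ("data.senderIP", "dst_ip"),
    ("data.clickTime", "firsttime"), ("data.messageTime", "firsttime"),
    ("message_time", "firsttime"), ("data.clickIP", "src_ip"),
    ("data.senderIP", "src_ip"), ("senderIP", "src_ip"),
]


def lookup(obj, path):
    """Resolve a dotted path (e.g. data.recipient.0); None if any segment is missing."""
    for seg in path.split("."):
        if isinstance(obj, dict):
            key = seg if seg in obj else next((k for k in obj if k.lower() == seg.lower()), None)
            if key is None:
                return None
            obj = obj[key]
        elif isinstance(obj, list) and seg.isdigit() and int(seg) < len(obj):
            obj = obj[int(seg)]
        else:
            return None  # e.g. '.0' applied to a plain string recipient
    return obj


def is_empty(value):
    return value is None or value == "" or value == []


def map_event(event):
    """Return {ESM field: value}; the first non-empty source path in table order wins."""
    mapped = {}
    for path, esm_field in FIELD_MAP:
        if esm_field in mapped:
            continue
        value = lookup(event, path)
        if not is_empty(value):
            mapped[esm_field] = value
    return mapped


def map_event_json(text):
    return map_event(json.loads(text))


# The blocked_click sample from the page, as one JSON document.
SAMPLE_BLOCKED_CLICK = """{"data": {"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
 "classification": "MALWARE", "clickIP": "192.0.2.1", "clickTime": "2016-06-24T19:17:44.000Z",
 "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81", "recipient": "bruce.wayne@pharmtech.zz",
 "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", "senderIP": "192.0.2.255",
 "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
 "threatTime": "2016-06-24T19:17:46.000Z", "threatURL": "https://threatinsight.proofpoint.com/...",
 "url": "http://badguy.zz/", "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"},
 "message_type": "blocked_click"}"""

if __name__ == "__main__":
    for field, value in sorted(map_event_json(SAMPLE_BLOCKED_CLICK).items()):
        print(f"{field:16} {value}")
```

For the click sample, recipient is a plain string, so data.recipient.0 resolves to nothing and To_Address falls through to data.recipient; src_ip comes from data.clickIP and dst_ip from data.senderIP. For a message_blocked event, where the TAP format above shows recipient as a list and there is no clickIP, the same table gives To_Address from data.recipient.0 and src_ip from data.senderIP.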

Raytheon SureView

Configure Raytheon SureView


See documentation for information about how to send CEF events through syslog to a remote server or McAfee ESM, and use the
IP address of the McAfee Event Receiver for the address of the remote server.

Add Raytheon SureView


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Raytheon

Data Source Model SureView (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Raytheon SureView log format and field mapping

Log format
The expected format for this device is:

CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<key=value> <key=value> <key=value>…

Log sample
This is a sample log from a Raytheon SureView device:

CEF:0|Raytheon|SureView|6.6|{1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}:1234|SIEM Notification3|1|Event={1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D} fired at 1/1/01 1:1:01 PM coming from HOSTNAME

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

coming, AgentLabel, shost Host

proto Protocol

src Source IP

dst Destination IP

spt Source Port

dpt Destination Port

smac Source MAC

dmac Destination MAC

cnt Event Count

dproc Application

sntdom Domain

fname, spriv Object

UserLabel, suser Source User

duser Destination User

act Event Subtype

Raz-Lee Security iSecurity Suite

Configure Raz-Lee Security iSecurity Suite


Use the command line interface (CLI) to configure your IBM iSeries (or AS/400) system.

Task

1. Log on to your IBM iSeries (or AS/400) system from the command line.
2. Type STRAUD and press Enter.
3. From the audit menu, select System → Configuration.
4. From the System Configuration Menu, select SYSLOG → Definitions.

• Set the value of Send SYSLOG message to Yes.
• Set the value of Destination address to the IP address of your McAfee Event Receiver.
• Set the value of Facility to use to your preferred facility level.
• Set the value of Severity range to auto send to your preferred severity range.

5. Save your changes.


Add Raz-Lee Security iSecurity Suite


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Raz-Lee Security

Data Source Model iSecurity Suite

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Raz-Lee Security iSecurity Suite log format and field mapping

Log format
The expected format for this device is:

Timestamp IP MsgID Object File User Command Job

Note: The expected format for this device depends on the logged event.

Log sample
This is a sample log from a Raz-Lee Security iSecurity Suite device:

2016-03-01 03:31:47 Local6.Notice 192.0.2.0 AU RAZLEE Audit: MCA0100 *SECURITY Authority of *N/*N *SOCKET /
tmp/.ct_mc_0_srt929381427ac5388 changed for user profile *PUBLIC or authorization list . Type of command
used RPL. Access code (A-Added R-Removed N-None). Authorities marked by Y were changed: OBJOPUY-Y OBJLOIS-Y
*OBJOPR-Y *AUTLMGT- *AUTL- *READ-Y *ADD- *UPD- *DLT- *EXCLUDE- *EXECUTE-Y *OBJALTER-Y *OBJREF-Y. Job 6784/
QSYS/QYUSCMPOIU. DLO , folder , on behalf of Office user . Personal status changed . QOpenSyys/'root'
object .

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Timestamp First Time, Last Time

IP Source IP

File Filename

Program, Rcvr Application

Object Object

Source Port Source Port

Dest Port Destination Port

User Source User

New User Destination User

Job Mainframe_Job_Name

CMD/Command Command

Debug Message Message_Text

Destination Host Destination_Hostname

Group Group_Name

Msg ID Message_ID

Token Type Authentication_Type

Library Facility

Job Type/IPC Type Job_Type

Renamed New_Value

Device External_Device_Name

Red Hat JBoss Application Server/WildFly 8

Configure Red Hat JBoss Application Server


By default, logs are stored locally in the installation directory for JBoss.

In a standalone system, that file is located in this directory: <INSTALL_PATH>/standalone/log/server.log

If JBoss is installed in a managed domain, the files are located in this directory: <INSTALL_PATH>/domain/servers/<SERVER_NAME>/log/server.log

Where <INSTALL_PATH> is the directory where JBoss was installed and <SERVER_NAME> is the server instance to be monitored.

JBoss does not natively support sending its logs over syslog. You can retrieve these files using a file-pull method (for example,
SCP or SFTP) through the McAfee Event Receiver or Collector, or use a syslog program to send the contents of the files
directly to the McAfee Event Receiver. See the relevant product documentation for more information.

Configure WildFly 8
Task

From the command line, run these commands:

/subsystem=logging/syslog-handler=syslog:add(syslog-format=RFC5424, level=INFO)
/subsystem=logging/root-logger=ROOT:add-handler(name=syslog)
/subsystem=logging/syslog-handler=syslog:write-attribute(name=hostname,value="<ReceiverIPAddress>")

where <ReceiverIPAddress> is the IP address of the McAfee Event Receiver.

Add Red Hat JBoss Application Server/WildFly 8


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Red Hat

Data Source Model JBoss / WildFly v8

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Red Hat JBoss Application Server/WildFly 8 log format and field mapping

Log format
The expected format for this device, which is the default logging format, is:

Date Time Severity Class Thread LogID: Message

It is defined by the following string:

%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n

Log sample
This is a sample log from a Red Hat WildFly 8 device:

2017-05-15 02:22:20,825 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "fiveseries.war"

The expected format for the server.log is:

2017-02-16 21:53:19,520 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management

2014-02-16 21:53:19,523 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990

2017-02-16 21:53:19,525 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.0.0.Final "WildFly" started in 38820ms - Started 305 of 361 services (93 services are lazy, passive or on-demand)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Date Time First Time, Last Time

LogID Signature ID, External_EventID

Class Target_Class

Severity Severity
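
As an added example (not McAfee's parser and not WildFly project code), this Python turns the layout pattern above into a regular expression and emits the ESM fields from the mapping table. The first two input lines are the page's own samples; the ERROR line, its JBAS099999 placeholder ID and the stack-trace lines after it are constructed to show what %E produces: those continuation lines carry no timestamp, so a line-at-a-time parser must fold them into the preceding record instead of dropping them.

```python
"""Parse WildFly/JBoss server.log lines written by the default pattern
%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n and map them to the ESM
fields in the table above. Added example, not McAfee or WildFly code."""
import re
from datetime import datetime

# %-5p left-justifies the level to 5 characters, so one or more spaces may
# follow it; the message ID prefix (JBAS015876: ...) is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<severity>[A-Z]+)\s+\[(?P<cls>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"(?:(?P<logid>[A-Z]{3,8}\d{3,6}): )?(?P<message>.*)$"
)


def parse_server_log(text):
    """Return one dict per log record, keyed by the ESM field names."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S,%f")
            records.append({
                "First Time": ts,
                "Last Time": ts,
                "Signature ID": m["logid"],
                "External_EventID": m["logid"],
                "Target_Class": m["cls"],
                "Severity": m["severity"],
                "Thread": m["thread"],
                "Message": m["message"],
            })
        elif records and line.strip():
            # %E appends the exception after the message; its stack-trace lines
            # have no timestamp, so fold them into the record they belong to.
            records[-1]["Message"] += "\n" + line
    return records


def count_by_severity(records):
    """Small roll-up a receiver-side health check would use."""
    counts = {}
    for r in records:
        counts[r["Severity"]] = counts.get(r["Severity"], 0) + 1
    return counts


# Two lines from the page's log samples plus a constructed ERROR record and a
# constructed exception trace (JBAS099999 is a placeholder, not a real ID).
SAMPLE_LOG = """\
2017-02-16 21:53:19,520 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
2017-05-15 02:22:20,825 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "fiveseries.war"
2017-05-15 02:22:21,001 ERROR [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS099999: Deployment of "fiveseries.war" failed: java.lang.IllegalStateException: constructed example
\tat org.example.Deployer.deploy(Deployer.java:42)
\tat org.example.Deployer.run(Deployer.java:17)
"""

if __name__ == "__main__":
    for rec in parse_server_log(SAMPLE_LOG):
        print(rec["First Time"], rec["Severity"], rec["Signature ID"], rec["Target_Class"])
    print(count_by_severity(parse_server_log(SAMPLE_LOG)))
```

When the file is pulled with SCP or SFTP as described above, the whole file is parsed at once, so folding the trace into its record is straightforward; when a syslog program ships the file line by line, each trace line arrives as its own message and the receiver sees records without a timestamp, which is why the ERROR record's stack trace is the case worth testing.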

RedSeal Networks RedSeal 6

Configure RedSeal Networks RedSeal 6


See documentation for information about how to send syslog events to a remote server or McAfee ESM. Use the IP address of
the McAfee Event Receiver for the IP address of the remote server.

Add RedSeal Networks RedSeal 6


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor RedSeal Networks

Data Source Model RedSeal 6 (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

RedSeal Networks RedSeal 6 log format and field mapping

Log format
The expected format for this device is:

<date> - <key>=<value> | <key>=<value> | <key>=<value>…

Log sample
This is a sample log from a RedSeal Networks RedSeal 6 device:

Jan 01 1:01:01 - EventAction=Violation | EventDate=Jan 01, 2001 1:01:01 PM PDT |
EventName=BestPracticesCheckEvent | DeviceVendor=RedSeal Networks, Inc. | DeviceProduct=RedSeal 6 |
DeviceVersion=6.0.0 | RedSealServerName=example.net | RedSealServerIPAddress=192.0.2.1 |
EventSeverity=MEDIUM | HostName=hostname | HostRedSealID=1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d | Message=The SSH
system service allows protocol version 1 | CheckName=SSH Version 1 Enabled | FirstSeenDate=Jan 01, 2001
1:01:01 PM PDT | LastSeenDate= Jan 01, 2001 1:01:01 PM PDT | FileLines=config:123 | Description="

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

HostName Host

PrimaryService Protocol

PrimaryIp Source IP

RedSealServerIPAddress Destination IP

EventAction Application

PolicyName Command

RedSealServerName Domain

CheckName Object

AttackDepth, Exposure, ServicesCount, VulnerabilityCount, Risk, DownstreamRisk, Confidence URL

Message Message_Text

OperatingSystem Version

EventAction Event Subtype

EventSeverity, Value Severity
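
As an added example (not RedSeal's or McAfee's code), the Python below parses the "<date> - key=value | key=value" body described above and applies the mapping table. The sample is the page's own, joined back onto one line; note that it ends with Description=" (an opening quote and nothing after it, as printed above), so the parser has to tolerate an unterminated last value rather than reject the line.

```python
"""Parse the RedSeal 6 syslog body ('<date> - key=value | key=value | ...')
and apply the field-mapping table above. Added example, not RedSeal or McAfee code."""
import re

_PREFIX_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} \d{2} \d{1,2}:\d{2}:\d{2}) - (?P<body>.*)$")

# From the field-mapping table above. The table also lists Value as a source
# for Severity; the sample carries only EventSeverity, so Value is omitted here.
ESM_MAP = {
    "HostName": ("Host",), "PrimaryService": ("Protocol",), "PrimaryIp": ("Source IP",),
    "RedSealServerIPAddress": ("Destination IP",), "EventAction": ("Application", "Event Subtype"),
    "PolicyName": ("Command",), "RedSealServerName": ("Domain",), "CheckName": ("Object",),
    "Message": ("Message_Text",), "OperatingSystem": ("Version",), "EventSeverity": ("Severity",),
}


def parse_redseal(line):
    """Return (date, {key: value}).

    Each ' | ' segment is split on its first '=' only, so an '=' inside a value
    is kept; surrounding spaces and quotes are stripped, so the truncated
    Description=" at the end of the sample yields an empty string."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with '<date> - '")
    fields = {}
    for segment in m["body"].split(" | "):
        key, sep, value = segment.partition("=")
        if not sep:
            continue  # not a key=value segment; skip rather than fail
        fields[key.strip()] = value.strip().strip('"')
    return m["date"], fields


def to_esm(fields):
    """Apply ESM_MAP; log fields without a table entry are ignored."""
    out = {}
    for key, esm_fields in ESM_MAP.items():
        if key in fields:
            for esm_field in esm_fields:
                out[esm_field] = fields[key]
    return out


# The page's log sample as a single line.
SAMPLE = ('Jan 01 1:01:01 - EventAction=Violation | EventDate=Jan 01, 2001 1:01:01 PM PDT | '
          'EventName=BestPracticesCheckEvent | DeviceVendor=RedSeal Networks, Inc. | DeviceProduct=RedSeal 6 | '
          'DeviceVersion=6.0.0 | RedSealServerName=example.net | RedSealServerIPAddress=192.0.2.1 | '
          'EventSeverity=MEDIUM | HostName=hostname | HostRedSealID=1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d | '
          'Message=The SSH system service allows protocol version 1 | CheckName=SSH Version 1 Enabled | '
          'FirstSeenDate=Jan 01, 2001 1:01:01 PM PDT | LastSeenDate= Jan 01, 2001 1:01:01 PM PDT | '
          'FileLines=config:123 | Description="')

if __name__ == "__main__":
    date, fields = parse_redseal(SAMPLE)
    print(date)
    for esm_field, value in to_esm(fields).items():
        print(f"  {esm_field:16} {value}")
```

The sample is a best-practices finding (SSH protocol version 1 enabled on a host), which is the kind of RedSeal event worth routing into an ESM correlation rule keyed on Object and Host; the date prefix has no year, so a receiver has to combine it with the year of arrival, which the full EventDate field also provides.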

ReversingLabs N1000 Network Security Appliance

Configure ReversingLabs N1000 Network Security Appliance


See your product documentation for instructions about sending logs to a remote server. Use the McAfee Event Receiver IP
address for the IP address of the remote server.

Add ReversingLabs N1000 Network Security Appliance


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor ReversingLabs

Data Source Model N1000 Network Security Appliance

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

ReversingLabs N1000 Network Security Appliance log format and field mapping

Log format
The expected format for this device is:

CEF:0|deviceVendor|deviceProduct|deviceVersion|sig|eventName|severity|key value pairs

Log sample
This is a sample log from a ReversingLabs N1000 device:

CEF:0|ReversingLabs|N1000|1.0.0.0|detection|Threat detection|0|deviceDirection=0 proto=tcp app=HTTP spt=8080
cn1=38974 dpt=50953 cs1=suspicious cn1Label=occurrence cs3=CERTIFICATE dst=192.0.2.1 src=192.0.2.2
cs2Label=detectionName cs1Label=classification cs3Label=detectionReason cs2=Win32.Certificate.Invalid
start=2016-01-01 01:01:01.0+00:00 fileHash=01010101010101010101010101010101

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

start First Time, Last Time

CEF Severity Severity

proto Protocol

app Application

spt Source Port

dpt Destination Port

occurrence Count

classification Event_Class

detectionName Threat_Name

detectionReason Category

deviceDirection Direction

CEF DeviceProduct External_Device_Type

filehash File_Hash

fname Filename

fsize File_Size

fileType File_Type

fileHash File_Hash

oldFileHash Parent_File_Hash

requestMethod Method

dvc Device_IP

dvchost External_Device_Name

request URL

act Status
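The CEF line above, parsed and mapped onto the ESM fields in the table, as an added example (not McAfee or ReversingLabs code). The ESM_MAP table is copied from the mapping above; the csN/cnN label resolution, the escape handling and the timestamp format string are this example's assumptions.

```python
"""Parse a ReversingLabs N1000 CEF event and map it onto McAfee ESM fields.

Added example, not McAfee or ReversingLabs code. The ESM_MAP table is taken
from the field mapping above; csN/cnN label resolution, escape handling and
the timestamp format string are this example's assumptions.
"""
import re
from datetime import datetime

# Constructed sample: the log line quoted above, on one line.
SAMPLE = (
    "CEF:0|ReversingLabs|N1000|1.0.0.0|detection|Threat detection|0|"
    "deviceDirection=0 proto=tcp app=HTTP spt=8080 cn1=38974 dpt=50953 "
    "cs1=suspicious cn1Label=occurrence cs3=CERTIFICATE dst=192.0.2.1 "
    "src=192.0.2.2 cs2Label=detectionName cs1Label=classification "
    "cs3Label=detectionReason cs2=Win32.Certificate.Invalid "
    "start=2016-01-01 01:01:01.0+00:00 fileHash=01010101010101010101010101010101"
)

HEADER_KEYS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
               "signatureId", "name", "severity")

# Log field -> ESM field(s), from the mapping table above. Keys such as
# "occurrence" or "classification" only exist after label resolution.
ESM_MAP = {
    "start": ("First Time", "Last Time"), "severity": ("Severity",),
    "proto": ("Protocol",), "app": ("Application",),
    "spt": ("Source Port",), "dpt": ("Destination Port",),
    "occurrence": ("Count",), "classification": ("Event_Class",),
    "detectionName": ("Threat_Name",), "detectionReason": ("Category",),
    "deviceDirection": ("Direction",), "deviceProduct": ("External_Device_Type",),
    "fileHash": ("File_Hash",), "fname": ("Filename",), "fsize": ("File_Size",),
    "fileType": ("File_Type",), "oldFileHash": ("Parent_File_Hash",),
    "requestMethod": ("Method",), "dvc": ("Device_IP",),
    "dvchost": ("External_Device_Name",), "request": ("URL",), "act": ("Status",),
}

_HEADER_SEP = re.compile(r"(?<!\\)\|")          # a pipe not escaped as \|
# key=value pairs; a value runs until the next " key=", so values that
# contain spaces (start=2016-01-01 01:01:01.0+00:00) survive intact.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_LABEL = re.compile(r"^(c[sn]\d+|flex(?:String|Number|Date)\d+)Label$")


def parse_cef(line):
    """Return (header dict, extension dict) with csN/cnN labels resolved."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SEP.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")

    def unescape(s):
        return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")

    header = dict(zip(HEADER_KEYS, (unescape(p) for p in parts[:7])))
    raw = {k: unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    ext = {}
    for key, value in raw.items():
        m = _LABEL.match(key)
        if m and m.group(1) in raw:        # cs1Label=classification + cs1=suspicious
            ext[value] = raw[m.group(1)]   # -> classification=suspicious
        elif not m and key + "Label" not in raw:
            ext[key] = value               # ordinary key, or an unlabelled csN
    return header, ext


def cef_time_to_epoch(value):
    # %f accepts 1-6 fractional digits and %z accepts "+00:00" (Python 3.7+).
    return int(datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z").timestamp())


def to_esm(line):
    """Map one CEF line to ESM field names per ESM_MAP."""
    header, ext = parse_cef(line)
    fields = dict(ext, severity=header["severity"],
                  deviceProduct=header["deviceProduct"])
    esm = {}
    for log_field, esm_fields in ESM_MAP.items():
        if log_field in fields:
            for name in esm_fields:
                esm[name] = fields[log_field]
    if "First Time" in esm:
        esm["First Time"] = esm["Last Time"] = cef_time_to_epoch(esm["First Time"])
    return esm


if __name__ == "__main__":
    for name, value in sorted(to_esm(SAMPLE).items()):
        print(f"{name:22} {value}")
```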

RioRey DDOS Protection

Configure RioRey DDOS Protection

See your product documentation for instructions about sending syslog events to a remote server. Use the McAfee Event Receiver
IP address for the IP address of the remote server.

Add RioRey DDOS Protection

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor RioRey

Data Source Model DDOS Protection

Data Format SYSLOG (Default)

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common
Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

RioRey DDOS Protection log format and field mapping

Log format
The expected format for this device is:

TimeStamp Host %EventSource: Message

Log sample
This is a sample log from a RioRey DDOS Protection device:

2014-01-01 01:01:01+00:00 abc-123 %SYSTEM: %ACD: AlarmInfoGet -> sysAlrm was normal_ylw_off_red_off now normal_ylw_on_red_off

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

TimeStamp First Time, Last Time

DeviceName Hostname

EventSource Application

Message Message

was <Old_Value> now <New_Value> Old_Value, New_Value

Victim IP Victim_IP

Command Command

Application Application

Destination IP Destination IP

Source IP Source IP

Threat Threat_Category

Riverbed Steelhead

Configure Riverbed Steelhead using the Management Console

Task

1. From the Steelhead Management Console, click the Setup tab.
2. Click Logging to expand the logging menu.
3. Click Remote Log Servers.
4. In the Add Remote Syslog Server section, fill in the Server IP field with the IP address of the McAfee Event Receiver.
5. From the drop-down list, select a value for Minimum Severity of events to send to the McAfee Event Receiver.
6. Click Add Server.
7. Click Save.

Configure Riverbed Steelhead using the command line

This documentation assumes that you are already logged on to the command line interface (CLI) with administrative privileges.
See the product documentation from Riverbed Steelhead for more information about how to access and use the command line
interface.

Task

1. Set up remote logging.

logging <ip-address>

Replace <ip-address> with the IP address of the McAfee Event Receiver.

2. (Optional) Set the minimum severity of the events being sent.

logging <ip-address> trap <log level>

Where <ip-address> is the IP address of the McAfee Event Receiver, and <log level> is one of these settings:

Setting Definition

emerg Emergency

alert Alert

critical Critical

err Error

warning Warning

notice Notice (default)

info Informational

Add Riverbed Steelhead

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Riverbed

Data Source Model Steelhead (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common
Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Riverbed Steelhead log format and field mapping

Log format
The expected format for this device is:

<priority><hostname>[<ID>]: [<service>/<name>] <Log ID> <message>…

Log sample
This is a sample log from a Riverbed Steelhead device:

<13>hostname[1234]: [splice/name.INFO] 1234567 {- -} sock 123 id 123456 client 192.0.2.1:12345 server 192.0.2.2:56789 remote inner port 1234 trpy TRPY_NONE

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

hostname Host

service Application

Server, Client Source IP

Remote Destination IP

Server, Client Source Port

Remote Destination Port

Log ID Session ID

Command Command

host Domain

module Object

user Source User

RSA Authentication

Configure RSA Authentication Manager 8 and later from the Security Console

Task

1. In the RSA Authentication Manager Security Console, navigate to Setup → System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance where you want to collect logs, then click Next.
4. In the Log Levels section:
a. Set Administrative Audit Log to Success.
b. Set Runtime Audit Log to Success.
c. Set System Log to Warning.
5. In Log Data Destination, set all three fields to Save to remote database and internal Syslog at the following hostname
or IP address, and enter the host name or IP address of the McAfee Event Receiver.
6. Click Save to save changes.

Configure RSA Authentication Manager 7.1 SP2 or later for Linux

Task

1. Edit this file with a text editor: /usr/local/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties

2. Edit or add these lines in that file:

ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true

where 192.0.2.1 is the IP address of the McAfee Event Receiver.

3. Save and close the file.
4. Edit this file with a text editor: /etc/syslog.conf
5. Add this line:

*.* @192.0.2.1

where 192.0.2.1 is the IP address of the McAfee Event Receiver.

6. Restart the syslog daemon:

service syslog restart

Configure RSA Authentication Manager 7.1 SP2 or later for Windows

Task

1. Edit this file with a text editor: \Program Files\RSASecurity\RSAAuthenticationManager\utils\Resources\ims.properties

2. Edit or add these lines in the file:

ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true

where 192.0.2.1 is the IP address of the McAfee Event Receiver.

3. Save and close the file.
4. Restart the RSA Authentication Manager by navigating to Start → Administrator Tools → Computer Management →
Services and Applications → Services.
5. Select RSA Authentication Manager.
6. Click Restart.

7. Open the Authentication Manager Security Console and select Setup → Instances.
8. Right-click the server instance and select Logging.
9. In the Log Data Destination section, select Send system messages to OS system log.

Add RSA Authentication Manager

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor RSA

Data Source Model Authentication Manager (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common
Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option
if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

RSA Authentication Manager field mapping

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Date Time First Time, Last Time

Severity Severity

1st listed IP Address Source IP

2nd listed IP Address Destination IP

Event ID Signature ID

SafeNet Hardware Security Modules

Configure SafeNet Hardware Security Modules

See your product documentation for instructions about sending syslog logs to a remote server. Use the McAfee Event Receiver IP
address for the IP address of the remote server.

Add SafeNet Hardware Security Modules

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor SafeNet

Data Source Model Hardware Security Modules (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common
Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option
if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

SafeNet Hardware Security Modules log format and field mapping

Log format
The expected format for this device is:

firsttime hostname application: [firsttime] INFO src_ip [-] payctrlusr ID Crypto payctrlprd:1 [op#1 ENCRYPTSTANDARD] - [action] [-]

Log sample
This is a sample log from a device:

<142>Apr 4 09:39:04 test.box.com testBox: [2016-04-04 09:39:04] INFO 172.0.0.1 [-] payctrlusr 0 Crypto payctrlprd:3100660 [op#1 ENCRYPT AES] - [Success] [-]

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

firsttime First Time, Last Time

hostname Host

src_ip Source IP

action Event SubType

key name Object

application Application

SAP

Configure SAP
Add the data source in ESM.

Before you begin

Install the McAfee ESM SAP Modules. Transport scripts must be loaded into SAP using standard SAP procedures. See the SAP
user guide or FAQ for more details.

The McAfee ESM SAP Module periodically queries the SAP tables and writes the events to a text file in a configurable directory or
file share. The McAfee Event Receiver then polls and processes the event logs.

Task

1. In the SAP module interface, select which data to collect.

• Read from SAP audit log - collects events from the SAP security audit log. Requires the audit log to be turned on.
• User authorization changes - collects events from SAP system tables related to users being added or deleted or
their profiles being changed. Does not require the audit log to be turned on.
• User master data changes - also collects events from the SAP system tables. Does not require the audit log to be
turned on.

2. Click Save.
3. Select Since last execution and set the date.
4. Select Update runtime variable and click Save.

Add SAP
Collect SAP user, user role, and user authorizations events from SAP tables without requiring auditing to be turned on in SAP.
User logon and transaction events can be collected from the SAP Security Audit Log if auditing is turned on.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor SAP

Data Source Model Security Audit Log

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

SAP Enterprise Threat Detection

Add SAP Enterprise Threat Detection

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor SAP

Data Source Model Enterprise Threat Detection

Data Format Default

Data Retrieval API (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source.

IP Address/Hostname IP address and host name associated with the data source device

Client Key The key associated with the data source device

Password The password for the data source device

Support Generic Syslog Do nothing

Time Zone Time zone where the data source is located

5. (Optional) Click Advanced and configure the settings.

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common
Event Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option
if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

SAP Enterprise Threat Detection log format and field mapping
Log sample

{"Version":"1.0","AlertCreationTimestamp":"2016-10-24T11:13:01.861Z","AlertId":1,"AlertSeverity":"HIGH",
"AlertStatus":"NO_REACTION_NEEDED_T","AlertSource":{"systemId":"ERP"},"AlertSystemIds":["ERP"],
"HostNames":["null"],"Category":"Health Checks","PatternId":"34A702410BB5164292C3B14AB6098FBA",
"PatternType":"FLAB","PatternName":"ABAP System Ping Failed Health Check",
"PatternNameSpace":"http://sap.com/secmon",
"PatternDescription":"Checks if the ABAP system is reachable via system ping. An alert is raised in case subsequent system ping attempts are failing.",
"MinTimestamp":"2016-10-24T11:09:00.000Z","MaxTimestamp":"2016-10-24T11:13:00.000Z",
"Text":"Measurement 5 exceeded threshold 2 for 'System ID' = 'ERP'","Score":75,
"UiLink":"http://34.200.66.55:8002/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=EE65CA8D134AAD47AD41C73D64A6FE7D"}

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

AlertCreationTimestamp firsttime, lasttime

AlertSource.EventSemantic msg, sigid

PatternName msg, sigid


Category msg, sigid

AlertStatus Status

AlertSeverity severity

AlertSource.NetworkHostnameInitiator HostID

AlertSource.NetworkHostnameActor HostID

AlertSource.NetworkHostnameTarget Destination_Hostname

AlertSource.NetworkHostnameReporter Destination_Hostname

AlertSource.ServiceExecutableName Service_Name

AlertSource.ServiceProgramName Service_Name

AlertSource.ServiceFunctionName Service_Name

AlertSource.SystemIdInitiator External_Hostname

AlertSource.SystemIdActor External_Hostname

AlertSource.UserPseudonymInitiator.Pseudonym Source_UserID

AlertSource.UserPseudonymActing.Pseudonym Source_UserID

AlertSource.UserPseudonymTargeted.Pseudonym Destination_UserID

AlertSource.UserPseudonymTargeting.Pseudonym Destination_UserID


Skycure Enterprise

Configuring Skycure Enterprise


Task

1. From the Skycure Management Console, go to Dashboard → Configuration and select Configuration next to SIEM
Integration.
2. In the IP Address field, enter the IP address of the McAfee Event Receiver.
3. In the Port field, enter 514 (the default port for syslog).
4. In the Protocol field, select UDP from the drop-down list.
5. In the Format field, select McAfee ESM from the drop-down list.
6. Click Save.

Add Skycure Enterprise


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Skycure

Data Source Model Skycure Enterprise

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.


• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.


• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Skycure Enterprise log format and field mapping


Log format
The expected format for this device is:

<priority> <date> <time> <host> CEF:0|Skycure|Skycure|<version>|<event type>|<event name>|<severity>|<key>=<value> <key>=<value> <key>=<value>

Log sample
This is a sample log from a Skycure Enterprise device:

<123>Jan 01 2001 01:01:01 ip-192-0-2-1 CEF:0|Skycure|Skycure|1.0|suspicious_app_removed|Suspicious App Removed|0|duid=123456789
duser=user@example.com msg=app was removed from device #123456789 shost=ip-192-0-2-1 end=2001-01-01 01:01:01 UTC

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

shost Host

Severity Severity

EVENT_NAME Message

end First Time, Last Time

hotspot/SSID Object

User Source User

duser Destination User

version Version

duid External_Device_Name

from Old_Value

to New_Value


Sophos Web Security and Control

Configure Sophos Web Security and Control


Task

1. From the web interface for Sophos Web Security and Control, navigate to Configuration → System → Alerts →
Monitoring.
2. Click the Syslog tab.
3. Make sure that Enable syslog transfer of web traffic is selected.
4. In the Hostname/IP field, type in the IP address or host name of the McAfee Event Receiver.
5. In the Port field, enter the standard syslog port of 514.
6. In the Protocol drop-down list, select UDP.
7. Click Apply to save the settings.

Add Sophos Web Security and Control


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Sophos

Data Source Model Web Security and Control (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.


• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:


• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.


Sophos Web Security and Control log format and field mapping
Log format
The expected format for this device is:

h=<remote host> u=<remote user> s=<HTTP status> X=<connection status> t=<timestamp>
T=<request time microseconds> Ts=<request time seconds> act=<action> cat=<URI category> rsn=<reason>
threat=<threat name> type=<MIME type> ctype=<content type> sav-ev=<engine version> sav-dv=<data version>
uri-dv=<URI list version> cache=<cache> in=<data in bytes> out=<data in bytes> meth=<HTTP request method>
ref=<HTTP referrer> ua=<User-Agent> req=<HTTP request> dom=<web domain> filetype=<filetype category>
rule=<policy rule ID> filesize=<size of file> axtime=<time for access check> fttime=<time for file-typing>
scantime=<scan time> src_cat=<internal use> labs_cat=<internal use> dcat_prox=<internal use>
target_ip=<resolved IP> labs_rule_id=<internal use> reqtime=<request queue time>
adtime=<Active Directory time> ftbypass=<internal use>

Log sample
This is a sample log from a Sophos Web Security and Control device:

h=192.0.2.1 u="domain\\user" s=123 X=+ t=978310861 T=12345 Ts=0 act=1 cat="0x2300000123" rsn=- threat="-"
type="-" ctype="text/html" sav-ev=- sav-dv=- uri-dv=- cache=MISS in=123 out=123 meth=GET ref="-"
ua="details" req="GET http://www.example.com/" dom="example.com" filetype="-" rule="-" filesize=-
axtime=0.000123 fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="192.0.2.2"
labs_rule_id="-" reqtime=- adtime=- ftbypass=-

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

u Source User

dom Domain

h Source IP

target_ip Destination IP

req URL

threat Object

rsn Command


cat Severity

act Event Subtype
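As an added example (not McAfee's parser and not Sophos code), the following Python splits the key=value payload shown above, treating double-quoted values and the "-" placeholder the way the sample uses them, converts the epoch in t= to a UTC timestamp, and projects the result onto the ESM fields from the mapping table; the function and constant names are my own.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Sophos log keys -> McAfee ESM fields, as listed in the field-mapping table on this page.
SOPHOS_TO_ESM = {
    "u": "Source User",
    "dom": "Domain",
    "h": "Source IP",
    "target_ip": "Destination IP",
    "req": "URL",
    "threat": "Object",
    "rsn": "Command",
    "cat": "Severity",
    "act": "Event Subtype",
}

# One key=value token. The value is either a double-quoted string, which may contain
# spaces (req="GET http://www.example.com/"), or a run of non-whitespace characters.
_TOKEN = re.compile(r'([A-Za-z_\-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_sophos_line(line: str) -> Dict[str, Optional[str]]:
    """Split one Sophos Web Security and Control payload into raw key/value pairs.

    A bare or quoted "-" means "not applicable" in this format and becomes None.
    Quotes are stripped; backslashes inside quoted values are left exactly as logged.
    """
    raw: Dict[str, Optional[str]] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        raw[key] = None if value == "-" else value
    return raw


def to_esm_fields(raw: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Project the raw pairs onto the ESM field names from the mapping table."""
    return {esm: raw.get(key) for key, esm in SOPHOS_TO_ESM.items()}


def event_time_utc(raw: Dict[str, Optional[str]]) -> Optional[str]:
    """t= carries a Unix epoch in seconds; return it as an ISO 8601 UTC timestamp."""
    t = raw.get("t")
    if t is None or not t.isdigit():
        return None
    return datetime.fromtimestamp(int(t), tz=timezone.utc).isoformat()


# Constructed copy of the sample log shown on this page.
SOPHOS_SAMPLE = (
    r'h=192.0.2.1 u="domain\\user" s=123 X=+ t=978310861 T=12345 Ts=0 act=1 cat="0x2300000123" '
    r'rsn=- threat="-" type="-" ctype="text/html" sav-ev=- sav-dv=- uri-dv=- cache=MISS in=123 '
    r'out=123 meth=GET ref="-" ua="details" req="GET http://www.example.com/" dom="example.com" '
    r'filetype="-" rule="-" filesize=- axtime=0.000123 fttime=- scantime=- src_cat="-" '
    r'labs_cat="-" dcat_prox="-" target_ip="192.0.2.2" labs_rule_id="-" reqtime=- adtime=- ftbypass=-'
)

if __name__ == "__main__":
    fields = parse_sophos_line(SOPHOS_SAMPLE)
    print(event_time_utc(fields))
    print(to_esm_fields(fields))
```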

SS8 BreachDetect

Configure SS8 BreachDetect


Configure SS8 DataBreach to send data to McAfee ESM.

Task

1. In the DataBreach interface, locate the SA.properties configuration file and open it.
2. Remove the comment characters from the SA_SIEM_INTEGRATION = ESM entry at the end of the file.
3. At the prompt, type security-analytics restart to restart all SA components.

Add SS8 BreachDetect


Add the data source to the McAfee ESM receiver.

Task

1. From the McAfee ESM dashboard, select the receiver and click the Add Data Source icon.
2. Configure the data source.

Option Definition

Data Source Vendor SS8

Data Source Model BreachDetect

Data Format Default

Data Retrieval SCP File Source


Enabled Select options for processing events. Some options may not be available for your
data source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name <name of data source>

IP Address/Host Name <IP address and host name of the SA server>

Port 22

Number of lines per record 1

Delete processed files Selected

Path /home/sa/esm

Username sa

Password Password for the "sa" account on SA

Wildcard expression *.json

3. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.


Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

SS8 BreachDetect log format and field mapping


Raw event log sample

{
  "Pname":"pop-1",
  "FCBytes":1733,
  "RepSrc":"threatintel",
  "Long":112.5603,
  "EventTime":"2017-09-27T22:50:55.0Z",
  "Country":"cn",
  "App":"ssh",
  "FCMinTTL":64,
  "RepURL":127,
  "FCTotPkts":21,
  "FEndTm":"2017-09-27T22:50:55.0Z",
  "FBytes":6334,
  "PHostID":"+37.4118175:-121.9203741",
  "FSTCPFlags":27,
  "FSAvgIntpktTm":521578,
  "EIP":0,
  "PIP":"10.0.156.239",
  "RepIP":65,
  "Family":"encrypted",
  "FCAvgIntpktTm":443346,
  "FSBytes":2007,
  "Sport":22,
  "EventType":"flow",
  "FCTCPFlags":27,
  "SST":0,
  "Cport":58432,
  "Lat":37.8694,
  "FSMaxTTL":64,
  "PS":"base.eth.ip.tcp.ssh",
  "ThreatTs":0,
  "FSMinTTL":64,
  "Mail ET":"1969-12-31T16:00:00.0Z",
  "FCMaxTTL":64,
  "FSTotPkts":18,
  "City":"taiyuan",
  "CIP":"10.0.100.61",
  "FSMaxIntpktTm":5014062,
  "FTOS":0,
  "SID":"1_1425475393_1504900255.980007",
  "FCMaxIntpktTm":5053752,
  "FS":0,
  "IPProto":"6",
  "FCTotBytes":3131,
  "SIP":"223.12.54.36",
  "UID":"ss8\\hazelfletcher",
  "MacID":"124b13b318b0",
  "FSTotBytes":3203,
  "CallST":"1969-12-31T16:00:00.0Z",
  "FPkts":39,
  "KEY":"2.85"
}

Alert event log sample

{
  "assetDetails":{
    "browsers":[],
    "fPrintFlags":[0],
    "linkType":[],
    "macIDs":[],
    "osType":[],
    "userAgents":["10.0.100.124"],
    "userIDs":[]
  },
  "assetID":"10.0.100.124",
  "assetScore":19.073617935180664,
  "assetType":"ClientIP",
  "behaviorURL":"clientip/10_0_100_124/behavior.json",
  "dataURL":"clientip/10_0_100_124/raw.json",
  "dateFlagged":"2017-08-03T14:33:48.277Z",
  "deviceStatus":1,
  "iocFound":[],
  "version":"3"
}

918 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Behavior event log sample

{
  "name":"bad_reputation_url",
  "type":3,
  "killChain":"Delivery",
  "impact":1,
  "deviceStatus":1,
  "numOfEvents":1,
  "threatSource":"webroot",
  "rowIDs":["3.8"],
  "startTime":"2017-08-03T14:33:30.0Z",
  "endTime":"2017-08-03T14:33:30.0Z",
  "data":{
    "Server":"www.google.com",
    "RepSrc":"webroot",
    "Country":"us",
    "App":"blogspot",
    "RepURL":26,
    "FCTotPkts":1,
    "CatURL":"sports",
    "EIP":2,
    "RepIP":26,
    "Sport":80,
    "Cport":10,
    "ThreatTs":393,
    "FSTotPkts":2,
    "CIP":"10.0.100.124",
    "FS":0,
    "IPProto":"6",
    "FCTotBytes":378,
    "SIP":"74.125.141.104",
    "FSTotBytes":1386
  }
}

Field mapping

Log fields McAfee ESM fields

App AppID, application

assetID src_ip

assetScore Reputation_Score

assetType Object_Type

behaviorURL URL

browsers AppID

CIP src_ip

Cookie Message_Text

Cport src_port

deviceStatus Sub_Status


EventTime firsttime, lasttime

EventType Subcategory

Family Category

FCTotBytes Bytes_Sent

FN Filename

fPrintFlags Device_Action

FS File_Size

FSTotBytes Bytes_Received

FT File_Type

HostName HostID

iocFound Signature_Name

IPProto protocol

linkType Job_Type

MacID src_mac

osType Operating_System

Pname External_Device_Type

PS CommandID

RepIP Reputation


RespCode Response_Code

SCN Description

Sender From

Server External_Device_Name, HostID

SIP dst_ip

Sport dst_port

StartTime firsttime, lasttime

SUA User_Agent

threatSource SWF_URL

UID username

URL URL

URLQuery Search_Query

userAgents User_Agent
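Both the SAP Enterprise Threat Detection mapping earlier in this chapter and the SS8 BreachDetect mapping above take JSON events in which several log fields feed one ESM field and some fields sit inside nested objects. As an added example that is not McAfee's parser or either vendor's code, the following Python resolves dotted paths, falls back to a nested search for bare key names, and fills each ESM field from the first mapped source that carries a value; the function names and the trimmed mapping lists are my own, with the field pairs taken from the two tables on this page.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# (log field path, ESM fields) in the order of the page's mapping tables. Several log
# fields feed one ESM field (msg/sigid, HostID, Source_UserID, src_ip): the first source
# present in the event wins, so the order of each list matters.
SAP_ETD_MAPPING: List[Tuple[str, List[str]]] = [
    ("AlertCreationTimestamp", ["firsttime", "lasttime"]),
    ("AlertSource.EventSemantic", ["msg", "sigid"]),
    ("PatternName", ["msg", "sigid"]),
    ("Category", ["msg", "sigid"]),
    ("AlertStatus", ["Status"]),
    ("AlertSeverity", ["severity"]),
    ("AlertSource.NetworkHostnameInitiator", ["HostID"]),
    ("AlertSource.NetworkHostnameActor", ["HostID"]),
    ("AlertSource.SystemIdInitiator", ["External_Hostname"]),
    ("AlertSource.UserPseudonymInitiator.Pseudonym", ["Source_UserID"]),
    ("AlertSource.UserPseudonymActing.Pseudonym", ["Source_UserID"]),
]
SS8_MAPPING: List[Tuple[str, List[str]]] = [
    ("assetID", ["src_ip"]), ("CIP", ["src_ip"]), ("assetScore", ["Reputation_Score"]),
    ("assetType", ["Object_Type"]), ("behaviorURL", ["URL"]), ("deviceStatus", ["Sub_Status"]),
    ("EventTime", ["firsttime", "lasttime"]), ("iocFound", ["Signature_Name"]),
    ("userAgents", ["User_Agent"]), ("App", ["AppID", "application"]),
    ("SIP", ["dst_ip"]), ("Sport", ["dst_port"]), ("Cport", ["src_port"]), ("UID", ["username"]),
]


def _find_key(node: Any, key: str) -> Any:
    """Depth-first search for a bare key anywhere in the document."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = _find_key(child, key)
            if found is not None:
                return found
    return None


def lookup(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as AlertSource.UserPseudonymActing.Pseudonym.

    A bare name that is not a top-level key is searched in nested objects, because the
    SS8 table lists userAgents and fPrintFlags, which the sample carries under assetDetails.
    """
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _find_key(event, path) if "." not in path else None
        node = node[part]
    return node


def _normalize(value: Any) -> Optional[str]:
    """ESM fields are scalar strings: join lists, treat empty lists and "null" as absent."""
    if isinstance(value, list):
        items = [str(v) for v in value if v not in (None, "null")]
        return ",".join(items) if items else None
    return None if value in (None, "null") else str(value)


def map_event(raw_json: str, mapping: List[Tuple[str, List[str]]]) -> Dict[str, Optional[str]]:
    """Parse one JSON event; each ESM field takes the first mapped source that has a value."""
    event = json.loads(raw_json)
    out: Dict[str, Optional[str]] = {}
    for path, esm_fields in mapping:
        value = _normalize(lookup(event, path))
        for field in esm_fields:
            if out.get(field) is None:
                out[field] = value
    return out


# Constructed, trimmed copies of the SAP ETD alert and the SS8 alert event samples on this page.
SAP_SAMPLE = ('{"Version":"1.0","AlertCreationTimestamp":"2016-10-24T11:13:01.861Z","AlertId":1,'
              '"AlertSeverity":"HIGH","AlertStatus":"NO_REACTION_NEEDED_T","AlertSource":{"systemId":"ERP"},'
              '"AlertSystemIds":["ERP"],"HostNames":["null"],"Category":"Health Checks",'
              '"PatternName":"ABAP System Ping Failed Health Check","Score":75}')
SS8_ALERT_SAMPLE = ('{"assetDetails":{"browsers":[],"fPrintFlags":[0],"linkType":[],"macIDs":[],'
                    '"osType":[],"userAgents":["10.0.100.124"],"userIDs":[]},"assetID":"10.0.100.124",'
                    '"assetScore":19.073617935180664,"assetType":"ClientIP",'
                    '"behaviorURL":"clientip/10_0_100_124/behavior.json","deviceStatus":1,'
                    '"iocFound":[],"version":"3"}')

if __name__ == "__main__":
    print(map_event(SAP_SAMPLE, SAP_ETD_MAPPING))
    print(map_event(SS8_ALERT_SAMPLE, SS8_MAPPING))
```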

SS8 DataBreach JSON Keys

SSH Communications Security CryptoAuditor

Configure SSH Communications Security CryptoAuditor


Task

1. Log on to the web interface for CryptoAuditor as administrator.


2. Navigate to Settings → External Services → External Syslog Servers → Add Syslog Server.
a. Enter the IP address of the McAfee Event Receiver and port 514 (the default port for syslog).
b. Save and apply the changes.
3. Navigate to Settings → Alerts → Add Alert Group.
a. Enter a name for the group in the Name field.
b. In the External Syslog server drop-down list, select the IP address of the McAfee Event Receiver.
c. Save and apply the changes.
d. Under Requests, click the + icon next to each alert you want to add to the newly created alert group.
e. Save and apply the changes.

Add SSH Communications Security CryptoAuditor


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor SSH Communications Security

Data Source Model CryptoAuditor

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source


IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

SSH Communications Security CryptoAuditor log format and field mapping
Log format
The expected format for this device is:


<facility>dateTime hostname CEF:0|Vendor|Product|Version|sigId|severity|rt=date outcome=action

Log sample
This is a sample log from a CryptoAuditor device:

<189>Aug 18 16:17:47 auditor CEF:0|SSH|CryptoAuditor|1.5.2|4050|Admin_login|4|rt=Aug 18 2015 16:17:47 outcome=failure

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

sigID Signature ID

rt First Time, Last Time

externalID External_EventID

src Source IP

spt Source Port

shost Host

duser Destination User

dst Destination IP

dpt Destination Port

dhost Destination_Hostname

outcome Event Subtype

severity Severity


msg Rule Message

suser, SshAuditorAdminname Source User

SshAuditorReason Reason

SshAuditorRule Policy_Name

STEALTHbits StealthINTERCEPT

Configure STEALTHbits StealthINTERCEPT


Task

1. Log in to StealthINTERCEPT.
2. Open the Administration Console.
3. From the menu bar, select Configuration → Alerts.
4. Click the SIEM tab and click Configure in the SI System Alerting window.
5. Enter the IP address of the Receiver in the Host Address field.
6. In the Port field, enter 514.
7. From the Mapping File drop-down lists, select the McAfee ESM SIEM format.
8. Click Events and select the event types that you want for SIEM reporting.
9. Click OK to apply the new configuration.

Add STEALTHbits StealthINTERCEPT


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.


Option Definition

Data Source Vendor STEALTHbits

Data Source Model StealthINTERCEPT

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.


Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which would remove the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.


Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

STEALTHbits StealthINTERCEPT log format and field mapping
Log format
The expected LEEF Log format for this device is:

LEEF:1.0|Device Vendor|Device Product|Device Version|Signature ID|Key value pairs

The expected CEF format for this device is:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Key value pairs

Log sample
This is a sample log from a device:

Oct 01 16:14:03 2008R264BITSRVR CEF:0|STEALTHbits|StealthINTERCEPT|3.1.262.1|Active DirectoryuserObject ModifiedFalseTrue|Lockdown Disabled Users OU|3|rt=2014-10-01 10:14:02.258
sntdom=2008R264BITDOM suser=CN\=Administrator,CN\=Users,DC\=2008R264BitDomain,DC\=com src=LDAP:[192.0.2.1]:5545
duser=CN\=DisabledUser2,OU\=Disabled OU,DC\=2008R264BitDomain,DC\=com shost=2008R264BITDOM\2008R264BITSRVR
msg=Policy_Name= Lockdown Disabled Users OU Object_Class= user Success= False Blocked= True Attribute_Name= userAccountControl
New_Attribute_Value= Password is not required, Normal account Old_Attribute_Value= Account is disabled, Password is not required,
Normal account Operation= Change Attribute

Sep 19 15:26:08 2008R264BITSRVR LEEF:1.0|STEALTHbits|StealthINTERCEPT|3.1.233.1|Active DirectoryuserObject
ModifiedFalseTrue|cat=Object Modified devTimeFormat=yyyy-MM-dd HH:mm:ss.SSS devTime=2014-09-19
09:26:07.400 SettingName=Protected OU Lockdown domain=2008R264BITDOM usrName=NT AUTHORITY
\ANONYMOUS LOGON src=192.0.2.1 dst=192.0.2.2
DistinguishedName=CN=Brad,OU=ProtectedOU,DC=2008R264BitDomain,DC=com AffectedObject=Brad
ClassName=user OrigServer=2008R264BITDOM\2008R264BITSRVR Success=False Blocked=True
AttrName=lastLogonTimestamp AttrNewValue={ 2014-09-19 09:26:07.4001154Z UTC } AttrOldValue=
Operation=Change Attribute


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

CEF Event Message Message

CEF Severity Severity

Rt First Time, Last Time

suser Source User

shost Hostname

src Source IP, Source Port

Policy_Name Policy_Name

Blocked Action / Event Subtype

Success Action / Event Subtype (Fallback)

Old_Attribute_Value Old_Value

New_Attribute_Value New_Value, Filename (when applicable)

Attribute_Name Attribute_Type

duser Object, Filename (when applicable)

Object_Class Object_Type


Symantec Data Loss Prevention

Configure Symantec Data Loss Prevention


For successful integration of Symantec Data Loss Prevention with McAfee ESM, you must first enable syslog functionality. Once
syslog is enabled, you must also add Response Rules in the Symantec Data Loss Prevention user interface.

Task

1. For Windows – Go to the directory \Vontu\Protect\config.
For Linux – Go to the directory /opt/Vontu/Protect/config.
2. Open the file Manager.properties for editing.
3. Edit these three lines:

#systemevent.syslog.host=
#systemevent.syslog.port=
#systemevent.syslog.format=

a. Remove the # symbol from the beginning of each line.
b. Set the value for systemevent.syslog.host= to the IP address of the McAfee Event Receiver.
c. Set the value for systemevent.syslog.port= to the port where the McAfee Event Receiver is listening (default is 514).
d. Set the value for systemevent.syslog.format= to [{0}] {1} - {2}.
The three original lines should now look similar to this:

systemevent.syslog.host=192.0.2.1
systemevent.syslog.port=514
systemevent.syslog.format=[{0}] {1} - {2}

4. Save these changes and restart the Vontu Server (Symantec Data Loss Prevention server).

Configure Symantec Data Loss Prevention for common event format (CEF)
Task

1. Log on to the Symantec DLP server with the appropriate permissions.
2. Navigate to Manage → Policies → Response Rules → Add Response Rule.
3. Select Automated Response in the new window, then click Next.
4. Configure the rule by completing these fields.
a. Rule Name – Enter a rule name.
b. Description – Enter a description for the rule name.
5. In the Actions section, click the drop-down list and select Log to a Syslog Server.
6. Click Add Action.
7. Configure the actions by completing these fields.
a. Host – Enter the IP address of the remote log collector.
b. Port – Enter 514.
c. Message – Enter the following:
CEF:0|Symantec|DLP|12.5.0|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ INCIDENT_ID=$INCIDENT_ID$
INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ PROTOCOL=$PROTOCOL$ RECIPIENTS=
$RECIPIENTS$ SENDER=$SENDER$ SUBJECT=$SUBJECT$ SEVERITY=$SEVERITY$ FILE_NAME=$FILE_NAME$

Add Symantec Data Loss Prevention


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Symantec

Data Source Model Symantec Data Loss Prevention (ASP)

Data Format (Default)

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source


IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Symantec Data Loss Prevention CEF log format and field mappings
Log format
The expected format for this device is:

CEF:0|Symantec|DLP|12.5.0|ruleID|$POLICY$|5|BLOCKED=$BLOCKED$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=
$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ PROTOCOL=$PROTOCOL$ RECIPIENTS=$RECIPIENTS$ SENDER=$SENDER$
SUBJECT=$SUBJECT$ SEVERITY=$SEVERITY$ FILE_NAME=$FILE_NAME$

Log sample
This is a sample log from a Symantec DLP (Vontu DLP) device:

<13>Sep 5 08:22:01 data.example.com CEF:0|Symantec|DLP|12.5.0|ruleID|Policy|5|BLOCKED=Passed
INCIDENT_ID=204529 INCIDENT_SNAPSHOT=https://main.example.com/Path/Address MATCH_COUNT=3 PROTOCOL=SMTP
RECIPIENTS=email@example.com SENDER=sender@example.com SUBJECT=Sensitive Data (attachment included)
SEVERITY=1:High FILE_NAME=myfile.xml

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

POLICY Policy_Name, Message

BLOCKED Event Subtype

INCIDENT_ID Incident_ID

INCIDENT_SNAPSHOT URL

MATCH_COUNT Count

PROTOCOL Application_Protocol

RECIPIENTS Destination IP, To_Address

SENDER Source IP, From_Address

SUBJECT Subject

SEVERITY Severity

FILE_NAME Filename
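
The StealthINTERCEPT CEF and LEEF layouts and the Symantec DLP CEF format above share one parsing problem: a pipe-delimited header whose fields may contain escaped pipes, followed by key=value extensions whose values contain spaces (and, for StealthINTERCEPT, a msg= field that carries its own inner Key= value pairs). The following added Python example is not McAfee's parser or either vendor's code; the ESM field names are taken from the two mapping tables, the sample lines are constructed from the guide's samples, and the helper and function names are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Sample lines constructed from the guide's samples, each joined onto one line.
SI_CEF = (r'Oct 01 16:14:03 2008R264BITSRVR CEF:0|STEALTHbits|StealthINTERCEPT|3.1.262.1|'
          r'Active DirectoryuserObject ModifiedFalseTrue|Lockdown Disabled Users OU|3|'
          r'rt=2014-10-01 10:14:02.258 sntdom=2008R264BITDOM '
          r'suser=CN\=Administrator,CN\=Users,DC\=2008R264BitDomain,DC\=com src=LDAP:[192.0.2.1]:5545 '
          r'duser=CN\=DisabledUser2,OU\=Disabled OU,DC\=2008R264BitDomain,DC\=com '
          r'shost=2008R264BITDOM\2008R264BITSRVR msg=Policy_Name= Lockdown Disabled Users OU '
          r'Object_Class= user Success= False Blocked= True Attribute_Name= userAccountControl '
          r'New_Attribute_Value= Password is not required, Normal account '
          r'Old_Attribute_Value= Account is disabled, Password is not required, Normal account '
          r'Operation= Change Attribute')
SI_LEEF = (r'Sep 19 15:26:08 2008R264BITSRVR LEEF:1.0|STEALTHbits|StealthINTERCEPT|3.1.233.1|'
           r'Active DirectoryuserObject ModifiedFalseTrue|cat=Object Modified '
           r'devTimeFormat=yyyy-MM-dd HH:mm:ss.SSS devTime=2014-09-19 09:26:07.400 '
           r'SettingName=Protected OU Lockdown domain=2008R264BITDOM usrName=NT AUTHORITY\ANONYMOUS LOGON '
           r'src=192.0.2.1 dst=192.0.2.2 DistinguishedName=CN=Brad,OU=ProtectedOU,DC=2008R264BitDomain,DC=com '
           r'AffectedObject=Brad ClassName=user OrigServer=2008R264BITDOM\2008R264BITSRVR Success=False '
           r'Blocked=True AttrName=lastLogonTimestamp AttrNewValue={ 2014-09-19 09:26:07.4001154Z UTC } '
           r'AttrOldValue= Operation=Change Attribute')
DLP_CEF = ('<13>Sep 5 08:22:01 data.example.com CEF:0|Symantec|DLP|12.5.0|ruleID|Policy|5|BLOCKED=Passed '
           'INCIDENT_ID=204529 INCIDENT_SNAPSHOT=https://main.example.com/Path/Address MATCH_COUNT=3 '
           'PROTOCOL=SMTP RECIPIENTS=email@example.com SENDER=sender@example.com '
           'SUBJECT=Sensitive Data (attachment included) SEVERITY=1:High FILE_NAME=myfile.xml')

_PIPE = re.compile(r'(?<!\\)\|')  # header separator: a '|' that is not escaped as '\|'
# key=value pairs: a value runs until the next " key=" or the end of the string,
# so values containing spaces ("Lockdown Disabled Users OU") stay intact
_KV = re.compile(r'([A-Za-z0-9_.\-]+)=(.*?)(?=\s+[A-Za-z0-9_.\-]+=|$)', re.S)
_IP_PORT = re.compile(r'\[?(\d{1,3}(?:\.\d{1,3}){3})\]?(?::(\d+))?')  # "LDAP:[ip]:port" or a bare ip


def _unescape(value: str) -> str:
    # undo the CEF escapes seen in the samples: \= \| \\
    return value.replace('\\=', '=').replace('\\|', '|').replace('\\\\', '\\')


def _pairs(text: str) -> Dict[str, str]:
    return {k: v.strip() for k, v in _KV.findall(text)}


def parse_extension(ext: str) -> Dict[str, str]:
    fields = _pairs(ext)
    # StealthINTERCEPT packs its own "Key= value" pairs inside msg=; the ESM table
    # maps those inner keys (Policy_Name, Blocked, ...), so lift them to the top level.
    if '=' in fields.get('msg', ''):
        fields.update(_pairs(fields.pop('msg')))
    return {k: _unescape(v) for k, v in fields.items()}


def parse_event(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog line carrying a CEF:0 or LEEF:1.0 record into (header, extension)."""
    m = re.search(r'\b(CEF|LEEF):', line)
    if not m:
        raise ValueError('no CEF/LEEF header in line')
    body = line[m.start():]
    if m.group(1) == 'CEF':
        names = ('format', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')
    else:  # LEEF 1.0: no name/severity fields and no delimiter field (that came with LEEF 2.0)
        names = ('format', 'vendor', 'product', 'version', 'event_id')
    parts = _PIPE.split(body, maxsplit=len(names))
    if len(parts) != len(names) + 1:
        raise ValueError('malformed %s header: %r' % (m.group(1), body[:60]))
    header = {n: _unescape(p) for n, p in zip(names, parts)}
    return header, parse_extension(parts[-1])


# StealthINTERCEPT table: keys that copy straight across to one ESM field
_SI_DIRECT = {'suser': 'Source User', 'shost': 'Hostname', 'Policy_Name': 'Policy_Name',
              'Old_Attribute_Value': 'Old_Value', 'New_Attribute_Value': 'New_Value',
              'Attribute_Name': 'Attribute_Type', 'duser': 'Object', 'Object_Class': 'Object_Type'}


def stealthintercept_to_esm(line: str) -> Dict[str, str]:
    """Apply the StealthINTERCEPT CEF field mapping to one syslog line."""
    header, ext = parse_event(line)
    esm = {'Message': header.get('name', ''), 'Severity': header.get('severity', '')}
    esm.update({dst: ext[src] for src, dst in _SI_DIRECT.items() if src in ext})
    if 'rt' in ext:  # rt feeds both First Time and Last Time
        esm['First Time'] = esm['Last Time'] = ext['rt']
    ip = _IP_PORT.search(ext.get('src', ''))
    if ip:
        esm['Source IP'] = ip.group(1)
        if ip.group(2):
            esm['Source Port'] = ip.group(2)
    action = ext.get('Blocked', ext.get('Success'))  # Success is the documented fallback
    if action is not None:
        esm['Action'] = esm['Event Subtype'] = action
    return esm


# Symantec DLP CEF table; $POLICY$ travels in the CEF name header field
_DLP_DIRECT = {'BLOCKED': 'Event Subtype', 'INCIDENT_ID': 'Incident_ID', 'INCIDENT_SNAPSHOT': 'URL',
               'MATCH_COUNT': 'Count', 'PROTOCOL': 'Application_Protocol', 'RECIPIENTS': 'To_Address',
               'SENDER': 'From_Address', 'SUBJECT': 'Subject', 'SEVERITY': 'Severity',
               'FILE_NAME': 'Filename'}


def symantec_dlp_to_esm(line: str) -> Dict[str, str]:
    """Apply the Symantec DLP CEF field mapping to one syslog line."""
    header, ext = parse_event(line)
    esm = {'Policy_Name': header['name'], 'Message': header['name']}
    esm.update({dst: ext[src] for src, dst in _DLP_DIRECT.items() if src in ext})
    return esm
```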

Symantec Data Loss Prevention log format and field mapping
Log format
The expected format for this device is:

<pri>Date Time Application: sessionNumber|[HostName]|Message|Source|E-MailAddress|WebAddress|

Log sample
This is a sample log from a Symantec Data Loss Prevention (Vontu) device:

<20>Jan 01 01:01:01 admin Incident: 12345|US_GBM_COLLECT_BUSINESS_SOURCECODE|192.168.2.1|HTTP incident|
https://main.website.com/folder/thing.do=12345|http://main.website.com/aspfile.asp

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Application Application

SessionNumber Session ID

Source Source IP

Hostname Host

Message Message

E-mailAddress To

WebAddress URL

Symantec Endpoint Protection

Configure Symantec Endpoint Protection


Task

1. Log on to the Symantec Endpoint Protection Manager Console as administrator.
2. Navigate to Admin → Servers → Local Site → Configure External Logging, then select any Update Frequency.
3. Select Enable Transmission of Logs to a Syslog Server.
4. In the Syslog Server field, enter the IP address of the McAfee Event Receiver.
5. In the Destination Port field, enter the port used for receiving syslog on the McAfee Event Receiver (default is 514).
6. In the Log Facility field, enter any facility number according to your preference.
7. On the Log Filter tab, select any of the files you want to export.
8. Click OK to save and exit.

Add Symantec Endpoint Protection


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Symantec

Data Source Model Endpoint Protection (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).


Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay <Enable>

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Symantec Endpoint Protection log format and field mapping


Log format
The expected format for this device is:

<date> [<device IP>] <date> SymantecServer <hostname>: <message>

Log sample
This is a sample log from a Symantec Endpoint Protection device:

Jan 01 01:01:01 [192.0.2.1] Jan 01 01:01:01 SymantecServer servername:,Category: 1,Symantec
AntiVirus,Symantec Endpoint Protection services startup was successful.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Hostname Host

Client Hostname Destination_Hostname

Protocol Protocol

IP Source IP

Remote IP Destination IP

Port Source Port

Remote Port Destination Port

MAC Source MAC

Remote MAC Destination MAC

Session Session ID

Application name Application

Command Command


Domain Domain

Occurrences Count

File Filename

User Source User

Rule Rule_Name

Source Detection_Method

Operating System Operating_System

Remote File Path File_Path

Application type Category

Risk Name Threat_Name

Application hash File_Hash

Management Server Management_Server

Symantec Messaging Gateway

Configure Symantec Messaging Gateway


Task

1. Log on to the Symantec Message Gateway Control Center as administrator.
2. Navigate to Administration → Settings → Logs, then select the Remote tab.
3. Select Enable Syslogs for the following host, then select the host to send syslog data from.
4. In the Host field, enter the IP address of the McAfee Event Receiver.
5. Enter the port where the McAfee Event Receiver is listening (default is 514).
6. Set the Protocol field to UDP.
7. Set the Component Remote Log Levels to the level you want.
8. Select Enable Message Logs so that message logs are sent to the McAfee Event Receiver.
9. Set the Message log facility to the level you want.
10. Save changes.

Add Symantec Messaging Gateway


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Symantec

Data Source Model Symantec Message Gateway

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.


Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.


External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Symantec Messaging Gateway log format and field mapping


Log format
The expected format for this device is:

<pri> Date Time Application: [Hostname] (Severity.Reference.Number): [EventIDNumber] <Source Username>
<Destination Username> SrcIP|SrcPort|DstIP|DstPort| Message Filepath/Filename


Log sample
This is a sample log from a Symantec Message Gateway device:

<23>Jan 1 01:01:01 antispam conduit: [Brightmail] (INFO:1234.12345678): [12345] Spamhunter module: loaded
rulefile /data/rules (file ver 1, type 1; module ver 1): 100000 rules loaded.

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Application Application

Hostname Hostname

Severity Severity

EventIDNumber Signature ID

Filepath/Filename Filename

Source Username Source User

Destination Username Destination User

SrcIP Source IP

DstIP Destination IP

Message Message_Text

Symantec PGP Universal Server

Configure Symantec PGP Universal Server


Task

1. Log on to the Symantec PGP Universal Server Device with a web browser.
2. Click Settings.
3. Select Enable External Syslog.
4. Set the Protocol to UDP.
5. Set the Hostname to the IP address of the McAfee Event Receiver.
6. Set the Port to 514 (the default port for receiving syslog on the McAfee Event Receiver).
7. Click Save.

Add Symantec PGP Universal Server


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Symantec

Data Source Model PGP Universal Server

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source


IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).


Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Symantec PGP Universal Server log format and field mapping
Log format
The expected format for this device is:


Date Time service[pid]: Message CLIENT USER from

Log sample
This is a sample log from a Symantec PGP Universal Server device:

2001/01/01 01:23:45 -00:00 NOTICE pgp/admin[2002]: Administrator [UNAUTHENTICATED USER] from 192.0.2.2 Using
Passphrase login successfully for Administrator "admin_bt" from 192.0.2.1

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Service Severity/Application

Message Command

Client Source IP

User Source User

From Destination IP

Symantec Web Gateway

Configure Symantec Web Gateway


Task

1. Log on to your Symantec Web Gateway device through a web browser.
2. Navigate to Administration → Configuration → Syslog.
3. Set the Syslog Server value to the IP address of the McAfee Event Receiver.
4. Set Facility according to your preference.
5. Save changes.

Add Symantec Web Gateway


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Symantec

Data Source Model Symantec Web Gateway (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32


Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.


Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Symantec Web Gateway log format and field mapping


Log format
The expected format for this device is:

<pri>Alert type: [Alert Name] (Description), (Host), (Detection Type), (Threat Name), (Threat Category),
(Severity), (Threat Description)

Log sample
This is a sample log from a Symantec Web Gateway device:

<185>Symantec Web Gateway Alert: [Alert Name - Name] (Description: Alert events sent to syslog), (Count: 1),
(Host: 192.0.2.1), (Detection Type: 1), (Threat Name: Instant Buzz), (Threat Category: Adware), (Severity:
1), (Threat Description: Instant Buzz is an adware application which installed as an Internet Explorer
advertising toolbar. It changes a user's Internet Explorer settings unexpectedly and delivers targeted
advertisements to the user.)


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Host Host, Source IP

Threat Name Message

Threat Type Application

Severity Severity

Tenable Nessus

Configure Tenable Nessus


Set up the data source to send events and flows to ESM

Task

See Tenable product documentation for instructions.

Add Tenable Nessus


Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Tenable

Data Source Model Nessus


Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter a name for the data source.

IP Address/Host Name Enter the IP address and host name.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require syslog TLS Select to require TLS. Plain syslog over UDP or TCP is neither encrypted nor authenticated, so select this option whenever the sender supports it.

Port Select the port number.

Support Generic Syslogs Do nothing

Generic Rule Assignment Accept default.

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

ThreatConnect Threat Intelligence Platform

Add ThreatConnect Threat Intelligence Platform


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor ThreatConnect

Data Source Model Threat Intelligence Platform

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs   Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

ThreatConnect Threat Intelligence Platform log format and field mapping

Log format
The expected format for this device is:

CEF:0|threatconnect|threatconnect|<version>|<event class id>|<name>|<severity>|<key value pairs>

Log sample
This is a sample log from a device:

CEF:0|threatconnect|threatconnect|3|14936758|McAfee ESM Demo Source Email|8|cs5Label=Indicator cs3=This is one bad dude. cs2=McAfee ESM Demo Source cs5=superduperbadguy@evil.com cs4=https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

cat sid

CEF.Severity Severity

Confidence Confidence

cat Category

CEF.SignatureID, spid External_EventID

Indicator, oldFileHash Threat_Name

fileHash New_Value

ThreatConnect URL Device_URL

cfp1 Reputation_Score

cfp2 Device_Confidence

deviceCustomDate1 firsttime,lasttime
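
The parser below is an added example, not code from the McAfee guide or from ThreatConnect. It splits the CEF:0 header on unescaped pipes, walks the extension key=value pairs (whose values may contain spaces), resolves the csNLabel/csN convention that the sample relies on (cs5Label=Indicator turns cs5 into the Indicator field), and then applies the mapping from the table above. The first sample is the page's own line; the second is a constructed line that exercises the CEF escape sequences "\|", "\=" and "\n". The ThreatConnect URL entry is mapped only when the sender labels the custom string with that name; in the page's sample cs4 carries no label, so it stays as cs4.

```python
import re

# Constructed sample: the page's ThreatConnect CEF line, rejoined onto one line
# (the page's sample URL ends in "?" and is kept as-is).
SAMPLE = (
    "CEF:0|threatconnect|threatconnect|3|14936758|McAfee ESM Demo Source Email|8|"
    "cs5Label=Indicator cs3=This is one bad dude. cs2=McAfee ESM Demo Source "
    "cs5=superduperbadguy@evil.com "
    "cs4=https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?"
)
# Constructed line exercising CEF escaping: "\|" in header fields, "\=" and "\n" in extensions.
ESCAPED = (
    "CEF:0|Acme|Gateway \\| Edge|1.0|100|Blocked a\\|b|5|"
    "cs1Label=Rule cs1=path\\=/etc/passwd msg=line1\\nline2"
)

HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")
# An extension value runs until the next " key=" or the end of the string, so values
# with spaces survive; a literal "=" inside a value must arrive escaped as "\=".
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_]+=|\s*$)", re.S)
_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# ESM mapping from the page's table, keyed by the label-resolved extension name.
ESM_MAP = {
    "cat": "Category", "Indicator": "Threat_Name", "oldFileHash": "Threat_Name",
    "fileHash": "New_Value", "ThreatConnect URL": "Device_URL",
    "cfp1": "Reputation_Score", "cfp2": "Device_Confidence",
}


def parse_cef(line: str) -> dict:
    """Split a CEF:0 line into its header fields and label-resolved extension fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)  # split on unescaped "|"
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields plus extensions")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, parts[1:7])}
    try:
        header["severity"] = int(header["severity"])
    except ValueError:
        pass  # CEF also permits Low/Medium/High/Very-High here
    raw = {m.group("key"): re.sub(r"\\([=\\nr])", lambda e: _UNESCAPE[e.group(1)], m.group("val"))
           for m in EXT_RE.finditer(parts[7])}
    # csNLabel=X renames csN to X, so "cs5Label=Indicator cs5=..." becomes ext["Indicator"].
    ext = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        ext[raw.get(key + "Label", key)] = value
    return {"cef_version": parts[0].split(":", 1)[1], "header": header, "ext": ext}


def to_esm(event: dict) -> dict:
    """Apply the page's field mapping to a parsed event."""
    esm = {"Severity": event["header"]["severity"],
           "External_EventID": event["header"]["signature_id"]}
    for src, dst in ESM_MAP.items():
        if src in event["ext"]:
            esm[dst] = event["ext"][src]
    if "deviceCustomDate1" in event["ext"]:
        esm["First Time"] = esm["Last Time"] = event["ext"]["deviceCustomDate1"]
    return esm


def parse_threatconnect_cef(line: str) -> dict:
    event = parse_cef(line)
    event["esm"] = to_esm(event)
    return event
```

The label resolution is done after the whole extension is read, so it does not matter whether csNLabel precedes or follows csN. Splitting the header with a negative lookbehind keeps a "\|" inside a product or signature name in one field; a value such as a URL query string that carries an unescaped " key=" sequence would still be split, which is why CEF requires senders to escape "=" in extension values.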

Configure ThreatConnect Threat Intelligence Platform


See the ThreatConnect Threat Intelligence Platform product documentation for setup instructions about sending Remote Syslog
to an external server. Use the McAfee Event Receiver’s IP address as the destination IP address and port 514 as the destination
port.

TippingPoint SMS

Configure TippingPoint SMS


Task

1. From the Device Configuration screen, select Server Properties → Management tab.
2. At the bottom of the page, find Remote Syslog for Events:

• For a new configuration, click New.
• For an existing configuration, click Edit.

3. Enter the IP address for the McAfee Event Receiver.
4. Enter 514 for the port.
5. For Alert Facility, select None.
6. For Block Facility, select None.
7. For Delimiter, select Tab. Signature names contain spaces (see the log sample below), so a space delimiter would shift every field that follows the name.
8. Click Apply to save changes.

Add TippingPoint SMS


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.

4. Click Add.

Option Definition

Data Source Vendor TippingPoint

Data Source Model SMS (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do Nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

TippingPoint SMS log format and field mapping


Log format
The event is one syslog line whose fields are separated by tabs (the delimiter selected on the SMS), in this order:

<Syslog category> Action Type, Severity, Policy UUID, Signature UUID, Signature Name, Signature Number, Signature Protocol, Source Address, Source Port, Destination Address, Destination Port, Hit Count, Source Zone Name, Destination Zone Name, Incoming Physical Port, VLAN ID, Device Name, TippingPoint Taxonomy ID (the category ID assigned to the signature), Event timestamp in milliseconds

Log sample
Attention: The fields in this log are separated by tabs. If you copy and paste this log, the tabs may not copy correctly and you may need to add them manually.

<34>8 4 00000002-0002-0002-0002-000000001026 00000001-0001-0001-0001-000000001026 1026: HTTP: cgiwrap Vulnerability 1026 http 1.2.3.4 49725 2.3.4.5 80 1 1-1A 1-1B 2 0 TESTHOST 17107965 1406251768046 1117542384

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Action Type Event Subtype

Severity Severity

Signature UUID External_EventID

Signature Name Message

Signature Number Signature ID

Signature Protocol Protocol

Source Address Source IP

Source Port Source Port

Destination Address Destination IP

Destination Port Destination Port

Hit Count Count

Source Zone Name Interface

Destination Zone Name Interface_Dest

Device Name Host

Event timestamp in milliseconds First Time, Last Time
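
The following parser is an added example, not code from the McAfee guide or from TippingPoint. It strips the syslog PRI from the first token, maps the remaining tab-separated values by position using the field order above, converts the millisecond epoch to a UTC timestamp with integer arithmetic, and runs a few sanity checks (IP addresses and numeric ports) that catch the failure the Attention note warns about. The sample is the page's own line with the tabs restored; its trailing value 1117542384 is not named in the page's format list and is kept as an extra field rather than guessed at.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Field order from the page's log format, for everything after the syslog <PRI>.
FIELDS = [
    "Action Type", "Severity", "Policy UUID", "Signature UUID", "Signature Name",
    "Signature Number", "Signature Protocol", "Source Address", "Source Port",
    "Destination Address", "Destination Port", "Hit Count", "Source Zone Name",
    "Destination Zone Name", "Incoming Physical Port", "VLAN ID", "Device Name",
    "Taxonomy ID", "Event timestamp in milliseconds",
]

# ESM mapping from the page's table.
ESM_MAP = {
    "Action Type": "Event Subtype", "Severity": "Severity",
    "Signature UUID": "External_EventID", "Signature Name": "Message",
    "Signature Number": "Signature ID", "Signature Protocol": "Protocol",
    "Source Address": "Source IP", "Source Port": "Source Port",
    "Destination Address": "Destination IP", "Destination Port": "Destination Port",
    "Hit Count": "Count", "Source Zone Name": "Interface",
    "Destination Zone Name": "Interface_Dest", "Device Name": "Host",
}

# Constructed sample: the page's example with the tab delimiter restored.
SAMPLE = "\t".join([
    "<34>8", "4", "00000002-0002-0002-0002-000000001026",
    "00000001-0001-0001-0001-000000001026", "1026: HTTP: cgiwrap Vulnerability",
    "1026", "http", "1.2.3.4", "49725", "2.3.4.5", "80", "1", "1-1A", "1-1B", "2", "0",
    "TESTHOST", "17107965", "1406251768046", "1117542384",
])

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def alignment_problems(fields: dict) -> list:
    """Cheap checks that catch a wrong delimiter: fields shift and IPs/ports stop parsing."""
    problems = []
    for name in ("Source Address", "Destination Address"):
        try:
            ipaddress.ip_address(fields[name])
        except ValueError:
            problems.append(f"{name} is not an IP address: {fields[name]!r}")
    for name in ("Source Port", "Destination Port", "Hit Count", "Event timestamp in milliseconds"):
        if not fields[name].isdigit():
            problems.append(f"{name} is not numeric: {fields[name]!r}")
    return problems


def parse_sms_event(line: str, delimiter: str = "\t") -> dict:
    """Split one SMS event on the delimiter, map it by position, and convert the timestamp."""
    tokens = line.rstrip("\r\n").split(delimiter)
    m = PRI_RE.match(tokens[0])
    if not m:
        raise ValueError("missing syslog <PRI>")
    pri = int(m.group(1))
    tokens[0] = m.group(2)  # the rest of the first token is the Action Type
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    fields = dict(zip(FIELDS, tokens))
    extra = tokens[len(FIELDS):]  # trailing values that the page's format list does not name
    esm = {ESM_MAP[k]: v for k, v in fields.items() if k in ESM_MAP}
    ts = fields["Event timestamp in milliseconds"]
    if ts.isdigit():
        ms = int(ts)
        # Integer arithmetic keeps the milliseconds exact (float seconds can round).
        when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
        esm["First Time"] = esm["Last Time"] = when.isoformat()
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,  # 34 -> facility 4 (auth), severity 2
        "fields": fields, "extra": extra, "esm": esm,
        "problems": alignment_problems(fields),
    }
```

Parsing the same line with a space delimiter does not fail outright; the signature name splits into four tokens, every later field shifts, and the sanity checks are what reveal it (Source Address becomes "Vulnerability"). That is the condition to alert on when the SMS delimiter is changed by mistake.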

Tofino Firewall LSM

Configure Tofino Firewall LSM


Task

1. Ensure that the Event Logger Module is installed on the Tofino Firewall LSM.
2. Open the Tofino Configurator tool.
3. Under Package Explorer, navigate to the Event Logger and select it.
The right frame refreshes with the configuration settings for the Event Logger.
4. Set the Syslog Server IP Address to the IP address of the McAfee Event Receiver.

5. Set the Destination Port to the port set up on the McAfee Event Receiver for receiving syslog (default is 514).
6. Set the Lowest Priority Logged according to your preference.

Add Tofino Firewall LSM


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Tofino

Data Source Model Tofino Firewall LSM

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs   Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Tofino Firewall LSM log format and field mapping


Log format
The expected format for this device is:

Firewall Name and Version: Message

Log sample
This is a sample log from a Tofino Security Tofino Firewall LSM 3.1 device:

Tofino Firewall LSM: MAC_SRC=00:11:22:33:44:55 MAC_DST=55:44:33:22:11:00 IP_SRC=192.168.1.2 IP_DST=192.168.2.1 PROTO=FTP PORT_SRC=21 PORT_DST=11111

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

PORT_DST Destination Port

PROTO Protocol

DST_MAC Destination Mac

DST_IP Destination IP

SRC_MAC Source Mac

SRC_IP Source IP

SRC_PORT Source Port

Topia Technology Skoot

Configure Topia Technology Skoot


See the Topia Technology Skoot documentation for information about how to send syslog events to a remote server. Use the IP address of the McAfee Event Receiver as the address of the remote server.

Add Topia Technology Skoot


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.

3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Topia Technology

Data Source Model Skoot (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Topia Technology Skoot log format and field mapping


Log format
The expected format for this device is:

<severity> <date> - User=<username>;workspaceGUID=<GUID>;workspaceName=<name>;action=<action>;fileId=<IDnumber>;fileName=<filename>;status=<status>

Log sample
This is a sample log from a Topia Technology Skoot device:

INFO 2001-01-01 01:01:01,001 - User=user@domain.com;workspaceGUID=a1b2c3d4-e5f6-a1b2-c3d4-e5f6a1b2c3d4;workspaceName=ExampleName;action=fileupload;fileId=12;fileName=fileName.png;status=Success

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM Fields

cat sid

CEF.Severity Severity

Confidence Confidence

cat Category

CEF.SignatureID, spid External_EventID

Indicator, oldFileHash Threat_Name

fileHash New_Value

ThreatConnect URL Device_URL

cfp1 Reputation_Score

cfp2 Device_Confidence

deviceCustomDate1 First Time, Last Time
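
Both the Tofino Firewall LSM format and the Skoot format above are key=value messages that differ only in the separator (a space for Tofino, a semicolon for Skoot) and the header that precedes the pairs. The code below is an added example, not from the McAfee guide, Tofino Security or Topia Technology; one small key=value splitter serves both parsers. For Tofino it applies the page's field mapping, accepting both the key spellings in the table (SRC_MAC, DST_IP, ...) and those in the sample log (MAC_SRC, IP_DST, ...), and validates the MAC addresses. For Skoot the page's table repeats the ThreatConnect CEF fields, which do not occur in this format, so the ESM field names used for Skoot here are this example's own assumption. The samples are the page's own lines, rejoined.

```python
import re
from datetime import datetime

# Constructed samples: the page's Tofino and Skoot examples, rejoined onto one line each.
TOFINO_SAMPLE = (
    "Tofino Firewall LSM: MAC_SRC=00:11:22:33:44:55 MAC_DST=55:44:33:22:11:00 "
    "IP_SRC=192.168.1.2 IP_DST=192.168.2.1 PROTO=FTP PORT_SRC=21 PORT_DST=11111"
)
SKOOT_SAMPLE = (
    "INFO 2001-01-01 01:01:01,001 - User=user@domain.com;"
    "workspaceGUID=a1b2c3d4-e5f6-a1b2-c3d4-e5f6a1b2c3d4;workspaceName=ExampleName;"
    "action=fileupload;fileId=12;fileName=fileName.png;status=Success"
)


def parse_kv(text: str, sep: str) -> dict:
    """Split 'k=v<sep>k=v...' into a dict; only the first '=' of an item separates key and value."""
    out = {}
    for item in text.split(sep):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"not a key=value item: {item!r}")
        key, value = item.split("=", 1)
        out[key.strip()] = value.strip()
    return out


# Tofino mapping from the page's table. The table spells the keys SRC_MAC, DST_IP, ... while the
# sample log spells them MAC_SRC, IP_DST, ...; both spellings are accepted here.
TOFINO_MAP = {
    "PORT_DST": "Destination Port", "DST_PORT": "Destination Port",
    "PROTO": "Protocol",
    "DST_MAC": "Destination Mac", "MAC_DST": "Destination Mac",
    "DST_IP": "Destination IP", "IP_DST": "Destination IP",
    "SRC_MAC": "Source Mac", "MAC_SRC": "Source Mac",
    "SRC_IP": "Source IP", "IP_SRC": "Source IP",
    "SRC_PORT": "Source Port", "PORT_SRC": "Source Port",
}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_tofino(line: str) -> dict:
    """'<Firewall Name and Version>: <Message>' where the message is space-separated KEY=VALUE pairs."""
    name, _, body = line.strip().partition(": ")
    if not body:
        raise ValueError("expected '<Firewall Name and Version>: <Message>'")
    fields = parse_kv(body, " ")
    esm = {TOFINO_MAP[k]: v for k, v in fields.items() if k in TOFINO_MAP}
    for key in ("Source Mac", "Destination Mac"):
        if key in esm and not MAC_RE.match(esm[key]):
            raise ValueError(f"{key} is not a MAC address: {esm[key]!r}")
    return {"firewall": name, "fields": fields, "esm": esm}


# "<severity> <date> - key=value;key=value..." with a comma before the milliseconds.
SKOOT_RE = re.compile(
    r"^(?P<severity>[A-Z]+)\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+-\s+(?P<body>.*)$", re.S)
# Assumed ESM targets for Skoot (this example's choice, not the page's table).
SKOOT_MAP = {"User": "Source User", "action": "Command", "fileName": "Object", "status": "Event Subtype"}


def parse_skoot(line: str) -> dict:
    m = SKOOT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Skoot log line")
    when = datetime.strptime(m.group("date"), "%Y-%m-%d %H:%M:%S,%f")
    fields = parse_kv(m.group("body"), ";")
    esm = {SKOOT_MAP[k]: v for k, v in fields.items() if k in SKOOT_MAP}
    esm["First Time"] = esm["Last Time"] = when.isoformat(timespec="milliseconds")
    return {"severity": m.group("severity"), "fields": fields, "esm": esm}
```

Splitting each item on the first "=" only is what lets a value such as a URL with its own query string or a base64 blob with padding pass through intact; a format that allowed the separator character inside a value would need quoting, which neither of these two does.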

TrapX Security DeceptionGrid

Configure TrapX Security DeceptionGrid


Task

1. Open up the device management screen and click the Configuration tab.
2. Edit the Syslog server property.
3. In the Configure Syslog Service Settings window, select Enable Syslog Service.
4. In the Syslog server configuration IP field, enter the IP address of the McAfee Event Receiver.
5. Click Apply.

Add TrapX Security DeceptionGrid


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor TrapX Security

Data Source Model DeceptionGrid

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

TrapX Security DeceptionGrid log format and field mapping


Log format
The expected format for this device is:

<PRI>DATE TIME HOSTNAME DATE: TIME HOSTNAME MESSAGE

Log sample
This is a sample log from a device:

<123>Jan 01 01:01:01 localhost 20010101-1: 01:01.001 localhost connections['tcp' : 978310861 : '192.0.2.1' : 123 : '192.0.2.1' : 456]: 123

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Source IP Source IP

Destination IP Destination IP

Source Port Source Port

Destination Port Destination Port

Protocol Protocol

app Application

class Threat_Category

Hash File_Hash
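
The parser below is an added example, not code from the McAfee guide or from TrapX. It takes apart the sample line above: the syslog PRI and RFC 3164-style header, the device's own date/time stamp and host name, and the connections[...] tuple that carries the protocol, an epoch timestamp, and the source and destination address/port pairs listed in the table. Because the syslog header has no year, the example takes it from the device's YYYYMMDD stamp (an assumption about the "20010101-1" token) and then compares the header time with the epoch inside the tuple, which is a cheap way to notice a decoy whose clock has drifted. Only the network fields from the table are produced; the sample has no app, class or Hash values.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: the page's DeceptionGrid line, rejoined onto one line.
SAMPLE = (
    "<123>Jan 01 01:01:01 localhost 20010101-1: 01:01.001 localhost "
    "connections['tcp' : 978310861 : '192.0.2.1' : 123 : '192.0.2.1' : 456]: 123"
)

# <PRI>DATE TIME HOSTNAME DATE: TIME HOSTNAME MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<inner_date>\S+):\s+(?P<inner_time>\S+) (?P<inner_host>\S+) (?P<msg>.*)$", re.S)
# connections['proto' : epoch : 'src' : sport : 'dst' : dport]: tail
CONN_RE = re.compile(
    r"connections\[\s*'(?P<proto>\w+)'\s*:\s*(?P<epoch>\d+)\s*:\s*'(?P<src>[^']+)'\s*:\s*(?P<sport>\d+)"
    r"\s*:\s*'(?P<dst>[^']+)'\s*:\s*(?P<dport>\d+)\s*\]\s*:\s*(?P<tail>\S*)")


def parse_trapx(line: str) -> dict:
    """Parse one DeceptionGrid connection event into the ESM fields from the page's table."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a '<PRI>DATE TIME HOSTNAME DATE: TIME HOSTNAME MESSAGE' line")
    c = CONN_RE.search(m.group("msg"))
    if not c:
        raise ValueError("no connections[...] tuple in message")
    pri = int(m.group("pri"))
    src, dst = c.group("src"), c.group("dst")
    for ip in (src, dst):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    # The RFC 3164-style header carries no year; take it from the device's own YYYYMMDD
    # stamp (assumption about the "20010101-1" token), then compare with the tuple's epoch.
    year = int(m.group("inner_date")[:4])
    ts = " ".join(m.group("ts").split())  # collapse the padding before a one-digit day
    header_time = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    conn_time = datetime.fromtimestamp(int(c.group("epoch")), tz=timezone.utc)
    esm = {
        "Source IP": src, "Destination IP": dst,
        "Source Port": int(c.group("sport")), "Destination Port": int(c.group("dport")),
        "Protocol": c.group("proto"),
    }
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,  # 123 -> facility 15, severity 3 (error)
        "host": m.group("host"), "header_time": header_time, "connection_time": conn_time,
        "clock_skew_seconds": (conn_time - header_time).total_seconds(),
        "esm": esm, "tail": c.group("tail"),
    }
```

Any connection to a decoy is worth an event on its own, so the useful check here is not the content but the consistency: a non-zero clock skew between the header and the epoch means the receiver's Time Zone setting or the decoy's clock needs attention before First Time and Last Time can be trusted for correlation.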

Trend Micro Control Manager

Add Trend Micro Control Manager


Add Control Manager as a data source.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trend Micro

Data Source Model Control Manager

Data Format Default

Data Retrieval SQL Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address The IP address of the data source device.

Instance Name The instance name of the SQL database.

User ID/Password Credentials for logging into the SQL database. Use a dedicated login with read-only access to the Control Manager database rather than an administrative account.

Port The port assigned for the connection. Port 1433 is the default.

Database Name The name of the Control Manager SQL database to read from.

Time Zone Time zone where the data source device is physically located.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL   Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.

Vendor, Product, Version   Enter the vendor, product, and version of the device. The ESM places these values in the header when it forwards this data source's events in Common Event Format (CEF).

Date Order   Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone   To assign this data source to a zone, select the zone from the list.

External data source link   Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction between imported and locally collected data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.

Export in NitroFile format   Select this option when you are exporting raw data source data.

Data is NitroFile format   Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum   If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.

Trend Micro Deep Security

Configure Trend Micro Deep Security


Follow the documentation for the version of Deep Security you have installed.

Add Trend Micro Deep Security


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trend Micro

Data Source Model Deep Security

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Hostname The host name of the device

Syslog Relay None

Mask 32

Port 514

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Trend Micro Deep Security log format and field mapping


Log format
The expected format for this device is:

date time hostname CEF:0|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension|...

Log sample
This is a sample log from a Trend Micro Deep Security device:

Jan 01 01:01:01 SampleServer CEF:0|Trend Micro|Deep Security Manager|8.0.1046|600|User Signed In|3|src=1.2.3.4 suser=admin target=admin msg=User signed in from fe80:0:0:0:2d02:6060:bebe:fd41

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

suser Source User

duser Destination User

msg Message

dmac Destination MAC

dpt Destination Port

dst Destination IP

proto Protocol

smac Source MAC

spt Source Port

src Source IP

Time First Time, Last Time

TrendMicroDsFrameType Application

shost Host

request URL

Host ID Server_ID

Trend Micro Deep Security Manager

Configure Trend Micro Deep Security Manager


Follow the documentation for the version of Deep Security Manager you have installed.

Add Trend Micro Deep Security Manager


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trend Micro

Data Source Model Deep Security Manager

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Host Name The host name of the device

Syslog Relay None

Mask 32

Require Syslog TLS 514

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Trend Micro Deep Security Manager log format


Log format
The expected format for this device is:

Date time CEF:0|Company|Product|Version|EventID|Title|#|Message

Log sample
This is a sample log from a Trend Micro Deep Security Manager device:

<134>Jan 01 00:00:00 AAAA01 CEF:0|Trend Micro|Deep Security Manager|8.0.0000|999|Contact by Unrecognized Client|6|src=10.0.0.1 suser=System msg=A connection to Deep Security Manager was initiated by a client not identifiable as a managed computer: 10.0.0.1:5500. Either the client is not a managed Deep Security component, or a secure communication channel could not be established.

Trend Micro OfficeScan

Configure Trend Micro OfficeScan


See documentation for information about how to send syslog events to a remote server or McAfee ESM. Use the IP address of
the McAfee Event Receiver for the IP address of the remote server.

Add Trend Micro OfficeScan


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trend Micro

Data Source Model OfficeScan (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Trend Micro OfficeScan log format and field mapping


Log format
The expected format for this device is:

<computer name> <domain> <device name> <epoch time> <threat name> <infected file> <file location>

Log sample
This is a sample log from a Trend Micro OfficeScan device:

COMPUTERNAME Domain 1 Device.Name 978310800 Threat_Name ~filename.tmp C:\Users\filelocation\ 0 0 0

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Name Host

Domain Domain

Device Name Object

URL URL

Infected Filename Destination_Filename

Operating System Operating_System

Location File_Path

Threat Name Threat_Name

GUID Instance_GUID

Time First Time, Last Time

IP Address Source IP

Port Source Port

Trustwave Data Loss Prevention

Configure Trustwave Data Loss Prevention


See documentation for information about how to send CEF-formatted syslog events to a syslog server or McAfee ESM. Use the IP
address of the McAfee Event Receiver for the IP address of the remote server.

Add Trustwave Data Loss Prevention


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trustwave

Data Source Model Data Loss Prevention

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Trustwave Data Loss Prevention log format and field mapping

Log format
The expected format for this device is:

<date time> <host> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|
<severity>|rt=<receipt time> src=<source IP> dst=<destination IP> sport=<source port> dport=<destination
port> app=<application> shost=<source host> dhost=<destination host> externalId=<external ID>

Log sample
This is a sample log from a Trustwave Data Loss Prevention device:

Jan 1 01:01:01 abcde12345 CEF:0|Trustwave|DLP|8.14|sigid|name|5|rt=978310861000 src="192.0.2.0" dst="5.6.7.8" sport=1234 dport=5678 app="appname" shost="198.51.100.0" dhost="example.com" externalId="a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

dhost Host

suser Source User

duser Destination User

cs6 Domain

app Application

src Source IP

dst Destination IP

sport Source Port

dport Destination Port

proto Protocol

smac Source MAC

dmac Destination MAC

cnt Event Count

shost Object

fname File_Path

externalId Message_Text
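The three CEF sources described above (Trend Micro Deep Security, Trend Micro Deep Security Manager and Trustwave Data Loss Prevention) share one wire format but use different field mappings. The following parser is an added example, not McAfee's or either vendor's code: it splits the CEF header on unescaped pipes, reads the extension, and applies the mapping tables printed on this page; the sample lines are the ones shown above, the field-map dictionaries are a transcription of those tables, and the epoch-millisecond reading of Trustwave's rt value is inferred from the sample.

```python
"""CEF syslog parser with per-product ESM field maps (added example, not vendor code)."""
import re
from datetime import datetime, timezone

# Extension key -> ESM field, transcribed from the mapping tables on this page.
DEEP_SECURITY_MAP = {
    "src": "Source IP", "dst": "Destination IP", "spt": "Source Port",
    "dpt": "Destination Port", "proto": "Protocol", "smac": "Source MAC",
    "dmac": "Destination MAC", "suser": "Source User", "duser": "Destination User",
    "msg": "Message", "shost": "Host", "request": "URL",
    "TrendMicroDsFrameType": "Application",
}
TRUSTWAVE_DLP_MAP = {
    "dhost": "Host", "suser": "Source User", "duser": "Destination User",
    "cs6": "Domain", "app": "Application", "src": "Source IP", "dst": "Destination IP",
    "sport": "Source Port", "dport": "Destination Port", "proto": "Protocol",
    "smac": "Source MAC", "dmac": "Destination MAC", "cnt": "Event Count",
    "shost": "Object", "fname": "File_Path", "externalId": "Message_Text",
}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Optional syslog PRI, BSD timestamp, optional relay hostname, then the CEF body.
_PREFIX_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2})"
    r"(?: +(?P<host>(?!CEF:)\S+))? +CEF:(?P<body>.*)$", re.S)
# An extension key is an identifier followed by '=' at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=")


def _split_header(body):
    """Split the seven header fields on unescaped '|'; CEF escapes a literal
    pipe or backslash inside a header field with a backslash."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, body[i:]


def _parse_extension(ext):
    """key=value pairs; a value runs until the next key and may be double-quoted."""
    keys = list(_KEY_RE.finditer(ext))
    pairs = {}
    for match, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        value = ext[match.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs[match.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(line, field_map):
    """Parse one CEF syslog line and map its extension onto ESM field names.

    Returns header fields, syslog metadata, mapped fields under "esm" and keys the
    map does not cover under "unmapped"; raises ValueError on a malformed header."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a CEF syslog line")
    header, extension = _split_header(m.group("body"))
    if len(header) != 7:
        raise ValueError("truncated CEF header: %d of 7 fields" % len(header))
    record = dict(zip(HEADER_FIELDS, header))
    record["severity"] = int(record["severity"]) if record["severity"].isdigit() else None
    record["syslog_timestamp"] = m.group("ts")
    record["syslog_host"] = m.group("host")
    if m.group("pri") is not None:  # PRI = facility * 8 + severity (RFC 3164)
        record["facility"], record["syslog_severity"] = divmod(int(m.group("pri")), 8)
    ext = _parse_extension(extension)
    if ext.get("rt", "").isdigit():  # Trustwave's rt is epoch milliseconds in the sample
        record["receipt_time"] = datetime.fromtimestamp(
            int(ext["rt"]) / 1000, tz=timezone.utc).isoformat()
    record["esm"] = {field_map[k]: v for k, v in ext.items() if k in field_map}
    record["unmapped"] = {k: v for k, v in ext.items() if k not in field_map}
    return record


# Sample lines copied from this page (joined onto one line each).
DEEP_SECURITY_SAMPLE = (
    "Jan 01 01:01:01 SampleServer CEF:0|Trend Micro|Deep Security Manager|8.0.1046|600|"
    "User Signed In|3|src=1.2.3.4 suser=admin target=admin "
    "msg=User signed in from fe80:0:0:0:2d02:6060:bebe:fd41")
TRUSTWAVE_SAMPLE = (
    'Jan 1 01:01:01 abcde12345 CEF:0|Trustwave|DLP|8.14|sigid|name|5|rt=978310861000 '
    'src="192.0.2.0" dst="5.6.7.8" sport=1234 dport=5678 app="appname" '
    'shost="198.51.100.0" dhost="example.com" externalId="a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6"')
```

Keys that land in "unmapped" (target, rt) are the ones a parser-rule update would have to cover before they reach an ESM field.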

Trustwave Network Access Control

Configure Trustwave Network Access Control


See documentation for information about how to send syslog events to a remote server or McAfee ESM. Use the IP address of
the McAfee Event Receiver for the IP address of the remote server.

Add Trustwave Network Access Control


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Trustwave

Data Source Model Network Access Control (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Trustwave Network Access Control log format and field mapping

Log format
The expected format for this device is:

<date time> <device IP> <state> <date> <device name> <action> <priority> <hostname>

Log sample
This is a sample log from a Trustwave Network Access Control device:

Jan 01 01:01:01 [1.2.3.4] Jan 01 01:01:01 applianceReady: Date=2001/01/01 01:01:01,ReportingAppliance=device,Action=applianceReady,Priority=critical,SourceAppliance=hostname

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Source Appliance Host

Priority Severity

Managed Device Source MAC

Domain Domain

IP Address Source IP

Action Message

Tychon

Add Tychon
View events from Tychon in ESM Scorecard. Tychon is an Enterprise Detection and Response (EDR) product that lets you collect
additional data needed to populate Scorecard. In combination with McAfee Policy Auditor and Tychon, customers can use ESM to
visualize the 10 assessment items in the US DoD CyberSecurity Scorecard.

Note: This data source is supported in McAfee ESM 10.3 and higher.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Tychon

Data Source Model Tychon

Data Format Default

Data Retrieval SQL (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address The IP address of the McAfee ePO database.

User ID/Password Credentials for the Tychon server.

Port The McAfee ePO database port (default is 1433).

Database Name The name of the Tychon database.

Database Instance The Tychon database instance (optional).

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event
Format (CEF) forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can
clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when the logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the
data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Tychon log format and field mapping

Log format

lastLogon="2017-12-03 19:59:11.557" lastUpdate="2017-11-29 19:59:55.750" AgentAssetGUID="f008c5f4-1edf-4212-bfdb-ae3c616a6c29" CHSHostname="WINAGENT127" username="user" domain="0" domainName="WINAGENT127" userSid="S-1-5-21-3501650071-386321515-3779612984-1000" logonType="password" assignedGroups="Administrators" userAdmin="1" isException="1" Compliant="1"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Tychon fields McAfee ESM fields

lastLogon First Time, Last Time

AgentAssetGUID Source GUID

CHSHostname Hostname

username Source Username

domainName Domain

userSid User_Nickname

logonType Logon_Type

assignedGroups Group_Name

userAdmin Privileged_User

isException Sub_Status

Compliant Status
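The Trustwave Network Access Control and Tychon sources above both carry key=value records, but in different shapes: NAC pairs are comma-separated and unquoted behind a double-timestamp preamble, while Tychon pairs are space-separated with every value double-quoted. The following normalisers are an added example, not McAfee's, Trustwave's or Tychon's code: they apply the two mapping tables printed above to the page's own sample records, keep the NAC device IP as Source IP (the table's "IP Address" row), and treat Tychon's userAdmin/isException/Compliant values as "0"/"1" flags as the sample shows; the CamelCase spelling ManagedDevice for the NAC "Managed Device" row is an assumption, since that key does not appear in the sample.

```python
"""Normalisers for the Trustwave NAC and Tychon records on this page (added example)."""
import re
from datetime import datetime

# Log key -> ESM field, from the page's Trustwave Network Access Control mapping table.
# The sample only shows SourceAppliance/Priority/Action; the CamelCase spelling of
# ManagedDevice is assumed by analogy with those keys and is not confirmed by the page.
NAC_MAP = {"SourceAppliance": "Host", "Priority": "Severity", "Action": "Message",
           "Domain": "Domain", "ManagedDevice": "Source MAC"}
# Log key -> ESM field(s), from the page's Tychon mapping table (lastLogon fills two fields).
TYCHON_MAP = {
    "lastLogon": ("First Time", "Last Time"), "AgentAssetGUID": ("Source GUID",),
    "CHSHostname": ("Hostname",), "username": ("Source Username",),
    "domainName": ("Domain",), "userSid": ("User_Nickname",), "logonType": ("Logon_Type",),
    "assignedGroups": ("Group_Name",), "userAdmin": ("Privileged_User",),
    "isException": ("Sub_Status",), "Compliant": ("Status",),
}
_BSD_TS = r"[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}"
# Receiver timestamp, bracketed device IP, appliance timestamp, event name, key=value pairs.
_NAC_RE = re.compile(r"^(?P<ts>%s) +\[(?P<ip>[^\]]+)\] +(?P<ts2>%s) +(?P<event>\w+): *(?P<kv>.*)$"
                     % (_BSD_TS, _BSD_TS))
# Tychon writes every value double-quoted, so a value may contain spaces.
_TYCHON_KV_RE = re.compile(r'([A-Za-z][A-Za-z0-9_]*)="([^"]*)"')


def parse_nac(line):
    """Parse one Trustwave NAC syslog line into ESM fields.

    Pairs are comma-separated and unquoted; the Date value contains a space but no
    comma, so splitting on ',' is safe.  The bracketed device IP is kept as Source IP
    (the table's IP Address row).  Raises ValueError when the line does not match."""
    m = _NAC_RE.match(line.strip())
    if not m:
        raise ValueError("not a Trustwave NAC line")
    kv = dict(item.split("=", 1) for item in m.group("kv").split(",") if "=" in item)
    esm = {NAC_MAP[k]: v for k, v in kv.items() if k in NAC_MAP}
    esm["Source IP"] = m.group("ip")
    event_time = None
    if "Date" in kv:  # appliance-local time; the page maps no time field for NAC
        event_time = datetime.strptime(kv["Date"], "%Y/%m/%d %H:%M:%S").isoformat()
    return {"event": m.group("event"), "event_time": event_time, "esm": esm,
            "unmapped": {k: v for k, v in kv.items() if k not in NAC_MAP and k != "Date"}}


def parse_tychon(record):
    """Parse one Tychon key="value" record into ESM fields.

    userAdmin, isException and Compliant are "0"/"1" in the sample; they are also
    returned as booleans under "flags" so a consumer does not compare strings."""
    kv = dict(_TYCHON_KV_RE.findall(record))
    esm = {}
    for key, value in kv.items():
        for field in TYCHON_MAP.get(key, ()):
            esm[field] = value
    flags = {k: kv[k] == "1" for k in ("userAdmin", "isException", "Compliant") if k in kv}
    return {"esm": esm, "flags": flags,
            "unmapped": {k: v for k, v in kv.items() if k not in TYCHON_MAP}}


# Samples copied from this page (joined onto one line each).
NAC_SAMPLE = ("Jan 01 01:01:01 [1.2.3.4] Jan 01 01:01:01 applianceReady: Date=2001/01/01 01:01:01,"
              "ReportingAppliance=device,Action=applianceReady,Priority=critical,SourceAppliance=hostname")
TYCHON_SAMPLE = (
    'lastLogon="2017-12-03 19:59:11.557" lastUpdate="2017-11-29 19:59:55.750" '
    'AgentAssetGUID="f008c5f4-1edf-4212-bfdb-ae3c616a6c29" CHSHostname="WINAGENT127" username="user" '
    'domain="0" domainName="WINAGENT127" userSid="S-1-5-21-3501650071-386321515-3779612984-1000" '
    'logonType="password" assignedGroups="Administrators" userAdmin="1" isException="1" Compliant="1"')
```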

Type80 Security Software SMA_RT

Configure Type80 Security Software SMA_RT

See the Type80 Security Software SMA_RT product documentation for setup instructions about sending syslog data to a remote
server. Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.

Add Type80 Security Software SMA_RT


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Type80 Security Software

Data Source Model SMA_RT (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Type80 Security Software SMA_RT log format and field mapping

Log format
The expected format for this device is:

<date time> <IP address> <device name> <date time> <severity> <object> <user> <group> <name> <terminal name>

Log sample
This is a sample log from a Type80 Security Software SMA_RT device:

Jan 01 01:01:01 192.0.2.0 DEVICE |||2001010101010101|||||YELLOW ALERT |ABC12345 USER(username) GROUP(groupname) NAME(name) terminalname

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Terminal name Hostname

Object Object

IP Address Source IP

Terminal Address Destination IP

User Username

Name Source Username

Group Group_Name
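
The SMA_RT line above is pipe-delimited with empty padding slots, and the last populated slot packs the object, the USER(), GROUP() and NAME() tokens and the terminal name together. The parser below is an added example, not code from the guide or from Type80 Security Software: it reads the guide's sample into the raw fields and then renames them with the mapping table. The regular expressions and function names are my own assumptions about the format, derived only from the format line and the one sample shown; Terminal Address (Destination IP) does not occur in the sample and is therefore not produced.

```python
import re
from typing import Dict, Optional

# Constructed input: the guide's own SMA_RT sample line, with the wrapped
# tail joined back onto one line.
SAMPLE_LINE = (
    "Jan 01 01:01:01 192.0.2.0 DEVICE |||2001010101010101|||||YELLOW ALERT |"
    "ABC12345 USER(username) GROUP(groupname) NAME(name) terminalname"
)

# Syslog-style prefix: <date time> <IP address> <device name>, then the
# pipe-delimited body that carries the rest of the record.
_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<device>\S+) "
    r"(?P<body>\|.*)$"
)

# Last pipe segment: <object> USER(<user>) GROUP(<group>) NAME(<name>) <terminal name>
_TAIL = re.compile(
    r"^(?P<object>\S+)\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)"
    r"\s+NAME\((?P<name>[^)]*)\)\s+(?P<terminal>\S+)\s*$"
)

# Parsed-field name -> McAfee ESM field, taken from the guide's mapping table.
ESM_FIELDS = {
    "terminal": "Hostname",
    "object": "Object",
    "ip": "Source IP",
    "user": "Username",
    "name": "Source Username",
    "group": "Group_Name",
}


def parse_sma_rt(line: str) -> Optional[Dict[str, str]]:
    """Return the raw fields of one SMA_RT line, or None if it does not fit the format."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    # Empty pipe slots are padding; the populated ones are, in order,
    # the device timestamp, the severity and the object/user tail.
    segments = [s.strip() for s in m.group("body").split("|") if s.strip()]
    if len(segments) != 3:
        return None
    device_time, severity, tail = segments
    t = _TAIL.match(tail)
    if not t:
        return None
    fields = {"timestamp": m.group("timestamp"), "ip": m.group("ip"),
              "device": m.group("device"), "device_time": device_time,
              "severity": severity}
    fields.update(t.groupdict())
    return fields


def to_esm(line: str) -> Optional[Dict[str, str]]:
    """Map one SMA_RT line onto the ESM field names the guide lists."""
    fields = parse_sma_rt(line)
    if fields is None:
        return None
    return {esm: fields[raw] for raw, esm in ESM_FIELDS.items()}
```

A line that does not match the prefix, or whose body does not carry exactly three populated slots, comes back as None rather than as a half-filled record, so a collector can count and inspect rejects instead of silently mis-mapping them.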

Unix Linux

Configure Unix Linux

Task

1. Edit the /etc/syslog.conf file.
2. Add this line to the file:

*.*    @<ip_address>:514

where <ip_address> is the IP address of your McAfee Event Receiver, and 514 is the default port for syslog.
3. Run this command:

service syslog restart
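
The following is an added example, not part of the guide: a Python helper that builds the forwarding line from step 2 and appends it to an /etc/syslog.conf text only when no equivalent rule is already present, so a configuration script that is run more than once does not stack duplicate forwarders. The sample configuration text and all function names are constructed for the example. The rule as written sends every facility and priority over plain UDP, which is why the Receiver's Require Syslog TLS option exists; the helper only produces the line the guide shows.

```python
import ipaddress
import re
from typing import Set, Tuple

# Constructed /etc/syslog.conf excerpt used as input; not taken from any real host.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
# Forward everything to the local collector (already present).
*.*    @192.0.2.50:514
"""

# Matches a forwarding action in syslog.conf: "<selector>  @host[:port]".
# "@@" (rsyslog's TCP form) is accepted when scanning existing rules so the
# check stays idempotent on hosts that already forward over TCP; only the
# guide's "@" (UDP) form is ever written.
_FORWARD_RE = re.compile(
    r"^\s*(?P<selector>[^\s#][^\s]*)\s+@{1,2}(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d{1,5}))?\s*$"
)


def forward_rule(receiver_ip: str, port: int = 514) -> str:
    """Build the line from the guide, refusing values that are not a valid IP/port."""
    ip = ipaddress.ip_address(receiver_ip)        # ValueError on anything that is not an IP
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"*.*    @{host}:{port}"


def existing_targets(conf_text: str) -> Set[Tuple[str, int]]:
    """Return every (host, port) the file already forwards to; port defaults to 514."""
    targets = set()
    for line in conf_text.splitlines():
        m = _FORWARD_RE.match(line)
        if m:
            host = m.group("host").strip("[]")
            targets.add((host, int(m.group("port") or 514)))
    return targets


def ensure_forwarding(conf_text: str, receiver_ip: str, port: int = 514) -> Tuple[str, bool]:
    """Append the forwarding rule unless an equivalent one is already present.

    Returns (new_text, changed). Nothing is written to disk; the caller decides
    where the result goes and then restarts syslog as in step 3.
    """
    wanted = (str(ipaddress.ip_address(receiver_ip)), port)
    if wanted in existing_targets(conf_text):
        return conf_text, False
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + forward_rule(receiver_ip, port) + "\n", True
```

Validating the address with ipaddress before it reaches the file is the point of forward_rule: a typo or a hostname in a variable would otherwise be written verbatim and only show up as a silently non-forwarding host.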

Add Unix Linux


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Unix

Data Source Model Linux

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Verdasys Digital Guardian

Configure Verdasys Digital Guardian


Task

1. Log on to the Digital Guardian Management Console.


2. Select Workspace → Data Export → Create Export.
a. From the Data Sources list box, select Alerts or Events as the data source.
b. From the Export type list box, select ArcSight CEF.
c. From the Type list box, select UDP or TCP as the transport protocol.
d. In the Server Name field, type the IP address of your ArcSight server.
e. In the Port field, type 514.
f. From the Syslog Severity Level list box, select a severity level.
g. Select Is Active.
3. Click Next.
4. From the list of available fields, select the Alert or Event fields for your data export.
5. Select criteria for the fields in your data export, then click Next.
6. Select a group for the criteria, then click Next.
7. Click Test Query, then click Next.
8. Save the data export.

Add Verdasys Digital Guardian


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Verdasys

Data Source Model Digital Guardian

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Verdasys Digital Guardian log format and field mapping

Log sample

Jan 01 2014 01:01:01 APPSERVER.domain.com CEF:0|Verdasys|Digital Guardian|6.1.2.0464|File Write|File Write|10|cat=alerts msg=File DG_AgentUTCDate=10/13/2013 sproc=updates.exe deviceProcessName=updates.exe dvchost=workgroup/username-PC shost=workgroup/username-PC dst= cs1=[APT-TEST01] - Processes Creating Binaries cs1Label=Rule cs2=False cs2Label=WasBlocked suser=username-PC\\hostname fname=836d52c28e6cc389f3eaa0d46bbcecff.txt DG_SourceDriveType=CDROM
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

DG_SourceDriveType Object_Type

fname Filename

Custom field: Rule Rule_Name

Custom field: WasBlocked Process_Name
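
The Digital Guardian sample is a CEF message: seven pipe-separated header fields followed by key=value extensions in which a value may contain spaces (cs1 above), may be empty (dst=) and may use backslash escapes (suser), and in which the csN/csNLabel pairs carry the "Custom field: Rule" and "Custom field: WasBlocked" entries of the mapping table. The parser below is an added example, not code from the guide or from Verdasys; it handles those three cases, resolves the custom-field labels and applies the table above. Function names and the splitting regular expressions are my own.

```python
import re
from typing import Dict, Tuple

# Constructed input: the guide's Digital Guardian sample, rejoined onto one line.
SAMPLE_LINE = (
    "Jan 01 2014 01:01:01 APPSERVER.domain.com CEF:0|Verdasys|Digital Guardian|6.1.2.0464|"
    "File Write|File Write|10|cat=alerts msg=File DG_AgentUTCDate=10/13/2013 sproc=updates.exe "
    "deviceProcessName=updates.exe dvchost=workgroup/username-PC shost=workgroup/username-PC dst= "
    "cs1=[APT-TEST01] - Processes Creating Binaries cs1Label=Rule cs2=False cs2Label=WasBlocked "
    "suser=username-PC\\\\hostname fname=836d52c28e6cc389f3eaa0d46bbcecff.txt DG_SourceDriveType=CDROM"
)

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")        # pipes not preceded by a backslash
_EXT_SPLIT = re.compile(r"\s+(?=[\w.\-]+=)")    # whitespace that starts the next key=
_ESCAPE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    # CEF escapes "|", "=" and "\" with a backslash; "\n" and "\r" are line breaks.
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one CEF message into its 7 header fields and its extension key/values."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SPLIT.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = {k: _unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    extension = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, sep, value = token.partition("=")
        if sep:
            extension[key] = _unescape(value)   # value may be empty, as "dst=" is here
    return header, extension


def custom_fields(extension: Dict[str, str]) -> Dict[str, str]:
    """Resolve csN/csNLabel (and any other *Label) pairs into label -> value."""
    resolved = {}
    for key, label in extension.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in extension:
            resolved[label] = extension[base]
    return resolved


# Extension key -> ESM field and custom-field label -> ESM field, from the guide's table.
ESM_FIELDS = {"DG_SourceDriveType": "Object_Type", "fname": "Filename"}
ESM_CUSTOM_FIELDS = {"Rule": "Rule_Name", "WasBlocked": "Process_Name"}


def to_esm(line: str) -> Dict[str, str]:
    """Apply the guide's mapping table to one Digital Guardian CEF line."""
    header, extension = parse_cef(line)
    esm = {esm_name: extension[key] for key, esm_name in ESM_FIELDS.items() if key in extension}
    for label, value in custom_fields(extension).items():
        if label in ESM_CUSTOM_FIELDS:
            esm[ESM_CUSTOM_FIELDS[label]] = value
    return esm
```

Splitting the extension on "whitespace followed by key=" rather than on every space is what keeps "[APT-TEST01] - Processes Creating Binaries" in one piece; the lookahead only fires where a new key begins.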

VMware

Configure VMware
See the specific product documentation of VMware for instructions about sending syslog events.

Add VMware
Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor VMware

Data Source Model VMware (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

VMware log format and field mapping


Log sample
This is a sample log from a VMware device:

<166>Jan 1 12:34:56 Hostd: [2015-01-01 12:34:56.123 ABCD1234 severity service] Example Message

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

User Source User

IP Address Source IP

Virtual Machine Name Object

Destination Destination IP

Host Hostname

Application Application

Command Command

Changed Filename Destination Filename

Method Method

Severity Severity

File Filename

VMware AirWatch

Configure VMware AirWatch


Task

1. Log on to Admin Console and navigate to Groups → Settings → All Settings → System → Enterprise Integration →
Syslog.
2. Enter the host name or IP address of the McAfee Event Receiver in the Host Name field.
3. Select UDP for Protocol.
4. Enter 514 in the Port field.
5. Select UserLevelMessages for Syslog Facility.
6. For Event Types Logged, select Console and Device.
7. Enter Airwatch in the Message Tag field.
8. Make sure that the Message Content field follows the default format.

Add VMware AirWatch


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor VMware

Data Source Model AirWatch

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

VMware AirWatch log format and field mapping

Log format
The expected format for this device is:

AirWatch Syslog Details are as follows Event Type: {EventType}Event: {Event}User: {User}Event Source: {EventSource}Event Module: {EventModule}Event Category: {EventCategory}Event Data: {EventData}

Log sample
This is a sample log from a device:

<101> October 11 11:12:22 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationUser: sysadminEvent Source: Event Module: DevicesEvent Category: DeliveryEvent Data: 747

Field mapping
This table shows the mappings between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

EventType Event_Class

Event Message

User Source User

EventSource Subcategory

EventModule Category

EventCategory Message_Text

Application Filename

Method Method

Destination User Destination User

OS Version Version

OS Operating_System

Status Status

Device Type External_Device_Type

Session External_SessionID

Event Source Object_Type
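
The VMware hostd sample in the previous section and the AirWatch sample above both begin with a syslog <PRI> value that encodes facility and severity, and the AirWatch body is the guide's expected format with the {placeholders} filled in and no separator between a value and the next label ("DeviceEvent:", "sysadminEvent Source:"). The example below is added here and is not code from the guide or from VMware. It serves both log samples: it decodes the PRI for each, parses the hostd bracket header, and compiles the AirWatch format string from the guide into a regular expression whose literal labels delimit the values, so a value that happens to contain a label word is still cut at the right place as long as the labels appear in the documented order. Function and pattern names are my own; the hostd regular expression is an assumption built from the single sample shown.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed inputs: the two sample lines from the guide (AirWatch sample rejoined onto one line).
VMWARE_SAMPLE = "<166>Jan 1 12:34:56 Hostd: [2015-01-01 12:34:56.123 ABCD1234 severity service] Example Message"
AIRWATCH_SAMPLE = (
    "<101> October 11 11:12:22 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: "
    "SecurityInformationUser: sysadminEvent Source: Event Module: DevicesEvent Category: DeliveryEvent Data: 747"
)

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
_PRI = re.compile(r"^<(\d{1,3})>\s*(.*)$", re.S)


def decode_pri(line: str) -> Tuple[int, str, str]:
    """Strip the <PRI> prefix; return (facility number, severity name, remainder)."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:          # 24 facilities * 8 severities - 1
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return pri // 8, SEVERITY_NAMES[pri % 8], m.group(2)


# VMware hostd: "<ts> Hostd: [<event ts> <opID> <severity> <service>] <message>"
_HOSTD = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<app>\w+): "
    r"\[(?P<event_time>\S+ \S+) (?P<op_id>\S+) (?P<severity>\S+) (?P<service>\S+)\] (?P<message>.*)$"
)


def parse_vmware(line: str) -> Optional[Dict[str, str]]:
    """Decode the PRI and the hostd bracket header of one VMware line."""
    facility, syslog_severity, rest = decode_pri(line)
    m = _HOSTD.match(rest)
    if not m:
        return None
    fields = m.groupdict()
    fields["facility"] = str(facility)
    fields["syslog_severity"] = syslog_severity
    return fields


# AirWatch's expected format from the guide; the {placeholders} run straight into the next label.
AIRWATCH_TEMPLATE = (
    "AirWatch Syslog Details are as follows Event Type: {EventType}Event: {Event}User: {User}"
    "Event Source: {EventSource}Event Module: {EventModule}Event Category: {EventCategory}Event Data: {EventData}"
)


def compile_template(template: str):
    """Turn a "{name}" template into a regex whose literal labels delimit lazy groups."""
    pattern, pos = "", 0
    for m in re.finditer(r"\{(\w+)\}", template):
        pattern += re.escape(template[pos:m.start()]) + f"(?P<{m.group(1)}>.*?)"
        pos = m.end()
    return re.compile(pattern + re.escape(template[pos:]) + "$", re.S)


_AIRWATCH = compile_template(AIRWATCH_TEMPLATE)

# Template field -> ESM field, from the guide's AirWatch mapping table.
AIRWATCH_ESM_FIELDS = {"EventType": "Event_Class", "Event": "Message", "User": "Source User",
                       "EventSource": "Subcategory", "EventModule": "Category", "EventCategory": "Message_Text"}


def parse_airwatch(line: str) -> Optional[Dict[str, str]]:
    """Recover the glued-together fields; returns ESM-named fields plus the raw EventData."""
    _, _, rest = decode_pri(line)
    m = _AIRWATCH.search(rest)                  # search: skip the timestamp/host prefix
    if not m:
        return None
    raw = m.groupdict()
    out = {esm: raw[key] for key, esm in AIRWATCH_ESM_FIELDS.items()}
    out["EventData"] = raw["EventData"]
    return out
```

The lazy groups in the compiled template stop at the first occurrence of the next label, which is exactly the boundary the AirWatch format defines; an empty value such as Event Source in the sample comes through as an empty string rather than swallowing the following label.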

VMware Horizon

Configure VMware Horizon


Set up VMware Horizon to send logs to ESM.

Task

Refer to VMware product documentation for instructions.

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor VMware

Data Source Model Horizon

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of the data source.

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Port 514

Support Generic Syslogs Do nothing.

Generic Rule Assignments User Defined 1

Time Zone Time zone where the sending device is located.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

VMware Horizon log format and field mapping

Log sample
An example log from the data source:

<150>AP:ESMANAGER 04/07 12:41:37,739[nioEventLoopGroup-18-1]INFO utils.SyslogManager[terminateSession: 386] [083c95ce-e1b1-4fe8-b774-c89b962f970e] - HORIZON_SESSION:TERMINATED:Horizon Session terminated - Session count:19999, Authenticated sessions: 557

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Sys_action Action

Severity Severity

Application AppID

Host HostID

User UserIDSrc

UserGUID Src_Guid

AuthType Authentication_Type

Session Session_ID

VMware vCenter Server

Configure VMware vCenter Server

Task

1. Log on to the vSphere web client.
2. Browse to the vCenter Server where you want to collect events.
3. Select Manage → Permissions → Add Permission.
4. Add minimum read-only permission to a user, then select Propagate to children.
Use an existing permission if one was created.

Add VMware vCenter Server


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor VMware

Data Source Model vCenter Server (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name User-defined name of data source

IP Address/Hostname The IP address associated with vCenter Server.

Username User name associated with the read-only permission

Password Password associated with the user name

Port Default is 443

Use SSL Selected by default

Event Timeframe The desired timeframe to use when pulling events. For vCenter hosts that are overloaded
a higher Event Timeframe value is recommended.

Default Value: 5

Min value: 5

Max value: 120

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

VMware vCenter Server log format and field mapping

Log format
The expected format for this device is:

computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID

Log sample
This is a sample log from a VMware vCenter Server device:

SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Computer Hostname

IP Protocol Protocol

Source Source IP

Destination Destination IP

Vormetric Data Security Manager

Configure Vormetric Data Security Manager


Task

1. From the DSM product, select Log → Syslog and add the required information.
2. Select Syslog Enabled via System → General Preferences on the System tab.
3. Configure the Syslog server for DSM logging for each domain.

Add Vormetric Data Security Manager


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Vormetric

Data Source Model Data Security (ASP)

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Vormetric Data Security Manager log format and field mapping


Log format
The expected format for this device is not available.

Log sample
These are sample logs from a Vormetric Data Security device:

<30>1 2013-06-29T18:44:42.420Z 10.10.10.1 vee-FS 0 CGP2601I [CGP@21513 sev="INFO" msg="Audit access" cat="[AUDIT]" pol="aria256_on_host" uinfo="cfd,uid=100,gid=10{staff}" sproc="/opt/VRTSfssdk/5.0/src/vxfsio/cache/obj64/cache_advisory" act="write_app" gp="/vor/guard" filePath="/symtest" key="aria256_on_host" denyStr="PERMIT" showStr="Code (1M)"]

<14> Jan 06 05:31:03 cpu.mydom.com CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=cpu.mydom.com suser=USER_1 shost=test_cpu

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

filePath Destination_Filename

cat Category

url URL

Message ID Signature ID

sev Severity

msg, Action Message

user, suser, admin, uinfo Source User

shost Host, Source IP

dvchost Destination_Hostname

1032 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources

Log fields McAfee ESM fields

sproc, Process Application

act Event Subtype, Command

denyStr Event Subtype

spt Source Port

count Event Count

cs1_policy, policy, pol Policy_Name, Command

“faked as USERNAME” from suser User_Nickname

showStr, reason Reason

rt First Time, Last Time

key Registry_Key

Res Object
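
The two sample shapes above, the RFC 5424 line that carries its fields in a structured-data element and the CEF line carried inside a BSD-style syslog header, can be parsed and renamed the way the mapping table does. The Python below is an added example, not code from the guide or from Vormetric or McAfee: the RFC 5424 and CEF layouts come from those standards, the sample lines are constructed copies of the ones above, and the first-seen-wins rule for two log fields that feed one ESM field (act and denyStr both feed Event Subtype) is an assumption.

```python
"""Parse Vormetric DSM syslog in its two shapes (RFC 5424 with structured data, and CEF)
and rename the log fields to McAfee ESM field names as the mapping table does.
Added example; the sample lines are constructed copies of the guide's samples."""
import re
from datetime import datetime, timezone

RFC5424_SAMPLE = (
    '<30>1 2013-06-29T18:44:42.420Z 10.10.10.1 vee-FS 0 CGP2601I [CGP@21513 sev="INFO" '
    'msg="Audit access" cat="[AUDIT]" pol="aria256_on_host" uinfo="cfd,uid=100,gid=10{staff}" '
    'sproc="/opt/VRTSfssdk/5.0/src/vxfsio/cache/obj64/cache_advisory" act="write_app" '
    'gp="/vor/guard" filePath="/symtest" key="aria256_on_host" denyStr="PERMIT" showStr="Code (1M)"]'
)
CEF_SAMPLE = (
    "<14> Jan 06 05:31:03 cpu.mydom.com CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|"
    "cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=cpu.mydom.com suser=USER_1 shost=test_cpu"
)

# Log field -> ESM field(s), transcribed from the field mapping table above.
ESM_FIELD_MAP = {
    "filePath": ("Destination_Filename",),
    "cat": ("Category",),
    "sev": ("Severity",),
    "msg": ("Message",),
    "uinfo": ("Source User",),
    "suser": ("Source User",),
    "shost": ("Host",),
    "dvchost": ("Destination_Hostname",),
    "sproc": ("Application",),
    "act": ("Event Subtype", "Command"),
    "denyStr": ("Event Subtype",),
    "pol": ("Policy_Name",),
    "showStr": ("Reason",),
    "rt": ("First Time", "Last Time"),
    "key": ("Registry_Key",),
}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID PARAM="..." ...]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sdid>[^\s\]]+) (?P<params>.*)\]\s*$"
)
# SD-PARAM values are double-quoted; backslash escapes (\" \] \\) stay inside the value.
SD_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# CEF extension: key=value pairs where a value may contain spaces but a key never does.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _map_fields(raw, esm):
    """Rename raw log fields to ESM fields. act and denyStr both feed Event Subtype; the
    table gives no precedence, so first-seen-wins is an assumption made here."""
    for log_field, value in raw.items():
        for esm_field in ESM_FIELD_MAP.get(log_field, ()):
            esm.setdefault(esm_field, value)
    return esm


def parse_rfc5424(line):
    """Parse the audit shape; MSGID is the table's 'Message ID', mapped to Signature ID."""
    m = RFC5424_RE.match(line)
    if not m:
        return None
    raw = dict(SD_PARAM_RE.findall(m.group("params")))
    return _map_fields(raw, {"Signature ID": m.group("msgid")})


def parse_cef(line):
    """Parse the CEF shape: CEF:Ver|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # A literal '|' inside a header field is escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        return None
    sig_id, severity, ext = parts[4], parts[6], parts[7]
    raw = dict(CEF_EXT_RE.findall(ext))
    if raw.get("rt", "").isdigit():
        # CEF rt is milliseconds since the Unix epoch; render it as ISO 8601 UTC.
        ms = int(raw["rt"])
        stamp = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
        raw["rt"] = stamp.replace(microsecond=(ms % 1000) * 1000).isoformat(timespec="milliseconds")
    return _map_fields(raw, {"Signature ID": sig_id, "Severity": severity})


def parse_vormetric(line):
    """Dispatch on the line shape; returns None for a line that matches neither."""
    return parse_cef(line) if "CEF:" in line else parse_rfc5424(line)


if __name__ == "__main__":
    for sample in (RFC5424_SAMPLE, CEF_SAMPLE):
        print(parse_vormetric(sample))
```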

WatchGuard Technologies Firebox

Configure WatchGuard Technologies Firebox


Task

1. From the Fireware web interface, go to System → Logging.
2. Click the Syslog Server tab.
3. Select Enable Syslog output to this server and enter the IP address of the McAfee Event Receiver in the adjacent textbox.
4. In the Settings section, use the drop-down lists to select the syslog facility for each type of log message.
5. Click Save.

Add WatchGuard Technologies Firebox


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor WatchGuard Technologies

Data Source Model Firebox and X Series (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

WatchGuard Technologies Firebox log format and field mapping


Log format
The expected format for this device is:

<priority> <time> <date> <hostname> (<time> <date>) <process>[<process id>]: <key>=<value> <key>=<value>
<key>=<value>…

Log sample
This is a sample log from a WatchGuard Technologies Firebox device:

<123>Jan 01 01:01:01 HOSTNAME (2001-01-01T01:01:01) http-proxy[1234]: msg_id="1A2B-3C4D" Allow 1-Trusted 6-External tcp 192.0.2.1 192.0.2.2 12345 67890 msg="ProxyAllow: HTTP Request URL match" proxy_act="Outgoing HTTP Proxy" rule_name="Default" dstname="download.example.com" arg="arguments" (HTTP-proxy-Out)

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Host, server Host

protocol Protocol

source IP Source IP

destination IP Destination IP

source port Source Port

destination port Destination Port

mac Source MAC

destination mac Destination MAC

message Message

msg_id Message_ID

action Event Subtype

socket ID, process ID, pid, Session ID

VLAN ID VLAN

Severity Severity

date, time First Time, Last Time

application Application

domain Domain

filename Filename

detail name Object

Authentication Method Method

src_user Source User

interface Interface

external interface Interface_Destination

domain name, GET URL

Group Group_Name

member External_Device_Name

member External_Device_ID

diagnostic file location External_Device_Type

session number External_Session_ID

Cluster ID External_Event_ID

Proxy Action Device_Action

Ruleset Rule_Name

Task UUID UUID

path File_Path

Policy Name Policy_Name

Service Service_Name
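
The Firebox line above mixes key="value" pairs with a positional traffic record and a trailing parenthesised name. The Python below is an added example, not code from the guide or from WatchGuard or McAfee; it works on a constructed copy of the sample above, and the order of the positional tokens (disposition, source interface, destination interface, protocol, source IP, destination IP, source port, destination port) and the reading of the trailing name as Policy_Name are assumptions taken from that sample. A line whose address tokens do not validate is rejected rather than mapped to the wrong fields.

```python
"""Parse a WatchGuard Firebox proxy/traffic syslog line into McAfee ESM field names.
Added example; the sample is a constructed copy of the guide's sample line."""
import ipaddress
import re

FIREBOX_SAMPLE = (
    '<123>Jan 01 01:01:01 HOSTNAME (2001-01-01T01:01:01) http-proxy[1234]: msg_id="1A2B-3C4D" '
    "Allow 1-Trusted 6-External tcp 192.0.2.1 192.0.2.2 12345 67890 "
    'msg="ProxyAllow: HTTP Request URL match" proxy_act="Outgoing HTTP Proxy" rule_name="Default" '
    'dstname="download.example.com" arg="arguments" (HTTP-proxy-Out)'
)

# <priority> <time> <date> <hostname> (<time> <date>) <process>[<process id>]: <body>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<bsd_time>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\((?P<iso_time>[^)]+)\) (?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
POLICY_RE = re.compile(r"\((?P<policy>[^()\s]+)\)\s*$")

# key="value" names -> ESM fields, transcribed from the field mapping table above.
KV_TO_ESM = {
    "msg_id": "Message_ID",
    "msg": "Message",
    "proxy_act": "Device_Action",
    "rule_name": "Rule_Name",
    "dstname": "URL",
}
# Positional traffic tokens in the order they appear in the sample (assumed order:
# disposition, source interface, destination interface, protocol, source IP,
# destination IP, source port, destination port) -> ESM fields from the table.
POSITIONAL_TO_ESM = (
    "Event Subtype", "Interface", "Interface_Destination", "Protocol",
    "Source IP", "Destination IP", "Source Port", "Destination Port",
)


def parse_firebox(line):
    """Return a dict of ESM fields, or None when the line lacks the Firebox shape or its
    address tokens do not validate, so a malformed line is dropped rather than mis-mapped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    esm = {
        "Host": m.group("host"),
        "Session ID": int(m.group("pid")),   # process ID -> Session ID (table)
        "First Time": m.group("iso_time"),   # date, time -> First Time, Last Time (table)
        "Last Time": m.group("iso_time"),
    }
    body = m.group("body")
    for key, value in KV_RE.findall(body):
        if key in KV_TO_ESM:
            esm[KV_TO_ESM[key]] = value
    # Remove the key="value" pairs; what remains is the positional record plus the
    # trailing (policy name), taken here as Policy_Name (assumption).
    rest = KV_RE.sub("", body).strip()
    pm = POLICY_RE.search(rest)
    if pm:
        esm["Policy_Name"] = pm.group("policy")
        rest = rest[: pm.start()].strip()
    tokens = rest.split()
    if len(tokens) != len(POSITIONAL_TO_ESM):
        return None
    esm.update(zip(POSITIONAL_TO_ESM, tokens))
    try:
        esm["Source IP"] = str(ipaddress.ip_address(esm["Source IP"]))
        esm["Destination IP"] = str(ipaddress.ip_address(esm["Destination IP"]))
        # Ports become integers; no range check, because the guide's sample uses
        # placeholder port numbers.
        esm["Source Port"] = int(esm["Source Port"])
        esm["Destination Port"] = int(esm["Destination Port"])
    except ValueError:
        return None
    return esm


if __name__ == "__main__":
    for field, value in parse_firebox(FIREBOX_SAMPLE).items():
        print(f"{field}: {value}")
```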

Websense Enterprise SQL Pull

Configure Websense Enterprise SQL Pull


Task

1. Make sure that you have the credentials for a user with the necessary permissions to the database.
2. Make sure that you have your database’s open port and IP address to set up the McAfee Event Receiver.

Add Websense Enterprise SQL Pull


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Websense

Data Source Model Websense Enterprise – SQL Pull

Data Format Default

Data Retrieval SQL (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Instance Name Enter the database Instance Name.

User ID/Password User ID and password to log on to the database.

Port 1433

Database Name Name of database.

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Websense Enterprise SQL Pull log format and field mapping

Log format
The log format is specific to this data source.

Log sample
This is a sample log from a Websense Enterprise - SQL Pull device:

record_number="100000034293" first_time="1323776050" last_time="1323776050" ip_src="10.0.2.231" ip_dst="10.0.66.80" dport="80" protocol="HTTP" command="Miscellaneous:" domain="10.0.66.80" username_src="10.0.2.231" username_dst="Samuel" sig_desc="Custom URL, category permitted" Url.Url="10.0.66.80" source_server_ip_int="10.0.2.231" disposition_code="1028" bytes_sent="601" bytes_received="749" action="Permitted"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

action Action

protocol Protocol

ip_src Source IP

ip_dst Dest. IP

First Time | Last Time

dport Dest. Port

username_src Source User

username_dst Destination User

Url.Url URL

domain Domain

sig_desc Rule Message

disposition_code Signature ID

bytes_sent Bytes_Sent

bytes_received Bytes_Received

Command Category

WurldTech OpShield

Configure WurldTech OpShield


Task

1. In the top right corner of the interface, hover over the username.
2. When the menu appears, select Configuration.
3. Go to Syslog Settings and Syslog servers.
4. Select Enable.
5. From the Protocol menu, select UDP or TCP.
6. Enter the IP address of the McAfee Event Receiver in the IP Address field.
7. Set Port to 514 or another port as needed.
8. Select the logging level you want.
9. Click Save.

Add WurldTech OpShield


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Wurldtech

Data Source Model OpShield

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter the desired name for the data source.

IP Address/Hostname Enter the IP address and host name (optional) associated with OpShield.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Unchecked

Support Generic Syslogs Do nothing

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

WurldTech OpShield field mapping


Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Channel Category

Incident Type Subcategory

NGFW Device Name Device Name

Source IP Source IP

Destination IP Destination IP

protocol Protocol, Application

Source Port Source Port

Destination Port Destination Port

signatureName Policy Name

class Event_Class

methodName Method

privilege Access_Privileges

errorMessage Message_Text

incidentAction Device_Action, Action

deviceSN External_Device_ID

Xirrus Wi-Fi Arrays

Configure Xirrus Wi-Fi Arrays


The syslog configuration is done at the command line. See your product documentation for more information about how to
access and use the command line.

Task

1. At the command line, turn on syslog:

syslog enable

2. Send syslog to the McAfee Event Receiver:

syslog primary x.x.x.x level 7

Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are to be sent.

3. (Optional) If a primary server has already been defined, syslog can be sent to a secondary server:

syslog secondary x.x.x.x level 7

Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are sent.

Add Xirrus Wi-Fi Arrays


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Xirrus

Data Source Model 802.11abgn Wi-Fi Arrays (ASP)

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname IP address and host name associated with the data source device

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Xirrus 802.11abgn Wi-Fi Arrays log format and field mapping


Log format
The expected format for this device is:

<device IP> <severity> <date> <time> <station MAC> <message>

Log sample
This is a sample log from a Xirrus 802.11abgn Wi-Fi Array:

[1.2.3.4] <15>Jan 01 01:01:01: info : Station a1:b2:c3:d4:e5:f6, EAP Response packet (type PEAP) received

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

Client Name Host

SSID Domain

VLAN ID / packet type / Manufacture Object

Username Source User

Station MAC Source MAC

Source IP Address Source IP

Source Port Source Port

Destination IP Address Destination IP

Yubico YubiKey

Configure Yubico YubiKey


Set up the data source to send events and flows to ESM.

Task

Configure YubiKey according to Yubico product documentation.

Add Yubico YubiKey


Set up the data source to send events and flows to ESM.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Yubico

Data Source Model YubiKey

Data Format Default

Data Retrieval SYSLOG (Default)

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Enter a name for the data source.

IP Address/Hostname Enter the IP address and host name.

Note: Don't use _ (underscore) in a host name field.

Syslog Relay None

Mask 0

Require syslog TLS Select to require TLS.

Port Select the port number.

Support Generic Syslogs Do nothing

Generic Rule Assignment Accept default.

Time Zone Select the time zone offset applicable to the data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.

Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.

Date Order
Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Use this option when you are exporting raw data source data.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.

Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

ZeroFox Riskive

Configure ZeroFox Riskive


See Riskive Documentation to enable syslog messages.

Add ZeroFox Riskive


Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor ZeroFox

Data Source Model Riskive

Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask <Default>

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs <Default>

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device. ESM places these values in the header of
events that it forwards in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.


Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

ZeroFox Riskive log format and field mapping

Log sample
This is a sample log from a Riskive device:

<133> Sep 20 16:02:19 2013 ZF1.0 192.168.0.3 5232117c1004db252d6479db: AlertPriority="MEDIUM"
AlertType="CONTENT_ALERT" AlertName="ZeroFoxContent" URL="http://example.com/" IP="1.2.3.4" Score="0.0"
Percentile="0"
Headers="Cache-Control:no-store,no-cache,must-revalidate,post-check=0,pre-check=0,Connection:Keep-Alive,Content-Type:text/html;charset=UTF-8,Date:Thu,12Sep201318:06:36GMT,Expires:Thu,19Nov198108:52:00GMT,Keep-Alive:timeout=3,max=100,Pragma:no-cache,Server:Apache/2.2.15(CentOS),Set-Cookie:app=2zf6bb1itfj47jbvb4tra3jdt7;expires=Thu,26-Sep-201318:06:36GMT;path=/,X-Powered-By:PHP/5.3.3"
DNS="name:example.com.,type:A,ttl:300,address:1.2.3.4,target:;name:example.com.,type:NS,ttl:21600,address:,target:03.dnsv.jp.;name:example.com.,type:NS,ttl:21600,address:,target:04.dnsv.jp.;name:example.com.,type:NS,ttl:21600,address:,target:01.dnsv.jp.;name:example.com.,type:NS,ttl:21600,address:,target:02.dnsv.jp."
ASNumber="9371" AsBlock="1.2.0.0/16"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

URL URL.URL

URL Web_Domain.Web_Domain

DNS DNS_Name.DNS_Name

Percentile Severity

AlertPriority Severity

IP src_ip


Headers Firsttime / Lasttime

Zscaler Nanolog

Configure Zscaler Nanolog

Use the Zscaler NSS admin portal for the configuration.

Task

1. Navigate to Policy → Administration → Configure Nanolog Streaming Service.
2. Click Add Feed, and type a name for the feed.
3. From the NSS Name list, select the Zscaler NSS system.
4. From the Status list, select Enabled.
5. Enter the IP address of the McAfee Event Receiver in the SIEM IP field.
6. Enter 514 in the TCP Port field.
7. Use the default CSV format for the Feed Output Type and Feed Output Format.
8. Click Done to save changes.

Note

NSS delivers the feed over TCP, so make sure the Receiver accepts syslog on that TCP port (Interface → Communication on the
Receiver); the field mapping for this data source assumes the default CSV feed format.

Add Zscaler Nanolog

Add the data source to a receiver.

Task

1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.

Option Definition

Data Source Vendor Zscaler

Data Source Model Nanolog Streaming Service


Data Format Default

Data Retrieval Default

Enabled Select options for processing events. Some options may not be available for your data
source.

• Parsing - if you want to parse events. Enabling parsing is recommended.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).

Name Name of data source

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay None

Mask 32

Require Syslog TLS Enable to require the Receiver to communicate over TLS.

Support Generic Syslogs Do nothing

Time Zone Time zone of data being sent.

5. (Optional) Click Advanced and configure the settings.

Option Definition

Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.


Vendor, Product, Version Enter the vendor, product, and version of the device. ESM places these values in the header of
events that it forwards in Common Event Format (CEF).

Date Order Select the format for the dates on data sources:

• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).

Zone To assign this data source to a zone, select the zone from the list.

External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.

For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.

Export in NitroFile format Use this option when you are exporting raw data source data.

Data is NitroFile format Select this option when the data you are importing is in NitroFile format.

Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.

Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.


Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.

Zscaler Nanolog log format and field mapping

Log format
The expected format for this device is:

"%s{time}","%s{login}","%s{proto}","%s{url}","%s{action}","%s{appname}","%s{appclass}","%d{reqsize}",
"%d{respsize}","%d{stime}","%d{ctime}","%s{urlclass}","%s{urlsupercat}","%s{urlcat}","%s{malwarecat}",
"%s{threatname}","%d{riskscore}","%s{dlpeng}","%s{dlpdict}","%s{location}","%s{dept}","%s{cip}","%s{sip}",
"%s{reqmethod}","%s{respcode}","%s{ua}","%s{referer}"

Log sample
This is a sample log from a Zscaler Nanolog Streaming Service device:

"Mon Jan 01 01:01:01 2001","example","HTTP","1.2.3.4/","Allowed","General Browsing","General Browsing","123","321",
"78","78","General Surfing","Miscellaneous","Miscellaneous or Unknown","Clean Transaction","None","0","None","None",
"Example","Default Department","4.3.2.1","1.2.3.4","head","403 - Forbidden","example ua","None"

Field mapping
This table shows the mapping between the data source and McAfee ESM fields.

Log fields McAfee ESM fields

time First Time, Last Time

login Source User

url URL

reqsize Bytes_from_Client

respsize Bytes_from_Server


urlclass – urlsupercat – urlcat URL_Category

malwarecat Threat_Category

threatname Threat_Name

riskscore Reputation_Score

cip Source IP

sip Destination IP

reqmethod Command

ua User_Agent
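The two log formats and mapping tables above (ZeroFox Riskive and Zscaler Nanolog) can be checked against real records with the parsers below. This is an added example, not McAfee code or the Receiver's own parser: it reads a Riskive syslog line (header followed by key="value" pairs) and a Zscaler NSS CSV record (field order taken from the documented feed format) and returns dictionaries keyed by the ESM field names from the tables. The sample records are the ones shown on the page (the Riskive Headers value is trimmed); the numeric Severity assigned per AlertPriority is an assumption, since the page gives no scale, and Firsttime/Lasttime are taken from the syslog header rather than the HTTP Date header.

```python
"""Parse the two log formats documented above and map them to ESM field names.

Added example, not McAfee code. PRIORITY_SEVERITY is an assumed scale; the
sample records are the ones on the page (Riskive Headers trimmed).
"""
import csv
import re
from datetime import datetime
from io import StringIO
from urllib.parse import urlparse

# --- ZeroFox Riskive: syslog header, then key="value" pairs ---------------------
RISKIVE_HEADER = re.compile(
    r"^<(?P<pri>\d+)>\s*(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ver>\S+) (?P<host>\S+) (?P<msgid>\S+): (?P<body>.*)$"
)
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')
PRIORITY_SEVERITY = {"LOW": 25, "MEDIUM": 50, "HIGH": 75, "CRITICAL": 100}  # assumed scale
RISKIVE_SAMPLE = (
    '<133> Sep 20 16:02:19 2013 ZF1.0 192.168.0.3 5232117c1004db252d6479db: '
    'AlertPriority="MEDIUM" AlertType="CONTENT_ALERT" AlertName="ZeroFoxContent" '
    'URL="http://example.com/" IP="1.2.3.4" Score="0.0" Percentile="0" '
    'Headers="Cache-Control:no-store,no-cache,Server:Apache/2.2.15(CentOS)" '
    'DNS="name:example.com.,type:A,ttl:300,address:1.2.3.4,target:;'
    'name:example.com.,type:NS,ttl:21600,address:,target:03.dnsv.jp." '
    'ASNumber="9371" AsBlock="1.2.0.0/16"'
)


def parse_riskive(line: str) -> dict:
    """Map one Riskive syslog line to the ESM fields in the table above."""
    m = RISKIVE_HEADER.match(line)
    if not m:
        raise ValueError("not a Riskive syslog line")
    kv = dict(KV_PAIR.findall(m.group("body")))
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
    url = kv.get("URL", "")
    # DNS value: records separated by ';', each a ','-separated list of key:value.
    dns_names = []
    for record in filter(None, kv.get("DNS", "").split(";")):
        fields = dict(item.split(":", 1) for item in record.split(",") if ":" in item)
        if fields.get("name") and fields["name"] not in dns_names:
            dns_names.append(fields["name"])
    return {
        "Firsttime": ts, "Lasttime": ts,  # syslog header time (page derives these from Headers)
        "URL": url,
        "Web_Domain": urlparse(url).hostname or "",
        "DNS_Name": dns_names,
        "Severity": PRIORITY_SEVERITY.get(kv.get("AlertPriority", ""), 0),
        "src_ip": kv.get("IP", ""),
    }


# --- Zscaler NSS: quoted CSV in the documented field order -----------------------
ZSCALER_FIELDS = (
    "time login proto url action appname appclass reqsize respsize stime ctime "
    "urlclass urlsupercat urlcat malwarecat threatname riskscore dlpeng dlpdict "
    "location dept cip sip reqmethod respcode ua referer"
).split()
ZSCALER_SAMPLE = (
    '"Mon Jan 01 01:01:01 2001","example","HTTP","1.2.3.4/","Allowed","General Browsing",'
    '"General Browsing","123","321","78","78","General Surfing","Miscellaneous",'
    '"Miscellaneous or Unknown","Clean Transaction","None","0","None","None","Example",'
    '"Default Department","4.3.2.1","1.2.3.4","head","403 - Forbidden","example ua","None"'
)


def parse_zscaler(line: str) -> dict:
    """Map one NSS CSV record to the ESM fields in the table above."""
    row = next(csv.reader(StringIO(line)))
    if len(row) != len(ZSCALER_FIELDS):
        raise ValueError(f"expected {len(ZSCALER_FIELDS)} fields, got {len(row)}")
    rec = dict(zip(ZSCALER_FIELDS, row))
    ts = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
    return {
        "First Time": ts, "Last Time": ts,
        "Source User": rec["login"],
        "URL": rec["url"],
        "Bytes_from_Client": int(rec["reqsize"]),
        "Bytes_from_Server": int(rec["respsize"]),
        "URL_Category": " - ".join((rec["urlclass"], rec["urlsupercat"], rec["urlcat"])),
        "Threat_Category": rec["malwarecat"],
        "Threat_Name": rec["threatname"],
        "Reputation_Score": int(rec["riskscore"]),
        "Source IP": rec["cip"], "Destination IP": rec["sip"],
        "Command": rec["reqmethod"],
        "User_Agent": rec["ua"],
    }


if __name__ == "__main__":
    for name, parsed in (("Riskive", parse_riskive(RISKIVE_SAMPLE)),
                         ("Zscaler", parse_zscaler(ZSCALER_SAMPLE))):
        print(name, parsed)
```

The Zscaler parser rejects records whose field count does not match the feed template, which is the first thing to check when NSS events arrive unparsed: a customised Feed Output Format changes the column order and the documented mapping no longer applies.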

Configuring asset data sources

Configure an Altiris asset data source
Retrieve asset data from an Altiris server to meet compliance requirements like PCI.

Before you begin

You must have Asset Manager permissions on the Altiris Management Console.

Task

1. Click the Asset Manager icon, then click the Asset Sources tab.
The Asset Sources tree shows the McAfee ESM devices and Receivers on the system, and their current asset sources.

Note

McAfee ESM can have one asset source; McAfee Event Receivers can have multiple asset sources.

2. Select a device and click Add.

Option Definition

Enabled Enable or disable the data source.

Type Select Altiris.

Name Give the data source a name. Use a common naming convention for all asset data sources.

Zone (Optional) The zone where the Altiris server is located.

Priority Set a priority for this data source if it discovers an asset at the same time as another asset
data source.

IP Address and Port The IP address and port that ESM uses to connect to the Altiris server.

Use SSL If you want to use an encryption protocol for the data, select Use SSL.

User Name and Password Credentials for the Altiris server.

Enable Proxy To use a proxy server, select Enable Proxy and enter the IP address, port, and user
credentials.

Retrieve Data To schedule automatic data retrieval, set the interval. You can also retrieve data manually
(Asset Sources Retrieve).

3. Click Connect to test the connection to the server.

Configure an Active Directory asset data source


Set up Active Directory to send data to ESM.

The LDAP (Active Directory) Asset source uses the Active Directory server for data. If the IP address is missing from the directory
entry, the SIEM device queries the host (using the host name supplied by the Active Directory server) over NetBIOS, and falls back
to DNS if NetBIOS cannot resolve the IP address.

If this process does not resolve the IP address, the asset's IP address isn't added to the Assets table.

Note

The NetBIOS query uses UDP port 137 from the McAfee Event Receiver to the hosts, so port 137 must be allowed from the
SIEM device to each of the hosts listed in the LDAP server.
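The lookup order described above, reproduced as an added example (not McAfee code): a NetBIOS name query to UDP/137, then a DNS lookup if that yields nothing. It is also a quick way to confirm from a host on the Receiver's network that port 137 reaches a given asset. The packet layout follows RFC 1002; the 1-second timeout, the transaction ID, the Workstation name suffix (0x00) and the name and address used in the offline self-test are assumptions made for the example.

```python
"""NetBIOS-first, DNS-fallback host resolution (added example, not McAfee code).

Wire format per RFC 1002. Timeout, transaction ID, the <00> name suffix and
the self-test values are assumptions for this example.
"""
import socket
import struct
from typing import Optional

NBNS_PORT = 137
WORKSTATION_SUFFIX = 0x00   # assumed: <00> Workstation Service name
QUERY_FLAGS = 0x0110        # opcode QUERY, recursion desired, broadcast
RESPONSE_FLAGS = 0x8500     # response, authoritative answer, recursion desired
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001


def encode_netbios_name(name: str, suffix: int = WORKSTATION_SUFFIX) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then write each byte as two nibbles added to 'A' (0x41)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def build_name_query(name: str, txid: int) -> bytes:
    header = struct.pack(">HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name) + b"\x00"  # length byte, 32 chars, root label
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_name_response(name: str, ip: str, txid: int) -> bytes:
    """A positive NAME QUERY RESPONSE, built here so the parser can be exercised offline."""
    header = struct.pack(">HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name) + b"\x00"
    rdata = b"\x00\x00" + socket.inet_aton(ip)  # NB_FLAGS (B-node, unique) + NB_ADDRESS
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata


def parse_name_response(data: bytes, txid: int) -> Optional[str]:
    """Return the first IPv4 address in a positive response, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return None  # wrong transaction, not a response, RCODE set, or no answer
    pos = 12 + 34  # skip RR_NAME: length byte + 32 encoded chars + terminator
    if len(data) < pos + 10:
        return None
    _t, _c, _ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
    rdata = data[pos + 10:pos + 10 + rdlength]
    return socket.inet_ntoa(rdata[2:6]) if len(rdata) >= 6 else None


def resolve(name: str, nbns_target: str = "<broadcast>", timeout: float = 1.0) -> Optional[str]:
    """NetBIOS name query first; fall back to DNS when that yields nothing."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_name_query(name, txid), (nbns_target, NBNS_PORT))
        ip = parse_name_response(sock.recv(576), txid)
        if ip:
            return ip
    except OSError:  # includes socket.timeout
        pass
    finally:
        sock.close()
    try:
        return socket.gethostbyname(name)  # DNS fallback
    except socket.gaierror:
        return None  # unresolved: the asset is listed without an IP address


if __name__ == "__main__":
    import sys
    # Offline self-test of the wire format, then a live lookup if a name is given.
    demo = build_name_response("WORKSTATION", "10.0.0.5", 0x1234)
    print("parsed", parse_name_response(demo, 0x1234))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", resolve(sys.argv[1]))
```

Run it with a host name as the first argument from a machine on the same segment as the Receiver; a timeout followed by a DNS answer is what the Receiver sees when port 137 is blocked, and a timeout followed by None is the case in which the asset's IP address is not added to the Assets table.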

Task

1. Click the Asset Manager icon, then click the Asset Sources tab.
The Asset Sources tree shows the McAfee ESM devices and Receivers on the system, and their current asset sources.

Note

McAfee ESM can have one asset source; McAfee Event Receivers can have multiple asset sources.

2. Select a device and click Add.


Enabled Enable or disable the data source.

Type Select Active Directory.

Name Give the data source a name. Use a common naming convention for all asset data sources.

Zone (Optional) The zone where the Active Directory server is located.

Priority Set a priority for this data source if it discovers an asset at the same time as another asset
data source.

IP Address and Port The IP address and port that ESM uses to connect to the Active Directory server.

Use TLS If you want to use an encryption protocol for the data, select Use TLS.

User Name and Password Credentials for the Active Directory server.

Search Base The point in the directory tree where you want to start searching. See Active Directory
documentation for more detail.

Retrieve Data To schedule automatic data retrieval, set the interval. You can also retrieve data manually
(Asset Sources Retrieve).

3. Click Connect to test the connection to the server.

Add McAfee Vulnerability Manager


Get vulnerability assessment (VA) data to process in ESM.

Note

Ensure that VA data is collected only once. Duplicate data collection can cause unpredictable behavior in ESM.


Task

1. From the dashboard, click and select Asset Manager.
2. Select the Vulnerability Assessment tab.
3. Select McAfee Vulnerability Manager.

Option Definition

Client ID Type the Frontline client ID number. This field is required for Digital Defense Frontline.

Company Name On FusionVM, the name of the company that must be scanned. If this field is left blank, all
companies that the user belongs to are scanned. If you enter more than one company,
separate the names with a comma.

Data Retrieval (Qualys QualysGuard) Select the method to retrieve the VA data. HTTP/HTTPS is the
default. The other options are SCP, FTP, NFS, CIFS, and Manual upload.

Note: A Qualys QualysGuard log file manual upload has a file size limit of 2 GB.

Domain Type the domain of the Windows box (optional, unless your domain controller or server
exists in a domain).

Exported scan file directory The directory where exported scan files reside.

Exported scan file format The exported scan file format (XML, NBE).

Install directory The location where Saint was installed on the server. The installation directory for a Saint
appliance scanner is /usr/local/sm/.

IP Address • eEye REM: The IP address of the eEye server that is sending trap information.
• eEye Retina: The IP address of the client holding exported scan files (.rtd).
• McAfee® Vulnerability Manager: The IP address of the server on which it is installed.
• Nessus, OpenVAS, LanGuard, and Rapid7 Metasploit Pro: The IP address of the client
holding exported scan files.
• NGS: The IP address of the system that is storing the Squirrel reports.


• Rapid7, Lumension, nCircle, and Saint: The IP address of the respective server.

Mount Directory If you select nfs in the Method field, the Mount Directory fields are added. Enter the
mount directory set when you configured nfs.

Method The method to use to retrieve the exported scan files (SCP, FTP, NFS, or CIFS mount).
LanGuard always uses CIFS.

Password • McAfee® Vulnerability Manager: If using Windows authentication mode for SQL Server,
the password of the Windows box. If not, the password of the SQL Server.
• Nessus, OpenVAS, LanGuard, and Rapid7 Metasploit Pro: The password of SCP or FTP.
• NGS: The password for the SCP and FTP methods.
• Qualys and FusionVM: The password for the Qualys Front Office or FusionVM user
name.
• Rapid7 Nexpose, Lumension, nCircle, and Saint: The password to use when connecting
to the web server.
• Digital Defense Frontline: The web interface password.

Port Port Rapid7 Nexpose, Lumension, nCircle, McAfee® Vulnerability Manager, or Saint web
server are listening on. The default for Rapid7 Nexpose is 3780, for Lumension is 205, for
nCircle is 443, for McAfee® Vulnerability Manager is 1433, and for Saint is 22.

Project/Workspace Name Name of a particular project or workspace, or leave it blank to retrieve all projects or
workspaces.

Proxy IP Address IP address of the HTTP proxy.

Proxy Password Password for the proxy user name.

Proxy Port Port on which the HTTP proxy is listening.

Proxy Username User name for the proxy.

Qualys or FusionVM server URL URL of the Qualys or FusionVM server to query.


Remote path and share name CIFS method for Nessus, OpenVAS, eEye Retina, Metasploit Pro, LanGuard, and NGS.
You can use back or forward slashes in the path name (for example, Program Files\CIFS\va
or /Program Files/CIFS/va).

Schedule Receiver or DEM data retrieval Indicate the frequency with which you want the VA data to be retrieved from the
Receiver or McAfee Database Event Monitor:

• Daily — time to retrieve data each day.
• Weekly — Day of the week and the time on that day to retrieve data.
• Monthly — Day of the month and the time on that day to retrieve data.

If you do not want to retrieve data at a preset time, select Disabled.

Note: eEye REM does not support data retrieval from the source so the data must
be retrieved from the Receiver or McAfee Database Event Monitor.

Schedule VA data retrieval Indicate the frequency with which you want the VA data to be retrieved from the VA source.

Session Saint: The session that data is gathered from. To include all sessions, type All.

SNMP authentication password If you select authNoPriv or authPriv in the SNMP security level field, this field is active.
Enter the password for the authentication protocol selected in the SNMP authentication protocol field.

SNMP authentication protocol If you select authNoPriv or authPriv in the SNMP security level field, this field is active.
Select the type of protocol for this source: MD5 or SHA1 (SHA1 and SHA are the same protocol type). Make sure that your
REM Events Server configuration matches your selection. Prefer SHA1 where the REM Events Server supports it; MD5 is kept
for compatibility.

SNMP Community SNMP community set when you configured the REM Events Server.

SNMP privacy password If you select authPriv in the SNMP security level field, this field is active. Enter the
password for the DES or AES privacy protocol. In FIPS mode, AES is the only option available.

SNMP privacy protocol If you select authPriv in the SNMP security level field, this field is active and you can
select either DES or AES. In FIPS mode, AES is the only option available; prefer AES outside FIPS mode as well.

SNMP security level Security level you want to set for this source.

• noAuthNoPriv — No authentication protocol and no privacy protocol
• authNoPriv — Authentication protocol but no privacy protocol
• authPriv — Both authentication and privacy protocol.

SNMP authentication and privacy fields become active based on the security level you
select. Make sure that your REM Events Server configuration matches your selection.

SNMP user name Security name in REM Events Server Configuration.

SNMP version Version of SNMP for the source. The SNMP fields are activated based on the version
selected.

SNMPv3 Engine ID (Optional) SNMPv3 Engine ID of the trap sender, if an SNMPv3 profile is used.

Sudo password (Optional) Type the password to access the Saint installation directory.

Time out This field allows you to use the default time-out value for a source or provide a specific
time-out value. This is useful if you have a large amount of VA data from a vendor and the default
time-out setting does not allow all or any of the data to be returned. You can increase the time-out
value to allow more VA data retrieval time. If you provide a value, it is used for all
communications.

Token (Optional) Authentication token that can be set in the Metasploit Global Settings.

URL Type the URL to the Digital Defense Frontline server.

Use HTTP Proxy If you select to use the HTTP proxy, the Proxy IP Address, Proxy Port, Proxy Username,
and Proxy Password fields become active.

Use Passive mode If you select ftp in the Method field, this field becomes active. Select when to use passive
mode.


Use sudo Select this option if you have access to the Saint installation directory and want to use this
access.

Use System Profile (eEye REM) Select whether to use a previously defined profile. If you select this option, all SNMP
fields are deactivated. When you select one of the existing system profiles, the fields are populated with the
information in the profile selected.

User name • McAfee® Vulnerability Manager: If you are using Windows authentication mode for the SQL
Server, enter the user name of the Windows box. If not, it is the user name of the SQL Server.
• Nessus, OpenVAS, and Rapid7 Metasploit Pro: The user name of SCP or FTP.
• NGS: The user name for the SCP and FTP methods.
• Qualys or FusionVM: The Front Office or FusionVM user name with which to
authenticate.
• Rapid7 Nexpose, Lumension, nCircle, and Saint: The user name to use when
connecting to the web server.
• Digital Defense Frontline: The web interface user name.

VA Source Name Type the name for this source.

Wildcard expression A wildcard expression used to describe the name of exported scan files. The wildcard
expression can use an asterisk (*) or question mark (?) with the standard definition of
"wildcard" in a file name.

If you have both NBE and XML files, you must specify if you want NBE or XML files in this
field (for example, *.NBE or *.XML). If you only use an asterisk (*), you get an error.


Troubleshooting
Find a solution to your data source configuration issue.

General troubleshooting tips

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled
out to the McAfee Event Receiver.

If there are errors saying events are being discarded because the Last Time value is more than one hour in the future, or the
values are incorrect, the Time Zone settings for the data source or ESM might need to be adjusted.
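The time-zone problem described above can be reproduced offline. This is an added example, not McAfee code or the Receiver's actual timestamp logic: an RFC 3164 syslog timestamp such as Sep 20 16:02:19 carries no year and no UTC offset, so the Last Time the Receiver records depends on the data source's Time Zone setting. The script shows how a device in UTC+3 whose data source is configured as UTC produces a Last Time almost three hours ahead of the Receiver clock, past the one-hour limit the tip mentions. The sample timestamp, the Receiver clock value and the UTC+3 offset are constructed for the example.

```python
"""Why a wrong Time Zone setting makes the Receiver discard events.

Added example, not McAfee code. The one-hour limit is the one the
troubleshooting text states; the timestamp, clock value and offset are
constructed inputs.
"""
from datetime import datetime, timedelta, timezone

FUTURE_LIMIT = timedelta(hours=1)  # limit stated in the troubleshooting text
UTC = timezone.utc


def event_time(syslog_ts: str, source_tz: timezone, year: int) -> datetime:
    """Interpret an RFC 3164 timestamp in the configured source zone and return it as UTC."""
    naive = datetime.strptime(f"{syslog_ts} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=source_tz).astimezone(UTC)


def check_last_time(syslog_ts: str, source_tz: timezone, receiver_now: datetime):
    """Return (discarded, skew), where skew is the event time minus the Receiver clock."""
    skew = event_time(syslog_ts, source_tz, receiver_now.year) - receiver_now
    return skew > FUTURE_LIMIT, skew


# Constructed inputs: Receiver clock in UTC, and a device logging its local UTC+3 time.
RECEIVER_NOW = datetime(2013, 9, 20, 13, 5, 0, tzinfo=UTC)
SAMPLE_TS = "Sep 20 16:02:19"
UTC_PLUS_3 = timezone(timedelta(hours=3))

if __name__ == "__main__":
    for label, tz in (("Time Zone = UTC+3 (matches device)", UTC_PLUS_3),
                      ("Time Zone = UTC (wrong)", UTC)):
        discarded, skew = check_last_time(SAMPLE_TS, tz, RECEIVER_NOW)
        print(f"{label}: skew {skew}, discarded={discarded}")
```

A skew that is consistently a whole number of hours ahead points at the Time Zone setting; a skew that drifts over time points at the device's clock instead.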

When creating custom ASP rules, the Key and Value table located in the Parsing tab displays potential field mappings based on
the log text entered in the Sample Log Data section. None of the data from the Key and Value table is populated by default.
Actual field assignments are set in the Field Assignment tab by dragging and dropping the key onto the wanted field.

When analyzing parsed event details, fields on the Custom Types tab are not present if the data intended to be captured for that
specific field is absent from the received logs.

Check data source health

View the operational status of a data source.

If you suspect a data source is not operating correctly, use the Health feature to view its status.

Task

1. From the device tree, select the data source, then click Properties.
2. In the Data Source Properties window, click Health.
The Data Source Health Check window displays status information.
3. Search the output for errors or warnings that indicate a problem with the data source.

Data source not sending events

Identify and resolve issues that prevent a data source from sending events to a McAfee Event Receiver.

Before you begin

Determine which Ethernet adapter is in use. On non-HA Receivers, it is usually eth0, and on HA Receivers it is usually eth1 or the
'floating' IP.


Task

1. Use SSH to connect to the McAfee Event Receiver.
2. Enter tcpdump -nni ethx host x.x.x.x where x.x.x.x is the IP address of the data source, and ethx is the Ethernet
adapter in use.

Note

For syslog data sources, you should see incoming traffic on port 514 UDP. Slower data sources might need a few
minutes of observation before a packet is observed, and faster ones such as a firewall are almost immediate. If no
packets are observed, you may have a firewall or endpoint issue.

3. Check the IP and Ethernet numbers. If these are correct, the problem is likely on the endpoint. For non-syslog data sources,
perform a connection test from the GUI while running tcpdump. (WMI will 'pull' data over port 135, SQL will pull data over
port 1433, and so on.)

Note

If the IP and port information is correct and incoming traffic is not seen in the tcpdump, the problem could be related to
a firewall or network issue preventing inbound traffic over the specified port. Consult your network administrator.

4. Enter iptables -n -v -L | grep x.x.x.x. Ensure there is a rule in place for the data source IP address that lets its traffic
through the firewall.

Note

Typical output from iptables includes the port and IP address of the data source.

5. In McAfee ESM, select the data source from the device tree.
6. Open the Device Status dashboard. Scroll down to find the vipsid number of the data source.
7. Use SSH to connect to the McAfee Event Receiver and enter ls -al /var/log/data/inline/thirdparty.logs/<vipsID
number>/in.
If the file size of Data.xxxxxx is larger than zero, data is being stored on the McAfee Event Receiver.

Received data is not parsed

Identify and resolve issues that prevent data from being parsed after it is stored on the McAfee Event Receiver.

Task

1. Ensure the correct parser is selected. In instances where there is more than one possible parser, choose the one with (ASP)
in the title.
2. Ensure the delivery and format settings are set to default values (unless you are using MEF or non-syslog data sources).
3. Make sure the data source settings and policy are current.


a. Select the data source and click Properties.
b. Click Editor.
c. Make a minor change such as adding and deleting a space and click OK.
d. On the Data Source Properties page, click Write.
4. Roll out policy.

a. Select the McAfee Event Receiver from the device tree and click Policy Editor.
b. On the Policy Editor page, click Operations → Rollout.
c. On the Rollout page, select the McAfee Event Receiver and click OK.
5. For syslog data sources, enable logging of unknown events.

a. Select the data source and click Properties.
b. Click Editor.
c. Under Support Generic Syslogs, select Log "unknown syslog" event.
Unknown event types are logged as unknown rather than being discarded.
6. Make sure port numbers are assigned correctly (Interface → Communication).
7. In Policy Editor, make sure rules for the data source are enabled.

Note

Default policy rules are disabled by default and should not be enabled at the default level.

Parsed data not displayed on dashboard

Identify and resolve issues that prevent data from being displayed on the dashboard.

Task

1. Check if other data sources are working as expected.
2. If no data sources are displaying events, stop and start the McAfee Event Receiver.

Settings and policies not implemented

Identify and resolve issues with settings and policies that prevent data from being displayed.

Task

1. On the Configuration page, select the McAfee Event Receiver and click Properties.
2. Click Data Sources.
3. If the Write button is dimmed, make a minor change (add a space and remove it) to a data source.
4. Click Write.
5. If the Rollout page opens, select Rollout policy to all devices now.
6. If the Rollout page does not open, roll out policy manually.


a. From the dashboard, select the ESM device.
b. Click Policy Editor.
c. Click Operations → Rollout.
d. Select Rollout policy to all devices now and click OK.

Generic syslog configuration details

Different options are available when configuring a new data source. When some options are selected, additional parameters
might appear.

This section outlines the general options available in the Add Data Source configuration screen and provides details.

Option Definition

Use System Profiles System Profiles let you reuse settings that are needed repeatedly, without having to enter the
information each time. An example is WMI credentials, which are needed to retrieve Windows Event
Logs if WMI is the chosen mechanism.

Data Source Vendor List of all supported vendors.

Data Source Model List of supported products for a vendor.

Data Format The expected format of the received / collected data. Options are Default, CEF, and MEF. Generally,
this option is left as Default for supported data sources; it is intended to be used for custom data
sources.

Note: If CEF is selected, the generic CEF parsing rule is enabled and rolled into policy for that
data source. If selected on supported CEF data sources, the generic parsing rule might override
existing parsing rules that are designed to parse data source-specific details. This results in
degraded reporting for the specific data source.

Data Retrieval The expected collection method used by the McAfee Event Receiver to collect the data. The default is
generally syslog. Typically, this option is changed to match the needs in a specific user's environment.
The data needs to remain in the expected format, otherwise the parsing rules cannot parse the
events.

Enabled: Parsing/Logging/SNMP Trap Parsing enables the data source to pass events to the parser. Logging enables the data
source to pass raw event data to the McAfee Enterprise Log Manager (ELM). SNMP enables reception of SNMP traps for select
data sources. If none of the options are checked, the settings are saved to McAfee ESM, but the data source is effectively
disabled. The default is Parsing.

Name This is the name that appears in the Logical Device Groupings tree and the filter lists.

IP Address/Hostname The IP address and host name associated with the data source device.

Syslog Relay Allows data to be collected via relays with the option to group events under specific data sources
based on syslog header details. Enable syslog relay on relay sources such as Syslog-NG.

Mask Allows a mask to be applied to an IP address so that a range of IP addresses can be accepted. Keep the range as
narrow as the source requires, because any host in the range can submit events under this data source.

Require Syslog TLS When enabled, requires the McAfee Event Receiver to communicate over TLS.

Support Generic Syslog Allows users to select one of the following options: Parse generic syslog, Log unknown syslog
event, or Do nothing. These options control how McAfee ESM handles unparsed logs. Parse generic syslog creates an event
for every unique unparsed event collected. Log unknown creates a single generic event and increments the count for every
unparsed event. Do nothing ignores unparsed events. Use Parse generic syslog sparingly, as it can negatively impact McAfee
Event Receiver and McAfee ESM performance when there is a high incoming rate of unparsed logs. If unparsed events must be
reported in McAfee ESM, use the Log unknown option; otherwise, leave the setting as Do nothing.

Time Zone Set based on the time zone used in the log data. Generally, it is the time zone where the actual data
source is located.

Interface Opens the McAfee Event Receiver interface settings to associate ports with streams of information.

Advanced Opens advanced settings for the data source.

COPYRIGHT
Copyright © 2022 Musarubra US LLC.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.
