Troubleshooting  1071
  General troubleshooting tips  1071
  Check data source health  1071
  Data source not sending events  1071
  Received data is not parsed  1072
  Parsed data not displayed on dashboard  1073
  Settings and policies not implemented  1073
The information in this document regarding McAfee or third-party products or services is provided for the education and
convenience of McAfee customers only.
All information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to
the accuracy or applicability of the information to any specific situation or circumstance.
A data source holds the location and connection information of your network's sources of data. It acts as a connector to your
source of data.
Define a Data Source for each network item from which you want to collect data.
If the data source is already a parent or child, or if it is a WMI data source and Use RPC is selected, this option is unavailable.
You can add more than one client data source with the same IP address and use the port number to differentiate them. This
allows you to segregate your data using a different port for each data type, then forward the data using the same port it came
into.
When you add a client data source, select whether to use the parent data source port or another port.
Note
WMI client data sources do not have time zone configurations because the query sent to the WMI host determines the time
zone.
When adding a correlation data source, select McAfee as the vendor and Correlation Engine as the model.
Enabling the correlation data source allows McAfee ESM to send alerts to the receiver correlation engine.
Note
Only one correlation data source can be added per McAfee Event Receiver (ERC). If more than one is required, McAfee ACE is
recommended.
Important
In many cases, integrations will work with newer versions of third-party products than those listed. Exceptions to this are:
• Log file format changes in third-party products that require SIEM parsing rule modifications.
• Code changes in third-party products that require new code-based SIEM collectors.
Vendor | Product Name | Device Type | Versions | Parser | Collection Method | Verified ESM Version | Notes
A10 Networks | Load Balancer | Load Balancer | All | ASP | Syslog | 10.0 and later | AX Series
Avecto | Privilege Guard (ePO) | IAM / IDM | 3.x | ASP | ePO - SQL | 10.0 and later | -
Check Point | Check Point | Firewall | All | ASP | OPSEC | 10.0 and later | Firewall 1, Edge, Enterprise, Express, NG, NGX, SmartEvent, and VPN
Check Point | Check Point via Syslog | Firewall | All | ASP | Syslog | 10.1 and later | Using Check Point Log Exporter
Cofense | Triage | Email Security | 2.0 | ASP | Syslog | 10.0 and later | CEF format is supported.
 | CIFS/SMB File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | FTP/FTPS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | HTTP/HTTPS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | NFS File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | SCP File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | SFTP File Source | Other | N/A | Code Based | File pull | 10.0 and later | ELM only
 | Tivoli Endpoint Manager - BigFix | Host / Server / Operating Systems / Other | All | ASP | Syslog | 10.0 and later | Linux Agent Required
LOGbinder | LOGbinder for SharePoint (SP) | Application | 4.0, 5.0, 5.1 | ASP | Syslog | 10.0 and later | CEF and Standard Syslog formats are ... later LOGbinder data source.
Malwarebytes | | | | | | | Malwarebytes Anti-Exploit running on managed endpoints. ESM supports CEF formatted syslog.
 | Enterprise Log Manager | - | - | - | - | - | -
 | Enterprise Security Manager | - | - | - | - | - | -
 | Event Receiver (ERC) | - | - | - | - | - | -
 | Event Receiver/ELM | - | - | - | - | - | -
 | Internet Authentication Service - Formatted | Web Content / Filtering / Proxies | 2000, 2003, 2008 | ASP | File Pull | 10.0 and later | IAS Legacy Format
 | Internet Authentication Service - XML | Web Content / Filtering / Proxies | 2008 R2, 2012 | ASP | File Pull | 10.0 and later | DTS Compliant Format
nPulse | CPX Packet Capture | Flow and Packet Capture | All | N/A | N/A | 10.0 and later | URL Integration
 | Real Application Clusters - RAC | Database | 11g | ASP | File Pull | 10.0 and later | Parses the Event Manager Log (evmd.log)
Red Hat | JBoss / WildFly v8 | Application Server | Jboss 7.x, WildFly v8.x | ASP | Syslog | 10.0 and later | -
RioRey | DDoS Protection | Firewall / DoS | RIOS 5.0, 5.1, 5.2 | ASP | Syslog | 10.0 and later | -
Silver Spring Networks | Network Infrastructure | Smart Grid | All | ASP | File pull / McAfee SIEM Agent | 10.0 and later | -
Skyhigh Networks | Cloud Security Platform | DLP | 2.2 | ASP | Syslog | 10.0 and later | CEF format is supported.
 | FireSIGHT Management Console - eStreamer | IDS / IPS | 5.x, 6.x | Code Based | eStreamer | 10.0 and later | Use Cisco Firepower Management Center - estreamer
Note
This is the basic process for adding a data source. Instructions specific to individual data sources are given separately.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
5. Configure the data source using the configuration instructions.
6. (Optional) Click Advanced and configure the settings.
7. Click OK.
Task
1. Click the Get Events and Flows icon on the actions toolbar to pull events or flows.
2. From the McAfee ESM dashboard, click and select More Settings.
3. On the system navigation tree, select the receiver, then click the Properties icon.
4. On the Receiver Properties page, click Data Sources → Auto Learn.
5. On the Auto Learn page, click Configure.
6. On the Auto Add Rule Editor page, select Enable auto creation of data sources.
7. Click Add, then select the auto add rules you want the receiver to use to create data sources automatically.
8. To apply selected rules to the existing auto learned data, click Run Now.
Task
1. From the McAfee ESM dashboard, click and select More Settings.
Top pane
  Description: A text label that helps users identify what the rule accomplishes.
Auto Learn Matching Criteria
  IP/CIDR and Host Name: The network location and host name from which traffic must originate to trigger the rule.
  Port: The port that traffic must come through to trigger the rule.
  Vendor and Model: The rule triggers only when traffic originates from this vendor and model of device.
Data Source/Client Creation Parameters
  Name: The name for the data source. This field supports variables to represent IP address, model, and host name. For example, you can type Data source - {MODEL}_{HOST}_{IP}.
  Data source type: Sets the new data source as a Data Source or a Client.
  Parent: Assigns a device to act as the parent of the new data source.
  Vendor and Model: The new data source appears in the system with this vendor and model.
  Zone: (Optional) The zone where the new data source appears.
  Storage Pool: If you want the data generated by the data source (not clients) to be stored on the ELM, click Storage Pool and select the storage pool.
b. Click OK.
6. On the Auto Add Rule Editor page, use the arrows to arrange the rules in the order you want.
7. Click Run Now to apply the rules to the current auto learn results.
Results
Auto creation happens when alerts are pulled from the Receiver, either manually or automatically by McAfee ESM.
Task
1. On the system navigation tree, select Receiver Properties, then click Data Sources.
2. On the data sources table, select the primary data source to which you want to add a data source.
3. Click Add Child, then fill out the fields as you would for a parent data source.
4. Click OK.
Task
1. From the McAfee ESM dashboard, click and select More Settings.
Note
e. Select Require syslog TLS to apply Transport Layer Security (TLS) encryption for syslog.
f. Set the port.
g. Select Match by type to match clients by type, then select the vendor and model of this client.
h. Click OK.
Results
Events go to the data source (parent or client) that is more specific. For example, you have two client data sources, one with an IP
address of 1.1.1.1 and the second with an IP address of 1.1.1.0/24, which covers a range. Both are the same type. If an event
matches 1.1.1.1, it goes to the first client because it is more specific.
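The most-specific-match rule above, as an added example that is not part of this guide or the McAfee product: an event is matched against the client data sources of the same type (vendor and model) and port, and the client with the longest prefix wins; when nothing matches, the event falls through to the parent. The client list, the vendor/model names "VendorB"/"ModelB" and the port values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ClientDataSource:
    name: str
    network: ipaddress.IPv4Network  # the client's IP address (a /32) or CIDR range
    vendor: str
    model: str
    port: Optional[int] = None      # None: the client listens on the parent data source port


def client(name: str, cidr: str, vendor: str, model: str,
           port: Optional[int] = None) -> ClientDataSource:
    # strict=False lets "1.1.1.1" become 1.1.1.1/32 and tolerates host bits in a range
    return ClientDataSource(name, ipaddress.ip_network(cidr, strict=False), vendor, model, port)


# Constructed client list: the two clients from the example in the guide, plus a client
# of a different type on the same range to show that type must match first.
CLIENTS: List[ClientDataSource] = [
    client("host-1.1.1.1", "1.1.1.1", "Generic", "Advanced Syslog Parser"),
    client("subnet-1.1.1.0", "1.1.1.0/24", "Generic", "Advanced Syslog Parser"),
    client("subnet-other-type", "1.1.1.0/24", "VendorB", "ModelB", port=1514),
]


def route_event(src_ip: str, vendor: str, model: str, port: int,
                parent_port: int = 514,
                clients: List[ClientDataSource] = CLIENTS) -> Optional[str]:
    """Name of the most specific client that should receive the event, or None when
    no client matches and the parent data source handles it."""
    addr = ipaddress.ip_address(src_ip)
    candidates = [
        c for c in clients
        if c.vendor == vendor and c.model == model       # "Match by type"
        and (c.port if c.port is not None else parent_port) == port
        and addr in c.network
    ]
    if not candidates:
        return None
    # Longest prefix is the most specific: 1.1.1.1/32 beats 1.1.1.0/24.
    return max(candidates, key=lambda c: c.network.prefixlen).name
```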
Task
1. On the system navigation tree, click a Receiver, then click the Add Data Source icon .
2. Select Generic in the Data Source Vendor field, then Advanced Syslog Parser in the Data Source Model field.
3. Enter the information requested, and select the correct encoding in the Encoding field.
Task
1. On the system navigation tree, select a Receiver, then click the Add data source icon .
2. Click Advanced, then make a selection in the Date Order field:
• Default - Uses the default date order (month before day). When using client data sources, clients using this setting
will inherit the date order of the parent data source.
• Month before day - The month goes before the day (04/23/2014).
• Day before month - The day goes before the month (23/04/2014).
3. Click OK.
• Copy files — The system copies whole logs from the remote share to the Receiver to be processed. If log files are large
and updated with new information infrequently, copying the whole log file can be inefficient and time consuming.
• Tail files — Logs are read remotely and only new events are read. Each time the log is read, it reads from the position
where it stopped previously. If the file changes significantly, this is detected and the whole file is reread from the beginning.
Task
1. From the McAfee ESM dashboard, click and select More Settings.
• Delimited Multiline Events — Select to specify if the events have dynamic length.
• Event Delimiter — Enter a string of characters that signal the end of an event and the beginning of another. These
delimiters vary greatly and depend on the type of log file.
• Delimiter is regex — Select if the value in the Event Delimiter field is to be parsed as a regular expression rather
than a static value.
• Tail Mode — Select Beginning to parse files completely that are encountered on the first run, or End to note the
file size and collect only new events.
• Recurse subdirectories — Select to read collection from child directories (subdirectories), looking for matches with
the wildcard expression field. If not selected, it searches only the parent directory files.
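The Tail files behaviour and the file-pull options above (Event Delimiter, Delimiter is regex, Tail Mode, Recurse subdirectories), as an added example that is not part of this guide or the McAfee product: a small collector that keeps a per-file byte offset, rereads a file from the beginning when it has shrunk below the saved offset (my stand-in for the guide's "changes significantly" check, which the guide does not define), and splits the collected text into events on a static or regex delimiter. The sample log directory, file names and the timestamp regex are constructed for the example.

```python
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TailConfig:
    wildcard: str = "*.log"            # wildcard expression for file names to collect
    recurse: bool = False              # Recurse subdirectories
    tail_mode: str = "End"             # Tail Mode: "Beginning" or "End"
    event_delimiter: str = "\n"        # Event Delimiter
    delimiter_is_regex: bool = False   # Delimiter is regex


def split_events(buf: str, delimiter: str, is_regex: bool) -> Tuple[List[str], str]:
    """Split collected text into complete events. The text after the last delimiter is
    returned separately: it may be an event that is still being written."""
    parts = re.split(delimiter, buf) if is_regex else buf.split(delimiter)
    return [p for p in parts[:-1] if p.strip()], parts[-1]


@dataclass
class TailCollector:
    root: str
    cfg: TailConfig
    offsets: Dict[str, int] = field(default_factory=dict)  # byte position where reading stopped
    carry: Dict[str, str] = field(default_factory=dict)    # undelimited tail kept per file

    def matching_files(self) -> List[str]:
        # With recurse off only the parent directory is searched.
        dirs = os.walk(self.root) if self.cfg.recurse else [(self.root, [], os.listdir(self.root))]
        return sorted(os.path.join(d, n) for d, _, names in dirs for n in names
                      if fnmatch.fnmatch(n, self.cfg.wildcard) and os.path.isfile(os.path.join(d, n)))

    def poll(self) -> List[str]:
        events: List[str] = []
        for path in self.matching_files():
            size = os.path.getsize(path)
            if path not in self.offsets:
                # First run: Beginning parses the whole file, End only notes its size.
                self.offsets[path] = 0 if self.cfg.tail_mode == "Beginning" else size
            elif size < self.offsets[path]:
                # File shrank below the saved position: treat as rewritten and reread it.
                self.offsets[path], self.carry[path] = 0, ""
            with open(path, "rb") as fh:
                fh.seek(self.offsets[path])
                data = fh.read().decode("utf-8", errors="replace")
                self.offsets[path] = fh.tell()
            done, rest = split_events(self.carry.get(path, "") + data,
                                      self.cfg.event_delimiter, self.cfg.delimiter_is_regex)
            self.carry[path] = rest
            events.extend(done)
        return events


# Regex delimiter for multiline events that each begin with a date; the lookahead splits
# before the date so the timestamp stays with its own event (constructed example).
TIMESTAMP_DELIM = r"(?m)^(?=\d{4}-\d{2}-\d{2} )"


def demo(tail_mode: str = "End") -> List[List[str]]:
    """Constructed scenario: one log file that is appended to, then rewritten smaller."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "app.log")
        with open(path, "w", newline="\n") as fh:
            fh.write("old event 1\nold event 2\n")
        coll = TailCollector(root, TailConfig(tail_mode=tail_mode))
        rounds = [coll.poll()]                     # first run
        with open(path, "a", newline="\n") as fh:
            fh.write("new event 3\nnew event 4\n")
        rounds.append(coll.poll())                 # only the appended events
        with open(path, "w", newline="\n") as fh:
            fh.write("rotated 5\n")                # smaller than the saved offset
        rounds.append(coll.poll())                 # whole file reread from the beginning
        return rounds
```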
Task
1. From the McAfee ESM dashboard, click and select More Settings.
Migrate data sources to new Receivers and balance data sources between Receivers. Or, if you replace your Receiver, you can
transfer your data sources from your current Receiver to the new one.
Task
1. From the McAfee ESM dashboard, click and select More Settings.
• You can't transport flow data sources (for example, IPFIX, NetFlow, or sFlow).
• The source events of correlated events do not display.
• If you change correlation rules on the second Receiver, the correlation engine doesn't process those rules. When you
transport correlation data, the system inserts those events from the file.
Task
Note
The data is exported to a remote location and is configured using a profile. The system now copies raw data
generated by this data source to the remote share location.
Note
The data sources are added to the second Receiver and access the raw data through the remote share profile.
• To import raw data source data copied from a Receiver in a secured location to a Receiver in an unsecured location.
• To edit the data sources on a Receiver by adding data sources to the existing list, editing existing data sources, or
removing existing data sources.
Task
Note
You can't edit the policy or the name of the data source.
c. For added data sources, change the rec_id to the ipsid of the Receiver you are importing to.
d. Save the changes made to the spreadsheet.
Note
You can't edit a data source to make it a data source from a client data source or the other way around.
Note
You can't change the policy or the name of the data source.
File format
If you are working with an exported .csv file, the first row shows the ESM version that the data was exported from. If you are
creating a new .csv file to provision data sources, enter the target ESM version.
G parent_id If the data source is a child, this indicates the data source's parent.
I matching_type Defines a type of matching for data coming into this data source.
J aruba_version If the new data source is Aruba, this indicates its version. Otherwise, it's empty.
K autolearn Defines whether the parser should autolearn events. T=true, F=false. Default is false.
N linked_ipsid Original IPSID from the export. The new IPSID is likely different after the data source is added to a new receiver.
P nitro_formated_file Used for forwarded client data sources. Upon export, this contains the original IPSID.
R parsing Sets whether the data collected by this data source should be parsed. Default 'yes', otherwise 'no'.
S policy_name If policy is included in the export, this will reference that policy by name.
T require_tls For syslog data sources, sets TLS enabled (T) or disabled (F).
V syslog_port The port configured to listen on for this syslog data source (otherwise empty).
W type The DSID (data source ID) of the data source. Default is 49190.
Task
Note
Make sure that the Send Restrictions and Receive Restrictions column has All Systems or a Tag that is specific to the
selected McAfee Event Receiver (ERC).
Note
Make sure that Send Restrictions and Receive Restrictions are configured correctly.
4. Select Server Tasks and run the Manage DXL Brokers task.
5. Perform the Wake Up Agent task on the ERC from the McAfee ePO console.
6. With an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop and NitroStart.
The McAfee Active Response events in the SIEM GUI are displayed after 10-15 minutes.
Task
Option Definition
Port 514
Transport TCP
Task
1. From McAfee ESM, select a receiver and click the Add Data Source icon.
Option Definition
Mask 32
Time Zone The time zone where the Advanced Threat Defense device is located.
2. Click OK and click Yes when prompted to add Advanced Threat Defense as a cyber threat feed source.
A cyber threat feed source is an automatic way to provide McAfee ESM with IOCs. You can view and manage IOCs with the
Cyber Threat Manager dashboard.
The Cyber Threat Feed Wizard opens.
3. On the Main tab, type a name for the feed and click Next.
4. Type your Advanced Threat Defense credentials and click Connect to test your settings.
5. If you want to populate watchlists, select the Watchlist tab and configure the watchlists.
6. If you want to detect past occurrences of this IOC, select the Backtrace tab and run a backtrace.
7. Click Finish and then click Yes to apply the settings.
{"Type":"Audit","MsgId":"M-TR-12-0","Result":"Success","User":"admin","Category":"Admin","Client":"10.10.10.10","Action":"Troubleshooting Log-Files Download","Description":"Successfully downloaded Log binary. "}
{"Type":"Audit","MsgId":"M-TR-13-1","Result":"Failure","User":"admin","Category":"Admin","Client":"10.10.10.10","Action":"Troubleshooting Diagnostic-File Download","Description":"Failed to download Diagnostic binary file . No Diagnostic binary file available"}
Field mapping
The mapping between the data source and McAfee ESM fields.
Link Interface
Result action
Category Category
Description Description
Result Device_Action
Summary.ATD IP Device_IP
Summary.Dst IP Destination IP
Summary.SubmitterType Event_Class
Summary.Subject.md5 File_Hash
Summary.fileId File_ID
Summary.Subject.size File_Size
Summary.Subject.Type File_Type
Summary.Subject.Name Filename
Summary.TaskId Job_Name
Summary.Parent_MD5 Parent_File_Hash
Summary.Subject.md5 Parent_File_Hash
Summary.Subject.sha-1 SHA1
UserID Source_UserID
100 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
4| Configuring McAfee data sources
HTTPAgent User_Agent
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
Time Order Tolerance The maximum time that events can be logged out of chronological order.
Use Local Data Not available if the receiver is connected to a Data Streaming Bus.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
1. In the navigation pane, expand Application Security, point to Options, then click Logging Profiles.
2. Above the Logging Profiles area, click Create.
3. For Configuration, select Advanced.
4. For Profile Name, type a unique name for the logging profile.
5. Select Remote Storage, then select Reporting Server for the Type.
6. If you do not want data to be logged locally while it is being logged remotely, deselect Local Storage.
7. For Protocol, select UDP.
8. For Server IP, type the IP address of the McAfee Event Receiver.
9. For Server Port, type 514 (the default port used for Syslog).
10. (Optional) To ensure that system logging takes place, even when the logging utility is competing for system resources, select
Guarantee Logging.
11. (Optional) To log details about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, select Report
Detected Anomalies. Examples of log details can include start and end time, number of dropped requests, and attacking
IP addresses.
12. Click Create.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|deviceEventClassId|Name|Severity|Extension
Log sample
Field mapping
request URL
cs2 Subject
cs1 Object
fname Filename
cs3 Object_Type
cn1 Message_Text
Name Message
duser Destination_Username
shost Hostname
proto Protocol
src
app Application
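The CEF record layout and the field mapping above, as an added example that is not part of this guide or the McAfee product: a parser that splits the seven pipe-delimited header fields (honouring the `\|` escape), parses the key=value extension (honouring `\=` and `\\`), and renames the keys to the ESM fields listed in the mapping. The sample records, including the vendor/product/version values, are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# CEF key -> ESM field, as listed in the field mapping above.
CEF_TO_ESM: Dict[str, str] = {
    "request": "URL", "cs2": "Subject", "cs1": "Object", "fname": "Filename",
    "cs3": "Object_Type", "cn1": "Message_Text", "Name": "Message",
    "duser": "Destination_Username", "shost": "Hostname", "proto": "Protocol",
    "app": "Application",
}

# Header columns in order, from the CEF format line above.
HEADER: List[str] = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                     "deviceEventClassId", "Name", "Severity"]

# key=value pairs; a value runs until the next " key=" or the end of the record.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.S)


def _unescape(value: str) -> str:
    # CEF escapes: '\\' -> '\', '\=' -> '=', '\|' -> '|', '\n' / '\r' -> line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the remaining extension text.
    A backslash-escaped pipe is part of a field, not a separator."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])      # keep the escape; _unescape resolves it
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != len(HEADER):
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, line[i:]


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF record into a dict keyed by ESM field names where a mapping
    exists; unmapped extension keys keep their CEF names."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, extension = split_header(line)
    header[0] = header[0][len("CEF:"):]            # "CEF:0" -> "0"
    event: Dict[str, str] = {}
    for name, value in zip(HEADER, header):
        event[CEF_TO_ESM.get(name, name)] = value  # header Name -> Message
    for key, raw in _EXT_PAIR.findall(extension.strip()):
        event[CEF_TO_ESM.get(key, key)] = _unescape(raw)
    return event


# Constructed sample record (values are invented for the example).
SAMPLE = ("CEF:0|McAfee|Application Data Monitor|1.0|100|File transfer|5|"
          "app=FTP proto=TCP shost=host01 duser=alice fname=report.pdf "
          "request=ftp://10.0.0.5/upload cs1=upload cs1Label=Action cs2=report "
          "cs3=file cn1=42 msg=equal\\=sign here")
```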
You must have administrative credentials to perform the integration setup of the McAfee Application Data Monitor connector.
Task
Option Value
Format CEF
Option Value
Enabled Parsing
Option Value
Mask 0
Port 514
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
The fields in each log line, in order:
computer, date, time, IP protocol, source, destination, original client IP, source network, destination network, action, status, rule, application protocol, bytes sent, bytes sent intermediate, bytes received, bytes received intermediate, connection time, connection time intermediate, username, agent, session ID, connection ID
Log sample
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Source Model: For Syslog, select EWS v5 / Email Gateway Original Format - Legacy (ASP).
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the McAfee Event Receiver to communicate over TLS. Plain syslog on port 514 is sent unencrypted and unauthenticated, so enable this whenever the data source supports TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device. These values identify the device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Mappings (CEF)
Signature ID Sid
Name Message
Severity Severity
deviceDirection Direction
suser From
duser To
app Application
dst Destination IP
src Source IP
dhost Hostname
msg Reason
Log sample
<22>Jan 1 01:23:45 mx1 Application=http, Event='Anti-virus engine detection', status='The content was categorized as a Potentially Unwanted Program', User=user1@DOMAIN.LOCAL, source=(192.0.2.10), msgid=1234_5678_a0b1c23_d4e5_f7a8_b9c0_d1e2f3a4b5v6, virusname=Cookie-Adserver (Abc\123\123abc Element), filename= http://example.com/homepage;
Mappings (syslog)
This table shows the mappings between the data source and McAfee ESM fields.
Application Application
Event Message
status Reason
from From
to To
source Source IP
relay Destination IP
subject Subject
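The log sample and the syslog mappings table above, worked through in code. This is an added example and not McAfee code: the sample line is the one from the page re-joined onto a single line, and the treatment of single-quoted, parenthesised and semicolon-terminated values is inferred from that sample alone. Keys that the page does not map (User, msgid, virusname, filename) are kept separately rather than dropped, since they are exactly what an analyst wants when a detection fires.

```python
"""Parse the Email Gateway key=value syslog shape shown above and map it onto
the McAfee ESM fields from the mappings table. Added example, not McAfee code."""
import re
from typing import Dict, List

# Data source key -> ESM field, exactly as listed in the page's mappings table
ESM_FIELD_MAP = {
    "Application": "Application", "Event": "Message", "status": "Reason",
    "from": "From", "to": "To", "source": "Source IP",
    "relay": "Destination IP", "subject": "Subject",
}

# BSD syslog header: <PRI>Mmm dd HH:MM:SS host body. There is no year and no
# timezone, so the receiver has to supply both (see the Date Order option).
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# Constructed from the sample on the page, re-joined onto one line
SAMPLE = (
    "<22>Jan 1 01:23:45 mx1 Application=http, Event='Anti-virus engine detection', "
    "status='The content was categorized as a Potentially Unwanted Program', "
    "User=user1@DOMAIN.LOCAL, source=(192.0.2.10), "
    "msgid=1234_5678_a0b1c23_d4e5_f7a8_b9c0_d1e2f3a4b5v6, "
    "virusname=Cookie-Adserver (Abc\\123\\123abc Element), "
    "filename= http://example.com/homepage;"
)


def split_pairs(body: str) -> List[str]:
    """Split on ', ' only at top level: outside single quotes and parentheses.
    A naive split(',') would cut the quoted status text and the virusname."""
    pairs, buf, in_quote, depth = [], [], False, 0
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "'":
            in_quote = not in_quote          # no escape syntax in the sample
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")" and depth:
            depth -= 1
        if ch == "," and not in_quote and depth == 0 and body[i + 1:i + 2] == " ":
            pairs.append("".join(buf))
            buf, i = [], i + 2
            continue
        buf.append(ch)
        i += 1
    if buf:
        pairs.append("".join(buf))
    return pairs


def clean_value(raw: str) -> str:
    """Strip padding, the terminating ';', surrounding quotes or parentheses."""
    value = raw.strip().rstrip(";").strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    elif value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return value


def parse_line(line: str) -> Dict[str, object]:
    """Return PRI facility/severity, header fields, mapped ESM fields and the rest."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m["pri"])
    fields: Dict[str, str] = {}
    for pair in split_pairs(m["body"]):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = clean_value(value)
    return {
        "facility": pri // 8, "severity": pri % 8,   # <22> = mail, informational
        "timestamp": m["ts"], "host": m["host"],
        "esm": {ESM_FIELD_MAP[k]: v for k, v in fields.items() if k in ESM_FIELD_MAP},
        "unmapped": {k: v for k, v in fields.items() if k not in ESM_FIELD_MAP},
    }


if __name__ == "__main__":
    print(parse_line(SAMPLE))
```

The quote handling is deliberately minimal because the sample shows no escaping; a value containing an apostrophe would desynchronise the tokenizer, which is the kind of input to keep in a regression set once a real feed is connected.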
Task
Caution
If you leave the Default database as master, the McAfee Event Receiver fails to pull events.
7. Click OK to save.
8. Log off from SQL Server Management Studio/Enterprise Manager.
Task
1. Log on to the McAfee ePO console using an account with the appropriate rights.
2. Select Menu → Permission Sets → User Management.
3. Click Actions → New.
4. Name the group McAfee SIEM.
5. Add rights so that the McAfee ESM account works properly. With the new group selected, scroll down to Systems, then
select Edit.
6. In Systems, select these options, then click Save.
a. For Actions, select Wake up agents, view Agent Activity Log.
b. For Tag use, select Apply, exclude, and clear tags.
7. To assign users to the group, in the User Management section, select Menu → Users.
8. Select New User and define these options:
a. Enter the New User name.
b. Set the Logon status to Enabled.
c. Set the Authentication type to ePO authentication and enter the password.
d. Set the Manually assigned permission sets to Selected permission sets and McAfee SIEM, then click Save.
McAfee ePO listed in the ESM device tree as a device | McAfee ePO listed in the ESM device tree as a data source
Associated McAfee ePO applications listed as child data sources under the device | N/A
Assign tags in McAfee ePO from ESM for source or destination IP addresses and events generated by alarms | N/A
Automatic enablement of Threat Intelligence Exchange reporting in McAfee ESM over McAfee® Data Exchange Layer (DXL), if a Threat Intelligence Exchange server is connected to McAfee ePO | N/A
Automatic enablement of McAfee ACE correlation rules for Threat Intelligence Exchange and Risk Advisor | N/A
Ability to query multiple McAfee ePO devices for custom reports or views in McAfee ESM | N/A
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
5. (Optional) If the receiver doesn't connect to the data source, test the connection manually.
a. SSH to the receiver.
b. At the command prompt, enter:
If the password contains special characters, it might need to be URL encoded. Encode it locally rather than pasting a live credential into a web-based encoder.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device. These values identify the device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
After successfully logging on to the McAfee ESM console, you can add a McAfee ePO device using the Device wizard.
Task
1. From the device tree, select Physical Display, then click the Add Device icon from the Action toolbar.
2. In the Add Device Wizard, select McAfee ePolicy Orchestrator (v4.6 or newer), then click Next.
3. Enter a name for the McAfee ePO device, then click Next.
a. Select the McAfee Event Receiver that connects to the McAfee ePO device.
b. Enter the application IP address of the McAfee ePO Application Server.
c. Enter the application port (default is 8443).
d. Enter the application user name for the McAfee ePO web interface.
e. Enter the application password for the McAfee ePO web interface.
f. When McAfee ePO is added on the ESM, the ESM can check for the presence of a Threat Intelligence Exchange server.
If one is present, the ESM begins listening and retrieving events from the Data Exchange Layer (DXL). To use this
feature, select Enable DXL.
4. Test the McAfee Event Receiver’s ability to connect to McAfee ePO by clicking Connect. When the connection is successful,
click Next.
If the connection fails, verify the user credentials and that no firewall policies are blocking the connection between the
McAfee Event Receiver and McAfee ePO.
Caution
Select Require user authentication only if each McAfee ePO user has a separate account for each device.
Field mapping
The mapping between the data source and McAfee ESM fields.
ProductFamily Application
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
ThreatType Object_Type
Files Filename
SourceProcessName Process_Name
SignatureName Signature_Name
ThreatCategory Threat_Category
AnalyzerVersion Version
ThreatActionTaken Device_Action
RegistryKey Registry.Key
RegistryValue Registry.Value
TargetProtocol Protocol
ThreatActionTaken Action
AnalyzerEngineVersion Version
ThreatSeverity Severity
ProductFamily Application
EventType Event_Class
URL URL
DomainName Domain
ContentRiskGroup Object
Action Action
ContentFuncGroup URL_Category
HostName Host
HostIP Source IP
ProductFamily Application
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
ThreatType Object_Type
SourceProcessName Process_Name
AnalyzerDATVersion Analyzer_DAT_Version
ThreatCategory Threat_Category
DetectionMethod Detection_Method
ThreatActionTaken Device_Action
ThreatEventID Signature ID
AnalyzerEngineVersion Version
ThreatSeverity Severity
USBSerialNumber Object
ProductFamily Application
TargetProtocol Protocol
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
ThreatType Object_Type
SourceProcessName Process_Name
AnalyzerDATVersion Analyzer_DAT_Version
ThreatCategory Threat_Category
DetectionMethod Detection_Method
ThreatActionTaken Device_Action
ThreatEventID Signature ID
ThreatName Threat_Name
AnalyzerEngineVersion Version
ProductFamily Application
TargetProtocol Protocol
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
ThreatType Object_Type
SourceProcessName Process_Name
AnalyzerRuleName Signature_Name
ThreatCategory Threat_Category
DetectionMethod Detection_Method
ThreatActionTaken Device_Action
ThreatEventID Signature ID
ThreatName Threat_Name
AnalyzerRuleID Response_Code
DurationBeforeDetection Elapsed_Time
ThreatActionTaken Action
ProductFamily Application
ThreatEventID Signature ID
ThreatName Threat_Name
URL URL
DomainName Domain
ContentRiskGroup Object
ContentFuncGroup URL_Category
ActionID Action
SourceProcessName Process_Name
TargetProtocol Protocol
TargetFileName Destination_Filename
DetectionMethod Object_Type
ThreatActionTaken Device_Action
ThreatHandled Threat_Handled
ProductFamily Application
TargetProtocol Protocol
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
TargetPath Filename
ThreatType Object_Type
SourceProcessName Process_Name
ThreatCategory Threat_Category
DetectionMethod Detection_Method
ThreatEventID Signature ID
ThreatSeverity Severity
AnalyzerEngineVersion Version
AttackVectorType Method
jtiFileHash SHA1
jtiObjectType File_Type
jtiReputation Reputation_Name
TargetProtocol Protocol
TargetProcessName Target_Process_Name
TargetFileName Destination_Filename
ThreatType Object_Type
SourceProcessName Process_Name
AnalyzerDATVersion Analyzer_DAT_Version
ThreatCategory Threat_Category
DetectionMethod Detection_Method
ThreatActionTaken Device_Action
ProductFamily Application
ThreatEventID Signature ID
ThreatName Threat_Name
AnalyzerEngineVersion Version
DurationBeforeDetection Elapsed_Time
TVDEventID Signature ID
ProductFamily Application
IPv6 Source IP
TVDSeverity Severity
SourceProcessName Process_Name
HostName Host
SiteName Domain
Version Version
DAT_Version Analyzer_DAT_Version
Message Message_Text
Priority Severity
Success Action
RemoteAddress Source IP
md5 File_Hash
sha1 SHA1
sha256 SHA256
md5 File_Hash
sha1 SHA1
sha256 SHA256
localReputation New_Reputation.TIE_File
filename Filename
md5 File_Hash
sha1 SHA1
sha256 SHA256
filename Filename
md5 File_Hash
sha1 SHA1
sha256 SHA256
This advanced integration assumes that McAfee ePO has been added as a device, and that the local network settings have been
properly configured in Asset Manager. If the local network settings have already been configured, skip to section 6.2.
Note
This configuration example assumes one McAfee ePO server with a local SQL database. In configurations where the McAfee
ePO server is connected to a secondary SQL database server, contact McAfee support for assistance.
3. Enter the IP addresses and optional subnets that make up the Local Network, then click OK.
McAfee ESM now allows the user to start McAfee ePO and view details specific to a managed endpoint.
1. Select an event from the McAfee ESM views that contain source or destination IP addresses associated with a managed
asset in McAfee ePO.
2. In the upper left of the component window, click the menu icon.
3. Select Actions → View in ePO from the expanded menu.
4. Select a McAfee ePO device (if applicable), then click OK.
• If only one McAfee ePO device or data source appears on the system, the McAfee ePO interface starts.
• If more than one McAfee ePO device or data source appears on the system, select the one you want to access. The McAfee ePO interface starts for that device.
• If an event or flow is selected from a table component in McAfee ESM, with both a source IP address and
destination IP address from the local network, the user must also select which IP address is used in the lookup. Once
the IP address is identified, the McAfee ePO interface starts.
5. When prompted for authentication with McAfee ePO, enter the appropriate McAfee ePO credentials to log on.
Once authenticated, the asset information window for McAfee ePO displays details related to the endpoint that you
selected from the event in McAfee ESM.
Task
1. Select an event from the ESM views that contains source or destination IP addresses associated with a managed asset in McAfee ePO.
2. In the upper left of the component window, click the menu icon.
3. From the expanded menu, select Actions → ePO Tagging.
4. Select a policy tag from the list, then click Assign.
5. (Optional) Once you assign a tag to the endpoint, select Wake up client.
6. When finished, click Close.
7. (Optional) To access the ePO tagging options:
a. Select the McAfee ePO device in the ESM device tree, then click the Properties icon above the device tree.
b. To display the tagging options, select ePO Tagging from the left side of the ePO Properties window.
Select a method of authentication to employ when using tags or actions:
• Single global account — If the user belongs to a group that has access to a McAfee ePO device, the integration features can be used after entering the global credentials.
• Separate account for each device per user — The user must have permission to view the device in the ESM device tree.
If the credentials are not found or are invalid, the user is prompted to enter valid credentials, which must be saved to allow future communication with the device.
1. Verify that Require user authentication is selected when adding the McAfee ePO device on the ESM, or when configuring
its connection settings.
2. Enter the credentials on the ESM options page.
a. On the system navigation bar of the ESM console, click options, then click ePO Credentials.
b. Select a McAfee ePO device and click Edit.
c. Provide the user name and password for the selected device, then click Test Connection.
d. Click OK when the test passes.
1. From the McAfee Firewall Enterprise Admin Console, select Monitor → Audit Management, then click the Firewall Reporter/Syslog tab.
2. In the Export audit to syslog servers section, click New on the toolbar.
3. Enter the IP address of the McAfee Event Receiver where the logs are sent.
4. From the Remote Facility drop-down list, select a syslog facility to help identify the audit export.
5. (Optional) Click in the Description cell and type a description of the audit export entry.
6. Verify these settings from the advanced options, then click OK.
• Port: 514
• Format: SEF
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: Default
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device. These values identify the device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
The fields in each log line, in order:
computer, date, time, IP protocol, source, destination, original client IP, source network, destination network, action, status, rule, application protocol, bytes sent, bytes sent intermediate, bytes received, bytes received intermediate, connection time, connection time intermediate, username, agent, session ID, connection ID
Log sample
This is a sample log from a McAfee Firewall Enterprise device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
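The field list, sample and mapping above, worked through in code (the same field list and sample also appear earlier on this page, and this example serves both). This is an added example and not McAfee code. The sample has 24 whitespace-separated tokens for 23 fields because the source network "Local Host" contains a space, so a plain split would push every later value one field to the right and land the session ID in the agent column. The code anchors the fixed head and tail of the line from each end and resolves the middle around the hex status code; the rule that the destination network is a single token is an assumption, not something the page states, as are the Source Port and Destination Port fields.

```python
"""Positional parser for the space-delimited firewall log shown above, mapped
onto the four ESM fields in the field-mapping table. Added example, not McAfee code."""
import re
from typing import Dict, Optional

# Field order exactly as listed on the page (23 fields)
FIELDS = [
    "computer", "date", "time", "IP protocol", "source", "destination",
    "original client IP", "source network", "destination network", "action",
    "status", "rule", "application protocol", "bytes sent",
    "bytes sent intermediate", "bytes received", "bytes received intermediate",
    "connection time", "connection time intermediate", "username", "agent",
    "session ID", "connection ID",
]
LEFT = 7    # leading fields that never contain whitespace
RIGHT = 11  # trailing fields, "application protocol" through "connection ID"
STATUS_RE = re.compile(r"^0x[0-9A-Fa-f]+$")  # the status code, used as a pivot

# Data source field -> ESM field, from the page's mapping table
ESM_FIELD_MAP = {"computer": "Hostname", "IP protocol": "Protocol",
                 "source": "Source IP", "destination": "Destination IP"}

# Constructed from the sample on the page, re-joined onto one line
SAMPLE = ("SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 "
          "192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - "
          "255594 1555999")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields, or None when the line cannot be aligned safely.

    The head (7 fields) and tail (11 fields) are taken from the ends of the token
    list, so a network name with a space cannot shift the IP or ID fields.
    """
    tokens = line.split()
    if len(tokens) < len(FIELDS):
        return None  # short line: refuse rather than shift values into wrong fields
    rec = dict(zip(FIELDS[:LEFT], tokens[:LEFT]))
    rec.update(zip(FIELDS[-RIGHT:], tokens[-RIGHT:]))
    middle = tokens[LEFT:len(tokens) - RIGHT]   # networks, action, status, rule
    status_idx = next((i for i, t in enumerate(middle) if STATUS_RE.match(t)), None)
    if status_idx is None or status_idx < 3:
        return None  # need two network names and an action before the status
    rec["status"] = middle[status_idx]
    rec["action"] = middle[status_idx - 1]
    rec["rule"] = " ".join(middle[status_idx + 1:]) or "-"
    nets = middle[:status_idx - 1]
    # ASSUMPTION (not from the page): the destination network is a single token,
    # so any remaining tokens belong to the source network.
    rec["destination network"] = nets[-1]
    rec["source network"] = " ".join(nets[:-1])
    return rec


def to_esm(rec: Dict[str, str]) -> Dict[str, str]:
    """Apply the page's mapping, then split host:port into separate fields
    (the port fields are an assumption, not in the page's table)."""
    esm = {ESM_FIELD_MAP[k]: rec[k] for k in ESM_FIELD_MAP}
    for field, ip_key, port_key in (("source", "Source IP", "Source Port"),
                                    ("destination", "Destination IP", "Destination Port")):
        ip, sep, port = rec[field].rpartition(":")  # IPv4 only; IPv6 needs brackets
        if sep:
            esm[ip_key], esm[port_key] = ip, port
    return esm


if __name__ == "__main__":
    parsed = parse_line(SAMPLE)
    print(parsed)
    print(to_esm(parsed))
```

Returning None instead of a best guess is the point: a line that silently parses with Source IP and Destination IP swapped into the wrong columns is worse for detection than one that shows up under "Received data is not parsed" in the troubleshooting section.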
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the McAfee Event Receiver to communicate over TLS. Plain syslog on port 514 is sent unencrypted and unauthenticated, so enable this whenever the data source supports TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device. These values identify the device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. Clearing the checkbox removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from MVISION Cloud:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity Severity
Direction Direction
serviceName Service_Name
response Subtype
riscValue Reputation_Score
DeviceValue Operating_System
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
152 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
4| Configuring McAfee data sources
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname Enter host name associated with the data source device, www.myshn.net and click
Look up beside Hostname to automatically fill the IP Address field.
Username/Password The Username and Password credentials entered to extract MVISION Cloud data.
Field 1 shndlpapi
Use Proxy Enable to use proxy details for Proxy IP Address, Proxy Port, Proxy Username and
Proxy Password
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 153
4| Configuring McAfee data sources
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
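The Date Order setting decides how a purely numeric date is read, and a wrong choice does not fail parsing: 04/05/2018 is a valid date under both orders, so events are silently timestamped a month off. The Python below is an added example, not code from the McAfee documentation. It applies the three settings from the table, resolves a client data source's Default to the parent's order as the table describes, and flags inputs that parse under both orders. Function names are mine, and it assumes dates arrive as two numeric fields and a four-digit year separated by slashes, as in the table's examples.

```python
from datetime import date

# The three Date Order settings named in the table.
DEFAULT = "Default"
MONTH_FIRST = "Month before day"
DAY_FIRST = "Day before month"


def effective_date_order(order, parent_order=None):
    """Resolve the order that is actually applied.

    Default means month before day, except that a client data source set to
    Default inherits its parent's (resolved) order.
    """
    if order != DEFAULT:
        return order
    if parent_order is not None:
        return effective_date_order(parent_order)
    return MONTH_FIRST


def parse_date(text, order=DEFAULT, parent_order=None):
    """Parse 'xx/yy/yyyy' under the configured Date Order.

    Assumption (mine, from the examples 04/23/2018 and 23/04/2018): two
    numeric fields and a four-digit year separated by '/'.
    Raises ValueError when the text cannot be a date under that order.
    """
    parts = text.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected two '/' separators in {text!r}")
    first, second, year = (int(p) for p in parts)
    if effective_date_order(order, parent_order) == DAY_FIRST:
        day, month = first, second
    else:
        month, day = first, second
    return date(year, month, day)  # month 23 etc. raises ValueError here


def parses_under(text, order):
    """True if the text is a valid calendar date under the given order."""
    try:
        parse_date(text, order)
    except ValueError:
        return False
    return True


def is_ambiguous(text):
    """True if the text is a valid but different date under both orders.

    These are the inputs worth checking when a new data source is onboarded:
    a wrong Date Order shifts their event time instead of producing a parse
    error that would show up in troubleshooting.
    """
    if not (parses_under(text, MONTH_FIRST) and parses_under(text, DAY_FIRST)):
        return False
    return parse_date(text, MONTH_FIRST) != parse_date(text, DAY_FIRST)
```

Running `is_ambiguous` over the first few hundred timestamps of a new feed is a cheap way to confirm that the chosen Date Order matches what the device actually sends.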
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname Type the hostname of the MVISION EDR server that you want to collect data from, then click Look up to automatically fill the IP Address field.
Consumer Group A string used to create a consumer to pull the data from EDR. This can be any string you choose, for example "mvision_edr_siem" or "siem_edr".
Client ID/Client Secret Key The Client ID and Client Secret Key are obtained by following the onboarding for the MVISION EDR Activity Feed. For more details on generating these credentials, refer to MVISION EDR Integrations.
Use Proxy If you select this, enter the proxy IP, port, and credentials.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
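The Validate SHA1 checksum option only does something when an exported NitroFile has a checksum file beside it, and the note makes the file-without-checksum case an explicit decision rather than a silent pass. The Python below is an added example, not McAfee code, showing the check an import step performs: hash the exported file in chunks, compare with the digest in the sidecar in constant time, and report the missing-sidecar case as its own status so it can be surfaced instead of treated as verified. This page does not describe the on-disk layout of a NitroFile checksum file, so the example assumes a sidecar named `<file>.sha1` whose first whitespace-separated token is the hex digest; the sample files are constructed in a temporary directory and the `.nitro` names are placeholders.

```python
import hashlib
import hmac
import os
import tempfile

VERIFIED = "verified"
MISMATCH = "mismatch"
NO_CHECKSUM = "no_checksum"


def sha1_of_bytes(data):
    """Hex SHA-1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Hex SHA-1 of a file, read in chunks so large exports are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_sha1(data_path, checksum_path=None):
    """Compare a data file with its checksum file.

    Assumption (mine): the checksum file sits beside the data file as
    '<data_path>.sha1' and its first token is the hex digest.
    Returns VERIFIED, MISMATCH, or NO_CHECKSUM.
    """
    if checksum_path is None:
        checksum_path = data_path + ".sha1"
    if not os.path.exists(checksum_path):
        # Per the note: such a file may still be imported, but only by an
        # explicit choice, so report it distinctly rather than as verified.
        return NO_CHECKSUM
    with open(checksum_path, "r", encoding="ascii") as fh:
        tokens = fh.read().split()
    if not tokens:
        return MISMATCH  # an empty sidecar proves nothing
    expected = tokens[0].lower()
    actual = sha1_of_file(data_path)
    # compare_digest does not leak how many leading characters matched.
    return VERIFIED if hmac.compare_digest(expected, actual) else MISMATCH


def demo():
    """Constructed files exercising the three outcomes; returns their statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "export1.nitro")  # placeholder file name
        with open(good, "wb") as fh:
            fh.write(b"constructed NitroFile payload\n")
        with open(good + ".sha1", "w", encoding="ascii") as fh:
            fh.write(sha1_of_file(good) + "  export1.nitro\n")

        tampered = os.path.join(tmp, "export2.nitro")
        with open(tampered, "wb") as fh:
            fh.write(b"constructed NitroFile payload, altered after export\n")
        with open(tampered + ".sha1", "w", encoding="ascii") as fh:
            fh.write(sha1_of_file(good) + "  export2.nitro\n")  # digest of another file

        bare = os.path.join(tmp, "export3.nitro")
        with open(bare, "wb") as fh:
            fh.write(b"constructed NitroFile payload with no checksum file\n")

        return (validate_sha1(good), validate_sha1(tampered), validate_sha1(bare))


if __name__ == "__main__":
    print(demo())
```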
user UserIDDst
threat.threatType Threat_Category
threat.threatAttrs.path File_Path
threat.threatAttrs.name Threat_Name
threat.severity severity
threat.maGuid Object_GUID
threat.interpreterFileAttrs.name AppID
threat.eventType Event_Class
tenant-id src_guid
message.payload.user UserIDSrc
message.payload.case.url URL
message.payload.case.status Status
Task
1. In MVISION ePO, create a role for the SIEM. For more information on adding and assigning a role, see the MVISION ePO product documentation.
Note
Make sure the scope in Field 1 matches the permissions set for the user on the MVISION ePO. For more information, see the Add MVISION ePO topic.
Task
1. Configure the data source according to the instructions on the Knowledge Center.
2. Select a receiver.
3. Click the Properties icon.
4. From the Receiver Properties window, select Data Sources.
5. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address Automatically populated when you enter the Hostname and click Look up.
Region URL
Singapore areventssgp.mvision.mcafee.com
Frankfurt areventsfrk.mvision.mcafee.com
Sydney areventssyd.mvision.mcafee.com
Authentication Hostname iam.mcafee-cloud.com
System Token 0oawz1wagXnxG7lUr2p6
Field 1 Corresponds to permissions granted to the user account used to access the events API in
MVISION ePO. Make sure the permissions you assign here match the permissions of the
MVISION ePO user.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list. See Configure zones in the ESM Product Guide.
External data source link Automatically selected when you import events from another receiver. You can deselect the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
{
  "detectedutc": {"name": "", "type": "", "value": ""},
  "analyzermac": {"name": "", "type": "", "value": ""},
  "sourceprocessname": {"name": "", "type": "", "value": ""},
  "eventtimelocal": {"name": "", "type": "", "value": ""},
  "sourceipv6": {"name": "", "type": "", "value": ""},
  "sourceipv4": {"name": "", "type": "", "value": ""},
  "analyzerdetectionmethod": {"name": "", "type": "", "value": ""},
  "targetusername": {"name": "", "type": "", "value": ""},
  "sourcehostname": {"name": "", "type": "", "value": ""},
  "threatseverity": {"name": "", "type": "", "value": ""},
  "analyzer": {"name": "", "type": "", "value": ""},
  "tenantid": {"name": "", "type": "", "value": ""},
  "nodepath": {"name": "", "type": "", "value": ""},
  "threattype": {"name": "", "type": "", "value": ""},
  "threateventid": {"name": "", "type": "", "value": ""},
  "targethostname": {"name": "", "type": "", "value": ""},
  "analyzerversion": {"name": "", "type": "", "value": ""},
  "analyzerengineversion": {"name": "", "type": "", "value": ""},
  "agentguid": {"name": "", "type": "", "value": ""},
  "targetfilename": {"name": "", "type": "", "value": ""},
  "threatactiontaken": {"name": "", "type": "", "value": ""},
  "threatname": {"name": "", "type": "", "value": ""},
  "analyzerdatversion": {"name": "", "type": "", "value": ""},
  "analyzername": {"name": "", "type": "", "value": ""},
  "threatcategory": {"name": "", "type": "", "value": ""},
  "autoguid": {"name": "", "type": "", "value": ""},
  "targetipv6": {"name": "", "type": "", "value": ""},
  "analyzeripv6": {"name": "", "type": "", "value": ""},
  "analyzeripv4": {"name": "", "type": "", "value": ""},
  "analyzerhostname": {"name": "", "type": "", "value": ""},
  "targetipv4": {"name": "", "type": "", "value": ""},
  "tenantguid": {"name": "", "type": "", "value": ""},
  "threathandled": {"name": "", "type": "", "value": ""}
}
Log sample
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
Configure the data source according to the instructions on the Knowledge Center and the MVISION Mobile documentation.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Format
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address Automatically populated when you enter the Hostname and click Look up.
Region URL
Singapore areventssgp.mvision.mcafee.com
Frankfurt areventsfrk.mvision.mcafee.com
Sydney areventssyd.mvision.mcafee.com
Authentication Hostname token.mcafee-mvision-mobile.com
Use proxy Proxy, if required by installation. Enter the IP, port, and credentials for the proxy server.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can deselect the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
computer date time IP protocol source destination original client IP source network destination network
action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received
intermediate connection time connection time intermediate username agent session ID connection ID
Log sample
This is a sample log from McAfee MVISION Mobile:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<SyslogForarderType>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID|ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|RELEVANCE|QUARANTINE_END_TIME|MCAFEE_NAC_FORWARDED_STATUS|MCAFEE_NAC_MANAGED_STATUS|MCAFEE_NAC_ERROR_STATUS|MCAFEE_NAC_ACTION_STATUS|SENSOR_CLUSTER_MEMBER|ALERT_ID|ATTACK_COUNT|VLAN_ID|LAYER_7_DATA|VLAN_ID|PROTECTION_CATEGORY|SOURCE_VM_NAME|TARGET_VM_NAME|SOURCE_VM_ESX_NAME|TARGET_VM_ESX_NAME|PROXY_SERVER_IP|
Log sample
This is a sample log from a McAfee Network Security Manager device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
ATTACK_NAME Message
ATTACK_ID Signature ID
ATTACK_SEVERITY Severity
ADMIN_DOMAIN Domain
SENSOR_NAME Hostname
INTERFACE Interface
SOURCE_IP Source IP
DESTINATION_IP Destination IP
CATEGORY Category
SUB_CATEGORY Application
DIRECTION Direction
RESULT_STATUS Action
NETWORK_PROTOCOL Protocol
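The NSM syslog forwarder format listed above is strictly positional: every field is identified only by its place between the pipe separators, so a stray `|` inside a value (LAYER_7_DATA is the usual place) shifts every later field and puts, for instance, a port number where ESM expects a protocol. The Python below is an added example, not code from the McAfee documentation or the NSM product: it parses one record into the field names from the format string, applies the page's field mapping to ESM names, and rejects records whose field count is off instead of mis-assigning them silently. The page shows no NSM log sample, so the record here is constructed; it uses documentation address ranges and placeholder values, and its prefix is written `SyslogForwarder` while the page's format string spells it `<SyslogForarderType>` (the parser accepts any prefix text before the first `|`).

```python
# Field order of the NSM syslog forwarder format quoted above, left to right.
NSM_FIELDS = [
    "SENSOR_ALERT_UUID", "ALERT_TYPE", "ATTACK_TIME", "ATTACK_NAME", "ATTACK_ID",
    "ATTACK_SEVERITY", "ATTACK_SIGNATURE", "ATTACK_CONFIDENCE", "ADMIN_DOMAIN",
    "SENSOR_NAME", "INTERFACE", "SOURCE_IP", "SOURCE_PORT", "DESTINATION_IP",
    "DESTINATION_PORT", "CATEGORY", "SUB_CATEGORY", "DIRECTION", "RESULT_STATUS",
    "DETECTION_MECHANISM", "APPLICATION_PROTOCOL", "NETWORK_PROTOCOL", "RELEVANCE",
    "QUARANTINE_END_TIME", "MCAFEE_NAC_FORWARDED_STATUS", "MCAFEE_NAC_MANAGED_STATUS",
    "MCAFEE_NAC_ERROR_STATUS", "MCAFEE_NAC_ACTION_STATUS", "SENSOR_CLUSTER_MEMBER",
    "ALERT_ID", "ATTACK_COUNT", "VLAN_ID", "LAYER_7_DATA", "VLAN_ID",
    "PROTECTION_CATEGORY", "SOURCE_VM_NAME", "TARGET_VM_NAME", "SOURCE_VM_ESX_NAME",
    "TARGET_VM_ESX_NAME", "PROXY_SERVER_IP",
]

# NSM field -> ESM field, from the Field mapping table above.
NSM_TO_ESM = {
    "ATTACK_NAME": "Message", "ATTACK_ID": "Signature ID", "ATTACK_SEVERITY": "Severity",
    "ADMIN_DOMAIN": "Domain", "SENSOR_NAME": "Hostname", "INTERFACE": "Interface",
    "SOURCE_IP": "Source IP", "DESTINATION_IP": "Destination IP", "CATEGORY": "Category",
    "SUB_CATEGORY": "Application", "DIRECTION": "Direction", "RESULT_STATUS": "Action",
    "NETWORK_PROTOCOL": "Protocol",
}

# Constructed record (not a real capture): 40 values in the order of NSM_FIELDS.
SAMPLE_NSM_LINE = (
    "SyslogForwarder:|3a8f1c2e-0000-4000-8000-000000000001|Signature|2024-03-05 14:22:31|"
    "HTTP: Example Web Exploit Attempt|0x40001234|High|example-signature|High|My Company|"
    "nsm-sensor-01|1A-1B|203.0.113.45|51234|10.0.0.25|80|Exploit|HTTP|Inbound|Blocked|"
    "Signature|HTTP|TCP|Relevant|n/a|n/a|n/a|n/a|n/a|n/a|6100000000001|1|100|"
    "GET /example.html|100|Server Protection|n/a|n/a|n/a|n/a|n/a|"
)


def parse_nsm_syslog(line):
    """Split one forwarder record into a dict keyed by NSM field name.

    Layout: "<type>:" + 40 values + the empty string after the final '|'.
    A record with any other field count is rejected, because a positional
    format cannot tell a shifted field from a legitimate one.
    """
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(NSM_FIELDS) + 2 or parts[-1] != "":
        raise ValueError(f"expected {len(NSM_FIELDS)} fields, got {len(parts) - 2}")
    record = {"forwarder_type": parts[0].rstrip(":")}
    for name, value in zip(NSM_FIELDS, parts[1:-1]):
        # VLAN_ID appears twice in the format; keep the first occurrence.
        record.setdefault(name, value)
    return record


def is_well_formed(line):
    """True if the record has exactly the field count the format defines."""
    try:
        parse_nsm_syslog(line)
    except ValueError:
        return False
    return True


def to_esm_fields(record):
    """Apply the page's mapping; NSM fields without an ESM target are dropped."""
    return {esm: record[src] for src, esm in NSM_TO_ESM.items() if src in record}
```

Records that `is_well_formed` rejects are the ones to look at first when the receiver shows events arriving but not parsing.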
Task
1. In the System Navigation Tree, select the Local ESM node or a group where you want to add the device.
2. Click the Add Device icon.
3. Select Network Security Manager (v7.1.3 or newer), then click Next.
4. Enter a name that is unique in this group for the NSM device in the Device Name field, then click Next.
5. In the Add Device Wizard, select the McAfee Event Receiver to associate this device with.
6. Enter the credentials to log on to the NSM device's web interface/API, then click Next.
7. Enter the target IP address or URL.
8. Enter the target SSH port number. Ensure that it is valid to be used with the specified IP address.
9. Add the user name, password, and an optional database name for the device.
10. Click Next. The ESM tests device communication and reports on the status of the connection. You can open System
Properties after successfully keying the device.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname IP address and host name associated with the data source device
User Name <User name set up on NSM for pulling from the database>
Password <Password set up on NSM for pulling from the database>
Database Name <The name assigned when the database was set up>
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
creationTime=" date time " alertType="…" category="…" subCategory="…" detectionMethod="…" attackId=" # "
attackName="…" severity=" # " alertCount=" # " sourceIPAddr="…" sourcePort=" # " targetIPAddr="…"
targetPort=" # " sourceUserId="…" destinationUserId="…"
Log sample
This is a sample of a log from the McAfee Network Security Manager device after SQL pull.
Mappings
This table shows the mappings between the data source and McAfee ESM fields.
detectionMethod Method
attackId Signature ID
sourceIPAddr Source IP
targetIPAddr Destination IP
result Action
appName Application
A McAfee Network Threat Response API user name and password must be generated on the Network Threat Response Device.
See the Network Threat Response documentation for instructions about how to set up the user name and password.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Sensor Groups Click Retrieve to get a list of sensor groups from NTR. Select at least one sensor group to write out the data source.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
Eventtime Firsttime
Eventtime Lasttime
Sip Source IP
Dip Destination IP
Protocol Application_Protocol
incidentId Incident_ID
Filename Filename
Size File_Size
Host Hostname
Behavior Object
victimIP Victim_IP
attackerIP Attacker_IP
url URL
incidentNTRURL Device_URL
Reputation Reputation_Name
Urlcategory URL_Category
Enginelist Engine_List
Dirtiness Reputation_Name
fileType File_Type
Sigcategory Category
Sha1 Sha1
Md5 File_Hash
Incidentid Incident_ID
Hostname hostname
1. From the ESM device tree, select the McAfee ePO device, then click the Properties icon just above the device tree.
2. Select Device Management from the left side of the ePO Properties window, then click Enable for Enable MRA.
A window shows that the MRA configuration process started, which means that MRA acquisition is enabled.
3. Click OK.
The data comes via a database query from the McAfee ePO SQL Server database. The database query returns an IP address
reputation score list. Constant values for the low reputation and high reputation values are provided. All returned McAfee ePO
and McAfee Risk Advisor reputation lists are merged in ESM, with duplicate IP addresses retaining the highest score. The merged
reputation list is sent to McAfee ACE devices and used in scoring risk for Source IP and Destination IP fields.
When you add McAfee ePO to ESM, you are prompted to configure McAfee Risk Advisor data. When you click Yes, a data
enrichment source and two McAfee ACE scoring rules (if applicable) are created and added to the policy.
For more information about data enrichment and risk correlation scoring, see the McAfee Enterprise Security Manager Product
Guide.
Note
A risk correlation manager must be created to use the McAfee ACE scoring rules.
The TIE data is collected when a McAfee ePO is added as a device with Enable DXL selected. For more information, see the Add McAfee ePolicy Orchestrator as a device topic.
Task
Note
Make sure that the Receive column has All Systems or a Tag that is specific to the selected McAfee Event Receiver
(ERC).
Log sample
A sample log from McAfee TIE device:
{"detectionTime":1626974834,"remediationAction":2,"localReputation":0,"hashes":[{"type":"sha1",
"value":"ABCDMFzOXXIUIHpOl4i3WWg1234="},{"type":"md5","value":"abcdveqbRAUWAfzzV81234=="}]}
Field mapping
The mapping between the data source and McAfee ESM fields.
md5 File_Hash
sha1 SHA1
sha256 SHA256
md5 File_Hash
sha1 SHA1
sha256 SHA256
localReputation New_Reputation.TIE_File
filename Filename
md5 File_Hash
sha1 SHA1
sha256 SHA256
filename Filename
md5 File_Hash
sha1 SHA1
sha256 SHA256
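Both JSON-delivered McAfee sources in this chapter are mapped to ESM fields by path rather than by position: the MVISION EDR table earlier maps dotted paths such as `threat.threatAttrs.name` to `Threat_Name`, and the TIE table above maps each entry of the `hashes` array to `File_Hash`, `SHA1` or `SHA256` according to its `type`, with `localReputation` landing in `New_Reputation.TIE_File`. The Python below is an added example, not McAfee code, that implements both mappings over the page's own TIE log sample and over a constructed EDR event shaped to the table's paths (its values are placeholders). Paths absent from an event are skipped rather than written as empty strings, and a hash type the table does not name is ignored.

```python
import json

# Dotted source path -> ESM field, from the MVISION EDR Field mapping table.
EDR_TO_ESM = {
    "user": "UserIDDst",
    "threat.threatType": "Threat_Category",
    "threat.threatAttrs.path": "File_Path",
    "threat.threatAttrs.name": "Threat_Name",
    "threat.severity": "severity",
    "threat.maGuid": "Object_GUID",
    "threat.interpreterFileAttrs.name": "AppID",
    "threat.eventType": "Event_Class",
    "tenant-id": "src_guid",
    "message.payload.user": "UserIDSrc",
    "message.payload.case.url": "URL",
    "message.payload.case.status": "Status",
}

# Hash type in a TIE "hashes" entry -> ESM field, from the TIE Field mapping table.
TIE_HASH_TO_ESM = {"md5": "File_Hash", "sha1": "SHA1", "sha256": "SHA256"}

# The TIE log sample quoted above, verbatim.
SAMPLE_TIE_LOG = (
    '{"detectionTime":1626974834,"remediationAction":2,"localReputation":0,"hashes":[{"type":"sha1",'
    '"value":"ABCDMFzOXXIUIHpOl4i3WWg1234="},{"type":"md5","value":"abcdveqbRAUWAfzzV81234=="}]}'
)

# Constructed EDR event (not a real capture) laid out along the table's paths.
SAMPLE_EDR_EVENT = {
    "user": "alice",
    "tenant-id": "00000000-0000-0000-0000-000000000000",
    "threat": {
        "threatType": "malware",
        "severity": "s3",
        "maGuid": "{11111111-2222-3333-4444-555555555555}",
        "eventType": "detection",
        "threatAttrs": {"path": "C:\\Users\\alice\\Downloads\\sample.exe", "name": "Example.Threat"},
        "interpreterFileAttrs": {"name": "powershell.exe"},
    },
    "message": {"payload": {"user": "bob", "case": {"url": "https://edr.example/case/1", "status": "open"}}},
}


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_edr_event(event):
    """Flatten an EDR threat event into ESM fields, skipping absent paths."""
    out = {}
    for path, esm in EDR_TO_ESM.items():
        value = get_path(event, path)
        if value is not None:
            out[esm] = value
    return out


def map_tie_event(event):
    """Map a TIE event: one ESM field per known hash type, plus reputation and filename."""
    out = {}
    for entry in event.get("hashes", []):
        esm = TIE_HASH_TO_ESM.get(str(entry.get("type", "")).lower())
        if esm and "value" in entry:
            out[esm] = entry["value"]
    if "localReputation" in event:
        out["New_Reputation.TIE_File"] = event["localReputation"]
    if "filename" in event:
        out["Filename"] = event["filename"]
    return out


def map_tie_log(text):
    """Parse one TIE log line (JSON) and map it."""
    return map_tie_event(json.loads(text))
```

The hash values in the page's TIE sample are base64-looking strings rather than hex, so a consumer of `File_Hash` or `SHA1` downstream (a watchlist match, for instance) has to agree on the encoding with the feed; the mapping itself copies the value through unchanged.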
1. From the System menu, select Diagnostics | System Log tab | Remote Syslog tab.
2. Select Enable Remote Logging.
3. Enter the IP address or DNS host name for the McAfee Event Receiver in the Remote Host field.
4. Enter the Remote Port where the McAfee Event Receiver is listening for syslog messages. Typically, the default is correct.
5. Set the Filter Level to only send syslog messages at this level or higher.
6. (Optional) To force a more precise and standardized time stamp with every message, select Include extended ISO date.
The date is prepended to syslog messages before being sent.
7. Click Submit.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname The IP address and host name associated with the data source device.
Mask Default
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
computer date time IP protocol source destination original client IP source network destination network action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received intermediate connection time connection time intermediate username agent session ID connection ID
Log sample
This is a sample log from a McAfee UTM Firewall device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
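The following parser is an added example and is not code from the guide or from McAfee. It reads a McAfee UTM Firewall proxy line using the field order listed above, applies the field mapping from the table, and shows the one edge case a plain whitespace split gets wrong: the network names ("Local Host") may contain spaces, so the two network fields are read from the middle after the fixed fields have been taken from both ends. Splitting "ip:port" endpoints into an IP and a port is an assumption of this example.

```python
"""Parse the McAfee UTM Firewall proxy log format and map it to ESM fields.

Added example (not from the guide): the field order follows the list on this
page; the sample line is the guide's sample, rejoined onto one line.
"""
import re

# Fields that can be read from the left: each is a single whitespace-free token.
LEFT_FIELDS = ["computer", "date", "time", "ip_protocol", "source", "destination",
               "original_client_ip"]
# Fields that can be read from the right: each is a single token as well.
RIGHT_FIELDS = ["action", "status", "rule", "application_protocol",
                "bytes_sent", "bytes_sent_intermediate",
                "bytes_received", "bytes_received_intermediate",
                "connection_time", "connection_time_intermediate",
                "username", "agent", "session_id", "connection_id"]
# Between them sit "source network" and "destination network", whose names may
# contain spaces ("Local Host"), so they cannot be recovered by a plain split.

# From the guide's field-mapping table (data source field -> ESM field).
ESM_FIELD_MAP = {"computer": "Hostname", "ip_protocol": "Protocol",
                 "source": "Source IP", "destination": "Destination IP"}

# Assumed endpoint shape "ip:port", as in the guide's sample.
ENDPOINT_RE = re.compile(r"^(?P<ip>[0-9.]+):(?P<port>\d+)$")


def parse_utm_line(line):
    """Return a dict of named fields, or None if the line has too few tokens."""
    tokens = line.split()
    if len(tokens) < len(LEFT_FIELDS) + len(RIGHT_FIELDS) + 2:
        return None
    record = dict(zip(LEFT_FIELDS, tokens[:len(LEFT_FIELDS)]))
    record.update(zip(RIGHT_FIELDS, tokens[-len(RIGHT_FIELDS):]))
    middle = tokens[len(LEFT_FIELDS):-len(RIGHT_FIELDS)]
    if len(middle) == 2:
        record["source_network"], record["destination_network"] = middle
        record["network_ambiguous"] = False
    else:
        # A multi-word network name makes the split ambiguous; keep the raw
        # tokens so a later step with the site's network list can resolve them.
        record["source_network"] = record["destination_network"] = None
        record["network_tokens"] = middle
        record["network_ambiguous"] = True
    # Split "ip:port" endpoints so the bare IP can be mapped on its own.
    for name in ("source", "destination"):
        m = ENDPOINT_RE.match(record[name])
        if m:
            record[name] = m.group("ip")
            record[name + "_port"] = int(m.group("port"))
    return record


def to_esm_fields(record):
    """Apply the guide's field mapping; unmapped fields are left out."""
    return {esm: record[src] for src, esm in ESM_FIELD_MAP.items() if src in record}


# Constructed from the guide's sample, rejoined onto a single line.
SAMPLE = ("SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 "
          "192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - "
          "255594 1555999")

if __name__ == "__main__":
    rec = parse_utm_line(SAMPLE)
    print(rec)
    print(to_esm_fields(rec))
```

For the guide's sample the middle segment is three tokens, so the parser reports the network fields as ambiguous instead of guessing; a production parser would resolve them against the firewall's configured network names.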
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname The IP address and host name associated with the data source device
Mask Default
Time Zone The time zone where the data source device is located
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
uri_scheme Application_Protocol
client_to_server_bytes Bytes_from_Client
server_to_client_bytes Bytes_from_Server
http_action CommandID
source_ip src_ip
destination_ip dst_ip
requested_host Destination_Hostname
Username Destination_UserID
application_type External_Application
request_timestamp_epoch firsttime,lasttime
process_name Process_Name
http_status_code Response_Code
user_id UserIDSrc
Virus Threat_Name
requested_path URL
Category URL_Category
Result action
result severity
request_timestamp_epoch firsttime
request_timestamp_epoch lasttime
Task
See the McAfee Web Gateway Cloud Service Installation Guide for instructions.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Customer ID Your McAfee ePO Cloud customer ID. You can find it under Web Protection → Getting Started.
Use Proxy If selected, enter the IP address, port, and user credentials for the proxy.
Time Zone The time zone where the host device is located.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
uri_scheme Application_Protocol
client_to_server_bytes Bytes_from_Client
server_to_client_bytes Bytes_from_Server
http_action CommandID
source_ip src_ip
destination_ip dst_ip
requested_host Destination_Hostname
Username Destination_UserID
application_type External_Application
request_timestamp_epoch firsttime,lasttime
process_name Process_Name
http_status_code Response_Code
user_id UserIDSrc
Virus Threat_Name
requested_path URL
Category URL_Category
Result action
result severity
request_timestamp_epoch firsttime
request_timestamp_epoch lasttime
5| Configuring 3rd-party data sources
1. Log on to the A10 Networks Load Balancer user interface (UI), then select Config → System → Settings.
2. In the menu bar, select Log, then, in the Log Server field, enter the IP address of your McAfee Event Receiver.
3. Ensure that Log Server Port is set to 514, and leave all other settings at their default values.
4. Click OK.
logging syslog 5
logging host <IP address of McAfee Receiver> port 514
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname IP address and host name associated with the data source device
Mask <Enable>
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Note
McAfee ESM supports only standard logs from this device. Custom logs generated by the AFLEX engine are not supported,
but custom rules for this product can be created in the ESM.
Log sample
System log:
AX log:
Oct 24 2014 04:05:06 Error [AX] Unknown gzip error while decompressing packet
Logging log:
<13>a10logd: [SYSTEM]<6> User "admin" with session ID 1 successfully saved the running configuration
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname IP address and host name associated with the data source device
Mask <Default>
Require Syslog TLS Enable to require the McAfee Event Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<date time> <device name> <application> <IP address> <user> <message> <destination user>
Log sample
This is a sample log from an Accellion Secure File Transfer device:
<123>1 2001-01-01T01:01:01-01:00 name0001 httpd - - - [12345]: (1.2.3.4) (User:username) [Web] Sent password reset request to ldap user, user_id:example@example.com
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
IP Address Source IP
Filename Filename
To email To
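As an added example (not code from the guide or from Accellion), the parser below reads the sample above: the RFC 5424 syslog header (PRI, version, timestamp, host, application) is standard, while the layout of the message body, with the process ID, client IP, user and component in brackets and parentheses, is inferred from the guide's single sample and is an assumption. It then applies the field mapping from the table; the Filename and To email fields do not occur in this message and are skipped.

```python
"""Parse the Accellion Secure File Transfer syslog sample and map it to ESM fields.

Added example, not from the guide. The RFC 5424 header layout is standard; the
message-body layout is inferred from the guide's sample and is an assumption.
"""
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$")
# Body as seen in the sample: "[pid]: (client ip) (User:name) [Component] free text"
BODY_RE = re.compile(
    r"^\[(?P<pid>\d+)\]: \((?P<ip>[^)]+)\) \(User:(?P<user>[^)]*)\) "
    r"\[(?P<component>[^\]]+)\] (?P<text>.*)$")
# Optional trailing destination user, e.g. "... user_id:example@example.com"
DEST_USER_RE = re.compile(r"user_id:(?P<dest>\S+)$")

# From the guide's field-mapping table (data source field -> ESM field).
ESM_FIELD_MAP = {"application": "Application", "ip_address": "Source IP",
                 "filename": "Filename", "to_email": "To"}


def parse_accellion_line(line):
    """Return a dict of named fields, or None if the header does not match."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    pri = int(h.group("pri"))
    rec = {
        "facility": pri // 8, "severity": pri % 8,   # PRI = facility*8 + severity
        "timestamp": datetime.fromisoformat(h.group("timestamp")),
        "device_name": h.group("host"), "application": h.group("app"),
        "message": h.group("msg"), "ip_address": None, "user": None,
        "component": None, "destination_user": None,
    }
    b = BODY_RE.match(h.group("msg"))
    if b:
        rec.update(pid=int(b.group("pid")), ip_address=b.group("ip"),
                   user=b.group("user"), component=b.group("component"),
                   message=b.group("text"))
        d = DEST_USER_RE.search(b.group("text"))
        if d:
            rec["destination_user"] = d.group("dest")
    return rec


def to_esm_fields(rec):
    """Apply the guide's mapping; fields absent from this message are skipped."""
    return {esm: rec[src] for src, esm in ESM_FIELD_MAP.items()
            if rec.get(src) is not None}


# Constructed from the guide's sample, rejoined onto one line.
SAMPLE = ("<123>1 2001-01-01T01:01:01-01:00 name0001 httpd - - - [12345]: (1.2.3.4) "
          "(User:username) [Web] Sent password reset request to ldap user, "
          "user_id:example@example.com")

if __name__ == "__main__":
    rec = parse_accellion_line(SAMPLE)
    print(rec)
    print(to_esm_fields(rec))
```

Keeping the header and body regexes separate means a line whose body does not match the assumed layout still yields the header fields (host, application, timestamp) rather than being dropped entirely.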
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
date time,message
Log sample
This is a sample log from an Access Layers Portnox device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
received IP Destination IP
device Hostname
Adiscon Rsyslog
Task
1. Create an event log monitoring service with Emulate %Param% properties from old EventLog Monitor and Include
optional Event Parameters as properties enabled.
2. Create or modify a rule set.
3. On the Syslog Target Options tab, configure the forwarding method, protocol, server (your McAfee Event Receiver), and
port.
4. On the Syslog message Options tab, select Use legacy RFC3164 processing.
5. In the Message Format field, enter:
%sourceproc%,%id%,%timereported:::uxTimeStamp%,%user%,%category%,%Param0%;%Param1%;%Param2%;%Param3%;%Param4%;%Param5%;%Param6%;%Param7%;%Param8%;%Param9%;%Param10%;%Param11%;%Param12%;%Param13%;%Param14%;%Param15%
6. In Event Channels (Services → Event Log Monitor V2 → Event Channels tab) select the rule set you created, then select
other events you want to send to McAfee ESM.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require syslog TLS Enable to require the Receiver to communicate over TLS
Port 514
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Adtran Bluesocket
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<pri>log_source: event=event_type&loglevel=severity&obj=object&ipaddr=source_ip&name=name&msg=message&
Log sample
This is a sample log for an Adtran Bluesocket device:
<133>user_tracking: event=user_logout_successful&loglevel=notice&obj=user&ipaddr=192.0.2.0&name=NAME3215&msg=user: NAME213, role id: #, role name: Public-Access, vlan id: #, vlan name: Managed, mac: FF:FF:FF:FF:FF:FF, ip: 192.0.2.1, hostname: , login time: 2015-01-01 00:00:00, session duration: # hour, # minutes, ## seconds, sessionID: 00:11:22:33:44:FF:0000001111112222, tl. bytes in:9999999, tl. bytes out: 99999999, tl. pkts in: 99999, tl. pkts out: 99999&
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
loglevel Severity
obj Object
ipaddr Source IP
log_source Application
role id Command
hostname Hostname
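The parser below is an added example, not code from the guide or from Adtran. It follows the format line given above (a syslog PRI, the log source, then `&`-separated key=value pairs ending in `msg=...&`) and applies the field mapping from the table. Two of the mapped fields, role id and hostname, are not top-level pairs but live inside the msg text, so the msg body is split a second time on commas and on the first colon of each item; that inner layout is inferred from the guide's sample and is an assumption.

```python
"""Parse the Adtran Bluesocket syslog format and map it to ESM fields.

Added example, not from the guide. It follows the format line on this page
(<pri>log_source: key=value&...&msg=message&); splitting the msg body on
"," and ":" is an assumption drawn from the guide's sample.
"""
import re

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<log_source>[^:]+): ?(?P<body>.*)$")
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# From the guide's field-mapping table (data source field -> ESM field).
# "role id" and "hostname" live inside the msg body, not in the top-level pairs.
ESM_FIELD_MAP = {"loglevel": "Severity", "obj": "Object", "ipaddr": "Source IP",
                 "log_source": "Application", "role id": "Command",
                 "hostname": "Hostname"}


def parse_msg_body(msg):
    """Split 'key: value, key: value' text on the FIRST colon of each item.

    Values such as MAC addresses, timestamps and session IDs contain colons,
    and "session duration: # hour, # minutes, ## seconds" contains commas;
    items without a colon are dropped rather than mis-keyed.
    """
    fields = {}
    for item in msg.split(","):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_bluesocket_line(line):
    """Return the decoded event, or None if the line does not match the format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))          # PRI = facility*8 + severity
    rec = {"facility": pri // 8, "severity": pri % 8,
           "severity_name": SYSLOG_SEVERITIES[pri % 8],
           "log_source": m.group("log_source").strip()}
    # Top-level pairs are '&'-separated; the trailing '&' yields an empty item.
    for pair in m.group("body").split("&"):
        key, sep, value = pair.partition("=")
        if sep:
            rec[key] = value
    rec["msg_fields"] = parse_msg_body(rec.get("msg", ""))
    return rec


def to_esm_fields(rec):
    """Apply the guide's mapping, looking in both the top level and the msg body."""
    out = {}
    for src, esm in ESM_FIELD_MAP.items():
        if src in rec:
            out[esm] = rec[src]
        elif src in rec["msg_fields"]:
            out[esm] = rec["msg_fields"][src]
    return out


# Constructed from the guide's sample, rejoined onto one line.
SAMPLE = ("<133>user_tracking: event=user_logout_successful&loglevel=notice&obj=user"
          "&ipaddr=192.0.2.0&name=NAME3215&msg=user: NAME213, role id: #, "
          "role name: Public-Access, vlan id: #, vlan name: Managed, "
          "mac: FF:FF:FF:FF:FF:FF, ip: 192.0.2.1, hostname: , "
          "login time: 2015-01-01 00:00:00, session duration: # hour, # minutes, "
          "## seconds, sessionID: 00:11:22:33:44:FF:0000001111112222, "
          "tl. bytes in:9999999, tl. bytes out: 99999999, tl. pkts in: 99999, "
          "tl. pkts out: 99999&")

if __name__ == "__main__":
    rec = parse_bluesocket_line(SAMPLE)
    print(rec["event"], rec["severity_name"], rec["msg_fields"]["mac"])
    print(to_esm_fields(rec))
```

The sample's PRI of 133 decodes to facility 16 (local0) and severity 5 (notice), which agrees with the loglevel=notice pair; a mismatch between the two on real traffic is worth a parser warning. Note that the sample's hostname is empty, so the mapped Hostname field is an empty string rather than absent.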
Adtran NetVanta
1. Log on to your Adtran NetVanta device through a web browser, then click Logging.
2. Select the Event History checkbox, click the Syslog Forwarding tab, then select the Syslog Forwarding checkbox.
3. Select a Syslog Forwarding Priority Level between 0 and 5, with 0 reporting the most and 5 reporting only the most
important events.
4. Enter the McAfee Receiver IP address in the Syslog Receiver IP Address section.
5. For the Logging Facility, enter a number between 0 and 9, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from an Adtran NetVanta device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
dst Destination IP
Device-Type Hostname
Session ID Session ID
Interface Object
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: <Default>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<Source Mac Address>SpectraGuard Version : Start/Stop: Source [SourceName] Source Status. : Source IP:// Domain/SubDomain : Date/Time : Severity : Message
Log sample
This is a sample log from an AirTight Networks SpectraGuard device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Severity: Severity
SourceName: Hostname
Domain: Domain
Source IP: Source IP
SubDomain: Object
• syslog <syslog-id>
• description <description-string>
• address <ip-address>
• log-prefix log-prefix-string
• port <port #>
• level {emergency|alert|critical|error|warning|notice|inf|debug}
• facility <syslog-facility>
syslog 1
address x.x.x.x
facility user
level warning
exit
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Category: AUTHENTICATION
Source IP: 10.10.10.15
Destination: 64575
Alcatel-Lucent VitalQIP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: <Default>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<pri>application[pid]: message
Log sample
This is a sample log from an Alcatel-Lucent VitalQIP device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Subnet, IP: Source IP
Host: Hostname
Domain: Domain
Important
These instructions refer to third-party products. Changes in those products can cause the instructions to be out of sync. You
might need to adapt.
Important
Make sure you disable raw logs when you configure AWS CloudTrail.
Configure CloudWatch
Amazon Web Services (AWS) CloudWatch delivers three types of messages: alarms, events, and logs. These messages can be
delivered to an SQS, but the methods for each type of message differ. For specific details about how to configure a CloudWatch
service, see the AWS documentation. SQS Collector sends a notification each time a log file is written to the Amazon S3 bucket.
You need to set up resources to support your AWS CloudWatch service: an SQS queue (required), an SNS topic if you are
collecting alarms, a Lambda function if you are collecting logs. Use AWS documentation to set up these resources.
Each CloudWatch message type (alarm, event, and log) has a different format and different field mapping.
CloudWatch alarms - AWS CloudWatch Alarms delivers its logs through SNS topics. To see those logs on the ESM, add the SQS
used on the data source configuration as an endpoint for the SNS. Note that AWS CloudWatch Alarms are independent from ESM
Alarms.
CloudWatch events - CloudWatch Events delivers its logs through several AWS services. To see those logs on the ESM, select the
SQS used on the data source as the target of the events you want to deliver to the ESM. For more information, see AWS
documentation.
CloudWatch Logs - Streaming CloudWatch logs can consume significant resources. To avoid performance impact, stream only
critical data.
Important
There are no parsing rules for CloudWatch Logs. Instead, the field "message" is passed onto the parser. When you configure
the data source, make sure that you enable the parsing rules needed to parse these messages. For example, for messages
from "auth.log", you would enable the Linux rules.
AWS CloudWatch Logs (CWL) compiles logs from several AWS services, but these logs aren't automatically streamed to another
service. If you want to stream CloudWatch Logs without manually copying the logs, stream the CWL Log Stream to the SQS using
a Lambda function with this code:
import boto3
import json
import gzip
import os
from base64 import b64decode

def lambda_handler(event, context):
    # Handler body reconstructed (the guide's own lines are missing here); it assumes
    # the standard CloudWatch Logs subscription payload: base64-encoded, gzip-compressed JSON.
    payload = json.loads(gzip.decompress(b64decode(event['awslogs']['data'])))
    # SQS_URL is the Lambda environment variable described below.
    queue = boto3.resource('sqs').Queue(os.environ['SQS_URL'])
    # Forward each log event's "message" field, which is what the ESM parser consumes.
    for log_event in payload['logEvents']:
        msg = log_event['message']
        response = queue.send_message(MessageBody=msg)
    return {
        'statusCode': 200,
        'body': "Messages pushed successfully into SQS."
    }
Under "Environment Variables", enter SQS_URL (without quotes) as the Key and, as the Value, the URL of the SQS queue used in
the data source configuration. Next, give the IAM role used by the Lambda function permission to write to the SQS queue by adding
the sqs:SendMessage and sqs:SendMessageBatch permissions. For more information, see AWS documentation.
Go to the CloudWatch Logs console, select the logstream that you want to stream, then click Actions > Stream to AWS Lambda
and follow the instructions.
Configure GuardDuty
Amazon Web Services (AWS) GuardDuty delivers its findings through Amazon CloudWatch events. You must have a CloudWatch
Events service configured before configuring it to send events to your SIEM. For more information, see AWS documentation.
The SQS collector pulls the Simple Notification Service (SNS) files from an S3 bucket and places them in the SQS queue; the
McAfee ESM (McAfee Event Receiver) then pulls the SNS files from the SQS queue.
You must configure Event notification on the S3 bucket to point to the SNS topic, with a destination type of SNS topic. The
SQS queue then subscribes to the SNS topic. Configured this way, any files added to the S3 bucket are retrieved by the McAfee
ESM (McAfee Event Receiver).
The SQS collector supports XML, JSON, and single-line (newline-separated) events. If logs are neither XML nor JSON and span
multiple lines, each line is collected as a separate event; multiline events are currently not supported. For more information,
see AWS documentation.
• Make sure you have the Access Key ID and Secret Access Key for the AWS server.
• You need the URL of the SQS Queue.
• The user account you use to create the data source must have these permissions:
  • sqs:DeleteMessage
  • sqs:GetQueueUrl
  • sqs:ListDeadLetterSourceQueues
  • sqs:ReceiveMessage
  • sqs:GetQueueAttributes
  • sqs:ListQueueTags
  • s3:GetObject
  • s3:ListBucket
  • sqs:SetQueueAttributes
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address: The IP address of the data source device. Automatically populated when you clear the content in this field, enter the Hostname, and click Look up.
Hostname: The host name of the data source device. The host name is part of the URL of the SQS that you are pulling data from. For example, if the URL for the SQS is https://sqs.us-east-2.amazonaws.com/498939148594/CloudWatch-Logs, the host name is sqs.us-east-2.amazonaws.com.
SQS URL: The URL that points to the SQS queue provided by AWS.
SQS Visibility: The time that a message (log) stays hidden after it is requested. If the collector doesn't delete the message, the message is restored after the timeout (default is 300 seconds).
SQS Poll Interval: The interval between collection requests (default is 300 seconds).
Connect: Performs a test connection to the AWS services. Make sure that this test runs successfully before moving on. If errors exist, collection might not work properly.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
CloudWatch alarms
This is a sample log from an Amazon CloudWatch alarm:
alarmname: Message
SignatureVersion: Version
Subject: Message_Text
MessageID: UUID
Message.Region: Source_Zone
Message.Trigger.Namespace: Source_Context
Message.AWSAccountId: src_username
Message.Trigger.MetricName: Sensor_Name
Message.NewStateReason: Status
Message.AlarmDescription: Description
Message.TopicArn: From
Type: Object_Type
CloudWatch events
This is a sample log from an Amazon CloudWatch event:
signature: Message
version: Version
source: Source_Context
region: Source_Zone
detail.instance-id: HostID
detail.state: Status
detail.userIdentity.accountId: src_username
CloudWatch logs
This is a sample log from Amazon CloudWatch Logs:
There are no parsing rules for CloudWatch Logs. Instead, the field "message" is passed to the parser. Make sure you enable the
associated parsing rules. Because this sample log is an auth.log message, you would need to enable the Linux rules.
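The three mappings above can be checked offline. The following Python is an added example, not McAfee code or anything shipped with the ESM: it reproduces the alarm and event tables as lookup dictionaries, follows the dotted paths into the nested SNS "Message" value (which arrives as a JSON-encoded string inside the envelope), and hands CloudWatch Logs text on unchanged, one record per line, as the guide describes. The sample alarm, event and log bodies are constructed, with key names taken from the tables as printed, and the classify() heuristic that tells the three kinds apart is this example's assumption rather than the Receiver's logic.

```python
import json

# Field mappings copied from the guide's two tables: source path -> ESM field.
# Dotted paths descend into nested objects; in an SNS envelope the "Message"
# value is itself a JSON-encoded string, which get_path() decodes on the way down.
ALARM_MAP = {
    "alarmname": "Message", "SignatureVersion": "Version",
    "Subject": "Message_Text", "MessageID": "UUID",
    "Message.Region": "Source_Zone", "Message.Trigger.Namespace": "Source_Context",
    "Message.AWSAccountId": "src_username", "Message.Trigger.MetricName": "Sensor_Name",
    "Message.NewStateReason": "Status", "Message.AlarmDescription": "Description",
    "Message.TopicArn": "From", "Type": "Object_Type",
}
EVENT_MAP = {
    "signature": "Message", "version": "Version",
    "source": "Source_Context", "region": "Source_Zone",
    "detail.instance-id": "HostID", "detail.state": "Status",
    "detail.userIdentity.accountId": "src_username",
}

def get_path(obj, path):
    """Follow a dotted path through nested dicts, decoding JSON strings on the way;
    None if any segment is missing."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, str):
            try:
                cur = json.loads(cur)
            except ValueError:
                return None
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def map_fields(record, mapping):
    """Apply one mapping table; rows whose source field is absent are left out."""
    out = {}
    for src, dst in mapping.items():
        value = get_path(record, src)
        if value is not None:
            out[dst] = value
    return out

def classify(record):
    """Heuristic of this example (not the Receiver's logic): a CloudWatch event
    carries a "detail" object, an alarm is an SNS envelope with a "Message",
    anything else is treated as raw log text."""
    if isinstance(record, dict):
        if "detail" in record:
            return "event"
        if "Message" in record:
            return "alarm"
    return "log"

def process(body):
    """Turn one SQS message body into ESM-style records. Log text has no mapping
    of its own and is handed on unchanged, one record per line."""
    try:
        record = json.loads(body)
    except ValueError:
        record = body
    kind = classify(record)
    if kind == "alarm":
        return [{"kind": kind, "fields": map_fields(record, ALARM_MAP)}]
    if kind == "event":
        return [{"kind": kind, "fields": map_fields(record, EVENT_MAP)}]
    text = record if isinstance(record, str) else json.dumps(record)
    return [{"kind": "log", "fields": {"message": line}}
            for line in text.splitlines() if line.strip()]

# Constructed sample bodies (not captured AWS output); key names follow the
# guide's tables as printed so that every mapping row is exercised.
SAMPLE_ALARM = json.dumps({
    "Type": "Notification", "MessageID": "0c1b2a3d-0000-4000-8000-000000000001",
    "Subject": 'ALARM: "HighCPU" in US East (Ohio)', "SignatureVersion": "1",
    "alarmname": "HighCPU",
    "Message": json.dumps({
        "AlarmDescription": "CPU above 80% for 5 minutes", "AWSAccountId": "123456789012",
        "NewStateReason": "Threshold Crossed", "Region": "US East (Ohio)",
        "TopicArn": "arn:aws:sns:us-east-2:123456789012:esm-alarms",
        "Trigger": {"MetricName": "CPUUtilization", "Namespace": "AWS/EC2"},
    }),
})
SAMPLE_EVENT = json.dumps({
    "version": "0", "source": "aws.ec2", "region": "us-east-2",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running",
               "userIdentity": {"accountId": "123456789012"}},
})
SAMPLE_LOG = ("Jan  1 00:00:01 web1 sshd[1234]: Accepted publickey for admin\n"
              "Jan  1 00:00:02 web1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls\n")

if __name__ == "__main__":
    for body in (SAMPLE_ALARM, SAMPLE_EVENT, SAMPLE_LOG):
        for rec in process(body):
            print(rec["kind"], rec["fields"])
```

Running the file prints one mapped record for the alarm, one for the event, and two "log" records for the two-line auth.log style sample; a row such as "signature" that the sample event does not carry is simply absent from the output rather than mapped to an empty value.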
GuardDuty
Amazon Web Services (AWS) GuardDuty delivers its findings through Amazon CloudWatch Events. Make sure to have a
CloudWatch Events service configured before sending GuardDuty data. Refer to AWS documentation for specifics.
Ansible
Configure Ansible
Set up the data source to send events and flows to ESM.
Task
See Ansible product documentation for instructions on configuring it to send data to ESM.
Add Ansible
Add an Ansible data source to ESM.
Task
1. Select a receiver.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Mask: 0
Time Zone: Select the time zone offset applicable to the data being sent.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Apple Mac OS X
Task
1. Open the Terminal program, then make a backup of the syslog.conf file:
$ cp /etc/syslog.conf /tmp/syslog.conf.bkp
$ sudo vi /etc/syslog.conf
*.* @x.x.x.x
Note
A port can also be specified by adding :x to the end of the IP address, where x is the port number. If no port is specified,
default port 514 is used.
The line consists of a wildcard statement (*.*) and an action (@x.x.x.x) separated by tabs. It tells the syslog daemon to
forward a copy of all (*.*) events to the specified IP address.
4. Click Save, click Exit, then restart the syslogd service with these two commands:
$ ps -e | grep syslogd
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: <Default>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
Here is a sample log from an Apple Mac OS X device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
IP Address: Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Date Time Application: action Source IP Detection Type protocol/port (application) destination IP URL: url
Log sample
This is a sample log from an Arbor Networks Pravail device:
<13>Oct 22 09:49:32 HTX-ARBOR-00 pravail: Blocked Host: Blocked host 192.0.2.1 at 09:49 by TCP SYN Flood Detection using TCP/445 (MICROSOFT-DS) destination 192.0.2.2,URL: https://example.com/folder/
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Source: Source IP
Destination: Destination IP
Protocol: Protocol
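The following Python is an added example (not McAfee code) that parses the sample line above according to the format template and then applies the field mapping. The regular expression, the extra names it extracts (action, detection, service, url), the PRI split into facility and severity, and the IP validation step are this example's own; the guide itself defines only the three mapped fields.

```python
import re
import ipaddress

# The guide's sample line, with its two hard-wrapped halves joined back into
# the single syslog message the device actually sends.
SAMPLE = ("<13>Oct 22 09:49:32 HTX-ARBOR-00 pravail: Blocked Host: Blocked host 192.0.2.1 "
          "at 09:49 by TCP SYN Flood Detection using TCP/445 (MICROSOFT-DS) "
          "destination 192.0.2.2,URL: https://example.com/folder/")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Pattern written for the format template "Date Time Application: action Source IP
# Detection Type protocol/port (application) destination IP URL: url".
PRAVAIL_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                      # syslog PRI, optional
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "   # Date Time
    r"(?P<host>\S+) "                                                # sending device
    r"(?P<app>[^:]+): "                                              # Application
    r"(?P<action>[^:]+): "                                           # action
    r".*?(?P<src>" + IPV4 + r") at \d{2}:\d{2} by "                  # Source IP
    r"(?P<detection>.+?) using "                                     # Detection Type
    r"(?P<proto>[A-Za-z]+)/(?P<port>\d+) \((?P<service>[^)]+)\) "    # protocol/port (application)
    r"destination (?P<dst>" + IPV4 + r")"                            # destination IP
    r"(?:,\s*URL: (?P<url>\S+))?\s*$"                                # URL: url, optional
)

# The guide's field mapping: parsed name -> ESM field.
ESM_MAP = {"src": "Source IP", "dst": "Destination IP", "proto": "Protocol"}


def parse_pravail(line):
    """Parse one Pravail syslog line into named parts; None if it does not fit."""
    m = PRAVAIL_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # The IPv4 pattern is permissive (it accepts 999.0.0.1), so validate properly.
    for key in ("src", "dst"):
        try:
            ipaddress.ip_address(fields[key])
        except ValueError:
            return None
    if fields["pri"] is not None:
        # RFC 3164 PRI = facility * 8 + severity, so <13> is user (1), notice (5).
        pri = int(fields["pri"])
        fields["facility"], fields["severity"] = pri // 8, pri % 8
    fields["port"] = int(fields["port"])
    return fields


def to_esm_fields(parsed):
    """Apply the guide's mapping; everything else stays available in the parsed dict."""
    return {esm: parsed[key] for key, esm in ESM_MAP.items() if parsed.get(key) is not None}


if __name__ == "__main__":
    parsed = parse_pravail(SAMPLE)
    print(to_esm_fields(parsed))
    print({k: v for k, v in parsed.items() if k not in ESM_MAP})
```

The URL group is optional because not every Blocked Host message carries one, and a line that does not fit the template returns None rather than a half-filled record, which is the behaviour you want before handing fields to a correlation rule.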
Follow the directions for your vendor to enable ArcSight CEF-formatted events to be delivered to the McAfee Event Receiver. You
might need administrative rights.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
ID|Name|Severity|Extension
The event format is fixed up to the Extension field. From that point CEF defines no specific field order: the key-value pairs that follow can be arranged in any order chosen by the vendor.
Log sample
This is a sample log from an ArcSight Common Event Format device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Signature ID Signature ID
Name Message
dst Dest IP
proto Protocol
src Source IP
start Firsttime
end Lasttime
severity Severity
dproc Application
nitroCommandID Command
sntdom Domain
shost Host
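The following Python is an added example, not McAfee's parser: it splits a CEF event into its fixed header and its unordered extension, honouring the CEF escape rules for `|` and `=`, and then applies the field mapping table above. The sample syslog line, the vendor and product names in it, and the full seven-field header layout (from the ArcSight CEF standard; the page shows only its tail) are assumptions.

```python
import re
from typing import Dict, Tuple

# CEF field -> McAfee ESM field, copied from the "Field mapping" table above.
CEF_TO_ESM = {
    "Signature ID": "Signature ID", "Name": "Message", "dst": "Dest IP",
    "proto": "Protocol", "src": "Source IP", "start": "Firsttime",
    "end": "Lasttime", "severity": "Severity", "dproc": "Application",
    "nitroCommandID": "Command", "sntdom": "Domain", "shost": "Host",
}

# The seven fixed, pipe-delimited header fields per the ArcSight CEF standard
# (the page shows only the tail "...|Signature ID|Name|Severity|Extension").
HEADER_NAMES = ["Version", "Device Vendor", "Device Product", "Device Version",
                "Signature ID", "Name", "Severity"]

# An extension key starts the line or follows whitespace and ends at an
# unescaped "="; keys never contain whitespace, "=" or a backslash.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def _unescape(text: str, specials: str) -> str:
    """Resolve CEF backslash escapes left to right for the given characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in specials:
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(body: str) -> Tuple[list, str]:
    """Cut off the seven header fields, honouring '\\|' escapes, and return
    them with the untouched extension text that follows."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_NAMES):
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep the escape pair intact
            i += 2
        elif body[i] == "|":
            fields.append(_unescape("".join(cur), "|\\"))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    if len(fields) != len(HEADER_NAMES):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Extension pairs come in vendor-chosen order and values may contain
    spaces, so each value runs up to the next unescaped 'key=' token."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip(), "=\\nr")
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF event (syslog prefix is ignored)."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = _split_header(line[pos + len("CEF:"):])
    fields = dict(zip(HEADER_NAMES, header))
    fields.update(_parse_extension(ext))
    return fields


def map_to_esm(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply the page's mapping. Assumption: the header 'Severity' maps like
    the table's lowercase 'severity'; unmapped keys are dropped."""
    esm: Dict[str, str] = {}
    for key, value in fields.items():
        target = CEF_TO_ESM.get(key) or CEF_TO_ESM.get(key.lower())
        if target:
            esm[target] = value
    return esm


# Constructed sample (not from the page): a syslog prefix plus a CEF event whose
# name carries an escaped pipe and whose extension carries an escaped "=".
SAMPLE = (
    "<134>Mar 03 12:00:00 cefhost CEF:0|ExampleVendor|ExampleIDS|2.1|4001|"
    "Policy \\| Violation|7|src=192.0.2.10 dst=198.51.100.20 proto=TCP "
    "shost=ws01 sntdom=CORP dproc=sshd start=Mar 03 2024 11:59:58 "
    "end=Mar 03 2024 12:00:00 msg=key\\=value seen nitroCommandID=42"
)


def demo() -> Dict[str, str]:
    """Parse the constructed sample and return the ESM-mapped fields."""
    return map_to_esm(parse_cef(SAMPLE))
```

Calling `demo()` returns the mapped fields; `msg` is kept by `parse_cef` but dropped by `map_to_esm` because the table above does not map it.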
Aruba ClearPass
1. Log on to the ClearPass Policy Manager, then navigate to Administration Menu → External Servers → Syslog Export
Filters.
2. Copy the XML from the Syslog export file template, paste it into a blank file, and save it as an XML file, for example,
McAfee_SIEM_SyslogExportData.xml.
Note
Copying and pasting from a PDF may not work. Copy the XML from docs.mcafee.com or try pasting the content into a
plain text processor first. Some manipulation of the XML may be needed.
3. Change all instances of the text change.me.receiver.ip in the XML file to the IP address of the McAfee Event Receiver.
4. On the Syslog Export Filters page, select the Import link in the top right area of the page.
5. Click Browse to navigate to the XML file that you created.
Note
This file sets up the needed syslog export filters and populates the syslog target IP address.
6. Navigate to the Syslog Targets page and verify that the IP address of the McAfee Event Receiver is in the host Address
field.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Session Log:
CEF.SignatureID CEF.EventName Severity duser dmac dpriv cs2 outcome rt dvc cat
Insight Log:
CEF.SignatureID CEF.EventName Severity dmac cs6 dst duser cs4 cs5 rt dvc cat
Audit Log:
System Log:
Log sample
This is a sample log from an Aruba ClearPass device:
Session Log:
Insight Log:
Audit Log:
System Log:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
CEF.Severity Severity
Endpoint.MAC-Vendor Object_Type
ArubaClearpassGuestVistorCompany Domain
Dvchost Hostname
requestMethod Method
ArubaClearpassGuestVisitorName Contact_Nickname
Endpoint.Device-Name External_Device_Name
CEF.SignatureID External_EventID
Endpoint.Device-Family External_Device_Type
Cat Subcategory
Src Device_IP
CEF.SignatureID SID
ArubaClearpassOnbardEnrollmentDeviceVersion Version
dpriv Privileges
1. In the BOTsink console, click the Gear icon, then select Administration → Syslog.
2. To configure a new syslog destination, click the + Server icon, then fill in the required BOTsink fields:
• Name – Type a name that helps you identify the McAfee Event Receiver.
• IP address – Type the IP address of the McAfee Event Receiver.
• Port – Type 514 or a server-side port.
• Protocol – Select User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).
• Enable – Select to turn on syslog forwarding from the BOTsink Manager.
3. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<9>BotSink: Severity:[] Attacker IP:[] Target IP:[] Target OS:[] Description:[] Details:[] Phase:[] Service:[]
Log sample
This is a sample log from a BOTsink device:
<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] Target IP:[1.1.1.1] Target OS:[CentOS 7.0] Description:[Telnet connection started] Details:[16/8/1@19:32:42: START: telnet pid=122 from=1.1.1.1 ] Phase:[Access] Service:[TELNET]
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Description Message
Severity Severity
Target OS Operating_System
Details Message_Text
Phase Threat_Category
Service Service_Name
Device External_Device_Type
VLANID vlan
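As an added example (not McAfee's own parser), this Python parses the bracketed Name:[value] layout shown above, decodes the syslog PRI value in front of it, and applies the field mapping table. It uses the page's own format template and sample log as input; the function names and the handling of empty "[]" values are my own choices.

```python
import re
from typing import Dict, Optional, Tuple

# BOTsink field -> McAfee ESM field, copied from the "Field mapping" table above.
BOTSINK_TO_ESM = {
    "Description": "Message", "Severity": "Severity",
    "Target OS": "Operating_System", "Details": "Message_Text",
    "Phase": "Threat_Category", "Service": "Service_Name",
    "Device": "External_Device_Type", "VLANID": "vlan",
}

# "Name:[value]" pairs. Names may contain spaces; values may contain spaces and
# colons (see Details), so a value runs lazily to the first "]". "[]" gives "".
_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\[(.*?)\]")
_PRI_RE = re.compile(r"^<(\d{1,3})>\s*")


def parse_pri(line: str) -> Tuple[Optional[int], Optional[int], str]:
    """Decode the syslog PRI '<n>' as (facility, severity) and return the rest."""
    m = _PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[m.end():]


def parse_botsink(line: str) -> Dict[str, str]:
    """Parse one BOTsink syslog line into its bracketed fields."""
    facility, severity, body = parse_pri(line)
    if not body.startswith("BotSink:"):
        raise ValueError("not a BotSink event")
    fields = {name.strip(): value.strip()
              for name, value in _PAIR_RE.findall(body)}
    if facility is not None:
        fields["syslog_facility"] = str(facility)
        fields["syslog_severity"] = str(severity)
    return fields


def botsink_to_esm(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply the page's mapping; empty and unmapped fields are dropped."""
    return {BOTSINK_TO_ESM[k]: v for k, v in fields.items()
            if k in BOTSINK_TO_ESM and v}


# The page's own format template (every value empty) and its sample log.
TEMPLATE = ("<9>BotSink: Severity:[] Attacker IP:[] Target IP:[] Target OS:[] "
            "Description:[] Details:[] Phase:[] Service:[]")
SAMPLE = ("<9> BotSink: Severity:[Medium] Attacker IP:[192.168.1.79] "
          "Target IP:[1.1.1.1] Target OS:[CentOS 7.0] "
          "Description:[Telnet connection started] "
          "Details:[16/8/1@19:32:42: START: telnet pid=122 from=1.1.1.1 ] "
          "Phase:[Access] Service:[TELNET]")


def demo() -> Dict[str, str]:
    """Parse the page's sample and return the ESM-mapped fields."""
    return botsink_to_esm(parse_botsink(SAMPLE))
```

Attacker IP and Target IP survive parsing but are not in the mapping table above, so `botsink_to_esm` drops them; the template line maps to an empty dict.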
Axway SecureTransport
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from an Axway SecureTransport device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Version Version
IP Source IP
Filesize Message_Text
FilePath/FileName Object
TransferProtocol Application
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the McAfee Event Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<event action> <hostname> <IP address> <time> <username> <destination username> <spam score> <event ID> <subject>
Log sample
This is a sample log from a Barracuda Networks Spam Firewall device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Host Hostname
Client IP Source IP
Action Event_Class
Event ID External_Event_ID
Queued as ID Queue_ID
1. Open a web browser and log on to your Web Application Firewall (WAF) device.
2. Click the ADVANCED tab and select Export Logs.
3. In the Syslog section, click Add Syslog Server, then fill in these fields:
4. Click Add.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
System Logs:
Timestamp Unit Name Log Type Severity Level Attack Description Client IP Client Port Application IP Application Port Rule ID Rule Type Action Taken Follow-up Action Attack Details Method URL Protocol Session ID User Agent Proxy IP Proxy Port Authenticated User Referrer Attack ID Attack Group
Access Logs:
Timestamp Unit Name Log Type Application IP Application Port Client IP Client Port Login ID Certificate User Method Protocol Host Version HTTP Status Bytes Sent Bytes Received Cache Hit Time Taken Server Server Port Server Time Session ID Response Type Field Profile Matched Field Protected Field WF Matched Field URL Query Referrer Cookie User Agent Proxy IP Proxy Port Authenticated User Custom Header 1 Custom Header 2 Custom Header
Audit Logs:
Timestamp Unit Name Log Type Admin Name Client Type Login IP Login Port Transaction Type Transaction ID Command Name Change Type Object Type Object Name Variable Old Value New Value Additional Data
Unit Name Timestamp Log Type Severity Level Protocol Source IP Source Port Destination IP Destination Port Action ACL Name Interface ACL Details
Log sample
This is a sample log from a Web Application Firewall (WAF) device:
System Log:
Access Log:
2016-02-02 21:16:59.914 -0800 wafbox1 TR 192.0.2.0 80 198.51.100.0 37754 "-" "-" POST HTTP 192.0.2.0 HTTP/1.1 200 812 6401 0 198.51.100.0 80 0 SERVER DEFAULT PASSIVE VALID /cgi-bin/process.cgi "-" http://192.0.2.0/cgi-bin/1.pl ys-grid_firewall_log-grid=o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Aiso_timestamp%25255Ewidth%25253Dn%2525253A38%255Eo%252 "Mozilla/5.0 (X11; U; Linux i686 (x86_64);en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 198.51.100.0 37754 User2 en-us,or;q=0.5 gzip,deflate ISO-8859-15,utf-8;q=0.7,*;q=0.7
Audit Log:
2016-02-02 21:08:53.861 -0800 wafbox1 AUDIT User3 GUI 192.0.2.0 0 CONFIG 17 - SET web_firewall_policy default url_protection_max_upload_files "5" "6" "[]"
wafbox1 2016-05-21 03:28:23.494 -0700 NF INFO TCP 192.0.2.0 52236 192.0.2.0 8000 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP
Feb 3 15:09:02 wsf STM: LB 5 00141 LookupServerCtx = 0xab0bb600
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Client IP Source IP
Application IP Destination IP
Rule ID Signature_Name
URL URL
Referrer Referrer
Cmd Command
Version Application_Protocol
Interface Interface
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the McAfee Event Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<device IP> <service> <time date> <source IP> <destination IP> <web domain> <action> <service> <command> <application> <user>
Log sample
This is a sample log from a Barracuda Networks Web Filter device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Hostname
Application Application
Source IP Source IP
Destination IP Destination IP
Command Command
Service Object
Description Message_Text
Subject Subject
BeyondTrust BeyondInsight
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<5>2017-03-02T11:53:51Z 10.101.25.167 Agent Desc: normalized Agent ID: fim Agent Ver: Category: Source Host: Event Desc: Event Name: OS: Event Severity: 5 Source IP: Event Subject: Event Type: 0 User: Workgroup Desc: Workgroup ID: Workgroup Location: AssetName: ATTACK1 FimEventName: Unknown FimEventTypeID: 10000 AssetId: 3 FimDate: 2017-03-02 2:42:37 PM UserIdentifier: UserName: UserType: Alert: No FilePath: FileSHA1: FileMD5: FileVersion: FileSize: FileAttributes: FileAccessControlLists: UserName1: UserType1: Alert1: No Action: AccessMask: CallerProductName: CallerVendor: CallerVersion: CallerDigitalSignature: CallerSHA1: CallerMD5: CallerPath: Deferred: FimCategory: BLINK-FMP-905 Name: Description: File Integrity Module in Power Broker EPP has been disabled since a version of PowerBroker for Windo Severity: 5 RuleGuid: RuleName: File Integrity Cannot be Enabled RuleDescription: File Integrity Module in Power Broker EPP has been disabled since a version of PowerBroker for Windows Desktops was detected. To avoid this message, disable the File Integrity engine in EPP Central Policy RulePath:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field     McAfee ESM field
actType               action
agentID               application
target                Attribute_Type
category              Category
fimCategory           Category
systemName            Category
Desc                  Description
fimRuleDesc           Description
path                  Destination_Filename
actType               Device_Action
dip                   dst_ip
assetName             External_Device_Name
eventID               External_EventID
auditID               External_SessionID
callerPath            File_Path
path                  File_Path
roleUsed              Group_Name
workGroupDesc         Group_Name
hostname              hostname
sHost                 hostname
eventDesc             Message_Text
eventName             msg
objectType            objectname
osType                Operating_System
userType              Privileged_User
eventSev1             severity
sha1                  SHA1
fimRuleName           Signature_Name
ruleName              Signature_Name
appUserID             Source_UserID
userID                Source_UserID
sip                   src_ip
app                   Target_Process_Name
username              UserIDSrc
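The sample message above is a long run of "Key: value" pairs in which most values are empty, so the next key follows the colon directly, while a few values (FimDate, Description, RuleDescription) are free text containing colons and capitalised words. The parser below is an added example, not McAfee's or BeyondTrust's code: it splits the message against a fixed list of keys taken from the sample, so that a word such as "PM" or "Windo" inside a value is never mistaken for a key, and then applies an assumed correspondence between those keys and the ESM fields in the mapping table (the table lists parser token names such as ruleName, not the literal message keys, so that correspondence is this example's assumption).

```python
import re

# Constructed from the PowerBroker FIM syslog sample on this page: the wrapped
# lines are joined back into the single message the device actually sends.
SAMPLE_EVENT = " ".join([
    "<5>2017-03-02T11:53:51Z 10.101.25.167 Agent Desc: normalized Agent ID: fim Agent Ver: Category:",
    "Source Host: Event Desc: Event Name: OS: Event Severity: 5 Source IP: Event",
    "Subject: Event Type: 0 User: Workgroup Desc: Workgroup ID: Workgroup Location:",
    "AssetName: ATTACK1 FimEventName: Unknown FimEventTypeID: 10000 AssetId: 3 FimDate: 2017-03-02",
    "2:42:37 PM UserIdentifier: UserName: UserType: Alert: No FilePath:",
    "FileSHA1: FileMD5: FileVersion: FileSize: FileAttributes:",
    "FileAccessControlLists: UserName1: UserType1: Alert1: No Action: AccessMask:",
    "CallerProductName: CallerVendor: CallerVersion: CallerDigitalSignature: CallerSHA1:",
    "CallerMD5: CallerPath: Deferred: FimCategory: BLINK-FMP-905 Name: Description: File",
    "Integrity Module in Power Broker EPP has been disabled since a version of PowerBroker for Windo Severity: 5",
    "RuleGuid: RuleName: File Integrity Cannot be Enabled RuleDescription: File Integrity Module in",
    "Power Broker EPP has been disabled since a version of PowerBroker for Windows Desktops was detected. To",
    "avoid this message, disable the File Integrity engine in EPP Central Policy RulePath:",
])

# Every key the sample uses, in message order. A key only counts when it is
# preceded by whitespace and followed by ":", so "Name:" never matches inside
# "AssetName:" and "User:" never matches the start of "UserName:".
KNOWN_KEYS = (
    "Agent Desc", "Agent ID", "Agent Ver", "Category", "Source Host", "Event Desc",
    "Event Name", "OS", "Event Severity", "Source IP", "Event Subject", "Event Type",
    "User", "Workgroup Desc", "Workgroup ID", "Workgroup Location", "AssetName",
    "FimEventName", "FimEventTypeID", "AssetId", "FimDate", "UserIdentifier",
    "UserName", "UserType", "Alert", "FilePath", "FileSHA1", "FileMD5", "FileVersion",
    "FileSize", "FileAttributes", "FileAccessControlLists", "UserName1", "UserType1",
    "Alert1", "Action", "AccessMask", "CallerProductName", "CallerVendor",
    "CallerVersion", "CallerDigitalSignature", "CallerSHA1", "CallerMD5", "CallerPath",
    "Deferred", "FimCategory", "Name", "Description", "Severity", "RuleGuid",
    "RuleName", "RuleDescription", "RulePath",
)
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(k) for k in KNOWN_KEYS) + r"):")
_HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)$")

# Assumed correspondence (this example's, not McAfee's) between message keys and
# the ESM fields in the mapping table above. Two keys may feed one ESM field,
# exactly as path and callerPath both feed File_Path in the table.
ESM_FIELD_FOR_KEY = {
    "Source IP": "src_ip",
    "Source Host": "hostname",
    "OS": "Operating_System",
    "AssetName": "External_Device_Name",
    "Workgroup Desc": "Group_Name",
    "UserType": "Privileged_User",
    "FilePath": "File_Path",
    "CallerPath": "File_Path",
    "FileSHA1": "SHA1",
    "FimCategory": "Category",
    "Description": "Description",
    "RuleDescription": "Description",
    "Severity": "severity",
    "RuleName": "Signature_Name",
    "Event Name": "msg",
}


def parse_header(header):
    """Split '<PRI>timestamp host'; facility and severity are packed into PRI."""
    m = _HEADER_RE.match(header)
    if not m:
        raise ValueError("unexpected syslog header: %r" % header)
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "host": m["host"]}


def parse_event(message):
    """Return the syslog header plus a dict holding every known key; a key
    whose value is absent maps to the empty string rather than being dropped."""
    matches = list(_KEY_RE.finditer(message))
    if not matches:
        raise ValueError("no known PowerBroker keys found")
    header = parse_header(message[:matches[0].start()].strip())
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        fields[m.group(1)] = message[m.end():end].strip()
    return {"header": header, "fields": fields}


def to_esm_fields(fields):
    """Apply the mapping; the first key with a non-empty value wins an ESM field,
    and fields whose every source key is empty are left out entirely."""
    out = {}
    for key, esm in ESM_FIELD_FOR_KEY.items():
        value = fields.get(key, "")
        if value and esm not in out:
            out[esm] = value
    return out
```

Keeping empty keys in the parsed dict, instead of dropping them, is what lets a data source health check tell "the device never sends FilePath" apart from "the parser failed to find FilePath".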
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Data Source Model           Bit9 Parity Suite (ASP) for Basic (RFC 3164) logs
                            Bit9 Parity Suite – CEF (ASP) for ArcSight CEF formatted logs
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
Bit9 Parity Suite Basic (RFC 3164) log format and field mapping
Log format
The expected format for this device is:
Log sample
This is a sample log from a Bit9 Parity Suite device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field     McAfee ESM field
hostname              Hostname
event_type            Application
ip_address            Source IP
Destination IP        Destination IP
CLI                   Command
hostname              Domain
username              Source_Username
process               Target_Process_Name
file_name             Destination_Filename
policy                Policy_Name
Description           Message_Text
Log sample
This is a sample CEF log from a Bit9 Parity Suite device:
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Data source field     McAfee ESM field
dhost                 Hostname
installerFilename     Application
src                   Source IP
dst                   Destination IP
proto                 Protocol
fname                 Filename
Policy                Object_Type
spriv                 Object
suser                 Source_Username
duser                 Destination_Username
externalId            End_Page
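The CEF variant of the Bit9 data source carries the fields above in the ArcSight Common Event Format: seven pipe-delimited header fields followed by a space-separated extension of key=value pairs, where a backslash escapes a pipe inside the header and an "=" or backslash inside an extension value. The parser below is an added example, not McAfee's or Bit9's code; the record it parses is constructed for the example (vendor and product strings, version, signature id and host names are invented) and deliberately contains the escapes that a naive split on "|" and "=" would mangle. The mapping dictionary is the table above, applied verbatim.

```python
import re

# Constructed sample, not a capture from a Bit9 device: escaped backslashes in
# a Windows path, an escaped "=" inside msg, and keys the mapping table omits.
SAMPLE_CEF = (
    r"CEF:0|Bit9|Parity|7.0.1|1|File blocked|7|"
    r"dhost=ws01.example.test src=10.0.0.5 dst=10.0.0.9 proto=TCP "
    r"fname=C:\\Users\\jdoe\\setup.exe suser=EXAMPLE\\jdoe duser=SYSTEM "
    r"externalId=42 msg=Policy\=Block enforced act=Block"
)

# The Bit9 CEF field mapping from the table above.
BIT9_CEF_TO_ESM = {
    "dhost": "Hostname",
    "installerFilename": "Application",
    "src": "Source IP",
    "dst": "Destination IP",
    "proto": "Protocol",
    "fname": "Filename",
    "Policy": "Object_Type",
    "spriv": "Object",
    "suser": "Source_Username",
    "duser": "Destination_Username",
    "externalId": "End_Page",
}

_HEADER_NAMES = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_EXT_ESCAPES = {"n": "\n", "r": "\r"}


def _split_header(body):
    """Return the 7 header fields and the extension string. A backslash escapes
    the next character, so an escaped pipe stays inside its field."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) < 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    return parts, body[i:]


def _unescape(value):
    # \= and \\ become the literal character; \n and \r become line breaks.
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one CEF record into its header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:'")
    header, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(_HEADER_NAMES, header))
    # Extension values may contain spaces, so a new pair begins only where
    # whitespace is followed by "key="; a literal "=" in a value is escaped.
    event["extension"] = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, sep, value = token.partition("=")
        if sep:
            event["extension"][key] = _unescape(value)
    return event


def map_bit9_cef(line):
    """Apply the Bit9 CEF-to-ESM mapping. Keys the table does not cover are
    returned under 'unmapped' so that nothing is silently discarded."""
    ext = parse_cef(line)["extension"]
    mapped = {esm: ext[key] for key, esm in BIT9_CEF_TO_ESM.items() if key in ext}
    mapped["unmapped"] = {k: v for k, v in ext.items() if k not in BIT9_CEF_TO_ESM}
    return mapped
```

The header scanner walks the string character by character instead of splitting on "|" because a product name such as "Prod|Name" is legal in CEF once escaped, and a split-based parser would shift every later field by one.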
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Blue Coat Director device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field     McAfee ESM field
Device ID             Hostname
IP Protocol           Protocol
IP Address            Source IP
Destination IP        Destination IP
Application           Application
Command               Command
Filename              Filename
Invalid IP            Object
Task
• If you selected W3C Extended Log File Format (ELFF) string, type this custom format:
• If you selected Custom format string, enter the format for the supported custom string.
4. Click Test Format to make sure that there are no syntax errors.
5. Select Log all headers from the Multiple-valued header policy list, then click OK.
Configure Syslog
Task
5. Click OK.
6. Click Apply to return to the Upload Client tab.
7. For Save the log file as, select text file.
8. Leave the defaults for all other options.
9. Click the Upload Schedule tab.
10. Select Upload Type.
11. For Upload the access log, select continuously to stream the access logs to the McAfee Event Receiver.
12. Leave the default settings for all other options.
13. Click OK, then click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        <Default>
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Interval                    5 Minutes
Delete processed files      Select to have the Receiver delete the files from the FTP Server after they are
                            processed.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
date time c-ip c-port r-ip r-port x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-method x-cifs-server x-cifs-share
x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-read x-cifs-bytes-written
x-client-connection-bytes x-server-connection-bytes x-server-adn-connection-bytes x-cifs-client-read-operations
x-cifs-client-write-operations x-cifs-client-other-operations x-cifs-server-operations s-action x-cifs-error-code
cs-username cs-auth-group s-ip
Field mapping
Access Log
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
c-ip                  src_ip
cs-username           src_username
sc-filter-result      Query_Response.Query_Response*
cs-categories         Subject.Subject
sc-status             Action
s-action              Message
cs-method             commandname
rs-Content-Type       application
cs-host               domain
cs-uri-port           dst_port
cs-uri-path           URL.URL
                      Job_Name.Job_Name*
cs-User-Agent         User_Agent.User_Agent*
s-ip                  dst_ip
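A ProxySG access log in W3C Extended Log File Format announces its column order in a "#Fields:" directive that repeats the custom format string configured on the appliance, writes "-" for an empty field, and double-quotes any value that contains spaces. The parser below is an added example, not McAfee's or Blue Coat's code. It reads the directive, turns each record into a dict keyed by ELFF field name, applies the Access Log mapping table above, and reports which mapped fields a given custom format string omits (the x-cifs format string shown earlier in this section is used as the test input for that check). The upload it parses is constructed for the example; "rs(Content-Type)" and "cs(User-Agent)" are the ELFF spellings of the rs-Content-Type and cs-User-Agent rows in the table.

```python
import shlex

# The Access Log mapping table above, without the ".Field*" suffixes.
ACCESS_LOG_TO_ESM = {
    "c-ip": "src_ip",
    "cs-username": "src_username",
    "sc-filter-result": "Query_Response",
    "cs-categories": "Subject",
    "sc-status": "Action",
    "s-action": "Message",
    "cs-method": "commandname",
    "rs(Content-Type)": "application",
    "cs-host": "domain",
    "cs-uri-port": "dst_port",
    "cs-uri-path": "URL",
    "cs(User-Agent)": "User_Agent",
    "s-ip": "dst_ip",
}

# The x-cifs custom format string from this section, rejoined onto one line.
CIFS_FORMAT = (
    "date time c-ip c-port r-ip r-port x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-method "
    "x-cifs-server x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read "
    "x-cifs-server-bytes-read x-cifs-bytes-written x-client-connection-bytes "
    "x-server-connection-bytes x-server-adn-connection-bytes x-cifs-client-read-operations "
    "x-cifs-client-write-operations x-cifs-client-other-operations x-cifs-server-operations "
    "s-action x-cifs-error-code cs-username cs-auth-group s-ip"
)

# Constructed sample upload (not a real capture): W3C directives, two complete
# records and one truncated record that must be counted, not parsed.
SAMPLE_UPLOAD = """#Software: SGOS
#Version: 1.0
#Date: 2018-04-23 10:15:00
#Fields: date time c-ip cs-username sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-host cs-uri-port cs-uri-path cs(User-Agent) s-ip
2018-04-23 10:15:01 10.0.0.5 jdoe OBSERVED "Search Engines/Portals" 200 TCP_HIT GET text/html www.example.com 80 /index.html "Mozilla/5.0 (Windows NT 10.0)" 203.0.113.10
2018-04-23 10:15:07 10.0.0.7 - DENIED "Uncategorized" 403 TCP_DENIED GET - www.example.net 443 / "curl/7.58.0" 203.0.113.11
2018-04-23 10:15:09 10.0.0.8 truncated
"""


def parse_elff(text):
    """Return (records, malformed). Each record maps ELFF field names to values,
    with None for "-". A record whose column count disagrees with the #Fields
    directive, or that arrives before any directive, is counted as malformed."""
    fields, records, malformed = None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date and similar carry no events
        if fields is None:
            malformed += 1
            continue
        values = shlex.split(line)  # honours the double-quoting of values with spaces
        if len(values) != len(fields):
            malformed += 1
            continue
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records, malformed


def to_esm(record):
    """Apply the Access Log mapping, leaving out fields the record has empty."""
    return {esm: record[src] for src, esm in ACCESS_LOG_TO_ESM.items()
            if record.get(src) is not None}


def unmapped_fields(format_string):
    """Mapped ELFF fields that a custom format string omits: the corresponding
    ESM fields will stay empty, which is worth knowing before Test Format is clicked."""
    present = set(format_string.split())
    return [f for f in ACCESS_LOG_TO_ESM if f not in present]
```

Counting malformed records separately, rather than raising on the first one, mirrors what a receiver has to do with a rotated upload: a single truncated line at the end of a gzip should not discard the events before it.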
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
c-ip                  src_ip
s-action              Message
cs-bytes              Bytes_Sent.Bytes_Sent*
sc-bytes              Bytes_Received.Bytes_Received*
cs-method             Method.Method
cs-uri-scheme
cs-host               domain
cs-uri-port           src_port
cs-uri-path           URL.URL
cs-username           src_username
rs(Content-Type)      application
cs(Referer)           Referer.Referer*
cs-User-Agent         User_Agent.User_Agent*
sc-filter-result      Action
cs-categories         Object_Type.Object_Type
x-virus-id            Object_Type.Object_Type
s-ip                  dst_ip
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 311
5| Configuring 3rd-party data sources
nFMAIN
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
nfMAIN                Application
Source                src_ip
Status                Response_Code.Response_Code*
Action                Action
IncomingBytes         Bytes_Received.Bytes_Received*
OutgoingBytes         Bytes_Sent.Bytes_Sent*
Method                Method.Method
Scheme                Protocol
Username              src_username
User-Agent            User_Agent.User_Agent*
Result                Query_Response.Query_Response*
Category              Category.Category*
Virus                 Threat_Name.Threat_Name*
Device_IP             Device_IP.Device_IP*
DevicePort            src_port
DestinationIP         dst_ip
DestinationPort       dst_port
nFIM
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
nFIM                  Application
Source                src_ip
Username              src_username
Protocol              Protocol
Method                Method.Method
Client                Client_Version.Client_Version*
Action                Action
File                  Filename.Filename
DeviceIP              DeviceIP.DeviceIP*
nFSSL
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
nFSSL                 Application
Source                src_ip
Action                Action
DestinationIP         dst_ip
DestinationPort       dst_port
Supplier              URL.URL
Category              Category.Category*
DeviceIP              DeviceIP.DeviceIP*
IncomingBytes         Bytes_Received.Bytes_Received*
OutgoingBytes         Bytes_Sent.Bytes_Sent*
Protocol              Protocol
nFSTREAM
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
nFSTREAM              Application
DestinationPort       dst_port
Status                Response_Code.Response_Code*
Action                Action
User-Agent            User_Agent.User_Agent*
Hostexe               Client_Version.Client_Version*
Protocol              Protocol
Bytes1                Bytes_Received.Bytes_Received*
Bytes2                Bytes_Sent.Bytes_Sent*
Device                Device_IP.Device_IP*
Source                src_ip
URL                   URL.URL
Method                Method.Method
nFP2P
Fields with * indicate compatibility with version 9.2 and later only.
Data source field     McAfee ESM field
nFP2P                 Application
Source                src_ip
Username              src_username
Protocol              Protocol
ClientType            Message
Bytes1                Bytes_Received.Bytes_Received*
Bytes2                Bytes_Sent.Bytes_Sent*
Action                Action
DestinationIP         dst_ip
DestinationPort       dst_port
Device                Device_IP.Device_IP*
Task
Note
An H next to the directory indicates that this is the home directory for the user. If H doesn't appear, highlight the
directory and click Set as home dir.
Results
The Filezilla FTP server is up and running and the proxysg user is ready to go.
1. To configure access logs to upload their data to the FTP server, select Configuration → Access Logging → Logs → Upload
Client.
2. In the Log drop-down list, select the custom log that you created earlier.
3. From the Upload Client Type drop-down list, select FTP Client, then click Settings.
a. Fill in these fields.
b. Click Change Primary Password, enter the password, then click OK.
c. In the Filename field, type a name that contains text or specifiers.
Note
The file name includes the log name, last octet of the ProxySG, month, day, hour, minute, and seconds.
d. Since the Filezilla server is not configured for FTPS or SFTP, deselect Use Secure Connections (SSL).
e. Select Local Time to upload the local time file instead of using UTC.
f. Click OK, then click Apply to return to the Upload Client Configuration page.
4. For Save the log file as, select gzip file to reduce the log file size.
The McAfee Event Receiver decompresses a gzipped log file and parses the logs that are in it.
5. Click the Upload Schedule tab, then, on the Log drop-down list, select the custom log you created.
• Log on to the FTP server (FileZilla in this guide) and check the log, verifying the entries that state that the ProxySG has
uploaded the log files.
• Make sure that logs state that the McAfee Event Receiver connected and downloaded the log files.
• Verify that port 514 is open on the McAfee Event Receiver. Your output will be similar.
• Use tcpdump on the McAfee Event Receiver to verify receipt of syslog from the server. You can use a command like this
to verify the receipt of data:
1. Click the General Settings tab, then, in the navigation pane, expand Data Settings and select Cloud Download.
2. Select Enable Cloud Download, then specify the directory where the Cloud access logs are being saved.
3. Specify the Cloud API Username and Cloud API Password to grant access, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field             McAfee ESM field
x-bluecoat-appliance-name     External_Device_Name
c-ip                          Device_IP
x-exception-id                Reason
sc-filter-result              Action
cs-categories                 URL_Category
cs(Referer)                   URL
cs-method                     Request_Type
cs-uri-scheme                 Protocol
cs-host                       Web_Domain
cs(User-Agent)                User_Agent
s-ip                          Source IP
sc-bytes                      Bytes_Sent
cs-bytes                      Bytes_Received
x-bluecoat-application-name   Application
r-ip                          Destination IP
*.*; @1.2.3.4:514
where 1.2.3.4 is the IP address of your McAfee Event Receiver and 514 is the default port for syslog.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option                      Definition
Device URL                  Type the URL address that can be accessed to view event data for this data
                            source (maximum of 512 characters). You can access this URL by clicking the
                            Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common
                            Event Format (CEF) forwards events.
Date Order                  Select the format for the dates on data sources:
                            • Default — Uses the default date order (month before day). When using client
                              data sources, clients using this setting inherit the date order of the parent
                              data source.
                            • Month before day — The month goes before the day (04/23/2018).
                            • Day before month — The day goes before the month (23/04/2018).
Zone                        To assign this data source to a zone, select the zone from the list.
External data source link   Automatically selected when you import events from another receiver. You can
                            clear the checkbox, which removes the distinction of imported data.
                            For example, you export logs from receiver 1 into receiver 2. The External data
                            source link is applied to the logs being sent so that when logs are imported,
                            the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
                            Note: When you export data sources to a remote file, they are exported in
                            NitroFile format. If you import those files to another Receiver automatically,
                            Data is NitroFile is selected for each of the data sources you are importing.
                            This indicates that the file is in NitroFile format. If you import them
                            manually, you must select this box for each data source.
Validate SHA1 checksum      If the data you are importing is in NitroFile format, select this option if the
                            data source has a checksum file.
                            Note: When imported automatically, Validate SHA1 checksum is selected for any
                            data source that has a checksum file. If you import them manually, you must
                            select it. The only exception is when you are importing a data source file that
                            doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option                      Definition
Enabled                     Select options for processing events. Some options may not be available for
                            your data source.
IP Address/Hostname         The IP address and host name associated with the data source device.
Mask                        32
Require Syslog TLS          Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 327
5| Configuring 3rd-party data sources
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
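The Date Order option above decides how a numeric date such as 04/05/2018 is read, and a client data source left on Default takes its parent's setting. The Python below is an added example, not McAfee code, that resolves that inheritance and flags dates which parse validly under either order, which is exactly when a wrong setting goes unnoticed; the function names are this example's own.

```python
"""Resolve a data source's effective Date Order and parse dates with it.

Added example, not McAfee code. The setting names and the inheritance rule
for client data sources come from the Date Order option table; the function
names are this example's own.
"""
from datetime import date
from typing import Optional

DEFAULT = "Default"
MONTH_FIRST = "Month before day"
DAY_FIRST = "Day before month"


def effective_date_order(setting: str, parent_setting: Optional[str] = None) -> str:
    """Return the concrete order a data source actually applies.

    A client data source left on Default inherits its parent's order; a parent
    (or a source without a parent) left on Default uses month before day.
    """
    if setting != DEFAULT:
        return setting
    if parent_setting is not None and parent_setting != DEFAULT:
        return parent_setting
    return MONTH_FIRST


def parse_date(text: str, order: str) -> date:
    """Parse MM/DD/YYYY or DD/MM/YYYY according to the resolved order.

    Raises ValueError when the chosen order is impossible for the input
    (for example "23/04/2018" read as month before day), which is how a
    wrong setting shows up for days after the 12th.
    """
    if order not in (MONTH_FIRST, DAY_FIRST):
        raise ValueError(f"unresolved date order: {order!r}")
    first, second, year = (int(part) for part in text.split("/"))
    month, day = (first, second) if order == MONTH_FIRST else (second, first)
    return date(year, month, day)


def is_ambiguous(text: str) -> bool:
    """True when both orders give a valid but different date.

    For the first 12 days of each month a wrong Date Order produces no error,
    only silently shifted event times, so these are the dates to spot-check
    against the device's own clock when onboarding a source.
    """
    first, second, _ = (int(part) for part in text.split("/"))
    return first <= 12 and second <= 12 and first != second


if __name__ == "__main__":
    # Constructed settings: the client is on Default, the parent is explicitly
    # day before month, so the client reads 23/04/2018 as 23 April.
    order = effective_date_order(DEFAULT, DAY_FIRST)
    print(order, parse_date("23/04/2018", order), is_ambiguous("04/05/2018"))
```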
Data source field -> ESM field
Domain -> Domain
IPaddr -> Source IP
External IP -> Destination IP
CN -> Source Username
Task
1. Click the Wired tab on the Configuration Wizard panel, then click New on the toolbar.
2. Select the syslog receivers, then click Next.
3. On the Select Action page, click the action that you want to perform.
Note: Each device can have up to six syslog receivers. All syslog receivers defined for a device receive the same data.
6. To change a syslog receiver, select it and click Edit, then make the changes and click Update.
7. To open the Deployment section of the wizard, click Next.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
DATE:SEVERITY:EVENTSOURCE: MESSAGE
Log sample
This is a sample log:
Field mapping
This table shows the mapping between the data source and ESM fields.
Data source field -> ESM field
Object -> Object
Source IP -> Source IP
Destination IP -> Destination IP
Host -> Host
Application -> Application
Task
1. Log on to the command line interface for the switch and enter this command:
2. To verify that the logging setting was added, enter this command:
> syslogdIpShow
Results
This lists all configured remote syslog server IP addresses for the switch.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
<date time> <device name> <log type> <time> <message ID> <severity> <class> <user> <role> <IP> <interface> <application> <swname> <arg0> <arg1> <arg2>
Log sample
This is a sample log from a Brocade VDX Switch device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field -> McAfee ESM field
Swname -> Host
Application -> Application
IP -> Source IP
interface -> Interface
Check Point
You can configure Check Point using:
1. Install the Log Exporter on the Check Point device version that you are using. For more information, see the Check Point documentation.
2. Run the following command from the Check Point device:
cp_log_export add name <name> [domain-server mds] target-server <target-server IP/host name> target-port <target-port> protocol <(udp|tcp)> format syslog
Where:
target-server IP/host name: The IP address or host name of the McAfee Event Receiver configured to receive this data.
target-port: The port configured on the receiver to receive this type of syslog.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
1. Use SSH to connect to the Check Point management server, then enter expert mode.
2. Open $FWDIR/conf/fwopsec.conf and edit the file according to the type of authentication you want to use.
3. Run cprestart.
1. Log on to the Check Point user interface, then expand the OPSEC Applications tree node.
2. Right-click the OPSEC Application category, select New OPSEC Application, then enter a name for the OPSEC Application.
Note: This name is used when creating the data source in the ESM.
3. In the Host field, select a host, then select the network object that represents the McAfee Event Receiver.
Note: If the object does not exist, create one by clicking New and entering the IP address of the McAfee Event Receiver.
4. In the Client Entries section, select LEA, then click Communication near the bottom of the dialog box.
5. Enter and confirm your one-time password, then click Initialize.
The certificate is initialized and displays the message Initialized but trust not established.
6. Close the Communication dialog box.
7. On the OPSEC Application Process dialog box, click OK.
8. Perform an Install DB on the Check Point server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Device Type: Select the type of device from SMS / CMA, Security Device, Log Server / CLM, and Secondary SMS / CMA.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Use Authentication: Type of authentication selected when creating the LEA connection.
Application Name: Name of the OPSEC Application created during Check Point setup.
Activation Key: One-time password created while creating the OPSEC application during Check Point setup.
Options (authentication only): Advanced settings; leave them at the default unless you have connection issues.
Connect (authentication only): Tests the connection to the OPSEC LEA service and pulls the certificate.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select the parent data source from the Receiver Properties Data Sources window.
2. Select Add Child.
3. If you are sending firewall logs to a CLM instead of the CMA, find the distinguished name for the CLM.
a. Use SSH to connect to the CMA, then enter expert mode.
b. At the command prompt, enter:
Child Data Source Screen Settings: Log server / CLM and Secondary SMS / CMA
Option Definition
Parent Report Console: User-defined name of the CMA that manages the CLM (preselected if creating a child data source).
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Data source field -> McAfee ESM field
product -> Application
dst_machine_name -> Destination_Hostname
origin -> Device_IP
domain_name -> Domain
i/f_dir -> Direction
time -> Firsttime, Lasttime
rule -> Incident_ID
i/f_name -> Interface
policy_name -> Policy_Name
proto -> Protocol
bytes -> Total_Bytes
layer_uuid -> UUID
vpn_feature_name -> VPN_Feature_Name
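The field-mapping tables in this chapter, such as the Check Point table just above, define how a source's own field names are renamed to McAfee ESM fields, and a few source fields (here time) feed two ESM fields at once. The Python below is an added example, not McAfee or Check Point code, that applies that table to one record; the key:"value"; record layout and the sample values are constructed for illustration and are not taken from the guide, and the function names are this example's own.

```python
"""Normalize a Check Point log record to McAfee ESM field names.

Added example, not McAfee or Check Point code. The mapping table is the one
from this section; the record layout (key:"value" pairs separated by
semicolons) and the sample values are constructed for illustration.
"""
import re
from typing import Dict, List

# Mapping table from this section: Check Point field -> ESM field(s).
# The guide maps "time" to both Firsttime and Lasttime.
CHECKPOINT_TO_ESM: Dict[str, List[str]] = {
    "product": ["Application"],
    "dst_machine_name": ["Destination_Hostname"],
    "origin": ["Device_IP"],
    "domain_name": ["Domain"],
    "i/f_dir": ["Direction"],
    "time": ["Firsttime", "Lasttime"],
    "rule": ["Incident_ID"],
    "i/f_name": ["Interface"],
    "policy_name": ["Policy_Name"],
    "proto": ["Protocol"],
    "bytes": ["Total_Bytes"],
    "layer_uuid": ["UUID"],
    "vpn_feature_name": ["VPN_Feature_Name"],
}

# Constructed sample record (assumed layout, documentation IP from RFC 5737).
SAMPLE_RECORD = (
    'time:"1553260648"; product:"VPN-1 & FireWall-1"; origin:"192.0.2.1"; '
    'domain_name:"corp.example"; i/f_dir:"inbound"; i/f_name:"eth0"; '
    'proto:"tcp"; rule:"7"; policy_name:"Standard"; bytes:"1024"; action:"accept"'
)

# One key:"value" pair; the value may contain spaces but not double quotes.
_PAIR = re.compile(r'\s*([^:;"]+):"([^"]*)"\s*(?:;|$)')


def parse_record(record: str) -> Dict[str, str]:
    """Split a key:"value"; record into a dict.

    Raises ValueError if any part of the record is not a well-formed pair, so
    a malformed line is rejected rather than silently half-parsed.
    """
    record = record.strip()
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(record):
        match = _PAIR.match(record, pos)
        if not match:
            raise ValueError(f"malformed record at offset {pos}: {record[pos:pos + 20]!r}")
        fields[match.group(1).strip()] = match.group(2)
        pos = match.end()
    return fields


def to_esm(fields: Dict[str, str], keep_unmapped: bool = False) -> Dict[str, str]:
    """Rename parsed fields with the mapping table.

    Fields the table does not cover are dropped, or kept under an
    "unmapped." prefix when keep_unmapped is set, so nothing is silently
    merged into an ESM field it was not mapped to.
    """
    esm: Dict[str, str] = {}
    for key, value in fields.items():
        targets = CHECKPOINT_TO_ESM.get(key)
        if targets is None:
            if keep_unmapped:
                esm[f"unmapped.{key}"] = value
            continue
        for target in targets:
            esm[target] = value
    return esm


if __name__ == "__main__":
    for name, value in sorted(to_esm(parse_record(SAMPLE_RECORD)).items()):
        print(f"{name}: {value}")
```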
Cimcor
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
Data source field -> McAfee ESM field
eventTime -> firsttime, lasttime
src -> src_ip
cimtrakUser -> Source_UserID
sfileUser -> src_username
filePath -> File_Path
processName -> application
processID -> PID
forensicData -> Description
objectPath -> Caller_Process
Configure the appliance according to vendor instructions. See the data sheet for appliance specifications.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field -> McAfee ESM field
user -> Source_UserID
dst_ip -> dst_ip
severity -> severity
timestamp -> firsttime, lasttime
user_id -> UserIDSrc
method -> Method
uri -> URL
protocol -> Protocol
http_resp_code -> Response_Code
Cisco Firepower
• Discovery Events
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data
8. Click Save.
7. By default, the McAfee Event Receiver pulls RNA and Intrusion Events. To allow it to collect both event types, select these options:
• RNA Events
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Port: Default
Upload: Allows you to upload and validate the certificate that was downloaded in the previous section.
Connect: Tests the connection to the data source after the certificate is downloaded.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device whose events the ESM forwards in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field -> McAfee ESM field
Event Second, First/Last Seen, First/Last Used -> First Time, Last Time
Network Protocol, Host Type, ID, Attribute ID, Source Type, Protocol, Custom Product, Application -> Application
Protocol -> Protocol
NetBIOS Name, CVE ID, Custom Vendor, Service Vendor name, Hostname -> Host
Generator ID -> External_EventID
Rule ID -> External_SubEventID
UUID -> UUID
Cisco IOS
1. Open a secure connection to the console of your Cisco IOS device, then go into enable mode.
Router> enable
Note
Router(config)#
Note
System messages are enabled by default. If logging is disabled, use this command to enable it or to ensure that it is on.
Router(config)# logging on
By default, this only logs to the console. Use this command to enable logging to send to a specific host, such as the McAfee
Event Receiver. The host argument is the name or IP address of the host.
Router(config)# exit
b. Save changes.
OR
Router# disable
Router>
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Cisco IOS device:
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Data source field → ESM field
Facility → Application
SourceIP → Source IP
DestIP → Destination IP
Protocol → Protocol
Interface → Interface
category → Category
Task
1. Select a receiver.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Port: 443
URI: cgi-bin/sdee-server
Interval: Choose the frequency at which you want to pull events from the IPS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Data source field → ESM field
sd:hostId → Hostname
sdIdsAlert/@severity → Severity
cid:interface → Interface
cid:protocol → Protocol
@cid:version → Version
cid:appName → Application
cid:riskRatingValue → Reputation
sd:signature/@id → Incident_ID
cid:os/@type → Object
marsCategory → Threat_Name
Cisco Meraki
1. From the dashboard, navigate to Network-wide → Configure → General, then click Add a syslog server.
2. In the Server IP field, enter the IP address of the McAfee Event Receiver, and in the Port field, enter 514 (the default port
for syslog).
3. Add the roles to the Roles field to enable logging for them.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Data source field → ESM field
src → Source IP
dst → Destination IP
request → Method
url → URL
protocol → Protocol
direction → Direction
router → Device_IP
signature → Signature_Name
group → Group_Name
client → Host
SSID → Wireless_SSID
reason → Reason
priority → Priority
Cisco NX-OS
Task
> enable
# configure terminal
where 192.0.2.1 is the IP address of your McAfee Event Receiver, and 6 is the severity level of the logs you want to send (6
is all events, 2 is only critical and emergency events).
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Cisco NX-OS device:
2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user example_username
from 192.0.2.2 - sshd[12345]
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field → ESM field
Host → Hostname
protocol → Protocol
Application → Application
file → Filename
domain → Domain
1. Go to the ASDM Home window, then select Configuration → Features → Properties → Logging → Logging Setup.
2. To enable syslog, select Enable logging.
3. In the navigation tree under Logging, select Syslog Servers, then click Add to add syslog server.
4. In the Add Syslog Server dialog box, enter the syslog server details, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Action Application
Bytes_Sent Command
Count Destination_Hostname
Device_IP Direction
Domain Destination IP
Group_Name Host
Interface_Dest Interface
Object Object_Type
Policy_Name Protocol
Reason Session
Severity Source IP
URL Username
3. In the right pane, enable Remote Destination Server, enter the IP address of the syslog server, then select the appropriate
level and facility.
4. Click Save Changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Cisco Unified Computing System device:
Field mapping
This table shows the mapping between the data source and ESM fields.
Data source field → ESM field
facility → Application
severity → Severity
server → Host
1. In the controller UI, select Management → Logs → Config, enter the IP address of the server where you want to send the
syslog messages, then click Add.
2. In the Syslog Level field, select the severity level.
Note
The only messages sent to the syslog server are messages with severity equal to or less than the level you set.
3. In the Syslog Facility field, set the facility for outgoing syslog messages to the syslog servers.
4. By default, message logs include information about the source file. To exclude this information, deselect File Info.
5. To commit and save the changes, click Apply, then click Save Configuration.
Task
1. Select a receiver.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Cisco Wireless LAN Controller device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field → ESM field
CMD → Command
Domain → Domain
SSID → Wireless_SSID
Remote IP → Device IP
Citrix NetScaler
Note
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Citrix NetScaler device:
<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 -
SessionId: 12345- example.com User username : Group(s) groupname : Vserver
a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field → ESM field
Host → Host
Protocol → Protocol
Source → Source IP
Destination → Destination IP
Vserver IP → Device_IP
Application → Application
Command → Command
Domain → Domain
Filename → Filename
Nat_ip → NAT_Details
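The field-mapping tables only list which device field lands in which ESM field; what a Receiver actually does is pull those values out of the raw syslog line. The following is an added example, not McAfee code (the Receiver's own parsers are not public), that parses the two log samples quoted in this chapter, the Cisco NX-OS authentication failure and the Citrix NetScaler SSLVPN HTTPREQUEST line, and labels the extracted values with the ESM field names from the corresponding tables. It also decodes the syslog <PRI> value (facility*8 + severity) and models the device-side severity filter the NX-OS and Wireless LAN Controller sections describe: a message is sent only when its severity number is at or below the configured level. The regular expressions, the "Vserver <ip>:<port>" split, and ESM field names not in the tables (Username, Group_Name, Session, Severity) are assumptions.

```python
"""Parse the two syslog samples this guide prints (Cisco NX-OS and Citrix NetScaler)
and label the extracted values with the ESM field names from the page's
field-mapping tables. Added example, not McAfee code: the Receiver's own parsers
are not public, so the regexes and the extra ESM field choices below are assumptions."""
import re
from typing import Dict, Optional

# Constructed copies of the samples printed on this page (RFC 5737 test addresses).
NXOS_SAMPLE = (
    "2001 Jan 01 01:01:01 EET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed "
    "for user example_username from 192.0.2.2 - sshd[12345]"
)
NETSCALER_SAMPLE = (
    "<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : "
    "Context username@192.0.2.1 - SessionId: 12345- example.com User username : "
    "Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - "
    "01/01/2001:01:01:01 GMT GET file/path.gif - -"
)

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def decode_pri(pri: int) -> Dict[str, int]:
    """Split a syslog <PRI> value into facility and severity (PRI = facility * 8 + severity)."""
    return {"facility": pri // 8, "severity": pri % 8}


def passes_level(severity: int, configured_level: int) -> bool:
    """Device-side filter described in the guide: a message is sent only when its
    severity number is less than or equal to the configured level (0 = most urgent)."""
    return severity <= configured_level


NXOS_RE = re.compile(
    r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\w+): "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"(?P<app>[\w.]+):(?P<text>.*)$"
)
# Free-text tail of the NX-OS sample: who failed, from where, reported by which daemon.
NXOS_AUTH_RE = re.compile(
    r"user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<proc>\w+)\[(?P<pid>\d+)\]"
)


def parse_nxos(line: str) -> Optional[Dict[str, object]]:
    """Return ESM-named fields for an NX-OS line, or None if it is not in this format."""
    m = NXOS_RE.match(line)
    if not m:
        return None
    event: Dict[str, object] = {
        "Application": m["app"],  # the page maps Application -> Application
        "Severity": int(m["severity"]),
        "Severity_Name": SEVERITY_NAMES[int(m["severity"])],
        "Signature_Name": f"{m['facility']}-{m['severity']}-{m['mnemonic']}",  # assumed field
    }
    auth = NXOS_AUTH_RE.search(m["text"])
    if auth:  # Username / Source IP are general ESM fields, not in the NX-OS table (assumption)
        event.update({"Username": auth["user"], "Source IP": auth["ip"],
                      "Process": auth["proc"], "PID": int(auth["pid"])})
    return event


NETSCALER_RE = re.compile(
    r"^<(?P<pri>\d+)> (?P<time>\S+ \S+) (?P<host>\S+) (?P<unit>\S+) : "
    r"(?P<module>\S+) (?P<event>\S+) (?P<event_id>\d+) : "
    r"Context (?P<user>[^@\s]+)@(?P<src>[\d.]+) - SessionId: (?P<session>\d+)- "
    r"(?P<domain>\S+) User \S+ : Group\(s\) (?P<group>\S+) : Vserver (?P<vserver>\S+) - "
    r"(?P<req_time>\S+ \S+) (?P<method>[A-Z]+) (?P<path>\S+)"
)


def parse_netscaler(line: str) -> Optional[Dict[str, object]]:
    """Return ESM-named fields (per the NetScaler mapping table) for one SSLVPN HTTPREQUEST line."""
    m = NETSCALER_RE.match(line)
    if not m:
        return None
    pri = decode_pri(int(m["pri"]))
    # Assumed layout "Vserver <ip>:<port>": splitting on the last colon keeps an IPv6 address intact.
    vserver_ip, _, vserver_port = m["vserver"].rpartition(":")
    return {
        "Host": m["host"],              # Host -> Host
        "Source IP": m["src"],          # Source -> Source IP
        "Device_IP": vserver_ip,        # Vserver IP -> Device_IP
        "Device_Port": int(vserver_port),
        "Application": m["module"],     # Application -> Application
        "Command": m["method"],         # Command -> Command
        "Domain": m["domain"],          # Domain -> Domain
        "Filename": m["path"],          # Filename -> Filename
        "Username": m["user"],          # assumed general ESM fields from here on
        "Group_Name": m["group"],
        "Session": m["session"],
        "Severity": pri["severity"],
        "Severity_Name": SEVERITY_NAMES[pri["severity"]],
        "Facility": pri["facility"],
    }


if __name__ == "__main__":
    for parsed in (parse_nxos(NXOS_SAMPLE), parse_netscaler(NETSCALER_SAMPLE)):
        for key, value in parsed.items():
            print(f"{key:>14}: {value}")
        print()
```

Running it shows why the level setting matters: the NX-OS sample carries severity 3 (error), so it is forwarded at the guide's "6" setting and dropped at "2"; the NetScaler line's <12> decodes to facility 1, severity 4 (warning).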
1. In the Access Gateway Management Console, click Management → System Administration, then click Logging.
2. Click Remote Server Settings → Access Gateway Logging, then enter the IP address of the McAfee Event Receiver in the
Server field.
3. In the Port field, enter the port used to receive syslog by the McAfee Event Receiver (default is 514).
4. Under Log Type, select one or more types of logs to be sent to the McAfee Event Receiver.
5. (Optional) To change the frequency with which logs are sent or to send them manually, click Management → System
Administration → Logging → Access Gateway Logging → Log Settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Citrix Secure Gateway device:
[Mon Jan 01 01:01:01 2001] [error] SSL Library Error 47 on 1.2.3.4:123 with peer 4.5.6.7:456 An unclassified SSL network error occurred. (error code: 12345 error:12345678)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
Username               Username
Protocol               Protocol
Source IP              Source IP
Destination IP         Destination IP
To_syslog: yes
Syslog_facility: daemon
3. Save your changes, close the file, then copy the file to all nodes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
Hostname               Host
Message                Message
Node                   Command
Severity               Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Log sample
This is a sample log from a Code Green Data Loss Prevention device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
Hostname               Host
IP Address             Source IP
Destination IP         Destination IP
Session ID             Session ID
Severity               Severity
Cofense Intelligence
1. Make sure that you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use the command:
python cofense_to_mcafee.py
• If you need a proxy to connect to Cofense, change the [proxy]:use value to True and fill out your proxy information
in the following two fields.
• Verify that any absolute paths are correct for your operating system.
• To send Indicators of Compromise (IOCs) to McAfee ESM via CEF, set [output-cef]:use to True and provide a host
name/IP address and port where you want to send CEF events.
• For Cyber Threat Feeds, set up the McAfee ESM integration to output STIX files to a directory: set [output-stix]:use
to True and provide the directory where you want to write the files.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
CEF.Severity           Severity
externalId             External_EventID
Cat                    Subcategory
dst                    Destination IP
fname                  File_Path
fileHash               File_Hash
Cofense Triage
1. Make sure you have a recent version of Python installed, and the python-requests library.
2. Acquire the Cofense Python scripts and configure the config.ini file with the Cofense API credentials.
3. To execute the script, use this command:
python Cofense_to_mcafee.py
• If a proxy is needed to connect to Cofense, change the [proxy]:use value to True and fill out your proxy
information in the following two fields.
• Verify that any absolute paths are correct for your operating system.
• To send Indicators of Compromise (IOCs) into McAfee ESM via CEF, set [output-cef]:use to True and provide a host
name/IP address and port where you want to send CEF events.
• For Cyber Threat Feeds, set up the McAfee ESM integration to output STIX files to a directory; set [output-stix]:use to
True, and provide the directory where you want to write the files.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|Cofense|Triage|2.0|Rule ID|Event|Severity|start rt Time Message Reported duser suser cat Recipe Name Highest Priority Rule Matched – Priority Level Highest Priority Rule Matched – Rule Name Report URL Subject
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
cat                    Threat_Category
Subject                Subject
Severity               Severity
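As an added example (not code from this guide or from Cofense's scripts), the parser below splits a Cofense Triage CEF line into its seven pipe-delimited header fields and its key=value extensions, honours the CEF escapes for a literal pipe ("\|") and a literal equals sign ("\="), and applies the three mapping rows above. The sample line is constructed to match the format shown for this device; its key names and values are illustrative, not a captured event.

```python
import re
from typing import Dict, List, Tuple

# Cofense Triage -> McAfee ESM mapping, copied from this section's table.
TRIAGE_TO_ESM = {"cat": "Threat_Category", "Subject": "Subject", "Severity": "Severity"}

# Names for the seven pipe-delimited CEF header fields (standard CEF layout).
CEF_HEADER = ["CEFVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
              "SignatureID", "Name", "Severity"]

# Constructed sample in the format shown above (not a real Triage event).
# It deliberately carries an escaped pipe in the header and an escaped
# equals sign inside the Subject value.
SAMPLE_TRIAGE_CEF = (
    "CEF:0|Cofense|Triage|2.0|1001|Rule matched \\| quarantined|5|"
    "rt=Jan 01 2018 01:01:01 start=Jan 01 2018 00:59:30 "
    "duser=analyst@example.com suser=reporter@example.com "
    "cat=Credential Phishing Subject=Password reset for user\\=admin"
)

# An extension key starts the text or follows whitespace and ends at '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def split_cef_header(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the remaining extension text.

    str.split('|') would break on a literal pipe escaped as '\\|', so the
    header is scanned character by character and the escape is honoured.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":                            # field delimiter
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF: expected 7 pipe-delimited header fields")
    return fields, line[i:]


def _unescape_ext(raw: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' -> newline."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' into a dict.

    Values may contain spaces, so each value runs up to the start of the
    next key token; an escaped '\\=' inside a value is not a key boundary
    because a backslash is not a valid key character.
    """
    keys = list(_KEY_RE.finditer(ext))
    parsed: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return parsed


def triage_cef_to_esm(line: str) -> Dict[str, str]:
    """Map one Cofense Triage CEF line onto the ESM fields from the table above."""
    header_fields, ext_text = split_cef_header(line)
    header = dict(zip(CEF_HEADER, header_fields))
    ext = parse_cef_extension(ext_text)
    record: Dict[str, str] = {}
    for src, dst in TRIAGE_TO_ESM.items():
        if src in ext:
            record[dst] = ext[src]
    # Severity lives in the CEF header unless an extension key overrides it.
    record.setdefault("Severity", header["Severity"])
    return record


if __name__ == "__main__":
    for key, value in triage_cef_to_esm(SAMPLE_TRIAGE_CEF).items():
        print(f"{key}: {value}")
```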
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<timestamp> <device name> <log type> [<location>] <service>; <message type> <message>
Log sample
This is a sample log from a Cooper Power Systems Cybectec RTU device:
Jan 1 01:01:01 deviceName Security: [Example - Location] Security Service; MAINTENANCE: "Admin" - Authenticated (EXAMPLEDOMAIN\admin; HOSTNAME)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
Source                 Hostname
PROTO                  Protocol
SRC                    Source IP
DST                    Destination IP
Command                Command
Domain                 Domain
Event                  Object
Point                  Interface
Device                 External_Device_Name
Value                  New_Value
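As an added example (not the guide's own parser), the regular expression below splits a Cooper Power Systems Cybectec RTU line into the seven positional parts of the format above and then pulls the DOMAIN\user; HOST triple out of the authentication message, which feeds the Hostname and Domain rows of the mapping table. Treating the syslog device name as the Source/Hostname row is my reading of the table, and the remaining rows depend on message types this section does not show, so they are left out; the sample line is the one printed above.

```python
import re
from typing import Dict, Optional

# Sample line from this section, copied verbatim (backslash doubled for Python).
SAMPLE_CYBECTEC = (
    'Jan 1 01:01:01 deviceName Security: [Example - Location] Security Service; '
    'MAINTENANCE: "Admin" - Authenticated (EXAMPLEDOMAIN\\admin; HOSTNAME)'
)

# <timestamp> <device name> <log type> [<location>] <service>; <message type> <message>
# The log type in the sample carries a trailing colon ("Security:"), so the colon is
# optional here; the service ends at the first ';', which keeps any later ';' inside
# the message (the sample has one in the principal).
_LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<log_type>[^\s\[]+?):?\s+"
    r"\[(?P<location>[^\]]*)\]\s+"
    r"(?P<service>[^;]+);\s+"
    r"(?P<msg_type>[A-Za-z_]+):\s+"
    r"(?P<message>.*)$"
)

# "(DOMAIN\user; HOST)" as it appears in the authentication message.
_PRINCIPAL_RE = re.compile(r"\((?P<domain>[^\\;()]+)\\(?P<user>[^;)]+);\s*(?P<host>[^)]+)\)")


def parse_cybectec_line(line: str) -> Optional[Dict[str, str]]:
    """Return the positional parts of one line, or None if it does not match the format."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def cybectec_to_esm(line: str) -> Optional[Dict[str, str]]:
    """Build a record from one line using the mapping rows shown above.

    Hostname comes from the syslog device name (my reading of the 'Source' row);
    Domain is taken from the DOMAIN\\user principal when the message carries one.
    The other keys simply keep the format's own part names.
    """
    parts = parse_cybectec_line(line)
    if parts is None:
        return None
    record = {
        "Hostname": parts["device"],
        "timestamp": parts["timestamp"],
        "log_type": parts["log_type"],
        "location": parts["location"],
        "service": parts["service"],
        "message_type": parts["msg_type"],
        "message": parts["message"],
    }
    principal = _PRINCIPAL_RE.search(parts["message"])
    if principal:
        record["Domain"] = principal.group("domain")
        record["user"] = principal.group("user")
        record["principal_host"] = principal.group("host")
    return record


if __name__ == "__main__":
    for key, value in (cybectec_to_esm(SAMPLE_CYBECTEC) or {}).items():
        print(f"{key}: {value}")
```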
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Cooper Power Systems Yukon IED Manager Suite device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
Protocol               Protocol
IP Address             Source IP
Priority               Severity
Server                 Application
Domain                 Domain
Corero IPS
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date> <time> <device IP> <severity> <device name> <id> <pt> <prot> <cip> <cprt> <sip> <sprt> <atck> <disp> <ckt> <src> <msg>
Log sample
This is a sample log from a Corero IPS device:
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
prot                   Protocol
cip                    Source IP
sip                    Destination IP
atck                   Signature ID
msg                    Message
Crowdstrike
Configure Crowdstrike
See the Crowdstrike documentation for instructions about configuring the data source on Crowdstrike. For information about
Crowdstrike API access, see Getting Access to the CrowdStrike API.
Add Crowdstrike
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Hostname: Host name associated with the data source device. Click Look up to automatically fill the IP field.
Client Secret Key: Secret key for APIs (obtain from Crowdstrike).
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
6. Click OK.
Log sample
This is a sample log from a Crowdstrike device:
{"metadata":{"customerIDString":"0123456789ABCDEFGHIJKLMNOPQRSTUV","offset":14947764,
"eventType":"DetectionSummaryEvent","eventCreationTime":1536846439000,"version":"1.0"},
"event":{"ProcessStartTime":1536846339,"ProcessEndTime":0,"ProcessId":38684386611,"ParentProcessId":38682494050,
"ComputerName":"CS-SE-EZ64","UserName":"demo","DetectName":"Process Terminated",
"DetectDescription":"Terminated a process related to the deletion of backups, which is often indicative of ransomware\r\nactivity.","Severity":4,"SeverityName":"High",
"FileName":"explorer.exe","FilePath":"\\Device\\HarddiskVolume1\\Windows",
"CommandLine":"C:\\Windows\\Explorer.EXE","SHA256String":"6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"MD5String":"ac4c51eb24aa95b77f705ab159189e24","MachineDomain":"CS-SE-EZ64",
"FalconHostLink":"https://falcon.crowdstrike.com/activity/detections/detail/abcdefghijklmnopqrstuvwxyz012345/12345678901?_cid=xxxxxxxxxxxxxxxxxx",
"SensorId":"abcdefghijklmnopqrstuvwxyz012345","DetectId":"ldt:abcdefghijklmnopqrstuvwxyz012345",
"LocalIP":"1.2.3.4","MACAddress":"xx-xx-xx-xx-xx","Tactic":"Malware","Technique":"Ransomware",
"Objective":"Falcon Detection Method","PatternDispositionDescription":"Prevention, process killed.",
"PatternDispositionValue":16,"PatternDispositionFlags":
{"Indicator":false,"Detect":false,"InddetMask":false,"SensorOnly":false,
"Rooting":false,"KillProcess":true,"KillSubProcess":false,"QuarantineMachine":false,"QuarantineFile":false,
"PolicyDisabled":false,"KillParent":false,"OperationBlocked":false,"ProcessBlocked":false}}}
{"metadata":{"customerIDString":"0123456789ABCDEFGHIJKLMNOPQRSTUV","offset":460662,"eventCreationTime":1480375833,
"eventType":"CustomerIOCEvent"},"event":
{"AgentIdString":"f2c76aa30f40454064d4ecbdaecfd2ca","ProcessId":"25917476803",
"ComputerName":"WINDOWS-10-12345","MD5String":"2f0eaaf91fc7a5c70d1f4be9b18a1cf5","ParentProcessId":"25826055931",
"ProcessStartTime":1462816700,"FileName":"StikyNot.exe","FilePath":"\\Device\\HarddiskVolume1\\Windows\\System32",
"CommandLine":"\"C:\\Windows\\system32\\StikyNot.exe\" ","DeviceId":"f2c76aa30f40454064d4ecbdaecfd2ca"}}
Other logs
{"event":{"AuditKeyValues":[{"Key":"target_name","ValueString":"user@example.com"}],
  "OperationName":"activateUser","ServiceName":"CrowdStrike Authentication","Success":true,
  "UserId":"user@example.com","UserIp":"192.0.2.100","UTCTimestamp":1452711518},
 "metadata":{"customerIDString":"0123456789ABCDEFGHIJKLMNOPQRSTUV",
  "eventType":"AuthActivityAuditEvent","eventCreationTime":1480375833,"offset":80960}}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
metadata.version Version
event.UserName src_username
event.Technique Malware_Insp_Result
event.Tactic Malware_Insp_Action
event.SHA256String SHA256
event.Severity severity
event.SensorId Sensor_Name
event.PatternDispositionDescription Subcategory
event.MachineDomain DomainID
event.MACAddress src_mac
event.LocalIP src_ip
event.FilePath File_Path
event.FileName Destination_Filename
event.FalconHostLink TC_URL
event.DetectDescription Description
event.ComputerName HostID
event.CommandLine Target_Context
event.DetectId UUID
event.FilePath File_Path
event.FileName Destination_Filename
metadata.eventCreationTime firsttime,lasttime
event.DeviceId External_Device_Name
event.ComputerName HostID
event.MD5String Hash
event.CommandLine Target_Context
Operation events
metadata.eventCreationTime firsttime,lasttime
event.UserIp src_ip
event.UserId src_username
event.ServiceName Service_Name
event.Success Status,action
metadata.Version Version
metadata.eventType Category
Other events
metadata.Version Version
metadata.eventCreationTime firsttime,lasttime
event.UserIp src_ip
event.UserId UserIDSrc
event.ServiceName Service_Name
event.Success Status
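The mapping tables above applied in code, as an added example that is not part of the guide: a small Python mapper that reads CrowdStrike JSON events in the shape of the samples and emits the ESM field names from the tables, choosing the table by metadata.eventType. Which eventType the two unlabeled tables belong to (DetectionSummaryEvent and CustomerIOCEvent, in the order the samples appear) and the use of the "Other events" table as the catch-all are assumptions made here; the sample records are constructed.

```python
import json

# Mapping tables from the guide, keyed by metadata.eventType. The guide leaves its
# first two tables unlabeled; assigning them to DetectionSummaryEvent and
# CustomerIOCEvent (the order of the sample records) is an assumption, as is using
# the "Other events" table for every remaining eventType. The first table spells
# the version key "metadata.version", matching the sample record, so that is used.
DETECTION_MAP = {
    "metadata.version": "Version",
    "event.UserName": "src_username",
    "event.Technique": "Malware_Insp_Result",
    "event.Tactic": "Malware_Insp_Action",
    "event.SHA256String": "SHA256",
    "event.Severity": "severity",
    "event.SensorId": "Sensor_Name",
    "event.PatternDispositionDescription": "Subcategory",
    "event.MachineDomain": "DomainID",
    "event.MACAddress": "src_mac",
    "event.LocalIP": "src_ip",
    "event.FilePath": "File_Path",
    "event.FileName": "Destination_Filename",
    "event.FalconHostLink": "TC_URL",
    "event.DetectDescription": "Description",
    "event.ComputerName": "HostID",
    "event.CommandLine": "Target_Context",
}
IOC_MAP = {
    "event.DetectId": "UUID",
    "event.FilePath": "File_Path",
    "event.FileName": "Destination_Filename",
    "metadata.eventCreationTime": "firsttime,lasttime",
    "event.DeviceId": "External_Device_Name",
    "event.ComputerName": "HostID",
    "event.MD5String": "Hash",
    "event.CommandLine": "Target_Context",
}
OTHER_MAP = {
    "metadata.version": "Version",
    "metadata.eventCreationTime": "firsttime,lasttime",
    "event.UserIp": "src_ip",
    "event.UserId": "UserIDSrc",
    "event.ServiceName": "Service_Name",
    "event.Success": "Status",
}
MAPS_BY_TYPE = {"DetectionSummaryEvent": DETECTION_MAP, "CustomerIOCEvent": IOC_MAP}


def lookup(record, dotted_path):
    """Resolve a 'metadata.version' style path; None when any step is missing."""
    node = record
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def to_esm_fields(raw_json):
    """Map one raw event to ESM field names using the table for its eventType.

    A target such as 'firsttime,lasttime' fills every listed ESM field with the
    same source value. Fields absent from the record are skipped, since the
    sample records do not carry every field listed in the tables.
    """
    record = json.loads(raw_json)
    table = MAPS_BY_TYPE.get(lookup(record, "metadata.eventType"), OTHER_MAP)
    esm = {}
    for source, targets in table.items():
        value = lookup(record, source)
        if value is None:
            continue
        for target in targets.split(","):
            esm[target] = value
    return esm


# Constructed records, abbreviated from the shape of the guide's samples.
SAMPLE_DETECTION = json.dumps({
    "metadata": {"eventType": "DetectionSummaryEvent",
                 "eventCreationTime": 1536846439000, "version": "1.0"},
    "event": {"UserName": "demo", "ComputerName": "CS-SE-EZ64", "Severity": 4,
              "LocalIP": "1.2.3.4", "FileName": "explorer.exe",
              "FilePath": "\\Device\\HarddiskVolume1\\Windows",
              "CommandLine": "C:\\Windows\\Explorer.EXE", "Tactic": "Malware"},
})
SAMPLE_AUDIT = json.dumps({
    "metadata": {"eventType": "AuthActivityAuditEvent", "eventCreationTime": 1480375833},
    "event": {"UserId": "user@example.com", "UserIp": "192.0.2.100",
              "ServiceName": "CrowdStrike Authentication", "Success": True},
})

if __name__ == "__main__":
    for raw in (SAMPLE_DETECTION, SAMPLE_AUDIT):
        print(json.dumps(to_esm_fields(raw), indent=2))
```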
Task
Note
• SyslogServerIP—The IP addresses of the Syslog servers where messages are sent. Specify multiple values with
commas.
• SyslogServerProtocol—Specifies the Syslog protocol that is used to send audit logs. Specify TCP or UDP. The
default value is UDP.
• SyslogServerPort—The port used to connect to the Syslog server. The default value is 514.
• SyslogMessageCodeFilter—Defines which message codes are sent from the Vault to McAfee ESM through the
Syslog protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple
values with pipelines. By default, all message codes are sent for user and safe activities.
• SyslogTranslatorFile—Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol.
Specify multiple values with commas.
• DebugLevel—Determines the level of debug messages. Specify SYSLOG(2) to include Syslog xml messages in
the trace file.
• UseLegacySyslogFormat—Controls the format of the syslog message, and defines whether it is sent in a newer
syslog format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer
syslog format. Specify multiple values with commas.
2. In DBParm.ini, paste the SYSLOG section at the bottom of the file, then rename the file to McAfee.xsl.
3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in
the SyslogTranslatorFile parameter in DBParm.ini.
Note
During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.
4. Make any needed changes to the XSL translator file relevant to ESM implementation.
5. Stop and Start the vault for the changes to take effect.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Nov 05 15:08:51 VLT2PI "Cyber-Ark Vault 5.50.0074" 295 295 "NULL" 6 LOCALHOST\\SYSTEM Retrieve password <username>=PasswordManager <action>=Retrieve password <msg>=, , Root\\Groups\\RMAPSDBGroup, , PROD_RMAPS_OLA_DB, , , , CPM, , Retrieve password
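The Vault record above and the SyslogMessageCodeFilter parameter from the DBParm.ini steps, worked through as an added example that is not part of the guide: a parser for the Vault's "<name>=value" tagged fields (values may contain spaces and commas, so the line cannot simply be split on whitespace) and a check of whether a record's message code passes a filter of comma-separated numbers and ranges. Reading the first number after the quoted product string as the message code, and pairing each pipe-separated filter with the matching SyslogServerIP entry, are assumptions made here.

```python
import re

# The Vault writes tagged fields as "<name>=value"; a value runs up to the next
# "<name>=" tag (or the end of the line) and may contain spaces and commas, as the
# guide's sample shows, so the line cannot simply be split on whitespace.
TAG_RE = re.compile(r"<([A-Za-z_]+)>=(.*?)(?=\s<[A-Za-z_]+>=|$)")

# Header: timestamp, vault host name, quoted product/version, then a number.
# Reading that first number as the message code (295 in the sample) is an
# assumption; the guide only says the filter works on message codes.
HEADER_RE = re.compile(r'^([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (\S+) "([^"]*)" (\d+)')


def parse_vault_record(line):
    """Return the header fields and the tagged fields of one Vault syslog record."""
    match = HEADER_RE.match(line)
    if not match:
        raise ValueError("not a Cyber-Ark Vault syslog record")
    record = {
        "timestamp": match.group(1),
        "host": match.group(2),
        "product": match.group(3),
        "code": int(match.group(4)),
    }
    for name, value in TAG_RE.findall(line):
        record[name] = value.strip()
    return record


def parse_code_filter(spec):
    """Expand one SyslogMessageCodeFilter list: numbers or ranges, comma separated.

    '1,5-7,295' -> {1, 5, 6, 7, 295}
    """
    allowed = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        allowed.update(range(int(low), int(high or low) + 1))
    return allowed


def per_server_filters(spec):
    """Split a pipe-separated filter value into one code set per syslog server.

    The guide says multiple values are separated by pipes; pairing the n-th
    filter with the n-th SyslogServerIP entry is an assumption made here.
    """
    return [parse_code_filter(part) for part in spec.split("|")]


def would_forward(line, filter_spec, server_index=0):
    """True if the record's message code passes the filter for that server."""
    code = parse_vault_record(line)["code"]
    filters = per_server_filters(filter_spec)
    return code in filters[server_index]


# The guide's sample record, joined onto one line.
SAMPLE = (
    r'Nov 05 15:08:51 VLT2PI "Cyber-Ark Vault 5.50.0074" 295 295 "NULL" 6 '
    r"LOCALHOST\\SYSTEM Retrieve password <username>=PasswordManager "
    r"<action>=Retrieve password <msg>=, , Root\\Groups\\RMAPSDBGroup, , "
    r"PROD_RMAPS_OLA_DB, , , , CPM, , Retrieve password"
)

if __name__ == "__main__":
    rec = parse_vault_record(SAMPLE)
    print(rec["code"], rec["username"], rec["action"])
    print(would_forward(SAMPLE, "0-100|200-300", server_index=1))
```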
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Task
Note
• SyslogServerIP – The IP addresses of the syslog servers where messages are sent. Specify multiple values with
commas.
• SyslogServerProtocol – Specifies the syslog protocol that is used to send audit logs. Specify TCP or UDP. The
default value is UDP.
• SyslogServerPort – The port used to connect to the syslog server. The default value is 514.
• SyslogMessageCodeFilter – Defines which message codes are sent from the vault to McAfee ESM through the
syslog protocol. You can specify message numbers or ranges of numbers, separated by commas. Specify multiple
values with pipelines. By default, all message codes are sent for user and safe activities.
• SyslogTranslatorFile – Specifies the XSL file used to parse CyberArk audit records data into syslog protocol.
Specify multiple values with commas.
• DebugLevel – Determines the level of debug messages. Specify SYSLOG(2) to include syslog xml messages in
the trace file.
• UseLegacySyslogFormat – Controls the format of the syslog message, and defines whether it is sent in a newer
syslog format (RFC 5424) or in a legacy format. The default value is No, which enables working with the newer
syslog format. Specify multiple values with commas.
2. In DBParm.ini, paste the SYSLOG section at the bottom of the file, then rename the file to McAfee.xsl.
3. Copy the relevant XSL translator file from the syslog subfolder of the server installation folder to the location specified in
the SyslogTranslatorFile parameter in DBParm.ini.
Note
During vault installation or upgrade, sample XSL files are copied to the PrivateArk\Server\syslog folder.
4. Make any needed changes to the XSL translator file relevant to the ESM implementation.
5. Stop and start the vault for the changes to take effect.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Fname Filename.Filename
cs4_Database Database_Name.Database_Name
Dhost Destination_Hostname.Destination_Hostname
Spriv Priviledged_User.Priviledged_User
externalId Instance_GUID.Instance_GUID
cs1_Affected_User_Name Destination_UserID.Destination_UserID
App protocol
App application
duser dst_username
suser src_username
cs2_Safe_Name objectname
Dvc src_ip
shost src_ip
Src src_ip
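A CEF parser that feeds the mapping table above, added here as an example that is not part of the guide or of CyberArk's translator: it splits the seven pipe-delimited header fields (honouring the backslash escapes for "|" and "\"), parses the extension key=value pairs (values may contain spaces and escaped "="), rewrites cs1..cs6 custom fields through their csNLabel into the cs1_Affected_User_Name form the table uses, and applies the table. The CEF line is constructed, and giving the first of dvc, shost and src that appears in the record precedence for src_ip is an assumption.

```python
import re

# Mapping table from the guide (keys compared case-insensitively because the
# table mixes "Fname"/"fname" style spellings). "App" appears twice there, for
# protocol and application, so it maps to both. Several keys feed src_ip; the
# first one present in the record wins here, which is an assumption.
ESM_MAP = {
    "fname": ["Filename.Filename"],
    "cs4_database": ["Database_Name.Database_Name"],
    "dhost": ["Destination_Hostname.Destination_Hostname"],
    "spriv": ["Priviledged_User.Priviledged_User"],
    "externalid": ["Instance_GUID.Instance_GUID"],
    "cs1_affected_user_name": ["Destination_UserID.Destination_UserID"],
    "app": ["protocol", "application"],
    "duser": ["dst_username"],
    "suser": ["src_username"],
    "cs2_safe_name": ["objectname"],
    "dvc": ["src_ip"],
    "shost": ["src_ip"],
    "src": ["src_ip"],
}

# Extension values run to the next " key=" token; an escaped "\=" inside a value
# never looks like a key because the backslash sits where "=" would have to follow.
EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)")
_UNESCAPE = {"n": "\n", "r": "\r"}


def split_header(line):
    """Split the 7 pipe-delimited CEF header fields, honouring backslash escapes.
    Returns (fields, extension_text)."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, line[i:]


def parse_extension(text):
    """key=value pairs with the CEF escapes for '=', backslash, newline and CR removed."""
    pairs = {}
    for key, value in EXT_RE.findall(text.strip()):
        pairs[key] = re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), value)
    return pairs


def resolve_labels(ext):
    """Turn cs1Label=Affected User Name / cs1=jdoe into cs1_Affected_User_Name=jdoe,
    the form the guide's mapping table uses; the Label keys themselves are dropped."""
    resolved = {}
    for key, value in ext.items():
        if re.fullmatch(r"cs\d", key) and key + "Label" in ext:
            label = re.sub(r"\s+", "_", ext[key + "Label"].strip())
            resolved[f"{key}_{label}"] = value
        elif not key.endswith("Label"):
            resolved[key] = value
    return resolved


def cef_to_esm(line):
    """Parse one CEF record and map its fields to ESM field names."""
    header, ext_text = split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = resolve_labels(parse_extension(ext_text))
    esm = {}
    for key, value in fields.items():
        for target in ESM_MAP.get(key.lower(), []):
            esm.setdefault(target, value)
    return {"header": header, "fields": fields, "esm": esm}


# Constructed sample; vendor, product, version and signature values are illustrative.
SAMPLE_CEF = (
    r"CEF:0|Cyber-Ark|Vault|9.0|295|Retrieve password|5|"
    r"act=Retrieve password suser=PasswordManager duser=CPM src=192.0.2.10 "
    r"shost=VLT2PI app=PVWA cs1Label=Affected User Name cs1=jdoe "
    r"cs2Label=Safe Name cs2=PROD_RMAPS_OLA_DB fname=Root\\Groups\\RMAPSDBGroup "
    r"msg=Result\=OK"
)

if __name__ == "__main__":
    result = cef_to_esm(SAMPLE_CEF)
    print(result["header"])
    print(result["esm"])
```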
Note
where <SIEM_IP> is the IP address of the McAfee Event Receiver and <FORMAT> is the CEF.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity severity
url link
Src_host Hostname
eventname Message
Damballa Failsafe
1. Log on to the Damballa Failsafe Management Console, then navigate to Setup → Integration Settings.
2. Click the Syslog tab, then select Enable Publishing to Syslog.
3. In the Syslog Hostname field, enter the IP address of the McAfee Event Receiver, then select Enable Syslog Header.
4. In the Syslog Facility and Syslog Severity drop-down lists, select the facility and severity of events to send to the McAfee
Event Receiver.
5. Leave the Syslog Port field blank for the default port of 514, then click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Damballa Failsafe device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
shost Host
proto Protocol
src Source IP
dst Destination IP
externalid Session ID
app Application
cat Object_Type
request URL
msg Message_Text
cs2 Threat_Name
Dell Aventail
4. Click Save, then click Pending Changes to apply the new settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Before 9.2.0:
Hostname Host
Severity Severity
Duration Elapsed_Time
Session ID Session ID
Variable, cleanup, attribute, file, assigned to, Client OS, Client OS Version, policy Object
Hostname Host
Severity Severity
SrcBytes Bytes_Sent
DstBytes Bytes_Received
Duration Elapsed_Time
Session ID Session ID
file Filename
assigned to Destination_Zone
policy Policy_Name
Task
1. Select a receiver.
2. Click the Properties icon.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Dell PowerConnect Switches device:
JAN 01 01:01:01 192.0.2.1-1 TRAPMGR[123456789]: service(123) 1234 %% An invalid user tried to login through Web from 192.0.2.2
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
IP Protocol Protocol
IP Address Source IP
User Username
Severity Severity
Dell SonicOS
1. Log on to the web interface, then select Log → Automation from the navigation menu.
2. In the Syslog Servers section, click Add, then, in the Name or IP Address field, enter the IP address of your McAfee Event
Receiver.
3. In the Port field, enter 514 (the default port for syslog), then click OK.
4. In the Syslog Format list, select Default, then click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a SonicWall device:
Standard Event:
<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" fw=123.45.56.1 pri=1 c=32 m=608 msg="IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable)" sid=310 ipscat=ICMP ipspri=3 n=323984 src=192.168.0.12:53:X1: dst=10.10.0.88:6045:X4:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Management Event:
id Application
mgmtip Source IP
m Signature ID
Standard Event:
pri Severity
m Signature ID
c **Event_Class
Category Category
bytesRx Bytes_Received
bytesTx Bytes_Sent
FQDN Domain
* Only available in ESM 9.2.0 and later ** Values are converted to their text equivalent
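The sample above is a key=value line behind an RFC 3164 priority, with src and dst carrying ip:port:interface triples. The following added example (not McAfee's parser) tokenises such a line and applies the two mapping tables above; the PRI split into facility and severity follows RFC 3164. Field names that are not in the page's tables (Source Port, Source Interface, Destination Port, Destination Interface, Message and the syslog_* keys) are this example's own choices, and the management-style sample is constructed, not a captured log.

```python
"""Parse SonicWall key=value syslog and map it onto the ESM field names in
the table above. Added example, not McAfee's parser. PRI decoding follows
RFC 3164 (facility * 8 + severity). Names not in the page's table (Source
Port, Source Interface, Destination Port, Destination Interface, Message,
and the syslog_* keys) are this example's own choices.
"""
import re

# The page's own sample event, joined onto one line.
SAMPLE_STANDARD = (
    '<129>id=firewall sn=0012ABCD3456 time="2014-01-10 12:11:10 UTC" fw=123.45.56.1 '
    'pri=1 c=32 m=608 msg="IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable)" '
    'sid=310 ipscat=ICMP ipspri=3 n=323984 src=192.168.0.12:53:X1: dst=10.10.0.88:6045:X4:'
)
# Constructed management-style event (illustrative values, not a captured log).
SAMPLE_MANAGEMENT = (
    '<134>id=firewall sn=0012ABCD3456 time="2014-01-10 12:12:00 UTC" fw=123.45.56.1 '
    'pri=6 c=16 m=199 msg="Administrator login allowed" mgmtip=10.0.0.5'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value, where value is either a double-quoted string (with \" escapes) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

STANDARD_MAP = {  # from the Standard Event table above
    "pri": "Severity", "m": "Signature ID", "c": "Event_Class", "Category": "Category",
    "bytesRx": "Bytes_Received", "bytesTx": "Bytes_Sent", "FQDN": "Domain", "id": "Application",
}
MANAGEMENT_MAP = {  # from the Management Event table above
    "id": "Application", "mgmtip": "Source IP", "m": "Signature ID",
}


def split_pri(line):
    """Return (facility, severity, rest); facility/severity are None without a <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def parse_kv(body):
    """Tokenise key=value pairs; quoted values keep their spaces and lose their quotes."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_endpoint(value):
    """SonicWall writes src/dst as ip:port:interface: (note the trailing colon).
    IPv4 only; an IPv6 address would need a different split."""
    parts = value.rstrip(":").split(":")
    ip = parts[0]
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    iface = parts[2] if len(parts) > 2 and parts[2] else None
    return ip, port, iface


def to_esm(line):
    """Map one raw SonicWall line to a dict keyed by ESM field name."""
    facility, severity, body = split_pri(line)
    raw = parse_kv(body)
    is_mgmt = "mgmtip" in raw  # heuristic: management events carry the manager's IP
    mapping = MANAGEMENT_MAP if is_mgmt else STANDARD_MAP
    event = {
        "syslog_facility": facility, "syslog_severity": severity,
        "event_type": "management" if is_mgmt else "standard",
    }
    for src_key, esm_key in mapping.items():
        if src_key in raw:
            event[esm_key] = raw[src_key]
    for key, prefix in (("src", "Source"), ("dst", "Destination")):
        if key in raw:
            ip, port, iface = split_endpoint(raw[key])
            event[prefix + " IP"] = ip
            if port is not None:
                event[prefix + " Port"] = port
            if iface:
                event[prefix + " Interface"] = iface
    if "msg" in raw:
        event["Message"] = raw["msg"]
    # Keep track of what the mapping table does not cover, so parser gaps are visible.
    handled = set(mapping) | {"src", "dst", "msg"}
    event["_unmapped"] = sorted(k for k in raw if k not in handled)
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_STANDARD, SAMPLE_MANAGEMENT):
        print(to_esm(sample))
```

The `_unmapped` list is the useful output when you are checking a new device against the table: anything that turns up there consistently (here sn, fw, sid, ipscat, ipspri, n) is data the mapping silently drops. The Event_Class value is passed through as the raw number because the text-conversion table the footnote refers to is not on this page.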
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
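A wrong Date Order setting does not fail loudly: a date such as 04/05/2018 parses cleanly under both orders and the event simply lands a month away. The following added example (not ESM code) shows which batches of dates pin the order down, when a single device's dates stay ambiguous, and how far an event is displaced by the wrong choice. The sample dates are constructed.

```python
"""What the Date Order setting decides for a numeric date such as 04/05/2018.
Added example, not ESM code; it shows which batches of dates pin the order
down and how far off an event lands when the wrong order is configured.
"""
from datetime import datetime

MONTH_FIRST = "month_first"  # ESM "Default" / "Month before day"
DAY_FIRST = "day_first"      # ESM "Day before month"


def parse_numeric_date(text, order=MONTH_FIRST):
    """Parse dd/mm/yyyy or mm/dd/yyyy according to the configured order."""
    a, b, year = (int(part) for part in text.split("/"))
    month, day = (a, b) if order == MONTH_FIRST else (b, a)
    return datetime(year, month, day)  # raises ValueError if the order cannot apply


def possible_orders(text):
    """Orders under which this one date is a valid calendar date."""
    a, b, _ = (int(part) for part in text.split("/"))
    orders = set()
    if 1 <= a <= 12 and 1 <= b <= 31:
        orders.add(MONTH_FIRST)
    if 1 <= b <= 12 and 1 <= a <= 31:
        orders.add(DAY_FIRST)
    return orders


def infer_order(samples):
    """Narrow the order over a batch of dates from one data source.
    Returns 'month_first', 'day_first', 'ambiguous' (every sample fits both)
    or 'inconsistent' (no single order fits all samples, e.g. mixed clients)."""
    candidates = {MONTH_FIRST, DAY_FIRST}
    for text in samples:
        candidates &= possible_orders(text)
        if not candidates:
            return "inconsistent"
    return next(iter(candidates)) if len(candidates) == 1 else "ambiguous"


def skew_days(text):
    """Days between the two readings of an ambiguous date, or None if only one reading is valid."""
    try:
        a = parse_numeric_date(text, MONTH_FIRST)
        b = parse_numeric_date(text, DAY_FIRST)
    except ValueError:
        return None
    return abs((a - b).days)


if __name__ == "__main__":
    # constructed samples
    print(infer_order(["23/04/2018", "05/04/2018"]))  # day_first
    print(infer_order(["04/05/2018"]))                # ambiguous
    print(skew_days("04/05/2018"))                    # 29
```

An "inconsistent" result is the case to watch for with client data sources: if clients behind one parent write dates in different orders, no single parent setting is right, and the clients that differ need their own setting rather than inheriting the parent's.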
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from a MEAS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
CAT Catalog_Name
Cmd FTP_Command
DEPT Organizational_Unit
dproc Application
dprot Access_Resource
dst Destination IP
FileType File_Type
fname Destination_Filename
fname Filename
host Host
Jobtype Job_Type
LUName Logical_Unit_Name
name Rule_Name
Number.of.Bytes *Bytes_Sent
pgname Application
Plan DB2_Plan_Name
proto protocol
Reason Reason
severity severity
shost LPAR_DB2_Subsystem
src Source IP
sntdom Domain
SQLSTMT SQL_Statement
Step/Stepname Step_Name
StepCount Step_Count
suid Source_UserID
TYPE Command
VOLS Volume_ID
Dragos
Option Description
Name Choose a descriptive name for the server.
Hostname/IP The hostname or IP address of the McAfee Event Receiver that accepts the syslog stream.
Port The port configured for the Receiver in ESM.
Protocol TCP
Source Hostname Accept the default value or assign your own.
Source Process Accept the default value or assign your own.
Message Format RFC 3164 BSD Syslog
Message Delimiter Use newline delimiter for TCP and TLS streams
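The three settings that matter for interoperability here are RFC 3164 BSD Syslog, TCP, and the newline delimiter. TCP carries a byte stream with no message boundaries, so the Receiver can only find the end of one event by the delimiter the sender promises to put there. The following added example (not Dragos or McAfee code) builds RFC 3164 lines the way a forwarder does, splits a TCP stream back into messages on the newline delimiter, including a chunk boundary that falls mid-message, and parses the header. The facility/tag/host values and the fixed timestamp are constructed.

```python
"""RFC 3164 over a newline-delimited TCP stream, both sides.
Added example; not Dragos or McAfee code. Facility and severity numbers
follow RFC 3164; hostnames, tags and the fixed timestamp are constructed.
"""
import re
from datetime import datetime

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_rfc3164(facility, severity, hostname, tag, msg, ts=None):
    """Sender side: '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG' plus the newline delimiter."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = ts or datetime(2018, 4, 23, 12, 0, 0)  # fixed constructed time, reproducible output
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    # A raw newline inside the message would end the frame early at the Receiver,
    # so it is escaped rather than shipped.
    msg = msg.replace("\r", "\\r").replace("\n", "\\n")
    return "<%d>%s %s %s: %s\n" % (pri, stamp, hostname, tag, msg)


HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: ?(.*)$")


def parse_rfc3164(line):
    """Receiver side: split PRI into facility/severity and pull out the header fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "pid": m.group(5), "msg": m.group(6)}


class NewlineFramer:
    """Cuts a TCP byte stream into messages on '\\n' and keeps the unfinished tail."""

    def __init__(self, max_len=64 * 1024):
        self.buf = b""
        self.max_len = max_len

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while True:
            i = self.buf.find(b"\n")
            if i < 0:
                break
            out.append(self.buf[:i].rstrip(b"\r").decode("utf-8", "replace"))
            self.buf = self.buf[i + 1:]
        if len(self.buf) > self.max_len:
            # A peer that never sends the delimiter must not grow the buffer without bound.
            raise ValueError("frame exceeds %d bytes without delimiter" % self.max_len)
        return out


def demo():
    """Two constructed events sent as one stream, delivered in two arbitrary chunks."""
    stream = (build_rfc3164("local0", "info", "dragos-platform", "dragos", "Threat behavior detected")
              + build_rfc3164("local0", "alert", "dragos-platform", "dragos", "line one\nline two")).encode()
    framer = NewlineFramer()
    messages = framer.feed(stream[:10]) + framer.feed(stream[10:])  # cut lands mid-header
    return [parse_rfc3164(m) for m in messages]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

If Require Syslog TLS is set on the Receiver data source, a forwarder configured with Protocol TCP is sending cleartext and will not be accepted; the two settings have to agree. Newline framing is the "non-transparent framing" of RFC 6587; the alternative, octet counting, prefixes each message with its length and is the only way to carry a literal newline inside an event.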
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 0
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Port 514
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity Severity
type Category
occurredAt firsttime
occurredAt lasttime
shost HostID
sntdom DomainID
src_ip src_ip
smac src_mac
dst_ip dst_ip
dmac dst_mac
externalId External_SessionID
msg Message_Text
matchedRuleId Policy_ID
community_rule_name Rule_Name
Caution
Some versions of Sentinel IPS have different setup methods for remote syslog than other versions of the same product. See
the corresponding documentation for your version of Sentinel IPS.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is the log layout of an Econet Sentinel IPS device (pipe-delimited fields):
Timestamp | Src | Src Port | Dst | Dst Port | Severity | Attack Description
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Source Source IP
Dst Destination IP
Severity Severity
1. Log on to the iPrism Web Security configuration web console, then click System Settings → Event Logging.
2. Select Enable event logging using Syslog, then, in the Syslog Host field, enter the IP address of the McAfee Event
Receiver.
3. In the Syslog Port field, enter 514, then click Save and Activate Changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from an EdgeWave iPrism Web Security device. The fields are space separated, in this order:
<priority> <date> <time> <device> <type> <protocol> <time> <action> <IP> <profile> <user> <bandwidth> <URL> <rating> <duration> <method> <status> <mime>
<123>Jan 01 01:01:01 iprism: WEB http 978310861 P 192.0.2.1 Block-User domain\username 123 http://example.com/sub web search 0 HTTPGET 200 image/gif
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Rating Message
IP Source IP
Protocol Application
Mime Object
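The iPrism layout is positional, but the sample shows the catch: the rating field ("web search") contains a space, so a naive split on whitespace shifts every field after it. The following added example (not McAfee's parser) anchors the fixed fields from both ends of the line and takes whatever is left in the middle as the rating, then applies the four mappings above. Splitting the user column into domain and user is this example's own choice, not something the page's table defines; the second sample line is constructed.

```python
"""Positional parser for the iPrism Web Security syslog layout above.
Added example, not McAfee's parser. The fixed columns are taken from the
head and the tail of the line so a multi-word rating cannot shift them.
"""
import ipaddress
import re

# The page's own sample line (domain\username has a single backslash).
SAMPLE = ("<123>Jan 01 01:01:01 iprism: WEB http 978310861 P 192.0.2.1 Block-User "
          "domain\\username 123 http://example.com/sub web search 0 HTTPGET 200 image/gif")

# <priority> is glued to the month, and <date> is "Mon dd", so the head is 13 tokens.
HEAD = ["pri_month", "day", "time", "device", "type", "protocol", "epoch",
        "action", "ip", "profile", "user", "bandwidth", "url"]
TAIL = ["duration", "method", "status", "mime"]
PRI_MONTH = re.compile(r"^<(\d{1,3})>([A-Za-z]{3})$")


def parse_iprism(line):
    """Return a dict of named fields; raise ValueError on a line that cannot be this layout."""
    tokens = line.split()
    minimum = len(HEAD) + len(TAIL) + 1  # at least one token for the rating
    if len(tokens) < minimum:
        raise ValueError("expected at least %d fields, got %d" % (minimum, len(tokens)))
    rec = dict(zip(HEAD, tokens[:len(HEAD)]))
    rec.update(zip(TAIL, tokens[-len(TAIL):]))
    rec["rating"] = " ".join(tokens[len(HEAD):-len(TAIL)])  # everything between the anchors
    m = PRI_MONTH.match(rec.pop("pri_month"))
    if not m:
        raise ValueError("bad priority/month token")
    rec["priority"] = int(m.group(1))
    rec["date"] = "%s %s" % (m.group(2), rec.pop("day"))
    rec["device"] = rec["device"].rstrip(":")
    ipaddress.ip_address(rec["ip"])  # ValueError if the IP column is not an address
    rec["epoch"] = int(rec["epoch"])
    rec["status"] = int(rec["status"])
    if "\\" in rec["user"]:  # example's own split, not in the page's mapping
        rec["domain"], rec["user"] = rec["user"].split("\\", 1)
    return rec


def is_well_formed(line):
    try:
        parse_iprism(line)
        return True
    except ValueError:
        return False


# iPrism field -> ESM field, from the table above.
ESM_MAP = {"rating": "Message", "ip": "Source IP", "protocol": "Application", "mime": "Object"}


def to_esm(rec):
    return {esm: rec[src] for src, esm in ESM_MAP.items() if src in rec}


if __name__ == "__main__":
    print(to_esm(parse_iprism(SAMPLE)))
```

The same anchor-from-both-ends approach is what you want whenever exactly one column of a positional format is free text; if two columns could both contain spaces, the layout is not parseable without delimiters and the device should be configured to quote or encode them.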
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from an Enforcive Cross-Platform Audit device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
EventID Signature ID
Severity Severity
cat Category
Dhost Destination_Hostname
src Source IP
dst Destination IP
Application Application
Dproc Target_Process_Name
Message Message_Text
Entrust IdentityGuard
1. In the Entrust Identity Guard Properties Editor, click System Logging Appenders from the Table of Contents.
2. In the SYSTEM_SYSLOG Host Name field, enter the IP address of the McAfee Event Receiver.
3. To specify a port other than the standard syslog UDP port, add a colon and the port number at the end of the IP address
(for example, 192.0.2.1:514).
4. Click Validate → Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from an Entrust IdentityGuard device. The fields are in this order:
<Priority> <Date> <Time> <IP> <Log Type> <Severity> <Log ID> <Domain> <User> <Message>
<123>Jan 1 01:01:01 196.0.2.1 [Audit Writer] [INFO ] [IG.AUDIT] [AUD3003] [DOMAIN/user] One time password with index 4 created for user DOMAIN/user. Expiry Date: 2001-01-01 01\:01\:01
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Description Message
IP Source IP
Description Action
Domain Domain
Replace <ip_address> with the McAfee Event Receiver IP address. Replace <vr_name> with the virtual router name. Replace <local0 ... local7> with the local syslog facility you want to send to the McAfee Event Receiver.
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> DefaultFilter severity Debug-Data
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> match Any
configure log target syslog <ip_address>:514 vr <vr_name> <local0 ... local7> format timestamp seconds date Mmm-dd event-name none process-slot priority tag-name
The configured target must also be enabled (enable log target syslog with the same address, virtual router and facility) before any events are sent; Debug-Data is the most verbose severity, so expect the full event volume at the Receiver and tighten the severity once the data source is confirmed to parse.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log samples
These are sample logs from the device:
<123> Jan 01 01:01:01 AAA: MSM-A: Login failed for user Bob through ssh (192.0.2.0/24)
<123> Jan 01 01:01:02 AAA: MSM-A: User Bob logout from ssh (192.0.2.0/24)
<123> Jan 01 01:01:03 AAA: MSM-A: Login passed for user Bob through ssh (192.0.2.0/24)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Severity Severity
Action Action
Application Application
Source IP Source IP
Destination IP Destination IP
Object Object
Task
1. Log on to the F5 Networks FirePass Admin Console, then navigate to Device Management → Maintenance → Logs.
2. In the System Logs menu, select Enable Remote Log Server, and verify that Enable Extended System Logs is deselected.
3. In the Remote Host field, type the IP address of the McAfee Event Receiver.
4. In the Log Level drop-down list, select Information.
5. In the Kernel Log Level drop-down list, select Information, then click Apply System Changes to save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, indicating that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from an F5 Networks FirePass SSL VPN device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
hostname Host
domain Domain
session Session ID
group Command
Sid Object
Email To
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
510 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources
Option Definition
Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version
Date Order
Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in Use this option when you are exporting raw data source data.
NitoFile
format
Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 511
5| Configuring 3rd-party data sources
Option Definition
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
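The Date Order option decides how a slash-separated date such as 04/03/2018 is read, and a wrong choice either rejects events or silently mis-timestamps them. This added Python example (not from the guide) models the three settings, the parent inheritance for client data sources, and a check that separates rejected from ambiguous dates; the setting names and the check function are this example's own.

```python
"""Added example, not from the McAfee ESM guide: how the Date Order setting
changes the reading of a slash-separated date, and how a wrong setting is
detected. Setting names and the check function are this example's own."""
from datetime import date
from typing import Dict, List, Optional

MONTH_BEFORE_DAY = "month_before_day"
DAY_BEFORE_MONTH = "day_before_month"
DEFAULT = "default"


def resolve_order(setting: str, parent_order: Optional[str] = None) -> str:
    """Effective order: Default means month before day, except that a client
    data source on Default inherits its parent's explicit order."""
    if setting != DEFAULT:
        return setting
    if parent_order in (MONTH_BEFORE_DAY, DAY_BEFORE_MONTH):
        return parent_order
    return MONTH_BEFORE_DAY


def parse_date(text: str, order: str) -> date:
    """Parse 'a/b/yyyy' under the given order. Raises ValueError when the order
    produces an impossible date, e.g. month 23 for "23/04/2018" read as
    month before day."""
    a, b, year = (int(p) for p in text.split("/"))
    if order == MONTH_BEFORE_DAY:
        month, day = a, b
    elif order == DAY_BEFORE_MONTH:
        day, month = a, b
    else:
        raise ValueError(f"unresolved date order: {order}")
    return date(year, month, day)


def check_date_order(samples: List[str], order: str) -> Dict[str, List[str]]:
    """Classify sample dates under `order`: 'rejected' ones cannot be parsed
    (a loud sign the order is wrong), 'ambiguous' ones have both fields <= 12
    and would parse either way (the silent mis-timestamping risk), the rest
    are 'ok'."""
    result: Dict[str, List[str]] = {"ok": [], "rejected": [], "ambiguous": []}
    for s in samples:
        a, b, _ = (int(p) for p in s.split("/"))
        try:
            parse_date(s, order)
        except ValueError:
            result["rejected"].append(s)
            continue
        result["ambiguous" if a <= 12 and b <= 12 else "ok"].append(s)
    return result


if __name__ == "__main__":
    # The guide's two example dates plus one that is valid under both orders.
    samples = ["04/23/2018", "23/04/2018", "04/03/2018"]
    print(check_date_order(samples, resolve_order(DEFAULT)))
```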
Fidelis XPS
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<action> <alert UUID> <compression> <destination address> <destination port> <filename> <from> <group> <policy> <protocol> <rule> <sensor IP> <sensor name> <severity> <source address> <source port> <subject> <summary> <time> <to> <user>
Log sample
This is a sample log from a Fidelis XPS device:
alert aabbccdd-eeff-1122-3344-5566778899aa 0 192.0.2.1 123 <n/a> <n/a> default POLICY TLS Expired SSL Certificate 127.0.0.1 sensor1 Medium 192.0.2.2 456 <n/a> Invalid SSL certificate detected from 192.0.2.3 2001-01-01 01:01:01 <n/a> <n/a>
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
rule                 Message
proto                Protocol
srcaddr              Source IP
dstaddr              Destination IP
severity             Severity
filename             Filename
from                 From
to                   To
subject              Subject
Task
enable
configure terminal
Replace <SIEM-name> with a short name without spaces to identify the server.
write memory
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Log sample
This is a sample log from a FireEye Malware Protection System device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
cn2                  Protocol
src                  Source IP
dst                  Destination IP
cn1                  VLAN
cs1                  Message
msg                  Application
cs2                  Command
cat                  Object
cs4                  URL
cs3                  Operating_System
filepath             File_Path
filehash             File_Hash
1. From the AirMagnet Policy Notification List, select Syslog to open the Syslog Notification dialog box.
2. In the Notification Name field, enter a unique notification name.
3. In the Generation drop-down list, select an interval to generate notifications.
4. In the Syslog server name field, enter the fully qualified domain name (FQDN) or IP address of the McAfee Event Receiver.
5. In the Facility code drop-down list, select the type of messages you want to send.
6. In the Protocol area, select UDP, then enter the port used on the McAfee Event Receiver for receiving syslog (default is
514).
7. Click OK to save and close.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<date time> <device name> <message> <sensor> <location> <description> <source MAC> <SSID>
Log sample
This is a sample log from a Fluke Networks AirMagnet Enterprise device:
<123>Jan 01 01:01:01 deviceName deviceName Alert: Rogue AP by MAC address (ACL) from sensor SensorName, Location: location, Description: , Source MAC: A1:B2:C3:D4:E5:F6, Channel: 123
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
SSID                 Host
Sensor               Object
Task
logging 192.0.2.1
3. Save changes:
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Force10 Networks FTOS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Service              Application
IP Address           Source IP
Severity             Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",Facility="Cluster protocol",Type="Diagnostic",Event="Cluster protocol event",CompId="148",InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field      McAfee ESM field
ReceptionTime          firsttime/lasttime
NodeId                 Device_IP.Device_IP
Facility               application
Type/AlertSeverity     severity
Action                 action
Src                    src_ip
Dst                    dst_ip
Protocol               protocol
SrcPort/IcmpType       src_port
DstPort/IcmpCode       dst_port
SrcIF                  Interface.Interface
AccTxBytes             Bytes_Sent.Bytes_Sent
AccRxBytes             Bytes_Received.Bytes_Received
Username/AuthName      src_username
Sendertype             objectname
Situation              sid
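The key="value" record above together with this mapping table is enough to write a parser. This added Python example (not the guide's or Forcepoint's code) parses the guide's sample record plus a constructed connection-log record and applies the mapping; it assumes values never contain a double quote and that key names are matched case-insensitively (the table writes Sendertype, the sample SenderType).

```python
"""Added example (not the guide's or Forcepoint's code): parse a Forcepoint
Stonesoft key="value" record and apply the guide's field mapping to produce
McAfee ESM fields."""
import re
from typing import Dict, List

# One Key="value" pair. Values may contain commas, colons and spaces but, by
# assumption, never a double quote (the format shows no escaping).
_PAIR = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')

# ESM field -> candidate source keys, first present wins. Taken from the
# guide's mapping table; "Type/AlertSeverity" means either key feeds severity.
# Keys are compared case-insensitively (assumption: the table writes
# "Sendertype" while the sample writes "SenderType").
FIELD_MAP: Dict[str, List[str]] = {
    "firsttime": ["ReceptionTime"],
    "lasttime": ["ReceptionTime"],
    "Device_IP": ["NodeId"],
    "application": ["Facility"],
    "severity": ["Type", "AlertSeverity"],
    "action": ["Action"],
    "src_ip": ["Src"],
    "dst_ip": ["Dst"],
    "protocol": ["Protocol"],
    "src_port": ["SrcPort", "IcmpType"],
    "dst_port": ["DstPort", "IcmpCode"],
    "Interface": ["SrcIF"],
    "Bytes_Sent": ["AccTxBytes"],
    "Bytes_Received": ["AccRxBytes"],
    "src_username": ["Username", "AuthName"],
    "objectname": ["Sendertype"],
    "sid": ["Situation"],
}


def parse_record(line: str) -> Dict[str, str]:
    """Split a record into its raw key/value pairs, keys lower-cased."""
    pairs = {k.lower(): v for k, v in _PAIR.findall(line)}
    if not pairs:
        raise ValueError('no key="value" pairs found')
    return pairs


def to_esm_fields(line: str) -> Dict[str, str]:
    """Return only the ESM fields this record can populate."""
    raw = parse_record(line)
    out: Dict[str, str] = {}
    for esm_field, candidates in FIELD_MAP.items():
        for key in candidates:
            if key.lower() in raw:
                out[esm_field] = raw[key.lower()]
                break
    return out


# The guide's sample record, rejoined onto one line.
GUIDE_SAMPLE = (
    'Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",'
    'Facility="Cluster protocol",Type="Diagnostic",Event="Cluster protocol event",'
    'CompId="148",InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",'
    'ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",'
    'Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"'
)

# A constructed connection-log record (not from the guide) that exercises the
# alternative keys in the mapping table (IcmpType/IcmpCode, AuthName).
CONSTRUCTED_SAMPLE = (
    'Timestamp="2013-11-21 00:00:01",NodeId="10.1.0.2",Facility="Packet Filtering",'
    'Type="Notification",Action="Discard",Src="192.0.2.10",Dst="198.51.100.5",'
    'Protocol="ICMP",IcmpType="8",IcmpCode="0",SrcIF="0",AccTxBytes="84",'
    'AccRxBytes="0",AuthName="alice",SenderType="Firewall",Situation="Connection_Discarded"'
)

if __name__ == "__main__":
    for rec in (GUIDE_SAMPLE, CONSTRUCTED_SAMPLE):
        for field, value in to_esm_fields(rec).items():
            print(f"{field:15} {value}")
        print()
```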
Forcepoint Websense
After you install or enable Websense Multiplexer, activate and configure McAfee ESM integration on TRITON - Web Security.
Follow this procedure for each Policy Server instance in your deployment.
Task
1. Navigate to Settings → General → SIEM Integration and select Enable SIEM integration for this Policy Server.
2. Provide the IP address or host name of the system hosting McAfee ESM, then provide the communication port to use for
sending McAfee ESM data.
3. Specify the transport protocol (UDP or TCP) to use when sending data to McAfee ESM, then select the McAfee ESM format
to determine the syntax of the string used to pass log data to the integration.
4. From the available options, select the CEF format, then click OK to cache your changes.
5. To implement the changes, click Save and Deploy.
Results
When the changes are saved, Websense Multiplexer connects to Filtering Service and distributes the log data to both Log Server
and the selected McAfee ESM integration.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
The expected format for this device is Common Event Format (CEF).
Log sample
This is a sample log from a Websense device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field           McAfee ESM field
act                         Action
severity                    Severity
cat                         Category
src                         Source IP
dst                         Dest. IP
spt                         Source IP
destinationTranslatedPort   Nat_Details
requestMethod               Method
request                     URL
in                          Bytes_Received
out                         Bytes_Sent
cn2_ScanDuration            Elapsed_Time
fname                       Filename
cat                         Category
sourceServiceName           Service_Name
request                     URL
dhost                       Web_Domain
app                         Protocol
dst                         Dest. IP
src                         Source IP
Cn1_DispositionCode         Signature ID
EventID                     External_EventID
ForeScout CounterACT
Task
1. From the ForeScout website, download the ForeScout plug-in for integration with the McAfee ESM.
2. In the CounterACT software, click Options from the toolbar, then click Plugins.
3. Click Install and navigate to the plug-in file that you downloaded, then click Install.
The plug-in appears in the Plugins list.
4. Select the McAfee ESM plug-in, then click Configure.
5. Select the devices that need to be configured to send events to the McAfee Event Receiver, then click OK to open the
Configuration window.
6. In the Server Address field, enter the IP address of the McAfee Event Receiver.
7. In the Syslog Port field, enter 514, then click OK to save and exit.
Task
1. Select a receiver.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device that forwards events in ESM Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<Priority> <device name>[<event ID>]: <log type> <source IP> <rule> <policy> <match> <category> <details> <reason> <added>
Log sample
This is a sample log from a ForeScout CounterACT device:
<123>CounterACT[12345]: NAC Policy Log: Source: 192.0.2.1, Rule: Policy "AntiVirus Compliance" , Match: "AV Not Running:Match", Category: Not Compliant, Details: Host evaluation changed from "AV Not Installed:Match" to "AV Not Running:Match" due to condition . Reason: Property update: AntiVirus Installed: Added: AV Software.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Event ID             Session ID
Destination          Destination IP
Policy               Application
command              Command
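The CounterACT line above is a labelled syslog message, and its labels are not separated uniformly (", " before most, ". " before Reason). This added Python example (not the guide's or ForeScout's code) locates the labels of the guide's log format by position, decodes the syslog priority, and applies the mapping table; splitting the policy name out of the Rule text is this example's own assumption based on the sample.

```python
"""Added example (not the guide's or ForeScout's code): parse a ForeScout
CounterACT syslog line into the fields of the guide's log format and apply
the guide's mapping (event ID -> Session ID, policy -> Application)."""
import re
from typing import Dict, Optional

# <PRI>device[eventid]: body
_HEADER = re.compile(r"^<(\d{1,3})>(\S+?)\[(\d+)\]:\s*(.*)$", re.DOTALL)
# Labels from the guide's format. Text before the first label is the log type.
_LABEL = re.compile(
    r"\b(Source|Destination|Rule|Match|Category|Details|Reason|Added): "
)


def parse_counteract(line: str) -> Dict[str, object]:
    """Split the line into header fields plus one entry per labelled value."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a CounterACT syslog line")
    pri = int(m.group(1))
    fields: Dict[str, object] = {
        "priority": pri,
        "facility": pri // 8,  # RFC 3164 PRI = facility * 8 + severity
        "severity": pri % 8,
        "device_name": m.group(2),
        "event_id": m.group(3),
    }
    body = m.group(4)
    labels = list(_LABEL.finditer(body))
    head = body[: labels[0].start()] if labels else body
    fields["log_type"] = head.strip().rstrip(":")
    for i, lab in enumerate(labels):
        end = labels[i + 1].start() if i + 1 < len(labels) else len(body)
        # Values end with ", " or ". " before the next label; strip that.
        value = body[lab.end():end].strip().rstrip(" ,.:").strip()
        fields[lab.group(1).lower()] = value
    # Assumption from the sample: Rule reads 'Policy "<name>"', so the quoted
    # name is the <policy> field of the guide's format.
    rule = fields.get("rule")
    if isinstance(rule, str):
        pm = re.match(r'Policy\s+"([^"]+)"', rule)
        fields["policy"] = pm.group(1) if pm else None
    return fields


def to_esm_fields(line: str) -> Dict[str, Optional[str]]:
    """Apply the guide's mapping table for this data source."""
    f = parse_counteract(line)
    return {
        "Session ID": str(f["event_id"]),
        "Application": f.get("policy"),          # type: ignore[arg-type]
        "Destination IP": f.get("destination"),  # type: ignore[arg-type]
        "Command": f.get("command"),             # type: ignore[arg-type]
    }


# The guide's sample line, rejoined onto one line.
GUIDE_SAMPLE = (
    '<123>CounterACT[12345]: NAC Policy Log: Source: 192.0.2.1, '
    'Rule: Policy "AntiVirus Compliance" , Match: "AV Not Running:Match", '
    'Category: Not Compliant, Details: Host evaluation changed from '
    '"AV Not Installed:Match" to "AV Not Running:Match" due to condition . '
    'Reason: Property update: AntiVirus Installed: Added: AV Software.'
)

if __name__ == "__main__":
    for k, v in parse_counteract(GUIDE_SAMPLE).items():
        print(f"{k:12} {v}")
    print(to_esm_fields(GUIDE_SAMPLE))
```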
See the ArcSight product documentation for setup instructions about sending syslog data to a remote server. Use the IP address
of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway. An import without the checksum check has no integrity protection, so accept it only for files that arrived over a trusted path.
Log sample
This is a sample log from a ForeScout CounterACT device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Dpt: Protocol
Dst: Destination IP
dproc: Application
sntdom: Domain
request: URL
filePath: Subject
Fortinet FortiGate
Note
The preferred format is space-delimited logs, but you can also use comma-separated logs.
Task
Note
If you already have a syslog server configured in the FortiGate UTM, you can still add up to a total of three syslog servers in the configuration by changing the first line to config log syslogd2 setting or config log syslogd3 setting.
For more information, see FortiOS™ Handbook Logging and Reporting for FortiOS 6.0 under the section, Advanced Logging.
3. Click Apply.
548 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: Default
Time Zone: The value must be (GMT,00:00) Greenwich Mean Time because the receiver parses the time from the eventtime field within the log, which is in the UTC/GMT time zone.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log fields, in order: computer, date, time, IP protocol, source, destination, original client IP, source network, destination network, action, status, rule, application protocol, bytes sent, bytes sent intermediate, bytes received, bytes received intermediate, connection time, connection time intermediate, username, agent, session ID, connection ID.
Log sample
This is a sample log from a Fortinet FortiGate UTM device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer: Hostname
IP Protocol: Protocol
Source: Source IP
Destination: Destination IP
Fortinet FortiMail
Option definitions
Facility: Displays the facility identifier that the FortiMail unit uses to identify itself.
2. Select Enabled to allow logging to a remote host, then, in Profile name, enter a profile name.
3. In IP, enter the IP address of the syslog server where FortiMail stores the logs.
4. In Port, enter 514 for syslog (default is UDP).
5. In Level, select the severity level that a log message must equal or exceed to be recorded to this location.
6. In Facility, select the facility identifier that the FortiMail unit uses to identify itself when sending log messages.
7. To easily identify log messages from the FortiMail unit, enter a unique facility identifier, then verify that no other network
devices use the same facility identifier.
8. Deselect CSV format.
9. In Logging Policy Configuration, enable the types of logs that you want to record to this storage location, then click
Create.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Statistics:
Config:
System:
Update:
SMTP:
Admin:
HA:
Webmail:
Antivirus:
Antispam:
Encryption:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
dst_ip: Destination IP
src: Source IP
pri: Severity
session_id: Message_ID
to: To
from: From
direction: Direction
domain: Domain
virus: Threat_Name
subject: Subject
log_id: External_EventID
device_id: External_SessionID
mailer: Application
dictionary: Category
hash: File_Hash
file: Filename
interface: Interface
group: Group_Name
pid: PID
daemon: Process_Name
proto: Protocol
reason: Reason
score: Spam_Score
url: URL
alias: User_Nickname
Fortinet FortiManager
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Fortinet FortiManager device:
<123>date=2001-01-01 time=12:01:01,devname=device,device_id=ABC123,log_id=0123456789,type=example,subtype=example,pri=example,user=username; msg="Message Text; firmware=12345678; type=ABCD1234; version=1.0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
devname: Host
log_id: Object
subtype: Application
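An added example (not code from the guide or from Fortinet) that covers three points from the Fortinet sections: the FortiGate note that logs may be space-delimited or comma-separated, the FortiGate Time Zone requirement that eventtime is parsed as UTC, and the FortiManager and FortiMail field mapping tables. The sample records are constructed: the FortiManager one follows the guide's sample with its broken line and quoting repaired, and the FortiGate and FortiMail ones are invented for the example. The nanosecond handling in event_time_utc is an assumption about later FortiOS releases, not something the guide states.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not captured from live devices).
FORTIMANAGER_LINE = (
    '<123>date=2001-01-01 time=12:01:01,devname=device,device_id=ABC123,'
    'log_id=0123456789,type=example,subtype=example,pri=example,'
    'user=username,msg="Message Text"'
)
FORTIGATE_SPACE = (
    '<189>date=2018-04-23 time=10:15:30 devname="fw1" devid="FG100E0000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'eventtime=1524478530 srcip=10.0.0.5 dstip=192.0.2.10 '
    'msg="quoted value, with a comma"'
)
FORTIGATE_COMMA = (
    '<189>date=2018-04-23,time=10:15:30,devname="fw1",devid="FG100E0000000000",'
    'logid="0000000013",type="traffic",subtype="forward",level="notice",'
    'eventtime=1524478530,srcip=10.0.0.5,dstip=192.0.2.10,'
    'msg="quoted value, with a comma"'
)
FORTIMAIL_LINE = (
    '<131>date=2018-04-23 time=10:15:31 device_id=FE000000000000 log_id=0200001234 '
    'type=spam subtype=default pri=information session_id="v3N0001234-v3N0001234" '
    'from="alice@example.com" to="bob@example.net" src=198.51.100.7 '
    'dst_ip=192.0.2.25 score=12.5 reason="dictionary" subject="Quarterly report"'
)

# key=value pairs separated by whitespace or commas; quoted values may contain either.
PAIR_RE = re.compile(r'(?:^|[\s,])(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')

# ESM field names taken from the guide's FortiManager and FortiMail mapping tables.
FORTIMANAGER_MAP = {"devname": "Host", "log_id": "Object", "subtype": "Application"}
FORTIMAIL_MAP = {
    "dst_ip": "Destination IP", "src": "Source IP", "pri": "Severity",
    "session_id": "Message_ID", "to": "To", "from": "From", "domain": "Domain",
    "virus": "Threat_Name", "subject": "Subject", "log_id": "External_EventID",
    "device_id": "External_SessionID", "mailer": "Application", "hash": "File_Hash",
    "file": "Filename", "reason": "Reason", "score": "Spam_Score", "url": "URL",
}


def parse_fortinet(line):
    """Parse one Fortinet key=value record into a dict.

    Accepts both the space-delimited and the comma-separated form the FortiGate
    note describes; an optional <PRI> prefix is split into facility and severity.
    """
    rec = {}
    m = re.match(r"^<(\d{1,3})>", line)
    if m:
        pri = int(m.group(1))
        rec["_facility"], rec["_severity"] = pri // 8, pri % 8
        line = line[m.end():]
    for key, val in PAIR_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def event_time_utc(rec):
    """Return the record's eventtime as an aware UTC datetime, or None.

    eventtime is an epoch value in UTC, which is why the guide requires the data
    source time zone to be GMT. Assumption for this example: values above 10**12
    are nanoseconds (later FortiOS releases) rather than seconds (FortiOS 6.0).
    """
    raw = rec.get("eventtime")
    if raw is None:
        return None
    n = int(raw)
    if n > 10**12:
        n //= 10**9
    return datetime.fromtimestamp(n, tz=timezone.utc)


def to_esm(rec, mapping):
    """Rename the raw keys present in rec to their ESM field names."""
    return {esm: rec[key] for key, esm in mapping.items() if key in rec}


if __name__ == "__main__":
    print(to_esm(parse_fortinet(FORTIMANAGER_LINE), FORTIMANAGER_MAP))
    print(event_time_utc(parse_fortinet(FORTIGATE_SPACE)).isoformat())
    print(to_esm(parse_fortinet(FORTIMAIL_LINE), FORTIMAIL_MAP))
```

Because the tokenizer matches key=value pairs rather than splitting on a delimiter, the same function handles both delimiter styles and keeps commas inside quoted msg values intact; converting eventtime with tz=timezone.utc is what the Time Zone setting above does on the Receiver.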
1. From the main Fortscale interface, navigate to System Configuration → System → Alert Forwarding via Syslog.
2. Toggle Enable Forwarding to Yes.
3. For Forwarding Type, select Alerts.
4. In the IP field, enter the IP address for the McAfee Event Receiver.
5. In the Port field, type the port where the McAfee Event Receiver is listening. Default is 514.
6. Under Selective Forwarding: Alert Severity, check which alert severities to forward.
7. Under Selective Forwarding: User Tags, check which tags to filter for forwarded events.
8. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Fortscale device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Severity: Severity
Comment: Message_Text
FreeRADIUS
Configure FreeRADIUS
Task
logdir = syslog
log_destination = syslog
log {
        destination = syslog
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}
where 10.10.3.21 is the IP address or host name of the McAfee Event Receiver, and “example1” is the facility to be used with FreeRADIUS in the next step.
-l syslog
-g example1
where “example1” is the facility name that you have chosen to use (a syslog facility such as local0 through local7, and one that no other device on the Receiver uses, so that FreeRADIUS events can be told apart).
Add FreeRADIUS
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: 32
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Gigamon GigaVUE
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Gigamon GigaVUE device:
<123>Original Address=192.0.2.1 Jan 1 01:01:01 hostname application: Packet Drop port 12 drop 123 packets
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname: Host
Application: Application
The McAfee Collector is used to send the Globalscape logs to McAfee ESM. See the McAfee Collector documentation for
configuration help.
Task
1. In the administration interface, connect to EFT, then click the Server tab.
2. Click the Server node, set the log level to Diagnostic, then select Generic log tail for the client.
3. In the right pane, click the Logs tab.
4. In Log File Settings folder in which to save log files box, type the path to the directory in which to save this server's log files.
To browse for a path, click the folder icon.
5. In the Log file format list, click W3C Extended, Microsoft IIS, NCSA Common, or No Logging. The field mapping below uses W3C Extended field names, so select W3C Extended; No Logging writes no log for the McAfee Collector to send.
Note
If a Host ID is used, you must use this same Host ID when creating the data source on the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Host ID: Name of the host ID in the McAfee Collector, if a Host ID was entered.
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version that identify this device when the ESM forwards its events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
c-ip: Source IP
cs-method: Command
cs-uri-stem: Message_Text
sc-bytes: Bytes_from_Server
cs-bytes: Bytes_from_Client
s-name: Destination_Hostname
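The W3C Extended mapping above applied to a parsed log. This is an added example, not code from the guide, from Globalscape or from the McAfee Collector: the log excerpt is constructed in W3C Extended shape (its field names follow the W3C convention, the rows are invented), and the per-client upload total is an illustrative check rather than a documented ESM feature.

```python
# Constructed W3C Extended log excerpt in the shape the "W3C Extended" log file format
# produces (not a real EFT capture). "-" marks an empty field, as the W3C format specifies.
W3C_SAMPLE = """#Software: constructed sample
#Version: 1.0
#Date: 2018-04-23 10:15:30
#Fields: date time c-ip cs-username s-name cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2018-04-23 10:15:30 198.51.100.7 alice EFT-01 RETR /reports/q1.pdf 226 52431 312
2018-04-23 10:15:31 198.51.100.7 alice EFT-01 STOR /upload/payroll.xlsx 226 0 1048576
2018-04-23 10:15:32 203.0.113.9 - EFT-01 USER bob 331 0 -
"""

# ESM field names from the guide's field mapping table.
ESM_MAP = {
    "c-ip": "Source IP",
    "cs-method": "Command",
    "cs-uri-stem": "Message_Text",
    "sc-bytes": "Bytes_from_Server",
    "cs-bytes": "Bytes_from_Client",
    "s-name": "Destination_Hostname",
}
BYTE_FIELDS = ("Bytes_from_Server", "Bytes_from_Client")


def parse_w3c(text):
    """Parse W3C Extended log text into a list of dicts.

    Column names come from the #Fields directive, which may reappear mid-file
    when the log is rotated or reconfigured; a later directive replaces the
    earlier one. Rows whose column count does not match the current #Fields
    line are skipped, as is any row that precedes the first #Fields line.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def to_esm(rec):
    """Map one parsed row onto ESM field names; byte counts become ints ('-' counts as 0)."""
    out = {ESM_MAP[key]: val for key, val in rec.items() if key in ESM_MAP}
    for name in BYTE_FIELDS:
        if name in out:
            out[name] = 0 if out[name] == "-" else int(out[name])
    return out


def bytes_uploaded_by_client(records):
    """Total client-to-server bytes per source IP: a quick egress check over the log."""
    totals = {}
    for rec in records:
        esm = to_esm(rec)
        totals[esm["Source IP"]] = totals.get(esm["Source IP"], 0) + esm["Bytes_from_Client"]
    return totals


if __name__ == "__main__":
    rows = parse_w3c(W3C_SAMPLE)
    for row in rows:
        print(to_esm(row))
    print(bytes_uploaded_by_client(rows))
```

Reading the column order from #Fields rather than hard-coding it is what keeps the mapping correct when the EFT log format is changed, since the directive is rewritten at the top of each new log file.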
1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration
(Top right corner) → +Add (Top right corner).
2. Configure the data source.
Option Definition
Query String
SELECT
    trendingriskvalues.id AS id,
    globalusers.userrisk AS userrisk,
    globalusers.firstname AS firstname,
    globalusers.lastname AS lastname,
    globalusers.employeeid AS employeeid,
    round(globalusers.userrisk/(10*2)) AS severity
FROM
    trendingriskvalues,
    globalusers
WHERE
    trendingriskvalues.userid_id = globalusers.id
Header  -
Footer  -
1. From the Gurucul interface, navigate to Configure → Data → Data Export → Data Forwarder Workflow → Configuration (top right corner) → +Add (top right corner).
2. Configure the data source.
Option Definition
Destination type  SyslogForwarder
Query String
SELECT
    trendingriskvalues.id AS id,
    globalusers.userrisk AS userrisk,
    globalusers.firstname AS firstname,
    globalusers.lastname AS lastname,
    globalusers.employeeid AS employeeid,
    round(globalusers.userrisk/(10*2)) AS severity
FROM
    trendingriskvalues,
    globalusers
WHERE
    trendingriskvalues.userid_id = globalusers.id
Header  -
Footer  -
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log format
The expected formats for this device are:
<log date time> <device IP> CEF: <CEF version>|Gurucul|GRA|<Gurucul version>|<Signature ID>|<name>|<severity>| <external event ID> <reputation score> <event time> <destination username> <first name> <last name> <destination user ID> <first name label> <last name label> <reputation score label>
<log date time> <device IP> {<Signature ID> <destination user ID> <destination username> <reputation score> <event time> <severity>}
Field mapping
HashiCorp Vault
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
Mask 0
Time Zone Select the time zone offset applicable to the data being sent.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log samples
This is a sample log from a HBGary Active Defense device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
srcHost Host
Event ID Application
src Source IP
dst Destination IP
message Message
sev Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log format
The expected format for this device is:
<device IP> <date time> <application> <message> <username> <source IP> <object>
Log samples
This is a sample log from a Hewlett-Packard 3Com Switch device:
[192.0.2.1] <123>Jan 1 01:01:01 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - TELNET user username in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
Command Command
Task Object
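The sample line above is enough to build a parser and a simple failed-login detection on top of it. The following is an added example, not HP or McAfee ESM code. The layout it matches (relay address in brackets, syslog PRI, timestamp, year, hostname, then %%<vendor id><module>/<level>/<mnemonic>(<location>): and the message) is read off the page's sample, and the "failed to login from <ip>(<mac>)" wording is matched exactly as shown there; the sample set is constructed around that line.

```python
"""Parse the switch syslog line shown above and flag repeated failed logins
per source address.

Added example; not vendor or McAfee ESM code. The line layout is taken from
the page's sample: relay address in brackets, syslog <PRI>, timestamp, year,
hostname, then %%<vendor id><module>/<level>/<mnemonic>(<location>): and the
message. The "failed to login from <ip>(<mac>)" wording is matched as the
page shows it. SAMPLE_LINES are constructed around that one line.
"""
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\[(?P<relay>[^\]]+)\] <(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<year>\d{4}) (?P<host>\S+) "
    r"%%(?P<vendor>\d{2})(?P<module>[A-Z0-9]+)/(?P<level>\d)/(?P<mnemonic>\w+)"
    r"\((?P<loc>\w)\):\s*(?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"(?P<service>[A-Z]+) user (?P<user>\S+) .*?failed to login from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\)"
)

# Constructed sample set: the page's line, two more failures from the same
# source, one failure from another source, and one successful login.
_PREFIX = "[192.0.2.1] <123>Jan 1 01:01:01 1234 1234G %%10VTY/5/VTY_LOG(l):- 1 - "
SAMPLE_LINES: List[str] = [
    _PREFIX + "TELNET user username in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    _PREFIX + "TELNET user admin in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    _PREFIX + "SSH user root in group failed to login from 192.0.2.2(a1b2-c3d4-e5f6) on interface.",
    _PREFIX + "TELNET user ops in group failed to login from 192.0.2.9(0011-2233-4455) on interface.",
    _PREFIX + "TELNET user ops in group logged in from 192.0.2.9(0011-2233-4455) on interface.",
]


def parse_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI into (facility, severity): <123> is 15 (local7), 3 (err)."""
    return pri // 8, pri % 8


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the structured event, or None when the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, Any] = m.groupdict()
    ev["facility"], ev["syslog_severity"] = parse_pri(int(ev.pop("pri")))
    ev["level"] = int(ev["level"])        # the device's own level inside the %% tag
    return ev


def failed_login(msg: str) -> Optional[Dict[str, str]]:
    """Extract service, user, source IP and MAC from a failed-login message."""
    m = FAIL_RE.search(msg)
    return m.groupdict() if m else None


def detect_brute_force(lines: List[str], threshold: int = 3) -> List[Tuple[str, int]]:
    """Count failed logins per source IP and return those at or above threshold."""
    failures: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        fl = failed_login(ev["msg"])
        if fl:
            failures[fl["ip"]] += 1
    return [(ip, n) for ip, n in failures.most_common() if n >= threshold]
```

The syslog PRI and the level inside the %% tag are two different things: <123> is the transport-layer facility and severity, while /5/ is the level the device itself assigned to the event. Keep both when mapping to the ESM Severity field, and drive the mapping from the one the device meant.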
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
These instructions are for FutureSmart printers. For instructions on configuring other Hewlett-Packard printers, see the product
documentation.
Task
1. Using the Web interface, access the supported HP printer through any Web browser. For example: http://<IP address of the printer>.
2. Click the Networking tab and the Advanced sub-tab.
3. Enter the IP address of the McAfee ESM Receiver in the Syslog Server field.
4. Select Enable CCC Logging to activate the logging of advanced security events.
Log format
The expected format for this device is:
Log sample
This is a sample log from a Hewlett-Packard LaserJet Printers device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Host
Hewlett-Packard ProCurve
Task
Configure the switch to send its syslog messages to the Receiver:
logging <ip_address>
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from a Hewlett-Packard ProCurve device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
IP Protocol Protocol
Source IP Source IP
Destination IP Destination IP
HyTrust Appliance
IPaddress:port -or- hostname:port
8. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from a HyTrust Appliance device:
<174>Feb 15 19:17:44 hta3a.testdrive.hytrust.com local5:INFO : ARC0005I Job scheduled to run Feb 15, 2012 7:17:44 PM on 101.652.04.10 is started at Feb 15, 2012 7:17:44 PM.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
HTA-log-message-code Message_ID.Message_ID
IBM
• CEF format:
CEF:0|IBM|Guardium|7.0|%%ruleID|%%ruleDescription|5|rt=%%receiptTimeMills cs1=%%severity cs1Label=Severity cs2=%%serverType cs2Label=Server Type cs3=%%classification cs3Label=Classification cat=%%category app=%%DBProtocol cs4=%%DBProtocolVersion cs4Label=DB Protocol Version suser=%%AppUserName sproc=%%SourceProgram act=%%requestType start=%%sessionStartMills externalId=%%violationID duser=%%DBUser dst=%%serverIP dpt=%%serverPort src=%%clientIP spt=%%clientPort proto=%%netProtocol msg=%%SQLString
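A parser for CEF lines of the shape shown above, added here as an example; it is not IBM, Gurucul or McAfee ESM code. It implements the CEF escaping rules that naive split-on-pipe and split-on-space code gets wrong: in the seven header fields a pipe or backslash is escaped with a leading backslash, in the extension an equals sign or backslash is escaped the same way, and extension values may contain spaces. Label fields (cs1Label=Severity) are resolved so the custom strings land under their human names, which is what the Guardium template relies on. The same header handling applies to the Gurucul CEF form earlier on this page; its positional tail, which has no key=value pairs, is kept raw. SAMPLE_CEF is constructed from the template with values taken from the page's Guardium syslog sample.

```python
"""Parse CEF lines of the shape shown above (the IBM Guardium template and the
Gurucul header on this page) into header fields and a key=value extension.

Added example; not IBM, Gurucul or McAfee ESM code. Header fields escape the
pipe and the backslash with a leading backslash; extension values escape the
equals sign and the backslash the same way and newlines as \n. Label fields
(cs1Label=Severity) are resolved so the custom string lands under its human
name. SAMPLE_CEF is constructed from the page's template with values taken
from its syslog sample.
"""
import re
from typing import Any, Dict, List

SAMPLE_CEF = (
    "CEF:0|IBM|Guardium|7.0|20251|log full sql - US DBAs Oracle|5|"
    "rt=1325379661000 cs1=INFO cs1Label=Severity cs2=ORACLE cs2Label=Server Type "
    "act=BIND_DATA suser=PU\\=SYS duser=sys dst=192.0.2.1 dpt=1521 "
    "src=192.0.2.2 spt=49152 proto=TCP msg=select * from dual where 1\\=1"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version",
               "signature_id", "name", "severity")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r", "|": "|"}
# A new key starts after whitespace and looks like "name="; an escaped "\="
# inside a value does not match because the backslash is not a key character.
_KV_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def split_header(cef: str) -> List[str]:
    """Split the seven header fields honouring escaped pipes and backslashes.

    The eighth element is the raw extension, which may contain unescaped pipes.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(parts) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    parts.append(cef[i:])
    return parts


def unescape_ext(value: str) -> str:
    """Undo extension escaping; unknown escapes are kept verbatim."""
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), "\\" + m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; values may contain spaces and escaped "=" or "\\"."""
    ext = ext.strip()
    if not ext or "=" not in ext:
        return {}                       # positional tail (Gurucul form): nothing to key on
    out: Dict[str, str] = {}
    for tok in _KV_SPLIT.split(ext):
        key, _, raw = tok.partition("=")
        out[key] = unescape_ext(raw)
    return out


def apply_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """cs1=INFO cs1Label=Severity -> {"Severity": "INFO"}."""
    labeled: Dict[str, str] = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            labeled[label] = ext[key[:-5]]
    return labeled


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse a CEF line, tolerating a syslog prefix before the CEF: marker."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    parts = split_header(line[start + len("CEF:"):].lstrip())
    if len(parts) != 8:
        raise ValueError(f"expected 7 header separators, found {len(parts) - 1}")
    ev: Dict[str, Any] = dict(zip(HEADER_KEYS, parts[:7]))
    ev["extension_raw"] = parts[7]
    ev["extension"] = parse_extension(parts[7])
    ev["labeled"] = apply_labels(ev["extension"])
    return ev
```

The msg value in the Guardium template carries the raw SQL statement, so any unescaped "=" in a query would otherwise be read as the start of a new key; that is why the key splitter only breaks on whitespace that is followed by a bare "name=" token.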
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
All logging levels are supported. For more information about how to change the log level settings, see the product
documentation provided by IBM for your version of WebSphere Application Server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Port  22
Login timeout  30
Interval  5
“/opt/IBM/WebSphere/AppServer/profiles/name_of_profile/logs/server1” (Linux) or “C:\IBM\WebSphere\AppServer\profiles\name_of_profile\logs\server1” (Windows), where “name_of_profile” is the profile name of the IBM InfoSphere Information Server instance and “server1” is the instance name of the application server.
Username The logon for the computer that runs the server (a user name with sufficient
permissions on the server running IBM WebSphere Application Server).
5. Test the connection. If the test returns “test connection successful”, the device is configured correctly.
6. (Optional) Click Advanced and configure the settings.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version to use for this device when the ESM forwards its events in Common Event Format (CEF).
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction between imported and locally collected events. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that, when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Select this option when the data you are importing is in NitroFile format. Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file. Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
<timestamp><threadId><shortName><eventType>[className][methodName]<message>
Log sample
This is a sample log from an IBM Websphere Application Server device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
threadId External_SessionID
eventType Severity
classname External_Application
methodName Method
ACIN, ACWA, ADFS, ADMC, ADMN, ADMR, ASYN, CHFW, CNTR, CSCP, CWLDD, CWLRB, CWLRS, CWNEN, CWOAU, CWPKI, CWPMI,
CWRCB, CWRLS, CWSCT, CWSID, CWSIU, CWWJP, CWXRS, DYNA, FFDC, HMGR, I18N, IVTL, NMSV, OBPL, PLGC, RASD, SCHD,
SECJ, SESN, SRVE, STUP, TCPC, TRAS, UTLS, WACS, WAR, WKSP, WMSG, WSSC, WSVR, WSWS, WTRN
Log sample
This is a sample syslog log from an IBM Guardium device:
<13>Jan 01 01:01:01 usr123456 guard_sender[0001]: Alert based on rule ID log full sql - US DBAs
Oracle#012Category: Classification: Severity INFO #012Rule # 20251 [log full sql - US DBAs
Oracle ]#012Request Info: [ Session start: 2001-01-01 01:01:01 Server Type: ORACLE Client: 192.0.2.1
(DEVICENAME1000) Server: 192.0.2.1 (DEVICENAME1000) Client PORT: 0001 Server Port: 0 Service Name:
SERVICEOAX1111 Net Protocol: NetProtocolName Protocol: ProtocolName Protocol Version: 9.99 User:
sys#012Application User Name :PU=SYS#012Source Program: Application Authorization Code: 0 Request Type:
BIND_DATA Last Error: #012SQL: begin sys . command_name . Command_Name ( l0row_id => 11111 , l0row_stamp =>
22222222 , row_id => 11111 , row_stamp => 22222222 , txt => 'backup piece handle=/Filepath/ recid=11111
stamp=22222222' , sameline => 0.00 ) ; end ;#012 To add to baseline:
Field mapping
This table shows the mapping between the data source and McAfee ESM.
Application Application
Severity Severity
ClientIP Source IP
ServerIP Destination IP
Category Category
Server Destination_Hostname
ExternalID External_EventID
Partition File_Path
Host Host
ObjectID Object
PID PID
Rule # Policy_ID
sproc Process_Name
SID Signature ID
SQL SQL_Statement
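The Guardium alert above is one multi-line message that syslog flattens with the #012 newline escape. The following parser is an added example (not McAfee or IBM code): it splits the syslog header and the #012 segments and maps the values to the ESM field names of the table above. The sample line is the guide's, re-joined onto one line; the UserIDSrc key and taking the PID from the syslog process tag are assumptions, not rows of the guide's table.

```python
import re
from typing import Dict, List, Optional

# The guide's sample alert, re-joined onto a single line (constructed from the printed sample).
# '#012' is the escaped newline that syslog emits for a multi-line message body.
SAMPLE_ALERT = (
    "<13>Jan 01 01:01:01 usr123456 guard_sender[0001]: Alert based on rule ID log full sql - US DBAs "
    "Oracle#012Category: Classification: Severity INFO #012Rule # 20251 [log full sql - US DBAs "
    "Oracle ]#012Request Info: [ Session start: 2001-01-01 01:01:01 Server Type: ORACLE Client: 192.0.2.1 "
    "(DEVICENAME1000) Server: 192.0.2.1 (DEVICENAME1000) Client PORT: 0001 Server Port: 0 Service Name: "
    "SERVICEOAX1111 Net Protocol: NetProtocolName Protocol: ProtocolName Protocol Version: 9.99 User: "
    "sys#012Application User Name :PU=SYS#012Source Program: Application Authorization Code: 0 Request Type: "
    "BIND_DATA Last Error: #012SQL: begin sys . command_name . Command_Name ( l0row_id => 11111 , l0row_stamp => "
    "22222222 , row_id => 11111 , row_stamp => 22222222 , txt => 'backup piece handle=/Filepath/ recid=11111 "
    "stamp=22222222' , sameline => 0.00 ) ; end ;#012 To add to baseline:"
)

# BSD-style syslog header: <PRI>Mon DD HH:MM:SS hostname program[pid]: message
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# 'Client: ' and 'Server: ' are matched with the colon directly after the word so that
# 'Client PORT:', 'Server Type:' and 'Server Port:' in the same segment are not mistaken for them.
_CLIENT = re.compile(r"\bClient: (?P<ip>" + _IPV4 + r") \((?P<name>[^)]+)\)")
_SERVER = re.compile(r"\bServer: (?P<ip>" + _IPV4 + r") \((?P<name>[^)]+)\)")
_USER = re.compile(r"\bUser: (?P<user>\S+)")
_SEVERITY = re.compile(r"\bSeverity (?P<sev>\S+)")
_CATEGORY = re.compile(r"^Category:\s*(?P<cat>.*?)\s*Classification:")
_RULE = re.compile(r"^Rule # (?P<id>\d+)")


def split_segments(body: str) -> List[str]:
    """Undo syslog's newline escaping: each '#012' separated one line of the Guardium alert."""
    return [seg.strip() for seg in body.split("#012")]


def parse_guardium_alert(line: str) -> Optional[Dict[str, object]]:
    """Map one Guardium syslog alert to the ESM field names from the guide's mapping table.

    Returns None when the syslog header does not parse; keys whose value is absent
    from the message stay None rather than being guessed.
    """
    m = _HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields: Dict[str, object] = {
        "Host": m.group("host"),            # syslog hostname -> Host
        "PID": m.group("pid"),              # assumption: the PID column is the syslog process id
        "syslog_facility": pri // 8,        # PRI = facility * 8 + severity
        "syslog_severity": pri % 8,
        "Severity": None,                   # Guardium 'Severity' -> Severity
        "Category": None,                   # 'Category:' -> Category
        "Policy_ID": None,                  # 'Rule #' -> Policy_ID
        "Source IP": None,                  # ClientIP -> Source IP
        "Destination IP": None,             # ServerIP -> Destination IP
        "Destination_Hostname": None,       # Server -> Destination_Hostname
        "UserIDSrc": None,                  # assumption: database 'User:' is not in the guide's table
        "SQL_Statement": None,              # 'SQL:' -> SQL_Statement
    }
    for seg in split_segments(m.group("msg")):
        if seg.startswith("Category:"):
            cat = _CATEGORY.match(seg)
            if cat and cat.group("cat"):
                fields["Category"] = cat.group("cat")
            sev = _SEVERITY.search(seg)
            if sev:
                fields["Severity"] = sev.group("sev")
        elif seg.startswith("Rule #"):
            rule = _RULE.match(seg)
            if rule:
                fields["Policy_ID"] = rule.group("id")
        elif seg.startswith("Request Info:"):
            client = _CLIENT.search(seg)
            if client:
                fields["Source IP"] = client.group("ip")
            server = _SERVER.search(seg)
            if server:
                fields["Destination IP"] = server.group("ip")
                fields["Destination_Hostname"] = server.group("name")
            user = _USER.search(seg)
            if user:
                fields["UserIDSrc"] = user.group("user")
        elif seg.startswith("SQL:"):
            sql = seg[len("SQL:"):].strip()
            if sql:
                fields["SQL_Statement"] = sql
    return fields


if __name__ == "__main__":
    for key, value in (parse_guardium_alert(SAMPLE_ALERT) or {}).items():
        print(f"{key:>20}: {value}")
```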
Imperva
Add Imperva
Add the data source to a receiver.
Note
This link refers to third-party documentation. McAfee doesn't maintain or verify the content.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
start firsttime,lasttime
src src_ip
cpt src_port
sip dst_ip
spt dst_port
request URL
app Application_Protocol
deviceExternalId External_Device_ID
Customer UserIDSrc
sourceServiceName HostID
act action
cs9 Signature_Name
fileType Event_Class
requestClientApplication User_Agent
fileId External_SessionID
suid Source_Logon_ID
xff NAT_Details.NAT_Address
siteid External_Hostname
suser username
Indegy
Configure Indegy
Set up Indegy to send events to McAfee ESM.
Task
1. From the Policies menu, select the Servers tab, then select the Syslog Servers tab.
2. Click +Add Syslog Server.
3. In the Server Name field, enter the name of the Syslog Server.
4. In the Hostname\IP field, enter a host name or an IP address of the Syslog server.
5. In the Port field, enter the port number on the Syslog server.
6. In the Transport field, enter the transport protocol.
7. Click Send Test Message and verify that the message arrived.
8. Configure Indegy policies to log events to McAfee ESM. See Indegy documentation for detailed instructions.
Results
Add Indegy
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Example log
Field mapping
msg CEF.EventName
severity CEF.Severity
src_ip src
src_port spt
src_mac smac
dst_ip dst
dst_port dpt
dst_mac dmac
External_Hostname dvchost
UserIDSrc suser
UserIDDst duser
Application_Protocol proto
Status outcome
Old_Value value_change
norm_sigid signature_id
Bytes_Received bytesIn
Infoblox NIOS
2. In the Grid or Device editor, click Monitoring, then define these options.
• Enable external syslog server: Select this to enable the Infoblox device to send messages to the specified syslog
server.
• Syslog Server Group: To define one or more syslog servers, click Add, enter the following, then click OK:
• Copy audit log messages to syslog: Select the Infoblox device to include audit log messages with the
messages it sends to the syslog server. This function can be helpful to monitor administrative activity on multiple
devices from a central location.
• Audit Log Facility: Select the facility where you want the syslog server to sort the audit log messages.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, then define these options.
• Override grid syslog settings: Select to override grid-level syslog settings and apply member-level settings.
• Enable external syslog server: Select to enable the Infoblox device to send messages to a specified syslog server.
• Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
• Message Source: Specify which syslog messages the device sends to the external syslog server:
• Enable syslog proxy: Select to enable the device to receive syslog messages from other devices, such as syslog
servers and routers, then forward these messages to an external syslog server.
• Enable listening on TCP: Select if the device uses TCP to receive messages from other devices.
• Port: Enter the port number where the device receives syslog messages from other devices.
• Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, then click OK:
• IP Address option: Select IP Address to add the IP address of a device, or select Network to add the
network address of a group of devices.
• Subnet Mask: If you entered a network IP address, you must also enter its subnet mask.
Infocyte
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
eventId sid
CEF.EventName msg
sev severity
sip src_ip
synapseScore Spam_Score
shost hostname
fileSize File_Size
pid PID
regPath Registry_Key
regValue Registry_Value
user UserIDSrc
path Destination_Filename
flagName Category
av Status
1. In the Windows Start menu, navigate to the Intersect Alliance folder in the programs listing, then open Snare for
Windows. The open-source version of the software includes Open Source in the title. This opens your default browser and
takes you to a web interface running on the local host.
2. In the upper left, click Network Configuration.
3. In the Destination Snare Server address field, enter the IP address of your McAfee Event Receiver.
4. In the Destination Port field, enter the port number used for sending syslog to your McAfee Event Receiver (default is 514).
5. Select Enable SYSLOG Header? to have syslog headers included with events.
6. (Optional) If using the Enterprise version of Snare, you can use the Coordinated UTC feature. This changes the time stamps
in the logs to UTC. If you enable this feature, you must set the time zone for this data source in McAfee ESM to Greenwich
Mean Time.
7. Click Change Configuration when done.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Time Zone: Time zone of data being sent (Greenwich Mean Time if using the Coordinated Universal Time feature in Snare).
Note
The Open Source version of Snare does not support coordinated UTC. Events delivered by Snare contain time stamps based on the time zone of the localhost from which they were sent. For coordinated UTC support, use the Enterprise version of Snare for Windows.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Hostname Event Log Type Criticality SourceName Snare Event Counter DateTime EventID SourceName UserName SIDType EventLogType ComputerName CategoryString DataString ExpandedString MD5 Checksum
Log samples
This is a sample log from Snare for Windows:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname, Caller Machine Name, Caller Workstation, Client Name, from Workstation, Workstation, Target Server Name, User Workstations, Workstation Name -> Source Host
Criticality -> Severity
Destination -> Dest. IP
SourceName -> Application
Domain, Caller Domain, Domain Name, Member ID, New Domain, Primary Domain, Supplied Realm Name, Target Domain, User Domain, Account Domain -> Domain
Authentication Package Name, Authentication Package, Logon Process Name, Process Name, Service Name -> Application
UserName, User Name, Caller User Name, Client User Name, Logon Account, Account Name, UserID -> Source User
New Account Name, Member Name, Target Account Name, Account Name -> Destination User
NtLogon -> Session_Status
Interset
Configure Interset
With a fully configured and working Interset and McAfee ESM solution, the following information is required.
• Familiarity with configuring Flume using Ambari. See the Configure Data Ingest documentation.
• The tenant ID in Interset that contains the data to send to the McAfee Event Receiver ESM (for example, 0).
• The name (FQDN or IP address) and port of the McAfee Event Receiver.
Task
• On each line, change the tenant ID <TID> to the appropriate tenant ID (for example, 0).
• Replace the McAfee Event Receiver placeholder <ESM Syslog Receiver Port> with the port number of the McAfee Event Receiver.
• Replace any other system variables, such as <ZOOKEEPER_HOST>, with appropriate values.
b. Upload and save the new esmSyslog.conf file to Ambari for processing.
3. Repeat step 2 with esmStorySyslog.conf, located in the same template folder, to also send high-risk stories to the McAfee Event Receiver. By default, only stories with a risk score greater than 75 are sent. To change this behavior, change the value in the following line as needed:
interset_auth_events_<TID>_esm.sources.kafkaSource.interceptors.scoreChecker.toCompare = riskScore:greaterThan:75
Add Interset
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Integrate Interset
An integration feature enables additional details involving Interset events displayed in the McAfee ESM.
This integration feature only works with events that contain the URL custom type. Ensure that the data source has been
configured and that the data source has been added to the McAfee Event Receiver before completing these steps.
Task
1. In the McAfee ESM console, select an ESM on the left side, then click the Properties icon.
2. From the System Properties menu, select Custom Settings.
3. Near the bottom of Custom Settings, click Device Links.
4. In the Custom Device Links window, select the Interset device that you previously added, then select Edit.
5. In the Edit URL window, click the arrow directly to the right of the blank URL field. Select Custom Types | URL.
Once selected, a value is automatically entered in the previously blank URL section.
6. The Custom Device Links window now displays the CustomType value. Select OK.
7. Select an event that contains the URL custom type, then select the Launch Device URL icon (an image of the Earth).
Once the Launch Device URL is selected, a browser window displays a logon prompt for your Interset device. Once logged
on, additional details about the selected Interset event in the ESM are displayed.
On Jan 21, 2016 8:00:00 AM, user543 told a Story with a Risk Score of 88. See 'https://analytics.example.com/
investigator#/?t=story&type=story&ts=1414746760&te=1417392000&state=stories' for details. It was very
unusual for user543 to take from the projects /project0871, /project0156, /project0589, /project0473, /
project0821, /project0221, /project0369. user543 mooched from the project /project0263. user543 took from
the inactive projects /project0833, /project0821, /project0852. user543 took significantly more from the
project /project0822 than others.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
URL URL
/appidname Application
/eventuuid UUID
/fileidpath Destination_Filename
/sourcepath Filename
/dvc External_Device_ID
/vendor External_Device_Type
/project Category
/size File_Size
Structured-data format includes more information without significantly increasing log size. It also makes it easier for automated applications to extract information from a message. This format complies with Internet draft-ietf-syslog-protocol-23 (https://tools.ietf.org/html/draft-ietf-syslog-protocol-23).
These instructions apply to any JUNOS device running 10.3 or later. Some examples are EX, M, MX, PTX, QFX, QFabric, and T series systems.
[edit system]
syslog {
    host <HOSTNAME/IP ADDRESS of McAfee Event Receiver> {
        facility SEVERITY;
        structured-data {
            brief;
        }
    }
}
[edit system]
syslog {
    file <Path/Filename> {
        facility SEVERITY;
        structured-data {
            brief;
        }
    }
}
More options can be specified for log outputs. See the JUNOS System Log Messages Reference document to learn more.
Task
1. To configure the system to log system messages, add a syslog statement at the [edit system] hierarchy level.
2. To log in structured-data format, include a structured-data statement for each logging output.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log samples
This is a sample log from a JUNOS structured-data format device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname → Hostname
Service-name → Application
Source-address → Source IP
Destination-address → Destination IP
Packet-incoming-interface → Interface
Protocol-id → Protocol
Session-id → Session
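The page does not reproduce a JUNOS structured-data log line, so the following is an added example (not McAfee's parser and not Juniper's code) showing what a Receiver has to do with one: split the RFC 5424-style header, pull the name="value" parameters out of the SD-ELEMENT, undo the three escapes the format allows, and apply the field mapping above. The two sample lines are constructed; the SD-ID, parameter names and the assumption that the table's "Session-id" is the session-id-32 parameter are mine, not the page's.

```python
import re

# Header of an RFC 5424-style line as JUNOS emits it in structured-data mode:
# <PRI>VERSION TIMESTAMP HOSTNAME PROCESS PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<process>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<rest>.*)$"
)
# One SD-ELEMENT: [SD-ID name="value" name="value" ...]; values may escape ", \ and ]
_SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s\]]+)(?P<params>(?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Data-source field -> McAfee ESM field, from the JUNOS field-mapping table above.
# Assumption: the table's "Session-id" is the session-id-32 parameter.
ESM_MAP = {
    "service-name": "Application",
    "source-address": "Source IP",
    "destination-address": "Destination IP",
    "packet-incoming-interface": "Interface",
    "protocol-id": "Protocol",
    "session-id-32": "Session",
}


def _unescape(value):
    # SD-PARAM values escape only the characters ", \ and ]
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_junos_structured(line):
    """Parse one structured-data syslog line into header fields, SD params and message."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 structured-data line")
    pri = int(m.group("pri"))
    record = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "process": m.group("process"),
        "msgid": m.group("msgid"),
        "params": {},
        "message": "",
    }
    rest = m.group("rest")
    if rest == "-" or rest.startswith("- "):
        # NILVALUE: no structured data, everything after it is free text
        record["message"] = rest[1:].strip()
        return record
    pos = 0
    for sd in _SD_ELEMENT.finditer(rest):
        if sd.start() != pos:
            break  # SD-ELEMENTs are contiguous; anything else starts the MSG part
        for p in _SD_PARAM.finditer(sd.group("params")):
            record["params"][p.group("name")] = _unescape(p.group("value"))
        pos = sd.end()
    record["message"] = rest[pos:].strip()
    return record


def to_esm(record):
    """Apply the field mapping; parameters without a table entry are dropped."""
    esm = {"Hostname": record["hostname"]}
    for name, value in record["params"].items():
        if name in ESM_MAP:
            esm[ESM_MAP[name]] = value
    return esm


# Constructed sample in brief mode (no trailing message text); not from the page.
SAMPLE = (
    "<14>1 2016-01-21T08:00:00.000Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE "
    '[junos@2636.1.1.1.2.28 source-address="10.0.0.1" source-port="1234" '
    'destination-address="192.0.2.10" destination-port="443" service-name="junos-https" '
    'protocol-id="6" packet-incoming-interface="ge-0/0/0.0" session-id-32="98765"]'
)
# Constructed sample with escaped characters inside a value and a trailing message.
SAMPLE_ESCAPED = (
    "<13>1 2016-01-21T08:00:01Z fw1 mgd 5123 UI_CMDLINE_READ_LINE "
    '[junos@2636.1.1.1.2.28 username="admin" command="set system syslog host 10.0.0.5 \\"quoted\\" \\]"] '
    "User 'admin' entered a command"
)

if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_ESCAPED):
        rec = parse_junos_structured(line)
        print(to_esm(rec), rec["params"], repr(rec["message"]))
```

With `brief` configured the message part is empty and every value of interest is a named parameter, which is why the mapping table can name fields at all; the second sample shows why a split on `"` or `]` alone is not enough, since both may appear escaped inside a value.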
To configure Juniper Networks NetScreen using the command line, type the following commands:
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: Admin user BobJ has logged on via SSH from 192.0.2.1:1234 (2001-01-01 01:01:01)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
dst → Dest. IP
proto → Protocol
device_id → Host
Service → Application
Sent → Bytes_sent
Rcvd → Bytes_received
reason → Reason
domain → domain
Severity → Severity
Session id → Session ID
policy id → Command
deviceId → External_Device_ID
application → Application
1. From the Network and Security Manager application, go to Action Manager → Action Parameters.
2. Fill in Syslog Server IP with the IP address of the McAfee Event Receiver.
3. Select the Syslog Facility you want to send the events as.
4. Click OK to save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Juniper Networks Network and Security Manager device:
<123>Jan 1 01:01:01 192.0.2.1 20010101, 1234, 2001/01/01 01:01:01, 2001/01/01 01:01:01, domain.Name, 0, deviceName, 192.0.2.2, info, cmd, (NULL), (NULL), 192.0.2.3, 3, 192.0.2.4, 4, (NULL), (NULL), 192.0.2.5,50, 192.0.2.6, 6, protocol, SYSTEM, 0, unknown, none, 0, 0, not applicable, informational, no,details, admin, file, (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 0, Not Set, service
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Protocol → Protocol
Action → Action
Severity → Severity
Subcategory → Application
Bytes In → Bytes_Received
Details → Command
User → User
Policy → Policy_Name
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Port: 1433
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity → Severity
product_name → Application
domain_name → Domain
hostname → Hostname
product_version → Version
event_type → Event_Class
nIpAddress → src_ip
File_Path* → File_Path
Threat_Name* → Threat_Name
task_display_name → Job_Name
objectname* → objectname
URL* → URL
Message_Text* → Message_Text
Process_Name* → Process_Name
Category* → Category
PID* → PID
Lastline Enterprise
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Mask: 32
Require Syslog TLS: Require McAfee Event Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<Date-Time> <CEF Version> <Device Vendor> <Device Product> <Device Version> <Signature ID> <Name> <Severity> <Key-Value Pairs>
Log sample
This is a sample log from a Lastline Enterprise device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
severity → Severity
EventUrl → URL
EventDetailLink → Device_URL
IncidentId → Incident_ID
act → Action
cnt → Count
detectionId → File_ID
dhost → Destination_Hostname
dst → Destination IP
externalId → External_EventID
fileHash → File_Hash
fileSHA1 → SHA1
fname → Filename
fileType → Object
proto → Protocol
src → Source IP
deviceType → Sensor_Type
deviceExternalId → External_Device_Type
dvchost → Host
msg → Message_Text
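The Lastline section above gives the CEF layout (syslog date-time, then seven pipe-delimited header fields, then key=value pairs) but no sample line. The following is an added example, not McAfee's or Lastline's code, that parses a line of that shape and applies the Lastline field mapping above. The sample line is constructed; the vendor, product and version strings, the key names used in it and the hash value are illustrative, not taken from a real sensor. It handles the two places a naive split breaks: a `\|` inside a header field and a `\=` or spaces inside an extension value.

```python
import re

# CEF header fields in order; the first carries the "CEF:" prefix.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Lastline CEF extension key -> McAfee ESM field, from the field-mapping table above.
ESM_MAP = {
    "EventUrl": "URL", "EventDetailLink": "Device_URL", "IncidentId": "Incident_ID",
    "act": "Action", "cnt": "Count", "detectionId": "File_ID",
    "dhost": "Destination_Hostname", "dst": "Destination IP",
    "externalId": "External_EventID", "fileHash": "File_Hash", "fileSHA1": "SHA1",
    "fname": "Filename", "fileType": "Object", "proto": "Protocol", "src": "Source IP",
    "deviceType": "Sensor_Type", "deviceExternalId": "External_Device_Type",
    "dvchost": "Host", "msg": "Message_Text",
}

# Extension: key=value pairs. A value runs until the next " key=" or end of line and
# may contain "\=", "\\", "\n" and "\r" escapes, so it cannot be split on spaces.
_EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_.\-]+)=(?P<value>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)"
)
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _split_header(cef):
    """Split the seven '|'-delimited header fields; '\\|' and '\\\\' are escapes there."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    return fields, cef[i:]  # remainder after the 7th pipe is the extension


def _unescape_ext(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse a syslog-wrapped CEF line; anything before 'CEF:' is the syslog header."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: prefix found")
    fields, extension = _split_header(line[start:])
    record = dict(zip(HEADER_FIELDS, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record["syslog_prefix"] = line[:start].strip()
    record["extension"] = {
        m.group("key"): _unescape_ext(m.group("value")) for m in _EXT_PAIR.finditer(extension)
    }
    return record


def to_esm(record):
    """Header severity plus every extension key the mapping table knows."""
    esm = {"Severity": record["severity"]}
    for key, value in record["extension"].items():
        if key in ESM_MAP:
            esm[ESM_MAP[key]] = value
    return esm


# Constructed sample shaped like the template above; values are illustrative only.
SAMPLE = (
    r"Jan 21 08:00:00 lastline-sensor-1 CEF:0|Lastline|Enterprise|7.25|malicious-file|"
    r"Malicious file download \| sandbox verdict|8|src=10.0.0.7 dst=192.0.2.44 "
    r"dhost=cdn.example.test fname=invoice.pdf.exe "
    r"fileSHA1=0123456789abcdef0123456789abcdef01234567 act=blocked cnt=1 "
    r"msg=Score\=95 sandbox detonation proto=TCP dvchost=lastline-sensor-1"
)

if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["name"], rec["extension"]["msg"])
    print(to_esm(rec))
```

Keys that the table does not list stay in `record["extension"]` and are not promoted to ESM fields, which is exactly what the Receiver does with an unmapped key, so comparing the two dictionaries on a real line is a quick way to see what a given sensor sends that the parser will silently drop.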
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Locum RealTime Monitor device:
<123>Jan 01 01:01:01 192.0.2.1 RealTime_Monitor 01:01 VALIDATION: 1234 Usercode example validated for example (by FTP/SERVER/FOR/"192.0.2.2")
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname → Host
Protocol → Protocol
Device IP → Source IP
UC → Destination IP
Application → Application
Object → Object
Task → Command
Description → Message_Text
LOGbinder
Configure LOGbinder
Task
Add LOGbinder
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Syslog
CEF
Syslog
CEF
Syslog
CEF
Syslog
CEF
Syslog
CEF
SQL
CEF
Signature ID → Signature ID
cmdlet → Command
suid → Security_ID
itemsubject → Subject
Signature ID → Signature ID
newauditpolicy → Policy_Name
Signature ID → Signature ID
schemaname → Database_Name
memberdomainname → Domain
targetobjectname → Object
Lumension Bouncer
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Lumension Bouncer device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
EndpointName → Host
IPAddress → Source IP
Severity → Severity
TargetPath → Filename
TargetFileName → Object
AskReason → Message_Text
CauseID → Subject
Log sample
This is a sample log from a Lumension Bouncer device:
Jan 01 01:01:01 hostname Manager:John Client:192.168.1.1 EventID: 123456 Level: 1 Count:78 EventCause: 90 AppName: appName ManagedName:name Pathname:name
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
IpProto → Protocol
SrcAddr → Source IP
DstAddr → Destination IP
AppName → Application
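The NetScreen sample earlier in this chapter (`device_id=JNHOST [Root]system-warning-00515: Admin user BobJ ...`) and the Lumension Bouncer sample just above (`Manager:John Client:192.168.1.1 EventID: 123456 ...`) are both free-text syslog payloads whose fields are key/value pairs, but with different separators and inconsistent spacing. The following added example (not McAfee's parser, nor Juniper's or Lumension's code) extracts those pairs with one tolerant tokenizer, applies each source's mapping table from this chapter, and keeps whatever the table does not cover in a separate dictionary so the gaps are visible. Both sample lines are quoted from the page; the lower-casing of keys before lookup and the reading of the word after `system-` in the NetScreen message id as its severity level are my assumptions.

```python
import re

# Tolerant key/value tokenizer for free-text syslog payloads: accepts "key=value",
# "Key:value" and "Key: value". A key must start with a letter and be preceded by
# whitespace or start-of-string, so timestamps (01:01:01), "192.0.2.1:1234" and
# "[Root]system-warning-00515:" are not mistaken for pairs.
_KV = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_]*)\s*[:=]\s*(\S+)")

# NetScreen message id: [domain]category-level-NNNNN:
_NS_MSGID = re.compile(r"\[(?P<domain>\w+)\](?P<category>[a-z]+)-(?P<level>[a-z]+)-(?P<msgid>\d{5}):")
# Free-text admin logon sentence as it appears in the NetScreen sample on this page.
_NS_ADMIN_LOGON = re.compile(
    r"Admin user (?P<user>\S+) has logged on via (?P<method>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

# Field maps from the tables in this chapter, keyed in lower case (assumption: the
# tables list names in mixed case while devices emit them in varying case).
NETSCREEN_MAP = {
    "dst": "Dest. IP", "proto": "Protocol", "device_id": "Host", "service": "Application",
    "sent": "Bytes_sent", "rcvd": "Bytes_received", "reason": "Reason", "domain": "domain",
    "severity": "Severity", "deviceid": "External_Device_ID", "application": "Application",
}
BOUNCER_MAP = {
    "endpointname": "Host", "ipaddress": "Source IP", "severity": "Severity",
    "targetpath": "Filename", "targetfilename": "Object", "askreason": "Message_Text",
    "causeid": "Subject", "ipproto": "Protocol", "srcaddr": "Source IP",
    "dstaddr": "Destination IP", "appname": "Application",
}


def extract_pairs(text):
    return {k.lower(): v for k, v in _KV.findall(text)}


def map_to_esm(pairs, mapping):
    """Return (mapped, unmapped): fields without a table entry are kept apart so the
    analyst can see what would be lost without a custom type for them."""
    mapped, unmapped = {}, {}
    for key, value in pairs.items():
        if key in mapping:
            mapped[mapping[key]] = value
        else:
            unmapped[key] = value
    return mapped, unmapped


def parse_netscreen(line):
    pairs = extract_pairs(line)
    m = _NS_MSGID.search(line)
    if m:
        pairs["domain"] = m.group("domain")
        pairs["severity"] = m.group("level")  # assumption: "warning" in system-warning-00515
        pairs["message_id"] = f"{m.group('category')}-{m.group('level')}-{m.group('msgid')}"
    a = _NS_ADMIN_LOGON.search(line)
    if a:
        pairs.update(user=a.group("user"), access_method=a.group("method"),
                     src=a.group("src"), src_port=a.group("sport"))
    return map_to_esm(pairs, NETSCREEN_MAP)


def parse_bouncer(line):
    return map_to_esm(extract_pairs(line), BOUNCER_MAP)


# Both samples are the log samples printed on this page for the two data sources.
NETSCREEN_SAMPLE = ("<123>JNHOST: NetScreen device_id=JNHOST [Root]system-warning-00515: "
                    "Admin user BobJ has logged on via SSH from 192.0.2.1:1234 (2001-01-01 01:01:01)")
BOUNCER_SAMPLE = ("Jan 01 01:01:01 hostname Manager:John Client:192.168.1.1 EventID: 123456 "
                  "Level: 1 Count:78 EventCause: 90 AppName: appName ManagedName:name Pathname:name")

if __name__ == "__main__":
    print(parse_netscreen(NETSCREEN_SAMPLE))
    print(parse_bouncer(BOUNCER_SAMPLE))
```

On the page's own NetScreen sample the mapping table yields only Host, domain and Severity; the admin user, the logon method and the source address all land in the unmapped set because the table has no entry for them, which is worth knowing before relying on that data source for admin-logon alerting. The Bouncer sample behaves the same way: only AppName maps, the other eight pairs do not.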
Lumension LEMSS
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <severity> <deviceIP> <date time> <HostName> <ApplicationName> <ProcessName> <Message ID> <User> <UserName> <DeviceType> <DeviceName> <VolumeLabel> <StrongID> <Filename> <Other> <Reason> <UniqueID> <ModelID>
Log sample
This is a sample log from a Lumension LEMSS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
HostName Hostname
ApplicationName Application
DeviceIP Source IP
ProcessName Command
VolumeLabel
Version Version
DeviceName External_Device_Name
DeviceType External_Device_Type
Filename Directory
Reason Reason
See your product documentation for instructions about sending syslog logs to a remote server. Use the McAfee Event Receiver IP
address for the IP address of the remote server.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
CEF:Severity Severity
Act Action
Cat Threat_Category
MalwareName Threat_Name
MalwareHash Hash
SessionId Session
MalwareClass Event_Class
CommandLine Command
Dvchost Host
filePath File_Path
Msg Message_Text
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
CEF:0|VENDOR|PRODUCT|VERSION|CATEGORY|MESSAGE|SEVERITY|deviceExternalId=externalid dvchost=hostname deviceDnsDomain=domain deviceMacAddress=mac_address dvc=device_ip rt=TIMESTAMP cs1Label=KEY cs1=VALUE…
Log sample
This is a sample log from a Malwarebytes Management Console device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Message Message
dst Destination IP
src Source IP
act Device_Action
PayloadProc Application
ObjectScanned Object
dvchost Hostname
Severity Severity
fname Filename
PayloadUrl URL
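A CEF record like the format line above has a fixed seven-field header, separated by pipes that may be escaped inside a field, followed by a free-form extension of key=value pairs whose values may contain spaces. The following added example (not code from the guide, McAfee or Malwarebytes) parses such a record and projects the extension keys from the mapping table onto ESM field names. The sample record is constructed, and the choice of "msg" as the extension key behind the table's Message row is an assumption.

```python
"""Parse a CEF record of the shape shown above (CEF:Version|Vendor|Product|
Version|Signature ID|Name|Severity|Extension) and rename the extension keys
the mapping table lists onto McAfee ESM field names.

Added example, not code from the guide, McAfee or Malwarebytes. The header
layout and the escape rules (backslash-pipe and backslash-backslash in the
header; backslash-equals and backslash-backslash in the extension) are those
of the CEF specification. The sample record is constructed, and 'msg' is
assumed to be the extension key behind the table's Message row.
"""
import re

# Constructed sample following the format line above; the name field carries
# an escaped pipe and the extension carries an escaped '=' and backslashes.
SAMPLE_CEF = (
    r"CEF:0|Malwarebytes|Management Console|1.0|Detection|Malware\|PUP detected|7|"
    r"deviceExternalId=ext-01 dvchost=ws-42 deviceDnsDomain=corp.example dvc=10.0.0.5 "
    r"rt=Jan 02 2018 10:11:12 act=Quarantine src=10.0.0.5 dst=192.0.2.10 "
    r"fname=C:\\Temp\\drop.exe msg=equals \= and backslash \\ kept"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

# Extension key -> ESM field, from the mapping table above (the header's
# severity is handled separately in to_esm_fields).
ESM_EXTENSION_MAP = {
    "msg": "Message",            # assumption: the table's "Message" row
    "dst": "Destination IP",
    "src": "Source IP",
    "act": "Device_Action",
    "PayloadProc": "Application",
    "ObjectScanned": "Object",
    "dvchost": "Hostname",
    "fname": "Filename",
    "PayloadUrl": "URL",
}

# An extension key is a run of word characters preceded by whitespace and
# followed by '='; an escaped '=' inside a value never matches this.
EXT_KEY_RE = re.compile(r"\s(\w+)=")


def _split_header(text, pipes=7):
    """Split on the first `pipes` unescaped '|' and return the rest untouched."""
    parts, current, i = [], [], 0
    while i < len(text) and len(parts) < pipes:
        char = text[i]
        if char == "\\" and i + 1 < len(text):   # \| and \\ are the header escapes
            current.append(text[i + 1])
            i += 2
            continue
        if char == "|":
            parts.append("".join(current))
            current = []
        else:
            current.append(char)
        i += 1
    parts.append(text[i:])                        # the extension, still escaped
    return parts


def _unescape_extension(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "=\\nr":
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(record):
    """Return (header dict, extension dict) or raise ValueError on a malformed record."""
    if not record.startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:'")
    parts = _split_header(record[len("CEF:"):])
    if len(parts) != len(HEADER_KEYS) + 1:
        raise ValueError("CEF header must have seven '|'-separated fields")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    padded = " " + parts[7]                       # so the first key matches like the rest
    keys = list(EXT_KEY_RE.finditer(padded))
    extension = {}
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(padded)
        extension[match.group(1)] = _unescape_extension(padded[match.end():end]).strip()
    return header, extension


def to_esm_fields(header, extension):
    """Project the parsed record onto the ESM fields named in the table."""
    esm = {"Severity": header["severity"]}
    for key, value in extension.items():
        if key in ESM_EXTENSION_MAP:
            esm[ESM_EXTENSION_MAP[key]] = value
    return esm
```

The header is split only on the first seven unescaped pipes so that a pipe inside the extension (legal there without escaping) does not shift the fields; values in the extension are delimited by the next " key=" boundary rather than by spaces, which is why the timestamp in rt survives intact.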
Task
Note
When referencing partitions in the data source configuration, the partition numbering starts at zero.
Make sure these ports are open to the hostname in the connection string:
In Policy Editor, enable all parsing rules for the Azure Event Hub data source.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Source Vendor: Microsoft
Data Format: Default
Data Retrieval: API
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address: Automatically populated when you enter the Hostname and click Look up.
Important: Clear the IP Address field before using the Look up feature.
Hostname: The host name is part of the Event Hub connection string. Copy it from the Azure portal. For example, if the connection string was Endpoint=sb://test.windows.net/;SharedAccessKeyName=test;SharedAccessKey=1111/111=;EntityPath=test, the host name would be test.windows.net.
Event Hub Connection String: The connection string provided on the Azure portal when you set up the Event Hub.
Eventhub name: Created when you set up the Event Hub. Paste it from the Azure portal.
Note: This is not the Event Hub Namespace name. Find the Event Hub name on the Azure Portal by clicking Event Hubs under the Entities heading.
Consumer Group: Use $Default. If you want to collect the same data multiple times, add more groups (comma delimited).
Partition Start/End: The number of partitions is set when you create an Event Hub and can't be changed. Event Hub's default is to define 4 partitions. The maximum number of partitions is 32, but when referencing partitions it is done starting at 0. If the Event Hub has 4 partitions defined, the correct data source configuration would be: Partition Start: 0 and Partition End: 3. You can use partitions to set up multiple data sources for a single Event Hub cluster. For example, if you have 32 partitions in the cluster, you can set up a data source to collect from partitions 0–15 and another data source to collect from partitions 16–31.
Support Generic Syslogs: Do nothing
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another Receiver. You can deselect the checkbox, which removes the distinction of imported data. For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
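Two of the settings in the table above are easy to get wrong: the Hostname, which is only part of the connection string, and the Partition Start/End values, which are 0-based and must stay within the hub's partition count. The following added example (not code from the guide, McAfee or Microsoft) derives the host name from the connection string quoted in the Hostname row and checks or generates partition ranges for one or more data sources; the helper names are this example's own.

```python
"""Helpers for two settings in the Azure Event Hub table above: deriving the
Hostname from the Event Hub connection string, and choosing 0-based Partition
Start/End values for one or more data sources.

Added example, not code from the guide, McAfee or Microsoft. The connection
string used below is the one quoted in the Hostname row; the 32-partition
limit and the 0-based numbering are as stated in the Partition Start/End row.
"""
from urllib.parse import urlparse

MAX_PARTITIONS = 32  # per the guide: at most 32 partitions, numbered from 0

# The guide's own example connection string.
EXAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://test.windows.net/;SharedAccessKeyName=test;"
    "SharedAccessKey=1111/111=;EntityPath=test"
)


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict.

    Each segment is split on its first '=' only: the SharedAccessKey is base64
    and commonly ends in '=' (as in the guide's example), so splitting on every
    '=' would corrupt it.
    """
    fields = {}
    for segment in conn.strip().split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed connection string segment: {segment!r}")
        fields[key.strip()] = value.strip()
    return fields


def hostname_from_connection_string(conn):
    """Return the host part of the Endpoint: sb://test.windows.net/ -> test.windows.net."""
    endpoint = parse_connection_string(conn).get("Endpoint")
    if not endpoint:
        raise ValueError("connection string has no Endpoint")
    host = urlparse(endpoint).hostname
    if not host:
        raise ValueError(f"Endpoint has no host: {endpoint!r}")
    return host


def partition_range_error(start, end, partition_count):
    """Return None if Partition Start/End are valid for a hub with
    partition_count partitions, otherwise a message saying what is wrong."""
    if not 1 <= partition_count <= MAX_PARTITIONS:
        return f"partition count must be 1..{MAX_PARTITIONS}, got {partition_count}"
    if start < 0:
        return "Partition Start cannot be negative: numbering begins at 0"
    if end < start:
        return "Partition End must not be lower than Partition Start"
    if end > partition_count - 1:
        return (f"Partition End {end} is out of range: a hub with {partition_count} "
                f"partitions is numbered 0..{partition_count - 1}")
    return None


def split_partitions(partition_count, source_count):
    """Divide partitions 0..partition_count-1 across source_count data sources.

    Returns (Partition Start, Partition End) pairs; any remainder goes to the
    first sources so that no source is left empty.
    """
    if not 1 <= partition_count <= MAX_PARTITIONS:
        raise ValueError(f"partition count must be 1..{MAX_PARTITIONS}")
    if not 1 <= source_count <= partition_count:
        raise ValueError("need between 1 and partition_count data sources")
    base, extra = divmod(partition_count, source_count)
    ranges, start = [], 0
    for index in range(source_count):
        size = base + (1 if index < extra else 0)
        ranges.append((start, start + size - 1))
        start += size
    return ranges


if __name__ == "__main__":
    print(hostname_from_connection_string(EXAMPLE_CONNECTION_STRING))  # test.windows.net
    print(split_partitions(4, 1))   # [(0, 3)]
    print(split_partitions(32, 2))  # [(0, 15), (16, 31)]
```

The partition check catches the common mistake of entering Partition End equal to the partition count (4 for a 4-partition hub) instead of the last 0-based index (3).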
Log sample
This is a sample log from a device:
{
"category": "WorkflowRuntime",
"level": "Error",
"operationName": "Microsoft.Logic/workflows/workflowActionCompleted",
"properties": {
"code": "BadGateway",
"correlation": {
"actionTrackingId": "12345678-1234-1234-1234-123456789012",
"clientTrackingId": "12345678901234567890"
},
"endTime": "2016-07-15T00:00:22. 123456Z ",
"resource": {
"actionName": "Send_email",
"location": "westus",
"resourceGroupName": "RG_TEST",
"runId": "12345678901234567890",
"subscriptionId": "87654321-4321-4321-4321-123456789012",
"workflowId": "12345678901234567890123456789012",
"workflowName": "WF_TEST"
},
"schema": "schema_name",
"startTime": "2016-07-15T00:00:01.123456Z",
"status": "Failed"
},
"resourceId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/
MICROSOFT.LOGIC/WORKFLOWS/WF_TEST/RUNS/12345678901234567890/ACTIONS/SEND_EMAIL",
"time": "2016-07-15T18:00:22.6235064Z",
"workflowId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/
MICROSOFT.LOGIC/WORKFLOWS/WF_TEST"
}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
category Category
level severity
properties.status action
properties.status Status
properties.code Return_Code
properties.resource.actionName Description
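The mapping table above addresses nested JSON values by dotted path, and one source path can feed more than one ESM field (properties.status feeds both action and Status). The following added example (not code from the guide, McAfee or Microsoft) applies that table to a constructed copy of the JSON sample with the line wrapping removed; its handling of paths that cross a JSON array is an assumption about how such mappings generalize, not something the guide states.

```python
"""Apply the dotted-path field mapping listed above to the JSON sample: each
entry names a path into the event (properties.resource.actionName) and the
ESM field that receives the value. The same source path may feed several ESM
fields (properties.status feeds both action and Status).

Added example, not code from the guide, McAfee or Microsoft. SAMPLE_EVENT is a
constructed copy of the guide's sample with the line wrapping removed; list
handling in get_path (a path through a JSON array collects one value per
element) goes beyond this sample and is an assumption about how such mappings
generalize.
"""
import json

SAMPLE_EVENT = """{
  "category": "WorkflowRuntime",
  "level": "Error",
  "operationName": "Microsoft.Logic/workflows/workflowActionCompleted",
  "properties": {
    "code": "BadGateway",
    "correlation": {
      "actionTrackingId": "12345678-1234-1234-1234-123456789012",
      "clientTrackingId": "12345678901234567890"
    },
    "endTime": "2016-07-15T00:00:22.123456Z",
    "resource": {
      "actionName": "Send_email",
      "location": "westus",
      "resourceGroupName": "RG_TEST",
      "runId": "12345678901234567890",
      "subscriptionId": "87654321-4321-4321-4321-123456789012",
      "workflowId": "12345678901234567890123456789012",
      "workflowName": "WF_TEST"
    },
    "schema": "schema_name",
    "startTime": "2016-07-15T00:00:01.123456Z",
    "status": "Failed"
  },
  "resourceId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/MICROSOFT.LOGIC/WORKFLOWS/WF_TEST/RUNS/12345678901234567890/ACTIONS/SEND_EMAIL",
  "time": "2016-07-15T18:00:22.6235064Z",
  "workflowId": "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789012/RESOURCEGROUPS/RG_TEST/PROVIDERS/MICROSOFT.LOGIC/WORKFLOWS/WF_TEST"
}"""

# (source path, ESM field), in the order of the mapping table above.
FIELD_MAP = [
    ("category", "Category"),
    ("level", "severity"),
    ("properties.status", "action"),
    ("properties.status", "Status"),
    ("properties.code", "Return_Code"),
    ("properties.resource.actionName", "Description"),
]


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing.

    When a step lands on a list, the remaining path is applied to every
    element and the values are returned as a list."""
    current = obj
    for part in dotted.split("."):
        if isinstance(current, dict):
            current = current.get(part)
        elif isinstance(current, list):
            current = [item.get(part) for item in current if isinstance(item, dict)]
        else:
            return None
        if current is None:
            return None
    return current


def map_event(raw_json, field_map=FIELD_MAP):
    """Parse one JSON event and return {ESM field: value} for every path present."""
    event = json.loads(raw_json)
    esm = {}
    for path, esm_field in field_map:
        value = get_path(event, path)
        if value is not None:
            esm[esm_field] = value
    return esm


if __name__ == "__main__":
    for field, value in map_event(SAMPLE_EVENT).items():
        print(f"{field:12} {value}")
```

Paths that are absent from a given event are skipped rather than mapped to an empty string, so a missing properties.code does not produce a misleading empty Return_Code.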
Task
Note
3. Enable ESM integration in Microsoft Defender. For more information see Microsoft documentation.
Make sure to add the Azure App. For more information, see the Configure Microsoft Defender Advanced Threat Protection topic.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: It is not used by this collector. You can just enter an IP address that is not used by any device. Automatically populated when you enter the Hostname and click Look up. The hostname URL must be: api.securitycenter.microsoft.com
Important: Clear the IP Address field before using the Look up feature.
The hostname field can be one of the following URLs, based on your location:
• api-eu.securitycenter.microsoft.com
• api-us.securitycenter.microsoft.com
• api-uk.securitycenter.microsoft.com
• GCC: api-gcc.securitycenter.microsoft.us
• GCC High & DoD: api-gov.securitycenter.microsoft.us
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another Receiver. You can deselect the checkbox, which removes the distinction of imported data. For example, you export logs from Receiver 1 into Receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
title msg
title sigid
category Category
threatFamilyName Category
computerDnsName HostID
machineId Virtual_Machine_ID
sha256 Hash
fileName Destination_Filename
filePath File_Path
alertCreationTime firsttime
alertCreationTime lasttime
loggedOnUsers.domainName DomainID
loggedOnUsers.accountName UserIDSrc
severity severity
threatName Threat_Name
incidentId External_EventID
rbacGroupName Group_Name
detectionSource AppID
investigationState Response_Code
Microsoft DNS
1. Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
2. Click Start → Programs → Administrative Tools, then select DNS.
3. From the DNS Server, right-click the server and select the Properties submenu.
4. Click the Debug Logging tab, then select Log packets debugging.
5. Ensure that the Incoming, UDP, Queries/Transfer, and Request checkboxes are selected.
6. Configure McAfee Collector to tail the log and send to the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Host ID: Host ID associated with the McAfee Collector log tail configuration, if applicable.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)
9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)
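The packet lines above carry the queried name in the DNS server's length-prefixed label notation, (3)www(9)sonystyle(3)com(0), which has to be decoded before it can be matched or counted. The following added example (not code from the guide, McAfee or Microsoft) parses lines of this layout, as documented for the Windows DNS server debug log (date, time, thread id, context, packet id, protocol, Snd/Rcv, remote address, transaction id, an optional R for responses, opcode, flags, query type, name), decodes the name, and counts inbound queries per client and name; the sample lines are the guide's two lines with the wrapping removed, and the function names are this example's own.

```python
"""Parse Windows DNS debug-log packet lines like the two above into fields
and decode the length-prefixed name notation ((3)www(9)sonystyle(3)com(0))
back into a dotted name.

Added example, not code from the guide or from McAfee/Microsoft. The column
layout (date, time, thread id, context, packet id, protocol, Snd/Rcv, remote
address, transaction id, optional 'R' for responses, opcode, [flags], query
type, name) is the one documented for the DNS server's packet debug log; the
sample lines are constructed from the guide's sample with the wrapping removed.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    "9/3/2010 2:06:38 PM 1720 PACKET 02306B10 UDP Rcv 127.0.0.1 be06 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
    "9/3/2010 2:06:38 PM 1720 PACKET 06569C90 UDP Snd 10.0.0.30 6068 Q [0001 D NOERROR] A (3)www(9)sonystyle(3)com(0)",
]

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) +(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) +"
    r"(?P<thread>\w+) +(?P<context>\w+) +(?P<packet>[0-9A-Fa-f]+) +"
    r"(?P<proto>UDP|TCP) +(?P<direction>Snd|Rcv) +(?P<remote>\S+) +"
    r"(?P<xid>[0-9A-Fa-f]{4}) +(?P<response>R)? *(?P<opcode>[A-Z?]) +"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4}) +(?P<flags>[A-Za-z]*) +(?P<rcode>\w+)\] +"
    r"(?P<qtype>\w+) +(?P<qname>\S+)$"
)
# One "(length)label" pair; the trailing "(0)" is the root label.
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_labels(encoded):
    """'(3)www(9)sonystyle(3)com(0)' -> 'www.sonystyle.com'; checks each length."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) != len(text):
            raise ValueError(f"label {text!r} does not match declared length {length}")
        if text:
            labels.append(text)
    if not labels:
        raise ValueError(f"no labels in {encoded!r}")
    return ".".join(labels)


def parse_dns_debug_line(line):
    """Return a dict of the packet's fields; ValueError if it is not a PACKET line."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError("unrecognised DNS debug log line")
    fields = match.groupdict()
    fields["is_response"] = fields.pop("response") == "R"
    fields["qname"] = decode_labels(fields["qname"])
    return fields


def query_counts(lines):
    """Count inbound queries per (client, name): a starting point for spotting
    one client repeatedly asking for one name, which the raw log buries."""
    counts = Counter()
    for line in lines:
        try:
            packet = parse_dns_debug_line(line)
        except ValueError:
            continue  # non-packet lines (headers, blank lines) are skipped
        if packet["direction"] == "Rcv" and not packet["is_response"]:
            counts[(packet["remote"], packet["qname"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        packet = parse_dns_debug_line(line)
        print(packet["direction"], packet["remote"], packet["qtype"], packet["qname"])
    print(query_counts(SAMPLE_LINES))
```

The length check in decode_labels rejects truncated or corrupted lines instead of producing a plausible-looking but wrong name, which matters when the decoded names feed a blocklist or a rule.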
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Port: The TCP port that the database is listening on. The default port is 1433.
Database Name: The name of the database that contains the vwFEP_AM_NormalizedDetectionHistory view, typically prefaced with FEPDW_*.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
computer date time IP protocol source destination original client IP source network destination network action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received intermediate connection time connection time intermediate username agent session ID connection ID
Log sample
This is a sample log from a Microsoft Forefront Endpoint Protection 2010 device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal
Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
The recommended method for data delivery is to use the McAfee Collector to send the logs over syslog. These agents can send
only the logs that haven’t yet been sent, eliminating duplicates.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Retrieval: The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share)
Enabled: Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Log sample
This is a sample log from a Microsoft IAS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Client Domain
User-Name Username
Service-Name Application
Packet-type Action
Framed-IP-Address Source IP
NAS-IP-Address Device IP
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 721
5| Configuring 3rd-party data sources
Application Application
Reason-Code Reason
Connection-Info Message_Text
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Data Retrieval: The chosen method of data delivery (SCP, HTTP, FTP, SFTP, NFS, or CIFS/Windows File Share).
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
These are sample logs from a Microsoft IAS device:
"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,,,,,,,0,,,,,,1,,,,,1,,,,,,,,13,6,,,,"110",,,,,,,,,,,"Use Windows authentication for all users",,,,,
"TestHost","IAS",01/01/2016,00:00:001,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A-0A-0A-0A",,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,0,,,,,,,,,,,,,,,,,,13,6,,,,"190",,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Client → Domain
IAS → Application
Hostname → Host
Policy-Name → Policy_Name
Reason-Code → Reason
Packet-Type+99+Reason-Code → Signature ID
ServiceName → Service_Name
NAS-Identifier → External_Device_ID
Framed-IP-Address → Source IP
Connect-Info → Message_Text
Acct-Session-Id → Session
1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools in the Control Panel).
2. Select the Logging option.
3. Select a log format. W3C format is the default, but IIS and NCSA are also supported. If using the W3C format, you must
select all fields.
4. Make a note of where the logs are being saved, or change the location as needed.
5. Finish the logging setup by configuring the McAfee Collector to tail the IIS logs and send to the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
W3C
date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
NCSA
Remote_host_address Remote_log_name User_name [Date/time Greenwich mean time (GMT) offset] "Request and protocol version" Service_status_code Bytes_sent
IIS
Advanced Logging
date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes W3WP-PrivateBytes cs-username cs(User-Agent) time-local TimeTakenMS sc-substatus s-sitename s-ip s-port RequestsPerSecond s-proxy cs-version c-protocol cs-method cs(Host) EndRequest-UTC date-local CPU-Utilization cs(Cookie) c-ip BeginRequest-UTC
Log sample
The following are samples of possible logs from the Microsoft IIS device:
W3C
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) - - 127.0.0.1 404 4 2 109 398 2
NCSA
IIS
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,
Advanced Logging
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
s-ip → Destination IP
cs-method → Command
cs-uri-stem → Object
c-ip → Source IP
cs(User-Agent) → Application
cs-host → Hostname
sc-status → sid
Client IP → Source IP
Server IP → Destination IP
s-ip → Destination IP
cs-method → Command
cs-uri-stem → Object
c-ip → Source IP
cs(User-Agent) → User_Agent
cs-host → Hostname
sc-status → sid
sc-bytes → Bytes_from_Server
cs-bytes → Bytes_from_Client
protocol → Application_Protocol
1. Download the Advanced Logging extension for IIS. At the time of this documentation, it was available at:
http://www.iis.net/downloads/microsoft/advanced-logging
2. Run AdvancedLogging.exe to start the Web Platform Installer.
Once loaded, the installer displays a window to install Advanced Logging.
3. Select Install.
4. When the installer displays the licensing information, select I Accept.
The remaining phases complete the installation automatically.
5. Click Finish to exit the Advanced Logging installation.
6. Click Exit to exit the Web Platform Installer.
Advanced Logging is now installed.
Task
1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools in the Control Panel).
2. Open the SMTP Virtual Server Properties dialog box.
3. Select the Enable logging checkbox.
4. Select the W3C Extended Log File Format from the Active log format drop-down list.
5. Click Properties → Advanced and then select all checkboxes.
6. Click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
s-ip → Destination IP
cs-method → Command
cs-uri-stem → URL
c-ip → Source IP
cs(User-Agent) → User_Agent
cs-host → Hostname
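The W3C extended log format used by IIS and by the SMTP service above is positional: the #Fields directive names the columns in the order they appear, and IIS writes only the columns selected in Logging, which is why the setup steps say to select all fields. The parser below is an added example, not code from the McAfee guide or the McAfee Collector. It keys on the #Fields directive rather than fixed positions, reports lines whose field count does not match instead of mis-mapping them, and projects the result onto the ESM field names from the IIS field mapping table (Object for cs-uri-stem, Application for cs(User-Agent)). The log fragment is constructed, modelled on the IIS W3C sample in this section.

```python
"""Parse W3C extended log lines (IIS, SMTP service) by their #Fields directive
and map them to McAfee ESM field names.

Added example, not code from the McAfee guide or the McAfee Collector. The
log fragment is constructed, modelled on the IIS W3C sample in this section;
the ESM names come from the IIS field mapping table.
"""
from typing import Dict, List, Optional, Tuple

# W3C field name -> ESM field, from the IIS field mapping table.
W3C_TO_ESM = {
    "s-ip": "Destination IP",
    "cs-method": "Command",
    "cs-uri-stem": "Object",
    "c-ip": "Source IP",
    "cs(User-Agent)": "Application",
    "cs-host": "Hostname",
    "sc-status": "sid",
}

# Constructed W3C fragment. The #Fields directive is what makes the data
# line parseable: the columns appear in exactly this order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) - - 127.0.0.1 404 4 2 109 398 2
"""

Record = Dict[str, Optional[str]]


def parse_w3c(text: str) -> Tuple[List[Record], List[Tuple[int, str]]]:
    """Return (records, errors).

    Each record is keyed by the names in the most recent #Fields directive;
    '-' (no value) becomes None. Lines whose field count does not match the
    directive, or that appear before any directive, go to errors with their
    line number instead of being silently mis-mapped.
    """
    fields: Optional[List[str]] = None
    records: List[Record] = []
    errors: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no event data
        if fields is None:
            errors.append((line_no, "data line before #Fields directive"))
            continue
        values = line.split()  # W3C values never contain spaces; IIS writes '+'
        if len(values) != len(fields):
            errors.append((line_no, f"expected {len(fields)} fields, got {len(values)}"))
            continue
        record: Record = {}
        for name, value in zip(fields, values):
            if value == "-":
                record[name] = None
            elif name == "cs(User-Agent)":
                record[name] = value.replace("+", " ")  # undo IIS space encoding
            else:
                record[name] = value
        records.append(record)
    return records, errors


def to_esm(record: Record) -> Record:
    """Project a parsed record onto the ESM field names in the mapping table."""
    return {esm_name: record.get(w3c_name) for w3c_name, esm_name in W3C_TO_ESM.items()}


if __name__ == "__main__":
    parsed, problems = parse_w3c(SAMPLE_LOG)
    for rec in parsed:
        print(to_esm(rec))
    for line_no, reason in problems:
        print(f"line {line_no}: {reason}")
```

Running the block against a log written with fewer columns selected produces an error entry per data line rather than events with values under the wrong names, which is the symptom the troubleshooting section calls "Received data is not parsed".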
The recommended method for data delivery is to use the McAfee Collector to send the logs over Syslog. These agents have the
added benefit of being able to send only the logs that haven’t yet been sent, eliminating duplicates.
See the respective delivery method documentation for the method you chose to use.
1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.
For Server 2008, click Configure Local file Logging under Local File Logging in the details pane.
4. In Log File Properties, enable the type of logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path
is accessible to the McAfee Event Receiver.
For platforms earlier than Server 2008 R2, select IAS in the Format field.
8. To create a log file at specific intervals, select the interval that you want to use.
9. Click Apply, then OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
These are log samples from a Microsoft IAS device:
"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,,,,,,,0,,,,,,1,,,,,1,,,,,,,,13,6,,,,"110",,,,,,,,,,,"Use Windows authentication for all users",,,,,
"TestHost","IAS",01/01/2016,00:00:001,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A-0A-0A-0A",,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,0,,,,,,,,,,,,,,,,,,13,6,,,,"190",,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Client → Domain
IAS → Application
Hostname → Host
Policy-Name → Policy_Name
Reason-Code → Reason
Packet-Type+99+Reason-Code → Signature ID
ServiceName → Service_Name
NAS-Identifier → External_Device_ID
Framed-IP-Address → Source IP
Connect-Info → Message_Text
Acct-Session-Id → Session
Task
1. Open Network Policy Server (NPS) or the NPS Microsoft Management Console (MMC) snap-in.
2. Click Accounting in the console tree.
3. In the details pane under Log File Properties, click Change Log File Properties.
4. On the Log File Properties page, enable the logging you want, then click Apply.
5. On the Log File tab, enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make
sure that the path is accessible to the McAfee Event Receiver.
For platforms earlier than Server 2008 R2, select IAS in the Format field.
7. To create a log file at specific intervals, select the interval that you want to use.
8. Click Apply, then click OK.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Microsoft IAS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Client → Domain
User-Name → Username
Service-Name → Application
Packet-type → Action
Framed-IP-Address → Source IP
NAS-IP-Address → Device IP
Application → Application
Reason-Code → Reason
Connection-Info → Message_Text
Task
1. Open the Network Policy Server or the NPS Microsoft Management Console (MMC) snap-in.
2. In the console tree, click Accounting.
3. In the details pane under Log File Properties, click Change Log File Properties.
4. In the Log File Properties window, enable the logging you want, then click Apply.
5. Click the Log File tab.
6. Enter the path for log file storage in the Directory field. If you are not using the McAfee Collector, make sure that the path
is accessible to the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
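The Validate SHA1 checksum option, which appears in every data source table in this section, checks an exported file against the checksum file shipped with it before the import proceeds. The check below is an added example of that verification and is not McAfee ESM code. The guide does not describe the checksum file's layout, so a sha1sum-style sidecar ("<40 hex digits>  <file name>") is assumed; the export file name and contents are constructed.

```python
"""Verify an exported data source file against a SHA-1 checksum sidecar before
importing it.

Added example, not code from the McAfee guide or McAfee ESM. The sidecar
layout (sha1sum style) is an assumption; the export file is constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so a large export need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_sidecar(checksum_path: str) -> str:
    """Return the hex digest from the first line of a sha1sum-style file
    (assumed layout: digest, whitespace, file name)."""
    with open(checksum_path, "r", encoding="ascii") as fh:
        tokens = fh.readline().split()
    if not tokens or len(tokens[0]) != 40 or any(c not in HEX_DIGITS for c in tokens[0]):
        raise ValueError(f"{checksum_path}: first line does not start with a SHA-1 digest")
    return tokens[0].lower()


def verify_export(data_path: str, checksum_path: str) -> bool:
    """True when the file's SHA-1 equals the sidecar digest.

    compare_digest is used so the comparison takes the same time whether the
    digests differ in the first or the last character.
    """
    return hmac.compare_digest(sha1_of_file(data_path), read_sidecar(checksum_path))


def demo() -> Tuple[bool, bool]:
    """Create a constructed export and its sidecar in a temp directory, verify,
    then flip one byte in the export and verify again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        data_path = os.path.join(tmp, "export.nitro")  # constructed name
        sidecar_path = data_path + ".sha1"
        with open(data_path, "wb") as fh:
            fh.write(b"constructed export record\n" * 1000)
        with open(sidecar_path, "w", encoding="ascii") as fh:
            fh.write(f"{sha1_of_file(data_path)}  export.nitro\n")
        before = verify_export(data_path, sidecar_path)
        with open(data_path, "r+b") as fh:  # simulate corruption in transit
            fh.seek(10)
            fh.write(b"X")
        after = verify_export(data_path, sidecar_path)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A SHA-1 checksum catches corruption in transit or on disk; it says nothing about who produced the file, because anyone able to rewrite the export can rewrite the sidecar too. Authenticity has to come from the transfer path (SCP or SFTP with verified host keys) and from access control on the directory the Receiver imports from.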
Log sample
This is a sample log from a Microsoft IAS device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
User-Name → Domain
User-Name → Username
Computer-Name → Destination_Hostname
Framed-IP-Address → Source IP
Client-IP-Address → Device IP
Class → Destination IP
NAS-IP-Address → Device IP
Reason-Code → Reason
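The IAS and NPS field mapping tables in this section (and the IAS log samples shown with them) describe how comma-separated IAS-format records become ESM fields. The parser below is an added example, not code from the McAfee guide or from McAfee ESM, and it serves all of the IAS/NPS mapping tables above. The column order is assumed from the Microsoft IAS log format and fits the guide's samples (column 5 Packet-Type, 11 Framed-IP-Address, 13 NAS-IP-Address, 26 Reason-Code); only the first 26 columns are named. The three records are constructed, modelled on the guide's samples: the second is written with the comma between Record-Time and Packet-Type, and the third is a constructed Access-Reject. Deriving Domain from the DOMAIN\user prefix of User-Name and mapping Computer-Name to Host are assumptions.

```python
"""Parse Microsoft IAS/NPS records in IAS log format and map them to the ESM
fields listed in this section.

Added example, not code from the McAfee guide. Column order is assumed from
the Microsoft IAS format; the records are constructed.
"""
import csv
import datetime
import io
from typing import Dict, List, Optional, Tuple

# Assumed IAS-format column order, first 26 columns; later columns are ignored.
IAS_COLUMNS = [
    "Computer-Name", "Service-Name", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code",
]

# RADIUS packet type codes as written in column 5.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}

# IAS column -> ESM field, from the mapping tables in this section.
# Computer-Name -> Host is an assumption for the table's "Hostname" row.
IAS_TO_ESM = {
    "User-Name": "Username", "Service-Name": "Application",
    "Framed-IP-Address": "Source IP", "NAS-IP-Address": "Device IP",
    "Connect-Info": "Message_Text", "Policy-Name": "Policy_Name",
    "NAS-Identifier": "External_Device_ID", "Computer-Name": "Host",
}

# Constructed records modelled on the guide's samples (third one is a reject).
SAMPLE_RECORDS = r'''
"TestHost","IAS",01/01/2016,00:00:00,4,"EXAMPLE\Test.User",,"192.0.2.1","192.0.2.2",,"192.0.2.2","TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,,,,,,,0,,,,,,1,,,,,1,,,,,,,,13,6,,,,"110",,,,,,,,,,,"Use Windows authentication for all users",,,,,
"TestHost","IAS",01/01/2016,00:00:00,1,"EXAMPLE\Test.User","EXAMPLE\Test.User","0F-0F-0F-0F-0F-0F:EXAMPLE-Host","0A-0A-0A-0A-0A-0A",,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,0,,,,,,,,,,,,,,,,,,13,6,,,,"190",,,,,,,,,,,"NAP 802.1X (Wireless)",1,,,,
"TestHost","IAS",01/01/2016,00:00:01,3,"EXAMPLE\Bad.User",,,,,,"TestIdentifier","192.0.2.1",1,9,"192.0.2.1","TestClient",,,19,,,,11,,16
'''

Record = Dict[str, Optional[str]]


def parse_ias(text: str) -> Tuple[List[Record], List[Tuple[int, str]]]:
    """Return (records, errors); empty columns become None. Rows shorter than
    the named columns are reported instead of being mapped by guesswork."""
    records: List[Record] = []
    errors: List[Tuple[int, str]] = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) < len(IAS_COLUMNS):
            errors.append((line_no, f"expected at least {len(IAS_COLUMNS)} columns, got {len(row)}"))
            continue
        records.append({name: (value or None) for name, value in zip(IAS_COLUMNS, row)})
    return records, errors


def parse_record_date(value: str, day_before_month: bool = False) -> datetime.date:
    """Record-Date is written like 01/01/2016 in the logging host's locale; the
    Date Order data source option is what resolves which number is the month."""
    fmt = "%d/%m/%Y" if day_before_month else "%m/%d/%Y"
    return datetime.datetime.strptime(value, fmt).date()


def to_esm(record: Record) -> Dict[str, object]:
    """Project one record onto ESM field names and decode the coded columns."""
    esm: Dict[str, object] = {esm_name: record.get(ias_name) for ias_name, esm_name in IAS_TO_ESM.items()}
    packet_type = record.get("Packet-Type")
    esm["Action"] = PACKET_TYPES.get(packet_type or "", f"Packet-Type {packet_type}")
    user = record.get("User-Name") or ""
    esm["Domain"] = user.split("\\", 1)[0] if "\\" in user else None  # assumption
    reason = record.get("Reason-Code")
    esm["Reason"] = int(reason) if reason is not None else None  # 0 means success
    return esm


def rejected(records: List[Record]) -> List[Tuple[str, int]]:
    """(User-Name, Reason-Code) for every record with a non-zero reason, the
    records a rule for failed RADIUS authentications would key on."""
    out: List[Tuple[str, int]] = []
    for record in records:
        reason = record.get("Reason-Code")
        if reason is not None and int(reason) != 0:
            out.append((record.get("User-Name") or "", int(reason)))
    return out
```

The Signature ID row (Packet-Type+99+Reason-Code) is not reproduced because the guide does not say how the three parts are combined; anything written for it here would be a guess.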
Task
1. In the Microsoft Azure portal, navigate to Azure Active Directory. If Azure Active Directory is not visible in the left menu,
click More Services then search for it.
2. From the Active Directory submenu, click the Properties tab.
3. Copy the Directory ID value to use as the Tenant ID when setting up McAfee ESM for the Microsoft Office 365 data source.
4. Navigate to App registrations.
5. Add an application.
a. Click New application registration.
b. Name the application.
c. Select the Web app/API type.
d. In Sign-on URL , enter http://localhost:1234
e. Click Create at the bottom of the screen.
6. Select the newly created application.
7. Copy and save the Application ID to use as the Client ID when setting up McAfee ESM for the Microsoft Office 365 data
source.
8. Enable McAfee ESM to pull event data.
a. Click Required permissions.
b. Click Add at the top of the screen.
c. From Add API Access, click Select an API.
d. Search for and select Office 365 Management APIs. Then click Select at the bottom of the screen.
e. In Required Permissions, select Office 365 Management APIs.
f. Enable all Application Permissions.
g. Enable all Delegated Permissions then click Save at the top of the screen.
h. Work with your administrator to grant the application new permissions by clicking Grant Permissions at the top of
the screen.
9. Set up a security key.
a. Click Keys on the application settings.
b. Enter a key description and select a duration.
c. Click Save.
d. On the next screen, save the secret key value to a secure location for future reference.
Note: The secret key value does not appear again. McAfee ESM requires the secret key to set up the Microsoft Office 365 data source.
10. To receive collected Microsoft Office 365 data, start subscriptions to specific content types using a tool that can send API POST and GET requests. Starting a subscription requires an access token to call the subscription API.
a. For the POST URL, enter https://login.microsoftonline.com/"insert tenant id here"/oauth2/token
b. For the POST raw body of the request, enter grant_type=client_credentials&client_id="insert client id here"&client_secret="insert secret key here"&resource=https://manage.office.com
c. In the header, set Key to 'Content-Type' and the value to 'application/x-www-form-urlencoded'.
d. Send the POST request; the result is returned in JSON. Retrieve the access token from the response to use in the next request.
Note: As of June 12, 2017, content types are Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All. For information about starting subscriptions, see https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#start-a-subscription.
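Step 10 describes the client-credentials token request by hand. The code below is an added example, not code from the McAfee guide or from McAfee ESM: it builds the token request exactly as step 10 specifies (URL, form body, Content-Type header), pulls the access token out of the JSON reply, and builds the subscription-start request that follows. The token endpoint, body fields and header come from step 10; the subscriptions/start URL is taken from the Office 365 Management Activity API reference the guide links to, and is an assumption as far as this guide is concerned. The tenant ID, client ID, client secret and JSON reply are constructed placeholders, and nothing is sent unless send_request is called.

```python
"""Build the Office 365 Management API token request and subscription-start
request from step 10 above.

Added example, not code from the McAfee guide or McAfee ESM. Token endpoint,
body and header are as written in step 10; the subscriptions/start URL is
from the linked Office 365 Management Activity API reference (assumption).
All identifiers below are placeholders.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://manage.office.com"
SUBSCRIPTION_START_TEMPLATE = (
    "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/start"
)


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for the client-credentials grant of step 10a-c.

    urlencode percent-encodes the secret, so a secret containing '&', '=' or
    '+' cannot break the body into different fields.
    """
    url = TOKEN_URL_TEMPLATE.format(tenant=tenant_id)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    })
    return url, headers, body


def redact_for_log(body: str) -> str:
    """Copy of the form body safe to write to a log: the secret is replaced."""
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    return urllib.parse.urlencode([(k, "REDACTED" if k == "client_secret" else v) for k, v in pairs])


def parse_token_response(response_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Step 10d: return (access_token, None) on success or (None, error) when
    the endpoint answered with an error object instead of a token."""
    payload = json.loads(response_text)
    token = payload.get("access_token")
    if token:
        return token, None
    return None, payload.get("error_description") or payload.get("error") or "no access_token in response"


def build_subscription_start(tenant_id: str, content_type: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for starting a subscription to one content type."""
    query = urllib.parse.urlencode({"contentType": content_type})
    url = SUBSCRIPTION_START_TEMPLATE.format(tenant=tenant_id) + "?" + query
    return url, {"Authorization": "Bearer " + access_token}


def send_request(url: str, headers: Dict[str, str], body: Optional[str] = None) -> str:
    """POST the request over HTTPS and return the response text (network call)."""
    data = body.encode("ascii") if body is not None else b""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Credentials come from the environment so the secret is never in source.
    tenant = os.environ.get("O365_TENANT_ID", "TENANT-ID-PLACEHOLDER")
    client = os.environ.get("O365_CLIENT_ID", "CLIENT-ID-PLACEHOLDER")
    secret = os.environ.get("O365_CLIENT_SECRET", "SECRET-PLACEHOLDER")
    url, headers, body = build_token_request(tenant, client, secret)
    print(url, headers, redact_for_log(body))
```

The secret is read from the environment and never logged in clear, and the resource value is percent-encoded exactly as the tool in step 10 would do it, so the form body matches what the endpoint expects.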
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your
data source.
IP Address/Hostname manage.office.com
Tenant ID Use the Directory ID saved in Configure Microsoft Office 365 as the Tenant ID.
Client Key Use the Application ID saved in Configure Microsoft Office 365 as the Client Key.
Client Secret Key Use the Secret Key saved in Configure Microsoft Office 365 as the Client Secret Key.
756 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample Microsoft Office 365 log:
{"CreationTime":"2000-01-01T22:00:04","Id":"00000000-0000-0000-0000-000000000000","Operation":"Create","OrganizationId":"00000000-0000-0000-0000-000000000000","RecordType":2,"ResultStatus":"Succeeded","UserKey":"0000A0AA0A0000A0","UserType":2,"Version":1,"Workload":"Exchange","UserId":"S-1-5-21-0000000000-0000000000-0000000000-0000000","ClientIPAddress":"10.10.10.10","ClientInfoString":"Client=WebServices;ExchangeServicesClient/00.00.0000.010;","ExternalAccess":false,"InternalLogonType":0,"LogonType":1,"LogonUserSid":"S-1-5-21-0000000000-0000000000-0000000000-0000000","MailboxGuid":"00000000-0000-0000-0000-000000000000","MailboxOwnerSid":"S-1-5-21-0000000000-0000000000-0000000000-2026015","MailboxOwnerUPN":"user1@example.com","OrganizationName":"server.example.com","OriginatingServer":"NEWSERVER (00.01.0000.001)\r\n","Item":{"Attachments":"newfile.xls (000000)","Id":"AAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","ParentFolder":{"Id":"AAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","Path":"\\My Folders\\Personal Folders - 2000\\Jan 2000"},"Subject":"AA00: RTF - AAA "}}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
ResultStatus -> action
Workload -> application
ObjectID -> URL
OrganizationName -> domain
Subject -> subject
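The log sample and the field mapping above, applied together as an added example (not McAfee's parser and not part of the original guide). The sample event is a trimmed, constructed version of the page's Exchange event. Two assumptions are built in: Subject sits under "Item" in Exchange events rather than at the top level, so the lookup descends into nested objects, and the key comparison is case-insensitive because the API spells ObjectId with a lowercase "d" while the table writes ObjectID. The returned list of source fields that were not found is the first thing to look at when received data is not parsed.

```python
"""Map an Office 365 Management Activity event, like the log sample above, to the
McAfee ESM fields in the Field mapping table. Added example, not McAfee's parser;
the sample event is a trimmed, constructed version of the one on this page."""
import json
from collections import deque

# Data source field -> ESM field, from the Field mapping table above.
FIELD_MAP = {
    "ResultStatus": "action",
    "Workload": "application",
    "ObjectID": "URL",
    "OrganizationName": "domain",
    "Subject": "subject",
}

# Constructed sample, cut down from the page's Exchange event.
SAMPLE_EVENT = json.dumps({
    "CreationTime": "2000-01-01T22:00:04",
    "Id": "00000000-0000-0000-0000-000000000000",
    "Operation": "Create", "RecordType": 2, "ResultStatus": "Succeeded",
    "Workload": "Exchange", "ClientIPAddress": "10.10.10.10",
    "OrganizationName": "server.example.com",
    "Item": {"Attachments": "newfile.xls (000000)",
             "ParentFolder": {"Path": "\\My Folders\\Personal Folders - 2000\\Jan 2000"},
             "Subject": "AA00: RTF - AAA "},
})


def find_field(obj, name):
    """Breadth-first, case-insensitive lookup of a key in nested JSON objects.
    Assumption: Subject sits under "Item" in Exchange events and the API spells
    ObjectId with a lowercase 'd', so neither nesting nor case should break the match."""
    queue = deque([obj])
    while queue:
        cur = queue.popleft()
        if isinstance(cur, dict):
            for key, value in cur.items():
                if key.lower() == name.lower():
                    return value
                if isinstance(value, (dict, list)):
                    queue.append(value)
        elif isinstance(cur, list):
            queue.extend(cur)
    return None


def map_event(raw):
    """Return (esm_fields, missing_source_fields) for one JSON event. String
    values are stripped because the sample Subject carries a trailing space."""
    event = json.loads(raw)
    mapped, missing = {}, []
    for src, dst in FIELD_MAP.items():
        value = find_field(event, src)
        if value is None:
            missing.append(src)
        else:
            mapped[dst] = value.strip() if isinstance(value, str) else value
    return mapped, missing


if __name__ == "__main__":
    print(map_event(SAMPLE_EVENT))
```

For the Exchange sample, ObjectID is reported as missing and no URL field is produced; that is expected for that workload, whereas a SharePoint event carries an ObjectId and does populate URL.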
Microsoft SharePoint
See the Microsoft documentation to configure SharePoint to send logs to a Receiver. To enable logging, use a file share method.
SharePoint log files are located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\<version>\Logs\. The log file naming convention is <computername><date><time>.
You can use syslog, SIEM Collector, or CIFS to send logs from SharePoint to the ESM.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add and configure the data source.
Note
Your environment and choice of data delivery method will dictate the settings you need to configure.
Log sample
This is a sample log from an Alcatel-Lucent VitalQIP device:
09/15/2011 15:00:41.24* w3wp.exe (0x1460) 0x05A4 SharePoint Foundation General fbv6 Medium ...</soap:Envelope> 5d56fbd6-58b1-479c-90c1-5db6af03790d
Field mapping
This table shows the mapping between the data source and McAfee ESM fields. This data source may support fields not listed here.
timestamp -> TimeStamp
process -> Process
tid -> TID
Area -> Area
category -> Category
eventID -> EventID
severity -> Level
message -> Message
correlation -> Correlation
Microsoft SQL
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: <Enable>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Time Zone: Time zone where the data source is physically located.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
For Server 2008 and later, expand the navigation tree and select IPv4 or IPv6.
Note
The recommended method for data delivery is to use the McAfee Collector. These agents have the added benefit of being able to send only the logs that haven't yet been sent, eliminating duplicates.
See the respective delivery method documentation for setup and usage information.
Option Definition
Enabled: Checked
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
The expected format for this device is as follows for Windows Server 2008 and 2008 R2:
The expected format for this device is as follows for Windows Server 2012 and above:
Log sample
This is a sample log from a Windows Server 2003 DHCP device:
10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,
10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
ID -> Sid
IP Address -> Source IP
TransactionID -> Session ID
QResult -> Return_Code
VendorClass(ASCII) -> External_Device_Name
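The two DHCP sample lines and the field mapping above, parsed as an added example (not McAfee's parser and not part of the original guide). The column names are an assumption taken from the Windows DHCP server audit-log header, which this page does not print; the first sample line uses the shorter 13-column layout and the second the 19-column one, and the parser pads the short layout so the same mapping applies to both. As a consistency check it decodes VendorClass(Hex) and compares it with VendorClass(ASCII), which for the second sample yields MSFT 5.0.

```python
"""Parse Windows DHCP server audit-log lines into the ESM fields listed in the
Field mapping table above. Added example, not McAfee's parser. DHCP_COLUMNS is the
Windows DHCP audit-log header (assumption: the page does not print it); the
sample lines are the two on this page."""
import csv

# Windows DHCP audit-log header (assumed from the log format, not printed on this page).
DHCP_COLUMNS = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address",
    "User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID", "Dhcid",
    "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)", "UserClass(ASCII)",
    "RelayAgentInformation", "DnsRegError",
]
# Data source field -> ESM field, from the Field mapping table above.
FIELD_MAP = {
    "ID": "Sid",
    "IP Address": "Source IP",
    "TransactionID": "Session ID",
    "QResult": "Return_Code",
    "VendorClass(ASCII)": "External_Device_Name",
}

# The two sample lines from this page: a 13-column line and a 19-column line.
SAMPLE_LOG = """\
10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,
10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
"""


def decode_vendor_class(hex_value):
    """Decode the 0x-prefixed hex vendor class to text; '' stays ''."""
    if not hex_value:
        return ""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    return bytes.fromhex(digits).decode("ascii", "replace")


def parse_line(line):
    """Return the ESM fields for one audit-log line, or None for a line that is
    not a record. Audit logs open with a textual preamble and a header row, so
    only rows whose first column is a numeric event ID count as records; lines in
    the older, shorter layout are padded with empty trailing columns."""
    fields = next(csv.reader([line]), [])
    if not fields or not fields[0].strip().isdigit():
        return None
    if len(fields) > len(DHCP_COLUMNS):
        return None
    fields = [f.strip() for f in fields] + [""] * (len(DHCP_COLUMNS) - len(fields))
    record = dict(zip(DHCP_COLUMNS, fields))
    esm = {dst: record[src] for src, dst in FIELD_MAP.items()}
    # Cross-check: the ASCII vendor class should agree with its hex twin.
    esm["vendor_class_consistent"] = (
        decode_vendor_class(record["VendorClass(Hex)"]) == record["VendorClass(ASCII)"])
    return esm


def parse_log(text):
    """Parse every record line in a log body, skipping blank and non-record lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```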
Mimecast
Configure Mimecast
Set up Mimecast to send logs to ESM.
Task
Add Mimecast
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The hostname of the login (for example, login-us.mimecast.com). Click Look up to automatically fill in the IP address.
Field 1 (ESM 11.3.0 and 11.3.1): The Application ID. Get this from Mimecast.
Field 2 (ESM 11.3.0 and 11.3.1): The Application Key. Get this from Mimecast.
Client Key: Access key for APIs. Get this from Mimecast.
Client Secret Key: Secret key for APIs. Get this from Mimecast.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Note
The WMI array that holds data source configurations can hold no more than 2000 data sources.
Task
• For Windows XP, Server 2003, or later, create a user account added to the Administrators group.
• For Windows 8.1 or Server 2012 R2, use the Administrator user account or create a user account and add it to the
Administrators, Distributed COM Users, and Event Log Readers groups.
2. If using the second option, configure the data source to use RPC.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Use System Profiles: System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time.
Data Source Model: Windows Event Log WMI (set by default if using profile)
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
NetBIOS Name: The NetBIOS name (host name) associated with the data source device.
Username: The user name of the account being connected to on the data source device.
Password: The password of the account being connected to on the data source device.
Interval: How long the Receiver waits before checking for new data.
Use RPC: Whether to use Remote Procedure Calls (RPC) to connect to the data source device.
Secure RPC: Use a more secure connection via Remote Procedure Calls (RPC). This is required for Windows Server, Professional, and Home versions after applying Microsoft Windows Update June 8, 2021-KB5003638 (OS Build 14393.4467). For details, see the knowledge base article WMI collection fails and results in DCOM errors after applying Microsoft Windows Update (KB94640).
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a WMI data source:
10.33.146.158||System||164812||NtServicePack||4377||52||1387354608||3||MYOFFICEPC||MYDOMAIN\MyUserName||||2||Windows Server 2003||KB2892076||Windows Server 2003 Hotfix KB2892076 was installed.
Motorola AirDefense
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The fields in this device's log are:
computer, date, time, IP protocol, source, destination, original client IP, source network, destination network, action, status, rule, application protocol, bytes sent, bytes sent intermediate, bytes received, bytes received intermediate, connection time, connection time intermediate, username, agent, session ID, connection ID
Log sample
This is a sample log from a Motorola AirDefense device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer -> Hostname
IP Protocol -> Protocol
Source -> Source IP
Destination -> Destination IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
<priority> <date> <time> LANGuardian event[<event ID>]: sen_id=<ID> app_id=<ID> src_ip=<IP address> dest_ip=<IP address> host=<web host> uri=<URI>
Log sample
This is a sample log from a NetFort Technologies LANGuardian device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
appname -> Application
src_ip -> Source IP
dest_ip -> Destination IP
host -> Domain
smb_action -> Command
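The LANGuardian log format and field mapping above, implemented as an added example (not McAfee's parser and not part of the original guide). Because the page prints no sample, the lines below are constructed to match the documented format; the header regex assumes the <priority> is a standard syslog PRI value and that date and time are single whitespace-free tokens. The mapping table lists fields (appname, smb_action) that the format line does not show, so the parser maps whatever key=value pairs are present and reports the rest as unmapped rather than treating their absence as an error.

```python
"""Parse NetFort LANGuardian syslog events of the format shown above into the ESM
fields from the mapping table. Added example, not McAfee's parser. The page prints
no sample, so the lines below are constructed to match the documented format; the
syslog <priority> is decoded as a standard PRI value (facility*8 + severity)."""
import re

# <priority> <date> <time> LANGuardian event[<event ID>]: key=value ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"LANGuardian event\[(?P<event_id>\d+)\]:\s*(?P<kv>.*)$"
)
# key=value pairs; a value may be double-quoted when it contains spaces (assumption).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Data source field -> ESM field, from the Field mapping table above.
FIELD_MAP = {"appname": "Application", "src_ip": "Source IP", "dest_ip": "Destination IP",
             "host": "Domain", "smb_action": "Command"}

SAMPLE_LINES = [  # constructed, not captured from a device
    '<14> 2018-04-23 10:15:02 LANGuardian event[1234]: sen_id=7 app_id=3 '
    'src_ip=10.1.2.3 dest_ip=93.184.216.34 host=www.example.com uri="/docs/a b.html"',
    '<14> 2018-04-23 10:15:03 LANGuardian event[1235]: sen_id=7 app_id=9 appname=smb '
    'src_ip=10.1.2.3 dest_ip=10.1.0.5 host=fileserver smb_action=write',
    'Apr 23 10:15:04 somehost sshd[100]: not a LANGuardian line',
]


def parse_line(line):
    """Return the ESM fields for one line plus event ID and decoded syslog
    priority, or None if the line is not in the LANGuardian format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    kv = {}
    for key, whole, quoted, bare in KV_RE.findall(m.group("kv")):
        kv[key] = quoted if whole.startswith('"') else bare
    pri = int(m.group("pri"))
    record = {"event_id": int(m.group("event_id")),
              "facility": pri // 8, "severity": pri % 8,
              "date": m.group("date"), "time": m.group("time")}
    # Only fields present in the line are mapped; the table lists more fields than
    # the format line shows (appname, smb_action), so absence is normal, not an error.
    record.update({dst: kv[src] for src, dst in FIELD_MAP.items() if src in kv})
    record["unmapped"] = sorted(k for k in kv if k not in FIELD_MAP)
    return record


def parse_lines(lines):
    """Parse a batch of lines, dropping any that are not LANGuardian events."""
    return [r for r in map(parse_line, lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```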
NetFlow
Add NetFlow
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
nat_type -> NAT_Details.NAT_Type
app_name -> Application
fwd_status -> Forwarding_Status
if_desc -> Interface
code -> Reason
flow_id -> Session ID
vlan -> vlan
firsttime -> Firsttime
lasttime -> Lasttime
protocol -> Protocol
NetWitness Spectrum
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device to which the ESM forwards events in Common Event Format (CEF).
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
790 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources
Option Definition
Export in Use this option when you are exporting raw data source data.
NitoFile
format
Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
file.name Destination_Filename.Destination_Filename
filetype File_Type.FileType
threat.category Category.Category
File.md5.hash File_Hash.File_Hash
domain.dst domain
ip.proto protocol
host hostname
ip.src src_ip
ip.dst dst_ip
tcp.srcport src_port
tcp.dstport dst_port
eth.src src_mac
eth.dst dst_mac
sessionid sessionid
time firsttime/lasttime
Niara
Configure Niara
Task
1. Set up Forwarding.
a. From the Niara Analyzer Interface, navigate to System Configuration → Syslog Destinations.
b. Fill in the Parameter Description, for example, McAfee ESM.
c. In the Syslog Destination field, enter the IP address or host name of the McAfee Event Receiver.
d. Set the protocol (default is UDP).
e. Set the port (default is 514).
2. Set up Notification.
a. From the Niara Analyzer Interface, navigate to System Configuration → Security Alerts/Emails.
b. Click Add New.
c. Select Enable Alert Syslog Forwarding.
d. Leave the default values for Query, Severity, and Confidence.
e. For Sending Notification, select As Alerts are produced.
f. For TimeZone, set as your local time zone.
Add Niara
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
alert_name Message
alert_type Threat_Name
alert_category Threat_Category
alert_severity Severity
alert_confidence Confidence
src_host_name Host
src_ip Source IP
dest_ip Destination IP
description Description
alert_id Message_Text
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
These are sample logs from a Nortel device:
<131> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : tIsakmp [03] No proposal chosen in message from 10.10.3.21
<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Groups Group_Name
Severity mapping
Each log that contains the following severity format (in brackets) is mapped according to the following sample and table:
<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login
The following table shows the conversion from the severity level in the Nortel log (the bracketed value) to the severity level recorded in the ESM:
Nortel level ESM severity
01 99 (Emergency)
02 75 (Critical)
03 60 (Error)
04 50 (Warning)
05 25 (Alert)
06 10 (Debug)
07 10 (Informational)
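The parse-and-map step this table describes, as an added example in Python; it is not McAfee's parser code. The regular expression is an assumption about the line shape, written from the two sample lines above, and the severity table is the one documented here. The example also decodes the syslog PRI value so that the bracketed Nortel level can be cross-checked against the syslog severity the device itself sent (in both samples the two agree: 131 carries severity 3, 134 carries severity 6):

```python
"""Nortel syslog line parser with the documented ESM severity mapping.

Added example; not part of the McAfee ESM parser. NORTEL_LINE is an
assumption about the line shape, derived from the two sample lines on
this page. The severity table is the one documented above.
"""
import re

# Documented conversion: bracketed Nortel level -> ESM severity value.
NORTEL_TO_ESM_SEVERITY = {
    "01": 99,  # Emergency
    "02": 75,  # Critical
    "03": 60,  # Error
    "04": 50,  # Warning
    "05": 25,  # Alert
    "06": 10,  # Debug
    "07": 10,  # Informational
}

# Assumed line shape: <PRI> seq mm/dd/yyyy hh:mm:ss task n : group [LL] message
NORTEL_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<seq>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<task>\S+)\s+\d+\s*:\s*"
    r"(?P<group>\S+)\s+\[(?P<level>\d{2})\]\s*(?P<message>.*)$"
)

# Constructed sample input: the two lines shown on this page.
SAMPLE_LINES = [
    "<131> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : tIsakmp [03] No proposal chosen in message from 10.10.3.21",
    "<134> 272 06/18/2014 10:33:00 tEvtLgMgr 0 : Security [06] Session: IPSEC[uname] attempting login",
]


def esm_severity(level):
    """Return the ESM severity for a bracketed Nortel level, or None when the level is not in the table."""
    return NORTEL_TO_ESM_SEVERITY.get(level)


def parse_nortel(line):
    """Parse one Nortel line into a dict, or return None if it does not match the assumed shape."""
    m = NORTEL_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["esm_severity"] = esm_severity(rec["level"])
    # Syslog PRI is facility * 8 + severity. Decoding it lets you compare the
    # severity the device put in the syslog header with the bracketed level.
    facility, severity = divmod(int(rec["pri"]), 8)
    rec["syslog_facility"] = facility
    rec["syslog_severity"] = severity
    return rec


def parse_all(lines):
    """Parse a batch of lines; unmatched lines are returned rather than silently dropped."""
    parsed, unmatched = [], []
    for line in lines:
        rec = parse_nortel(line)
        if rec is None:
            unmatched.append(line)
        else:
            parsed.append(rec)
    return parsed, unmatched


if __name__ == "__main__":
    records, leftovers = parse_all(SAMPLE_LINES)
    for r in records:
        print(r["group"], r["level"], "->", r["esm_severity"], "|", r["message"])
    print("unparsed:", leftovers)
```

A level outside 01 to 07 is not an error for the parser: the record is still returned with esm_severity set to None, so the caller decides whether to default it or flag the line, and parse_all keeps unmatched lines so a format change on the device shows up as a growing leftover list instead of missing events.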
Task
where <ID> is the ID of the host that is sending syslog events. The ID can be a number from 1–10.
host enable
state enable
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log format
The expected format for this device is:
<device> <date time> <log type> <severity> <message> <id> <port number> <MAC address>
Log sample
This is a sample log from a Nortel Networks Passport 8000 Series Switch device:
<123>DEVICE [01/01/01 01:01:01] SNMP INFO Spanning Tree Topology Change(StgId=123, PortNum=1234, MacAddr=a1:b2:c3:d4:e5:f6)
Field mapping
This table shows the mapping between the data source and McAfee ESM.
Application Application
IP Address Source IP
Interface Object
Novell eDirectory
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Search (ELS) - if you want to search the event log on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device name> <account> <domain> <user ID source> <domain ID> <SysAddr> <SysName> <target CN> <target O> <action> <Event ID> <event class> <category> <severity>
Log sample
This is a sample log from a Novell eDirectory device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
SysName Hostname
SysAddr Source IP
Account: Name: CN Source User
Event ID Signature_Name
Subevent Category
ClassName Target_Class
Privileges Message_Text
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask <Default>
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log format
The expected format for this device is:
<date time> <device IP> <device name> <date time> <device name> <application> <hostname> <Source IP> <User Identifier> <URL>
Log sample
This is a sample log from a Novell Identity and Access Management device:
<123>Jan 01 01:01:01 192.0.2.1 Novell Access Manager\AG\URL Acc:[wMon, 01 Jan 2001 01:01:01 +0100] [Novell Access Manager\AG\URL Access]: AMDEVICEID#hostname: AMAUTHID#3authorizationID: AMEVENTID#eventID: Source IP Address: [192.0.2.2] User Identifier: [cn=12345678,ou=unit,O=domain] Accessed URL [https://example.com]
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
AMDEVICEID Hostname
Application Application
URL URL
Okta
Configure Okta
Set up Okta to send data to McAfee ESM.
Task
See Okta product documentation for instructions. The information on the developer site might be useful.
Add Okta
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
System Token The API token you created when you configured Okta. The Receiver uses it to retrieve data.
Use Proxy If you use a proxy, type the IP address, port, and credentials for the proxy server.
Time Zone Select the time zone offset applicable to the data being sent.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
The supported parser queries the DB_Audit_Trail table within the database to pull events. As this table grows, performance slows noticeably because the query must pull two values, Timestamp and Transaction_ID, on every poll. To reduce the impact on performance, index the table on the columns the query uses. If there is still a considerable impact after indexing, use another option (syslog, flat file, etc.) to pull audit data.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address and credentials The IP address associated with the data source device and the credentials to log on.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
Log sample
This is a sample log from an Oracle Audit device:
AUDIT_TYPE Category
DBID Database_ID
USERHOST Host
OBJECT_NAME Object
SQL_TEXT SQL_Statement
SESSION_ID Session_ID
ACTION SID
AUDIT_TYPE Category
DBID Database_ID
USERHOST Host
ADDITIONAL_INFO Message_Text
OBJECT_NAME Object
OBJECT_SCHEMA Database_Name
FGA_POLICY_NAME Policy_Name
SESSIONID Session_ID
CLIENT_PROGRAM_NAME Application
UNIFIED_AUDIT_POLICIES Rule_Name
SQL_TEXT SQL_Statement
SYSTEM_PRIVILEGE_USED Command
2. Edit the initsid.ora configuration file and set the facility and priority in the AUDIT_SYSLOG_LEVEL parameter.
Example:
AUDIT_SYSLOG_LEVEL=facility.priority
3. Log on, as root, to the server that holds the syslog configuration file (/etc/syslog.conf).
4. Add the audit file location for that facility and priority to syslog.conf.
5. Restart the syslog daemon (example: /etc/rc.d/init.d/syslog restart).
6. Restart the database instance (example: CONNECT SYS / AS SYSOPER).
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL that can be accessed to view event data for this data source (maximum of 512 characters). You can open this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device from which Common Event Format (CEF) events are forwarded to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. Clear the checkbox to remove the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when the logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile format is selected for each of the data sources you are importing, which indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file but you want to view it anyway.
<Priority Number>Process Name[]: LENGTH: '' ACTION:[] SQLTXT DATABASE USER:[] PRIVILEGE:[] CLIENT USER:[] CLIENT TERMINAL:[] STATUS:[] DBID:[]
Log sample
This is a sample log from an Oracle Audit device:
<133>Oracle Audit[8435]: LENGTH : '317' ACTION :[168] 'select decode(status, 'OPEN', 1, 0), decode(archiver, 'FAILED', 1, 0), decode(database_status, 'SUSPENDED', 1, 0) into :status, :archstuck, :dbsuspended from v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1234567890'
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
DBID Database_ID
USERHOST Host
Message Message
PRIVILEGE Privileged_User
PROTOCOL Protocol
Session ID Session ID
Signature ID Signature ID
HOST Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
Port 22
Interval 15 minutes
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<AuditRecord><Audit_Type></Audit_Type><Session_Id></Session_Id><StatementId></StatementId><EntryId></EntryId><Extended_Timestamp></Extended_Timestamp><DB_User></DB_User><Userhost></Userhost><OS_Process></OS_Process><Terminal></Terminal><Instance_Number></Instance_Number><Returncode></Returncode><Scn></Scn><OSPrivilege></OSPrivilege><DBID></DBID> <Sql_Text></Sql_Text></AuditRecord>
Log sample
This is a sample log from an Oracle Audit device:
<AuditRecord><Audit_Type>0</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId><EntryId>0</EntryId><Extended_Timestamp>2015-01-01T00:00:00.0000000</Extended_Timestamp><DB_User>/</DB_User><Userhost>HOST.COMPANY.COM</Userhost><OS_Process>12345</OS_Process><Terminal>UNKNOWN</Terminal><Instance_Number>2</Instance_Number><Returncode>0</Returncode><Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1234567890</DBID> <Sql_Text>select count(*), null, null from sys.default</Sql_Text> </AuditRecord>
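The two Oracle Audit record forms shown in this section (the syslog line with its bracketed ACTION, PRIVILEGE and DBID fields, and the AuditRecord XML just shown) can be parsed and reduced to the ESM field names from the mapping tables as follows. This is an added example, not McAfee's parser; it assumes the bracketed number before each quoted syslog value is that value's length (the page's own sample, ACTION :[168], bears this out) and uses the page's two samples as input.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Syslog form: a priority, the process name and PID, then LENGTH and a run of
# fields. The number in square brackets is the length of the quoted value that
# follows it, which is what lets the SQL text contain its own single quotes.
SYSLOG_HEADER_RE = re.compile(r"^<(\d+)>(.*?)\[(\d+)\]: LENGTH : '(\d+)' ")
SYSLOG_FIELD_RE = re.compile(r"\s*([A-Z ]+?)\s*:\s*\[(\d+)\] '")

# Subset of this page's field mapping tables (data source field -> ESM field).
ESM_MAP = {"DBID": "Database_ID", "USERHOST": "Host", "PRIVILEGE": "Privileged_User"}

# The syslog sample from this page, joined back onto one line.
SYSLOG_SAMPLE = (
    "<133>Oracle Audit[8435]: LENGTH : '317' ACTION :[168] 'select decode(status, 'OPEN', 1, 0), "
    "decode(archiver, 'FAILED', 1, 0), decode(database_status, 'SUSPENDED', 1, 0) into :status, "
    ":archstuck, :dbsuspended from v$instance' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' "
    "CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1234567890'")

# The XML sample from this page, joined back onto one line.
XML_SAMPLE = (
    "<AuditRecord><Audit_Type>0</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId>"
    "<EntryId>0</EntryId><Extended_Timestamp>2015-01-01T00:00:00.0000000</Extended_Timestamp>"
    "<DB_User>/</DB_User><Userhost>HOST.COMPANY.COM</Userhost><OS_Process>12345</OS_Process>"
    "<Terminal>UNKNOWN</Terminal><Instance_Number>2</Instance_Number><Returncode>0</Returncode>"
    "<Scn>0</Scn><OSPrivilege>NONE</OSPrivilege><DBID>1234567890</DBID> "
    "<Sql_Text>select count(*), null, null from sys.default</Sql_Text> </AuditRecord>")


def parse_syslog_record(line: str) -> dict:
    """Parse the syslog form by length prefix rather than by quote matching."""
    m = SYSLOG_HEADER_RE.match(line)
    if not m:
        raise ValueError("not an Oracle Audit syslog record")
    pri = int(m.group(1))
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "process": m.group(2), "pid": m.group(3), "LENGTH": m.group(4)}
    pos = m.end()
    while pos < len(line):
        fm = SYSLOG_FIELD_RE.match(line, pos)
        if not fm:
            raise ValueError("unexpected data at offset %d" % pos)
        name, size = fm.group(1), int(fm.group(2))
        start = fm.end()
        value = line[start:start + size]
        # A value shorter than its prefix, or one not closed by a quote, means the
        # record was truncated or altered in transit; refuse it rather than guess.
        if len(value) != size or line[start + size:start + size + 1] != "'":
            raise ValueError("length prefix for %s does not match its value" % name)
        rec[name] = value
        pos = start + size + 1
    return rec


def parse_xml_record(doc: str) -> Dict[str, str]:
    """Parse the XML form: one child element per field inside <AuditRecord>."""
    # For XML received from untrusted parties, parse with defusedxml instead.
    root = ET.fromstring(doc)
    if root.tag != "AuditRecord":
        raise ValueError("root element is %s, expected AuditRecord" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def to_esm_fields(rec: dict) -> dict:
    """Apply the page's mapping; names are compared case-insensitively because
    the two forms spell them differently (DBID vs. Userhost)."""
    return {ESM_MAP[k.upper()]: v for k, v in rec.items() if k.upper() in ESM_MAP}


if __name__ == "__main__":
    for rec in (parse_syslog_record(SYSLOG_SAMPLE), parse_xml_record(XML_SAMPLE)):
        print(to_esm_fields(rec))
```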
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
DBID Database_ID
USERHOST Host
Message Message
PRIVILEGE Privileged_User
PROTOCOL Protocol
Session ID Session ID
Signature ID Signature ID
HOST Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
Hostname Host name associated with the data source device, cloud.oracle.com. Click Look up to automatically fill the IP field.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
6. Click OK.
Oracle 12c introduced Unified Auditing. Previously, separate audit trails were kept for individual components. The Unified Audit
trail combines all auditing into a single audit trail. By default, Oracle 12c is in “Mixed Mode” and all log data is written to both the
traditional locations and the new location. Once Unified Auditing is explicitly enabled, all audit data are stored in the new location
exclusively.
Note
The minimum privileges for the Oracle Unified Audit and Common Audit trails are the CONNECT privilege and the AUDIT_VIEWER role.
Task
2. If this query returns the following, Unified Auditing has not been enabled.
PARAMETER VALUE
------------------ ----------
Unified Auditing FALSE
3. To enable Unified Auditing in Oracle 12c, first shut down your Oracle databases and listeners that are associated to the
Oracle Home.
4. Next, relink the Oracle executable to support Unified Auditing by doing the following:
Unix/Linux:
cd $ORACLE_HOME/rdbms/lib
Windows:
cd %ORACLE_HOME%\bin
mv orauniaud12.dll.dbl orauniaud12.dll
5. Start your Oracle databases and listeners associated to the Oracle Home.
6. Both ORA_SECURECONFIG and ORA_LOGON_FAILURES policies are enabled by default and can be configured as needed.
7. Enable auditing for the appropriate tables.
%ORACLE_HOME%/ldap/log
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
[Timestamp][ServerType][ThreadIdentifier][Severity][FunctionName][Hostname][PID][ThreadID] :[[
BEGIN
ConnectionID MessageID OperationID OperationName ConnectionIP ConnectionDomain
Trace information
END
]]
Log sample
This is a sample log from an Oracle Internet Directory Server device:
System Logs:
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
OperationName Message
ConnectionIP Source IP
ConnectionDomain Domain
PID PID
ConnectionID External_Session_ID
OperationID External_Event_ID
Task
\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d
h. Set ft_delim_end_of_event to 0.
i. Set ft_start_top to 1.
3. Save and close the file.
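An added example (not McAfee's or Oracle's code) that applies the start-of-event regex above to cut a file into events and then parses each event's bracketed header and BEGIN/END body in the log format given earlier in this section, mapping the result to the ESM fields from the mapping table. The log content is constructed, and reading ft_delim_end_of_event = 0 as "the delimiter opens an event" is an assumption.

```python
import re
from typing import Dict, List

# Start-of-event delimiter exactly as this page gives it for the file tailer;
# the hex escapes spell out "[YYYY-MM-DDTHH:MM:SS+HH:MM]".
EVENT_START_RE = re.compile(
    r"\x5b\d{4}\x2d\d{2}\x2d\d{2}T(?:\d{2}\x3a){2}\d{2}(?:\x2b|\x2d)\d{2}\x3a\d{2}\x5d")

HEADER_NAMES = ("Timestamp", "ServerType", "ThreadIdentifier", "Severity",
                "FunctionName", "Hostname", "PID", "ThreadID")
HEADER_RE = re.compile("^" + r"\[([^\]]*)\]" * len(HEADER_NAMES) + r" :\[\[\s*$")
BODY_NAMES = ("ConnectionID", "MessageID", "OperationID", "OperationName",
              "ConnectionIP", "ConnectionDomain")

# Field mapping table from this page (OID field -> ESM field).
ESM_MAP = {"OperationName": "Message", "ConnectionIP": "Source IP",
           "ConnectionDomain": "Domain", "PID": "PID",
           "ConnectionID": "External_Session_ID", "OperationID": "External_Event_ID"}

# Constructed sample in the page's layout (not a capture from a real server).
SAMPLE_LOG = """\
[2018-04-23T10:15:30+00:00][OID][TRACE:16][NOTIFICATION][gslfbind][ldap1.example.com][12345][7] :[[
BEGIN
1001 5 3 BIND 203.0.113.7 example.com
bind completed for cn=app,dc=example,dc=com
END
]]
[2018-04-23T10:15:31+00:00][OID][TRACE:16][ERROR][gslfsearch][ldap1.example.com][12345][8] :[[
BEGIN
1002 6 4 SEARCH 198.51.100.9 example.org
base: dc=example,dc=org
filter: (uid=*)
END
]]
"""


def split_events(text: str) -> List[str]:
    """Each event runs from one timestamp match to the next (assumption: with
    ft_delim_end_of_event = 0 the delimiter opens an event rather than closing one).
    Anything before the first timestamp is not an event and is dropped."""
    starts = [m.start() for m in EVENT_START_RE.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].strip() for s, e in zip(starts, ends)]


def parse_event(event: str) -> Dict[str, str]:
    """Parse the bracketed header line and the BEGIN/END body of one event."""
    lines = event.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("malformed OID header: " + lines[0])
    rec = dict(zip(HEADER_NAMES, m.groups()))
    try:
        begin = lines.index("BEGIN")
        end = lines.index("END", begin)
    except ValueError:
        raise ValueError("event has no BEGIN/END block") from None
    # The first body line carries the six connection fields in a fixed order.
    fields = lines[begin + 1].split(maxsplit=len(BODY_NAMES) - 1)
    if len(fields) != len(BODY_NAMES):
        raise ValueError("expected %d connection fields, got %d" % (len(BODY_NAMES), len(fields)))
    rec.update(zip(BODY_NAMES, fields))
    rec["Trace"] = "\n".join(lines[begin + 2:end])   # free-form trace information
    return rec


def to_esm_fields(rec: Dict[str, str]) -> Dict[str, str]:
    return {esm: rec[src] for src, esm in ESM_MAP.items() if src in rec}


if __name__ == "__main__":
    for ev in split_events(SAMPLE_LOG):
        print(to_esm_fields(parse_event(ev)))
```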
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Traffic Logs:
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination
IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual
System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile,
FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port,
Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category,
FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent,
Packets Received.
Threat Logs:
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination
IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual
System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile,
FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port,
Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action
Flags, Source Location, Destination Location, FUTURE_USE, Content Type
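An added example, not Palo Alto's or McAfee's code, that names the columns of a Traffic or Threat line by the two layouts above, choosing the layout from the Type column and refusing a line whose column count does not match (positional parsing would otherwise mislabel every field after the mismatch). The two log lines are constructed, and the literal Type values TRAFFIC and THREAT are assumed from PAN-OS behaviour rather than taken from this page.

```python
import csv
from typing import Dict, List

# Column layouts exactly as listed on this page. FUTURE_USE columns are
# positional placeholders that carry nothing and are dropped after parsing.
COMMON: List[str] = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Subtype", "FUTURE_USE",
    "Generated Time", "Source IP", "Destination IP", "NAT Source IP", "NAT Destination IP",
    "Rule Name", "Source User", "Destination User", "Application", "Virtual System",
    "Source Zone", "Destination Zone", "Ingress Interface", "Egress Interface",
    "Log Forwarding Profile", "FUTURE_USE", "Session ID", "Repeat Count", "Source Port",
    "Destination Port", "NAT Source Port", "NAT Destination Port", "Flags", "Protocol", "Action",
]
TRAFFIC_FIELDS = COMMON + [
    "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time", "Elapsed Time",
    "Category", "FUTURE_USE", "Sequence Number", "Action Flags", "Source Location",
    "Destination Location", "FUTURE_USE", "Packets Sent", "Packets Received",
]
THREAT_FIELDS = COMMON + [
    "Miscellaneous", "Threat ID", "Category", "Severity", "Direction", "Sequence Number",
    "Action Flags", "Source Location", "Destination Location", "FUTURE_USE", "Content Type",
]
# Assumption: the Type column carries the literal values TRAFFIC and THREAT.
SCHEMAS = {"TRAFFIC": TRAFFIC_FIELDS, "THREAT": THREAT_FIELDS}
TYPE_INDEX = COMMON.index("Type")   # fourth column in both layouts

# Constructed sample lines (not captures), one per layout: 46 and 42 columns.
TRAFFIC_LINE = (
    "1,2018/04/23 10:15:30,001901000001,TRAFFIC,end,1,2018/04/23 10:15:30,"
    "10.0.0.5,198.51.100.20,203.0.113.1,198.51.100.20,allow-web,alice,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/1,ethernet1/2,default,1,54321,1,51514,443,17000,443,"
    "0x400000,tcp,allow,15320,4200,11120,40,2018/04/23 10:15:00,30,computer-and-internet-info,"
    "0,987654321,0x0,10.0.0.0-10.255.255.255,US,0,20,20")
THREAT_LINE = (
    "1,2018/04/23 10:16:02,001901000001,THREAT,vulnerability,1,2018/04/23 10:16:02,"
    "203.0.113.77,10.0.0.8,203.0.113.77,10.0.0.8,inbound-web,,,web-browsing,vsys1,"
    "untrust,trust,ethernet1/2,ethernet1/1,default,1,54400,1,40112,80,40112,80,"
    '0x80000000,tcp,reset-both,"GET /index.html",30000,any,critical,client-to-server,'
    "987654400,0x0,CN,10.0.0.0-10.255.255.255,0,text/html")


def parse_panos(line: str) -> Dict[str, str]:
    """Split one comma-separated log line and name its columns by its Type's layout."""
    cols = next(csv.reader([line]))   # csv handles quoted fields such as Miscellaneous
    if len(cols) <= TYPE_INDEX:
        raise ValueError("too few columns to read the Type field")
    log_type = cols[TYPE_INDEX]
    schema = SCHEMAS.get(log_type)
    if schema is None:
        raise ValueError("no layout for log type %r" % log_type)
    # A count mismatch means a different firmware layout or a damaged line;
    # refuse it instead of silently shifting every later field by one.
    if len(cols) != len(schema):
        raise ValueError("%s log has %d columns, layout has %d"
                         % (log_type, len(cols), len(schema)))
    return {name: value for name, value in zip(schema, cols) if name != "FUTURE_USE"}


if __name__ == "__main__":
    for sample in (TRAFFIC_LINE, THREAT_LINE):
        rec = parse_panos(sample)
        print(rec["Type"], rec["Source IP"], "->", rec["Destination IP"], rec["Action"])
```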
Log sample
This is a sample log from a Palo Alto PANOS device:
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Source IP Source IP
Destination IP Destination IP
Hostname Host
Message Message_Text
Category Category
Domain Domain
NAT NAT_Details
Direction Direction
Command Command
Event ID Event_Class
OS Operating_System
Protocol Protocol
URL URL
Session ID Session ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log samples
This is a sample log from a Proofpoint Message Security Gateway device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Hostname
Instancename Severity
Servicename|mod|module Application
cmd Command
ip Source IP
File Filename
Definitions Object
Evt Reason
To Destination User
Important
This procedure describes third-party software. The interface or associated processes might change without McAfee knowing
about it.
Task
1. Log on to Proofpoint.
2. Go to Settings and select the Connected Applications tab.
3. Click Create New Credential.
4. Type a name for the application and click Generate.
The Generated Service Credential window appears.
5. Note the Service Principal. You enter this in ESM as the user name.
6. Note the Secret. You enter this in ESM as the password.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname Enter the host name associated with the data source device, tap-api-v2.proofpoint.com, and click Look up beside Hostname to automatically fill the IP Address field.
Use Proxy If you use a proxy, enter the IP address, port, and credentials for the proxy.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
blocked_click
{
"data": {
"campaignId": "",
"classification": "",
"clickIP": "",
"clickTime": "",
"messageID": "",
"recipient": "",
"sender": "",
"senderIP": "",
"threatID": "",
"threatTime": "",
"threatURL": "",
"url": "",
"userAgent": ""
},
"message_type": ""
}
click_permitted
{
"data": {
"campaignId": "",
"classification": "",
"clickIP": "",
"clickTime": "",
"messageID": "",
"recipient": "",
"sender": "",
"senderIP": "",
"threatID": "",
"threatTime": "",
"threatURL": "",
"url": "",
"userAgent": ""
},
"message_type": ""
}
message_blocked
{
"data": {
"GUID": "",
"QID": "",
"ccAddresses": [],
"cluster": "",
"completelyRewritten": false,
"fromAddress": [
""
],
"headerFrom": "",
"headerReplyTo": null,
"impostorScore": 0,
"malwareScore": 0,
"messageID": "",
"messageParts": [
{
"contentType": "",
"disposition": "",
"filename": "",
"md5": "",
"oContentType": "",
"sandboxStatus": "",
"sha256": ""
},
{
"contentType": "",
"disposition": "",
"filename": "",
"md5": "",
"oContentType": "",
"sandboxStatus": "",
"sha256": ""
}
],
"messageSize": 44461,
"messageTime": "",
"modulesRun": [
"",
"",
"urldefense"
],
"phishScore": 0,
"policyRoutes": [
"",
Log sample
{
"data": {
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"clickIP": "192.0.2.1",
"clickTime": "2016-06-24T19:17:44.000Z",
"messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81",
"recipient": "bruce.wayne@pharmtech.zz",
"sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
"senderIP": "192.0.2.255",
"threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"threatTime": "2016-06-24T19:17:46.000Z",
"threatURL": "https://threatinsight.proofpoint.com/...",
"url": "http://badguy.zz/",
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"
},
"message_type": "blocked_click"
}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
data.threatType Attribute_Type
data.cluster External_Device_ID
data.md5 File_Hash
data.filename Filename
data.sender From_Address
data.sender From
GUID Incoming_ID
data.GUID Incoming_ID
data.messageID Message_ID
data.recipient Recipient_ID
data.phishScore Reputation_Score
data.spamScore Spam_Score
data.threatStatus Status
data.subject Subject
data.threatUrl TC_URL
data.classification Threat_Category
data.threatID Threat_Name
data.threat Threat_Name
data.recipient.0 To_Address
data.recipient To_Address
data.url URL
message_type action
message_type msgdesc
message_type sigid
message_type msg
data.senderIP dst_ip
data.clickTime firsttime
data.messageTime firsttime
message_time firsttime
data.clickIP src_ip
data.senderIP src_ip
senderIP src_ip
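An added example (not Proofpoint's or McAfee's code) that applies the dotted-path mapping above to a TAP event, including the data.recipient.0 / data.recipient pair, which differs by event type, and the several paths that feed one ESM field such as firsttime and src_ip. The blocked_click event is the page's sample; the message_blocked event is constructed, and the rule that the first path present wins is an assumption about how the table is meant to be read.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Ordered subset of this page's field mapping (JSON path -> ESM field). Where
# several paths feed one ESM field, the first path present in the event wins
# (assumption about how the table is applied).
MAPPING: List[Tuple[str, str]] = [
    ("data.classification", "Threat_Category"),
    ("data.threatID", "Threat_Name"),
    ("data.threat", "Threat_Name"),
    ("data.sender", "From_Address"),
    ("data.messageID", "Message_ID"),
    ("data.recipient.0", "To_Address"),
    ("data.recipient", "To_Address"),
    ("data.url", "URL"),
    ("data.phishScore", "Reputation_Score"),
    ("message_type", "action"),
    ("data.senderIP", "dst_ip"),
    ("data.clickTime", "firsttime"),
    ("data.messageTime", "firsttime"),
    ("data.clickIP", "src_ip"),
    ("data.senderIP", "src_ip"),
]

# The blocked_click sample from this page, abbreviated.
CLICK_EVENT = json.loads("""{
  "data": {
    "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
    "classification": "MALWARE",
    "clickIP": "192.0.2.1",
    "clickTime": "2016-06-24T19:17:44.000Z",
    "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81",
    "recipient": "bruce.wayne@pharmtech.zz",
    "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
    "senderIP": "192.0.2.255",
    "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
    "url": "http://badguy.zz/"
  },
  "message_type": "blocked_click"
}""")

# Constructed message_blocked event (not a capture). Its recipient is a list,
# which is why the page maps both data.recipient.0 and data.recipient.
MESSAGE_EVENT: Dict[str, Any] = {
    "data": {
        "GUID": "constructed-guid-0001",
        "messageID": "constructed-msgid-0001",
        "messageTime": "2016-06-24T19:10:00.000Z",
        "phishScore": 0,
        "recipient": ["alice@example.com", "bob@example.com"],
        "sender": "mailer@example.org",
        "senderIP": "198.51.100.25",
        "threat": "constructed-threat-name",
    },
    "message_type": "message_blocked",
}


def resolve(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path. Numeric steps index lists only, so "recipient.0" on a
    string recipient yields None instead of the string's first character."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            if part not in cur:
                return None
            cur = cur[part]
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def to_esm_fields(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply MAPPING; null and "" count as absent, while a score of 0 is kept."""
    out: Dict[str, Any] = {}
    for path, esm_field in MAPPING:
        if esm_field in out:
            continue
        value = resolve(event, path)
        if value is None or value == "":
            continue
        out[esm_field] = value
    return out


if __name__ == "__main__":
    for ev in (CLICK_EVENT, MESSAGE_EVENT):
        print(json.dumps(to_esm_fields(ev), indent=2))
```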
Raytheon SureView
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Raytheon SureView device:
CEF:0|Raytheon|SureView|6.6|{1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}:1234|SIEM Notification3|1|Event ={1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D} fired at 1/1/01 1:1:01 PM coming from HOSTNAME
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
proto Protocol
src Source IP
dst Destination IP
dproc Application
sntdom Domain
Task
1. Log on to your IBM iSeries (or AS/400) system from the command line.
2. Type STRAUD and press Enter.
3. From the audit menu, select System → Configuration.
4. From the System Configuration Menu, select SYSLOG → Definitions.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Note
The expected format for this device depends on the logged event.
Log sample
This is a sample log from a Raz-Lee Security iSecurity Suite device:
2016-03-01 03:31:47 Local6.Notice 192.0.2.0 AU RAZLEE Audit: MCA0100 *SECURITY Authority of *N/*N *SOCKET /tmp/.ct_mc_0_srt929381427ac5388 changed for user profile *PUBLIC or authorization list . Type of command used RPL. Access code (A-Added R-Removed N-None). Authorities marked by Y were changed: OBJOPUY-Y OBJLOIS-Y *OBJOPR-Y *AUTLMGT- *AUTL- *READ-Y *ADD- *UPD- *DLT- *EXCLUDE- *EXECUTE-Y *OBJALTER-Y *OBJREF-Y. Job 6784/QSYS/QYUSCMPOIU. DLO , folder , on behalf of Office user . Personal status changed . QOpenSyys/'root' object .
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
IP Source IP
File Filename
Object Object
Job Mainframe_Job_Name
CMD/Command Command
Group Group_Name
Msg ID Message_ID
Library Facility
Renamed New_Value
Device External_Device_Name
If JBoss is installed in a managed domain, the files are located at: <INSTALL_PATH>/domain/servers/<SERVER_NAME>/log/server.log
Where <INSTALL_PATH> is the directory where JBoss was installed and <SERVER_NAME> is the server instance to be monitored.
Syslog is not natively supported for JBoss logging. You can retrieve these files using a file-pull method (for example SCP or SFTP) through the McAfee Event Receiver or Collector. You can also use a syslog program to send the information from the files directly to the McAfee Event Receiver. See the relevant product documentation for more information.
Configure WildFly 8
Task
/subsystem=logging/syslog-handler=syslog:add(syslog-format=RFC5424, level=INFO)
/subsystem=logging/root-logger=ROOT:add-handler(name=syslog)
/subsystem=logging/syslog-handler=syslog:write-attribute(name=hostname,value="<ReceiverIpAddress>")
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Red Hat WildFly 8 device:
2017-05-15 02:22:20,825 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "fiveseries.war"
2017-02-16 21:53:19,520 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
2014-02-16 21:53:19,523 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
2017-02-16 21:53:19,525 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.0.0.Final \"WildFly\" started in 38820ms - Started 305 of 361 services (93 services are lazy, passive or on-demand)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Class Target_Class
Severity Severity
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a RedSeal Networks RedSeal 6 device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
HostName Host
PrimaryService Protocol
PrimaryIp Source IP
RedSealServerIPAddress Destination IP
EventAction Application
PolicyName Command
RedSealServerName Domain
CheckName Object
Message Message_Text
OperatingSystem Version
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a ReversingLabs N1000 device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
proto Protocol
app Application
occurrence Count
classification Event_Class
detectionName Threat_Name
detectionReason Category
deviceDirection Direction
filehash File_Hash
fname Filename
fsize File_Size
fileType File_Type
fileHash File_Hash
oldFileHash Parent_File_Hash
requestMethod Method
dvc Device_IP
dvchost External_Device_Name
request URL
act Status
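The following is an added example, not code from the McAfee guide: a small CEF parser that checks the header against the Vendor, Product, Version option and translates extension keys through the Raytheon SureView mapping above and the ReversingLabs N1000 mapping just listed. It assumes the N1000 sends CEF (its mapping keys are CEF extension names); the N1000 record, including its signature id, hash and URL, is constructed, while the SureView line is the guide's own sample. Note that the SureView sample's extension is free text rather than key=value pairs, so only header-derived fields come out of it.

```python
"""Parse CEF records and map their extension keys to McAfee ESM field names.

Added example, not code from the McAfee ESM guide. Header layout, escaping
and key=value extension syntax follow the CEF standard; the mapping tables
are copied from the guide's field-mapping sections.
"""
import re
from dataclasses import dataclass, field

# Field-mapping tables from the guide: CEF extension key -> McAfee ESM field.
SUREVIEW_MAP = {
    "proto": "Protocol", "src": "Source IP", "dst": "Destination IP",
    "dproc": "Application", "sntdom": "Domain",
}
N1000_MAP = {
    "proto": "Protocol", "app": "Application", "occurrence": "Count",
    "classification": "Event_Class", "detectionName": "Threat_Name",
    "detectionReason": "Category", "deviceDirection": "Direction",
    "filehash": "File_Hash", "fname": "Filename", "fsize": "File_Size",
    "fileType": "File_Type", "fileHash": "File_Hash",
    "oldFileHash": "Parent_File_Hash", "requestMethod": "Method",
    "dvc": "Device_IP", "dvchost": "External_Device_Name",
    "request": "URL", "act": "Status",
}

# Sample log line quoted from the guide's Raytheon SureView section.
SUREVIEW_SAMPLE = (
    "CEF:0|Raytheon|SureView|6.6|{1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}:1234"
    "|SIEM Notification3|1|Event ={1A2B3C4D-5E6F-1A2B-3C4D-5E6F1A2B3C4D}"
    " fired at 1/1/01 1:1:01 PM coming from HOSTNAME"
)
# Constructed N1000-style record (the guide gives no sample): every value,
# including the signature id, hash and URL, is made up for this example.
N1000_SAMPLE = (
    "CEF:0|ReversingLabs|N1000|1.0|1001|Malware detected|8|proto=tcp app=HTTP"
    " act=blocked dvc=192.0.2.10 dvchost=n1000-01 requestMethod=GET"
    " request=http://example.test/dl?id=5 fname=invoice.exe fsize=23552"
    " fileType=PE32 fileHash=0123456789abcdef0123456789abcdef01234567"
    " classification=malicious detectionName=Win32.Trojan.Constructed"
)


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)  # parsed key=value pairs
    raw_extension: str = ""                        # extension text as received


def _split_header(line: str):
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes.

    Pipes inside the extension are not escaped in CEF, so splitting stops
    after the seventh delimiter and the remainder is returned untouched.
    """
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return parts, line[i:]


# A key is a run of word characters directly followed by '='; a value runs until
# the next ' key=' or end of line, so spaces and '=' inside values (URLs, file
# names) survive as long as they are not preceded by whitespace.
_EXT_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=(.*?)(?=\s[A-Za-z0-9_.]+=|$)", re.S)
_ESC_RE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    # CEF extension values escape '=', '\' and line breaks with a backslash.
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> CefEvent:
    parts, ext = _split_header(line.strip())
    if not parts[0].startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:'")
    pairs = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
    return CefEvent(int(parts[0][4:]), *parts[1:7], extension=pairs, raw_extension=ext)


def header_matches(ev: CefEvent, vendor: str, product: str, version: str) -> bool:
    """True when the header agrees with the data source's Vendor, Product, Version option."""
    return (ev.vendor, ev.product, ev.device_version) == (vendor, product, version)


def map_to_esm(ev: CefEvent, mapping: dict) -> dict:
    """Translate extension keys through a mapping table; keep the rest visible."""
    out = {"cef_vendor": ev.vendor, "cef_product": ev.product,
           "cef_version": ev.device_version, "cef_signature_id": ev.signature_id,
           "cef_name": ev.name, "cef_severity": ev.severity}
    out.update({mapping[k]: v for k, v in ev.extension.items() if k in mapping})
    unmapped = {k: v for k, v in ev.extension.items() if k not in mapping}
    if unmapped:  # never drop data silently; surface keys the table lacks
        out["unmapped"] = unmapped
    return out
```

A header that does not satisfy header_matches for the configured Vendor, Product, Version is the first thing to check when CEF events arrive but are not parsed.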
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a RioRey DDOS Protection device:
2014-01-01 01:01:01+00:00 abc-123 %SYSTEM: %ACD: AlarmInfoGet -> sysAlrm was normal_ylw_off_red_off now normal_ylw_on_red_off
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
DeviceName Hostname
EventSource Application
Message Message
Victim IP Victim_IP
Command Command
Application Application
Destination IP Destination IP
Source IP Source IP
Threat Threat_Category
Riverbed Steelhead
Task
logging <ip-address>
Where <ip-address> is the IP address of the McAfee Event Receiver, and <log level> is one of these settings:
Setting Definition
emerg Emergency
alert Alert
critical Critical
err Error
warning Warning
info Informational
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Riverbed Steelhead device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
hostname Host
service Application
Remote Destination IP
Log ID Session ID
Command Command
host Domain
module Object
RSA Authentication
1. In the RSA Authentication Manager Security Console, navigate to Setup → System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance where you want to collect logs, then click Next.
4. In the Log Levels section:
a. Set Administrative Audit Log to Success.
b. Set Runtime Audit Log to Success.
c. Set System Log to Warning.
5. In Log Data Destination, set all three fields to Save to remote database and internal Syslog at the following hostname
or IP address, and enter the host name or IP address of the McAfee Event Receiver.
6. Click Save to save changes.
Task
ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true
*.* @192.0.2.1
ims.logging.audit.admin.syslog_host = 192.0.2.1
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 192.0.2.1
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = 192.0.2.1
ims.logging.system.use_os_logger = true
7. Open the Authentication Manager Security Console and select Setup → Instances.
8. Right-click the server instance and select Logging.
9. In the Log Data Destination section, select Send system messages to OS system log.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Severity Severity
Event ID Signature ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device that forwards Common Event Format (CEF) events to the ESM.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
896 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
5| Configuring 3rd-party data sources
Log format
The expected format for this device is:
firsttime hostname application: [firsttime] INFO src_ip [-] payctrlusr ID Crypto payctrlprd:1 [op#1 ENCRYPTSTANDARD] - [action] [-]
Log sample
This is a sample log from a device:
<142>Apr 4 09:39:04 test.box.com testBox: [2016-04-04 09:39:04] INFO 172.0.0.1 [-] payctrlusr 0 Crypto payctrlprd:3100660 [op#1 ENCRYPT AES] - [Success] [-]
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
hostname  Host
src_ip  Source IP
application  Application
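As an added example (not part of the original guide, and not McAfee's own parser), the following Python code parses a line in the format above with a regular expression built from the documented field positions, applies the field mapping in the table to produce the McAfee ESM fields, and decodes the syslog priority prefix. The group names hostname, application, src_ip, firsttime and action come from the format line; the other group names (level, user, id, process, operation) and the function names are this example's own.

```python
import re
from datetime import datetime

# Regex built from the format line documented above. Group names reuse the
# guide's field names where it gives them; the remaining names are assumptions.
LOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                                 # optional syslog <PRI>
    r"(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<application>[^:\s]+): "
    r"\[(?P<firsttime>[^\]]+)\] "                           # [YYYY-MM-DD hh:mm:ss]
    r"(?P<level>\S+) "
    r"(?P<src_ip>\S+) "
    r"\[[^\]]*\] "                                          # the literal [-] slot
    r"(?P<user>\S+) (?P<id>\S+) Crypto (?P<process>\S+) "
    r"\[op#(?P<op>\d+) (?P<operation>[^\]]+)\] - "
    r"\[(?P<action>[^\]]*)\] \[[^\]]*\]$"
)

# Field mapping copied from the table above (data source field -> ESM field).
FIELD_MAP = {"hostname": "Host", "src_ip": "Source IP", "application": "Application"}

# Sample line copied from the guide's log sample.
SAMPLE = ("<142>Apr 4 09:39:04 test.box.com testBox: [2016-04-04 09:39:04] INFO 172.0.0.1 "
          "[-] payctrlusr 0 Crypto payctrlprd:3100660 [op#1 ENCRYPT AES] - [Success] [-]")


def parse_crypto_event(line):
    """Return the named fields of one event, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def event_time(record):
    """Parse the bracketed timestamp, which the format line labels 'firsttime'."""
    return datetime.strptime(record["firsttime"], "%Y-%m-%d %H:%M:%S")


def syslog_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    return pri // 8, pri % 8


def to_esm(record):
    """Apply the field mapping table; fields the table does not list are left out."""
    return {esm: record[src] for src, esm in FIELD_MAP.items() if record.get(src)}


if __name__ == "__main__":
    rec = parse_crypto_event(SAMPLE)
    print(to_esm(rec), event_time(rec).isoformat(), syslog_pri(rec["pri"]))
```

A line that does not match returns None rather than a partial record, so a collector can count unparsed lines separately; the sample's PRI of 142 decodes to facility 17 (local1) and severity 6 (informational).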
SAP
Configure SAP
Add the data source in ESM.
Install the McAfee ESM SAP Modules. Transport scripts must be loaded into SAP using standard SAP procedures. See the SAP user guide or FAQ for more details.
The McAfee ESM SAP Module periodically queries the SAP tables and writes the events to a text file in a configurable directory or file share. The McAfee Event Receiver then polls and processes the event logs.
Task
• Read from SAP audit log – collects events from the SAP security audit log. Requires the audit log to be turned on.
• User authorization changes – collects events from SAP system tables related to users being added or deleted or their profiles being changed. Does not require the audit log to be turned on.
• User master data changes – this option also collects events from the SAP system tables. This option does not require the audit log to be turned on.
2. Click Save.
3. Select Since last execution and set the date.
4. Select Update runtime variable and click Save.
Add SAP
Collect SAP user, user role, and user authorizations events from SAP tables without requiring auditing to be turned on in SAP.
User logon and transaction events can be collected from the SAP Security Audit Log if auditing is turned on.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname  The IP address and host name associated with the data source device.
Mask  <Default>
Require Syslog TLS  Enable to require the Receiver to communicate over TLS.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname  The IP address and host name associated with the data source device.
Client Key  The key associated with the data source device.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing manually is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
{
  "Version": "1.0",
  "AlertCreationTimestamp": "2016-10-24T11:13:01.861Z",
  "AlertId": 1,
  "AlertSeverity": "HIGH",
  "AlertStatus": "NO_REACTION_NEEDED_T",
  "AlertSource": {"systemId": "ERP"},
  "AlertSystemIds": ["ERP"],
  "HostNames": ["null"],
  "Category": "Health Checks",
  "PatternId": "34A702410BB5164292C3B14AB6098FBA",
  "PatternType": "FLAB",
  "PatternName": "ABAP System Ping Failed Health Check",
  "PatternNameSpace": "http://sap.com/secmon",
  "PatternDescription": "Checks if the ABAP system is reachable via system ping. An alert is raised in case subsequent system ping attempts are failing.",
  "MinTimestamp": "2016-10-24T11:09:00.000Z",
  "MaxTimestamp": "2016-10-24T11:13:00.000Z",
  "Text": "Measurement 5 exceeded threshold 2 for 'System ID' = 'ERP'",
  "Score": 75,
  "UiLink": "http://34.200.66.55:8002/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=EE65CA8D134AAD47AD41C73D64A6FE7D"
}
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
AlertStatus  Status
AlertSeverity  severity
AlertSource.NetworkHostnameInitiator  HostID
AlertSource.NetworkHostnameActor  HostID
AlertSource.NetworkHostnameTarget  Destination_Hostname
AlertSource.NetworkHostnameReporter  Destination_Hostname
AlertSource.ServiceExecutableName  Service_Name
AlertSource.ServiceProgramName  Service_Name
AlertSource.ServiceFunctionName  Service_Name
AlertSource.SystemIdInitiator  External_Hostname
AlertSource.SystemIdActor  External_Hostname
AlertSource.UserPseudonymInitiator.Pseudonym  Source_UserID
AlertSource.UserPseudonymActing.Pseudonym  Source_UserID
AlertSource.UserPseudonymTargeted.Pseudonym  Destination_UserID
AlertSource.UserPseudonymTargeting.Pseudonym  Destination_UserID
Skycure Enterprise
1. From the Skycure Management Console, go to Dashboard → Configuration and select Configuration next to SIEM
Integration.
2. In the IP Address field, enter the IP address of the McAfee Event Receiver.
3. In the Port field, enter 514 (the default port for syslog).
4. In the Protocol field, select UDP from the drop-down list.
5. In the Format field, select McAfee ESM from the drop-down list.
6. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname  The IP address and host name associated with the data source device.
Mask  32
Require Syslog TLS  Enable to require the Receiver to communicate over TLS.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
Log sample
This is a sample log from a Skycure Enterprise device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
shost  Host
Severity  Severity
EVENT_NAME  Message
version  Version
duid  External_Device_Name
from  Old_Value
to  New_Value
1. From the web interface for Sophos Web Security and Control, navigate to Configuration → System → Alerts →
Monitoring.
2. Click the Syslog tab.
3. Make sure that Enable syslog transfer of web traffic is selected.
4. In the Hostname/IP field, type in the IP address or host name of the McAfee Event Receiver.
5. In the Port field, enter the standard syslog port of 514.
6. In the Protocol drop-down list, select UDP.
7. Click Apply to save the settings.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname  The IP address and host name associated with the data source device.
Mask  32
Require Syslog TLS  Enable to require the Receiver to communicate over TLS.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The expected format for this device is:
h=<remote host> u=<remote user> s=<HTTP status> X=<connection status> t=<timestamp> T=<request time microseconds> Ts=<request time seconds> act=<action> cat=<URI category> rsn=<reason> threat=<threat name> type=<MIME type> ctype=<content type> sav-ev=<engine version> sav-dv=<data version> uri-dv=<URI list version> cache=<cache> in=<data in bytes> out=<data in bytes> meth=<HTTP request method> ref=<HTTP referrer> ua=<User-Agent> req=<HTTP request> dom=<web domain> filetype=<filetype category> rule=<policy rule ID> filesize=<size of file> axtime=<time for access check> fttime=<time for file-typing> scantime=<scan time> src_cat=<internal use> labs_cat=<internal use> dcat_prox=<internal use> target_ip=<resolved IP> labs_rule_id=<internal use> reqtime=<request queue time> adtime=<Active Directory time> ftbypass=<internal use>
Log sample
This is a sample log from a Sophos Web Security and Control device:
h=192.0.2.1 u="domain\\user" s=123 X=+ t=978310861 T=12345 Ts=0 act=1 cat="0x2300000123" rsn=- threat="-" type="-" ctype="text/html" sav-ev=- sav-dv=- uri-dv=- cache=MISS in=123 out=123 meth=GET ref="-" ua="details" req="GET http://www.example.com/" dom="example.com" filetype="-" rule="-" filesize=- axtime=0.000123 fttime=- scantime=- src_cat="-" labs_cat="-" dcat_prox="-" target_ip="192.0.2.2" labs_rule_id="-" reqtime=- adtime=- ftbypass=-
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
u  Source User
dom  Domain
h  Source IP
target_ip  Destination IP
req  URL
threat  Object
rsn  Command
cat  Severity
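As an added example (not from the guide or from Sophos), the following Python code tokenizes a Sophos Web Security and Control line in the key=value format above, handling the two value forms the sample shows (double-quoted values with backslash escapes such as u="domain\\user" and req="GET http://www.example.com/", and bare values such as X=+), treats the "-" placeholder as an absent value, converts the epoch field t to a UTC time, and applies the field mapping table. The function names and the decision to drop "-" fields from the ESM output are this example's own.

```python
import re
from datetime import datetime, timezone

# One key=value token: keys may contain '-' (sav-ev, uri-dv); the value is either
# double-quoted with backslash escapes or a bare run of non-space characters.
TOKEN_RE = re.compile(
    r'(?P<key>[A-Za-z_][\w-]*)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)

# Field mapping copied from the table above (data source field -> ESM field).
FIELD_MAP = {
    "u": "Source User", "dom": "Domain", "h": "Source IP", "target_ip": "Destination IP",
    "req": "URL", "threat": "Object", "rsn": "Command", "cat": "Severity",
}

# Sample line copied from the guide's log sample (a raw string, so the
# backslash escape in u="domain\\user" is kept exactly as logged).
SAMPLE = (
    r'h=192.0.2.1 u="domain\\user" s=123 X=+ t=978310861 T=12345 Ts=0 act=1 cat="0x2300000123" '
    r'rsn=- threat="-" type="-" ctype="text/html" sav-ev=- sav-dv=- uri-dv=- cache=MISS in=123 '
    r'out=123 meth=GET ref="-" ua="details" req="GET http://www.example.com/" dom="example.com" '
    r'filetype="-" rule="-" filesize=- axtime=0.000123 fttime=- scantime=- src_cat="-" labs_cat="-" '
    r'dcat_prox="-" target_ip="192.0.2.2" labs_rule_id="-" reqtime=- adtime=- ftbypass=-'
)


def parse_kv(line):
    """Tokenize one Sophos key=value line into a dict; '-' (quoted or bare) becomes None."""
    record, pos, line = {}, 0, line.strip()
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise ValueError(f"unparseable token at offset {pos}: {line[pos:pos + 20]!r}")
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))   # drop the escaping backslash
        else:
            value = m.group("bare")
        record[m.group("key")] = None if value == "-" else value
        pos = m.end()
        while pos < len(line) and line[pos] == " ":
            pos += 1
    return record


def event_time(record):
    """Field t is a UNIX epoch timestamp; return it as an aware UTC datetime."""
    return datetime.fromtimestamp(int(record["t"]), tz=timezone.utc)


def to_esm(record):
    """Apply the mapping table, leaving out fields the log recorded as '-'."""
    return {esm: record[src] for src, esm in FIELD_MAP.items() if record.get(src) is not None}


if __name__ == "__main__":
    rec = parse_kv(SAMPLE)
    print(event_time(rec).isoformat(), to_esm(rec))
```

Matching token by token from a position, rather than splitting on spaces, is what keeps the quoted request and user-agent values intact; a token the regex cannot consume raises instead of silently shifting every later field.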
SS8 BreachDetect
Task
1. In the DataBreach interface, locate the SA.properties configuration file and open it.
2. Remove the comment characters from the SA_SIEM_INTEGRATION = ESM entry at the end of the file.
3. At the prompt, type security-analytics restart to restart all SA components.
Task
1. From the McAfee ESM dashboard, select the receiver and click the Add Data Source icon.
2. Configure the data source.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
Port  22
Path  /home/sa/esm
Username  sa
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
"Pname":"pop-1",
"FCBytes":1733,
"RepSrc":"threatintel",
"Long":112.5603,
"EventTime":"2017-09-27T22:50:55.0Z",
"Country":"cn",
"App":"ssh",
"FCMinTTL":64,
"RepURL":127,
"FCTotPkts":21,
"FEndTm":"2017-09-27T22:50:55.0Z",
"FBytes":6334,
"PHostID":"+37.4118175:-121.9203741",
"FSTCPFlags":27,
"FSAvgIntpktTm":521578,
"EIP":0,
"PIP":"10.0.156.239",
"RepIP":65,
"Family":"encrypted",
"FCAvgIntpktTm":443346,
"FSBytes":2007,
"Sport":22,
"EventType":"flow",
"FCTCPFlags":27,
"SST":0,
"Cport":58432,
"Lat":37.8694,
"FSMaxTTL":64,
"PS":"base.eth.ip.tcp.ssh",
"ThreatTs":0,
"FSMinTTL":64,
"Mail ET":"1969-12-31T16:00:00.0Z",
"FCMaxTTL":64,
"FSTotPkts":18,
"City":"taiyuan",
"CIP":"10.0.100.61",
"FSMaxIntpktTm":5014062,
"FTOS":0,
"SID":"1_1425475393_1504900255.980007",
"FCMaxIntpktTm":5053752,
"FS":0,
"IPProto":"6",
"FCTotBytes":3131,
"SIP":"223.12.54.36",
"UID":"ss8\\hazelfletcher",
"MacID":"124b13b318b0",
"FSTotBytes":3203,
"CallST":"1969-12-31T16:00:00.0Z",
"FPkts":39,
"KEY":"2.85"

"assetDetails":{
"browsers":[],
"fPrintFlags":[0],
"linkType":[],
"macIDs":[],
"osType":[],
"userAgents":["10.0.100.124"],
"userIDs":[]
},
"assetID":"10.0.100.124",
"assetScore":19.073617935180664,
"assetType":"ClientIP",
"behaviorURL":"clientip/10_0_100_124/behavior.json",
"dataURL":"clientip/10_0_100_124/raw.json",
"dateFlagged":"2017-08-03T14:33:48.277Z",
"deviceStatus":1,
"iocFound":[],
"version":"3"

"name":"bad_reputation_url",
"type":3,
"killChain":"Delivery",
"impact":1,
"deviceStatus":1,
"numOfEvents":1,
"threatSource":"webroot",
"rowIDs":[
"3.8"
],
"startTime":"2017-08-03T14:33:30.0Z",
"endTime":"2017-08-03T14:33:30.0Z",
"data":{
"Server":"www.google.com",
"RepSrc":"webroot",
"Country":"us",
"App":"blogspot",
"RepURL":26,
"FCTotPkts":1,
"CatURL":"sports",
"EIP":2,
"RepIP":26,
"Sport":80,
"Cport":10,
"ThreatTs":393,
"FSTotPkts":2,
"CIP":"10.0.100.124",
"FS":0,
"IPProto":"6",
"FCTotBytes":378,
"SIP":"74.125.141.104",
"FSTotBytes":1386
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
assetID  src_ip
assetScore  Reputation_Score
assetType  Object_Type
behaviorURL  URL
browsers  AppID
CIP  src_ip
Cookie  Message_Text
Cport  src_port
deviceStatus  Sub_Status
EventType  Subcategory
Family  Category
FCTotBytes  Bytes_Sent
FN  Filename
fPrintFlags  Device_Action
FS  File_Size
FSTotBytes  Bytes_Received
FT  File_Type
HostName  HostID
iocFound  Signature_Name
IPProto  protocol
linkType  Job_Type
MacID  src_mac
osType  Operating_System
Pname  External_Device_Type
PS  CommandID
RepIP  Reputation
RespCode  Response_Code
SCN  Description
Sender  From
SIP  dst_ip
Sport  dst_port
StartTime  firsttime,lasttime
SUA  User_Agent
threatSource  SWF_URL
UID  username
URL  URL
URLQuery  Search_Query
userAgents  User_Agent
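As an added example (not from the guide, SAP or SS8), the following Python code applies the two JSON field-mapping tables on this page, the SAP Enterprise Threat Detection table earlier and the SS8 BreachDetect table just above, to decoded JSON events. It resolves dotted source paths such as AlertSource.UserPseudonymActing.Pseudonym, skips sources absent from a given record, lets the first populated source win where several sources map to one ESM field (HostID, Service_Name, src_ip), and writes one source to several targets where the table lists them comma-separated (StartTime to firsttime,lasttime). The two sample records are trimmed from the page's own log samples; the second SAP alert used in the usage note and any StartTime value are constructed for illustration, and the function names are this example's own.

```python
import json

# Rows copied from the SAP ETD field-mapping table (source path -> ESM field).
SAP_ETD_MAP = [
    ("AlertStatus", "Status"), ("AlertSeverity", "severity"),
    ("AlertSource.NetworkHostnameInitiator", "HostID"), ("AlertSource.NetworkHostnameActor", "HostID"),
    ("AlertSource.NetworkHostnameTarget", "Destination_Hostname"),
    ("AlertSource.NetworkHostnameReporter", "Destination_Hostname"),
    ("AlertSource.ServiceExecutableName", "Service_Name"), ("AlertSource.ServiceProgramName", "Service_Name"),
    ("AlertSource.ServiceFunctionName", "Service_Name"),
    ("AlertSource.SystemIdInitiator", "External_Hostname"), ("AlertSource.SystemIdActor", "External_Hostname"),
    ("AlertSource.UserPseudonymInitiator.Pseudonym", "Source_UserID"),
    ("AlertSource.UserPseudonymActing.Pseudonym", "Source_UserID"),
    ("AlertSource.UserPseudonymTargeted.Pseudonym", "Destination_UserID"),
    ("AlertSource.UserPseudonymTargeting.Pseudonym", "Destination_UserID"),
]

# Subset of the SS8 BreachDetect field-mapping table; a comma-separated target
# means the one source value populates every listed ESM field.
SS8_MAP = [
    ("assetID", "src_ip"), ("CIP", "src_ip"), ("Cport", "src_port"), ("SIP", "dst_ip"),
    ("Sport", "dst_port"), ("IPProto", "protocol"), ("UID", "username"), ("MacID", "src_mac"),
    ("EventType", "Subcategory"), ("Family", "Category"), ("FCTotBytes", "Bytes_Sent"),
    ("FSTotBytes", "Bytes_Received"), ("StartTime", "firsttime,lasttime"),
]

# Trimmed from the SAP ETD sample alert on this page.
SAP_RECORD = {
    "Version": "1.0", "AlertId": 1, "AlertSeverity": "HIGH", "AlertStatus": "NO_REACTION_NEEDED_T",
    "AlertSource": {"systemId": "ERP"}, "AlertSystemIds": ["ERP"], "HostNames": ["null"],
    "PatternName": "ABAP System Ping Failed Health Check", "Score": 75,
}
# Trimmed from the SS8 BreachDetect flow sample on this page.
SS8_RECORD = {
    "EventTime": "2017-09-27T22:50:55.0Z", "App": "ssh", "Family": "encrypted", "EventType": "flow",
    "Sport": 22, "Cport": 58432, "CIP": "10.0.100.61", "SIP": "223.12.54.36", "IPProto": "6",
    "FCTotBytes": 3131, "FSTotBytes": 3203, "UID": "ss8\\hazelfletcher", "MacID": "124b13b318b0",
}
SAP_SAMPLE = json.dumps(SAP_RECORD)   # the JSON text as a collector would receive it
SS8_SAMPLE = json.dumps(SS8_RECORD)

_MISSING = object()


def lookup(obj, path):
    """Walk a dotted path through nested dicts; return _MISSING if any step is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return _MISSING
        obj = obj[part]
    return obj


def apply_mapping(record, mapping):
    """Produce the ESM field dict for one decoded JSON record."""
    out = {}
    for source_path, targets in mapping:
        value = lookup(record, source_path)
        # Skip absent and empty sources; the page's SAP sample also carries the
        # string "null" where a value is unknown, so treat that as empty too.
        if value is _MISSING or value in ("", None, "null"):
            continue
        for esm_field in targets.split(","):
            out.setdefault(esm_field.strip(), value)   # first populated source wins
    return out


def map_json(text, mapping):
    """Decode one JSON event and apply a mapping table to it."""
    return apply_mapping(json.loads(text), mapping)


if __name__ == "__main__":
    print(map_json(SAP_SAMPLE, SAP_ETD_MAP))
    print(map_json(SS8_SAMPLE, SS8_MAP))
```

For the page's SAP sample only Status and severity are produced, because its AlertSource carries nothing but systemId; a constructed alert whose AlertSource holds NetworkHostnameActor and UserPseudonymActing.Pseudonym yields HostID and Source_UserID as well, and because the rows are applied in table order an empty NetworkHostnameInitiator does not shadow a populated NetworkHostnameActor.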
2. Navigate to Settings → External Services → External Syslog Servers → Add Syslog Server.
a. Enter the IP address of the McAfee Event Receiver and port 514 (the default port for syslog).
b. Save and apply the changes.
3. Navigate to Settings → Alerts → Add Alert Group.
a. Enter a name for the group in the Name field.
b. In the External Syslog server drop-down list, select the IP address of the McAfee Event Receiver.
c. Save and apply the changes.
d. Under Requests, click the + icon next to each alert you want to add to the newly created alert group.
e. Save and apply the changes.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname  The IP address and host name associated with the data source device.
Mask  32
Require Syslog TLS  Enable to require the Receiver to communicate over TLS.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a CryptoAuditor device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
sigID  Signature ID
externalID  External_EventID
src  Source IP
shost  Host
dst  Destination IP
dhost  Destination_Hostname
severity  Severity
SshAuditorReason  Reason
SshAuditorRule  Policy_Name
STEALTHbits StealthINTERCEPT
1. Log in to StealthINTERCEPT.
2. Open the Administration Console.
3. From the menu bar, select Configuration → Alerts.
4. Click the SIEM tab and click Configure in the SI System Alerting window.
5. Enter the IP address of the Receiver in the Host Address field.
6. In the Port field, enter 514.
7. From the Mapping File drop-down lists, select the McAfee ESM SIEM format.
8. Click Events and select the event types that you want for SIEM reporting.
9. Click OK to apply the new configuration.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option  Definition
Enabled  Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname  The IP address and host name associated with the data source device.
Mask  32
Require Syslog TLS  Enable to require the Receiver to communicate over TLS.
Device URL  Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version  Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order  Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone  To assign this data source to a zone, select the zone from the list.
External data source link  Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format  Use this option when you are exporting raw data source data.
Data is NitroFile format  Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum  If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
shost Hostname
Policy_Name Policy_Name
Old_Attribute_Value Old_Value
Attribute_Name Attribute_Type
Object_Class Object_Type
Task
#systemevent.syslog.host=
#systemevent.syslog.port=
#systemevent.syslog.format=
a. Remove the ‘#’ symbol from the beginning of each of these lines.
b. Set the value for systemevent.syslog.host= to the IP address of the McAfee Event Receiver.
c. Set the value for systemevent.syslog.port= to the port where the McAfee Event Receiver is listening (default is 514).
d. Set the value for systemevent.syslog.format= to [{0}] {1} - {2}.
The three original lines should now look similar to this:
systemevent.syslog.host=192.0.2.1
systemevent.syslog.port=514
systemevent.syslog.format=[{0}] {1} - {2}
4. Save these changes and restart the Vontu Server (Symantec Data Loss Prevention server).
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Symantec DLP (Vontu DLP) device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
INCIDENT_ID Incident_ID
INCIDENT_SNAPSHOT URL
MATCH_COUNT Count
PROTOCOL Application_Protocol
SUBJECT Subject
SEVERITY Severity
FILE_NAME Filename
Log sample
This is a sample log from a Symantec Data Loss Prevention (Vontu) device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
SessionNumber Session ID
Source Source IP
Hostname Host
Message Message
E-mailAddress To
WebAddress URL
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: IP address and host name associated with the data source device.
Mask: <Default>
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Symantec Endpoint Protection device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Hostname Host
Protocol Protocol
IP Source IP
Remote IP Destination IP
Session Session ID
Command Command
Domain Domain
Occurrences Count
File Filename
Rule Rule_Name
Source Detection_Method
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Symantec Message Gateway device:
<23>Jan 1 01:01:01 antispam conduit: [Brightmail] (INFO:1234.12345678): [12345] Spamhunter module: loaded rulefile /data/rules (file ver 1, type 1; module ver 1): 100000 rules loaded.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Application Application
Hostname Hostname
Severity Severity
EventIDNumber Signature ID
Filepath/Filename Filename
SrcIP Source IP
DstIP Destination IP
Message Message_Text
Task
1. Log on to the Symantec PGP Universal Server Device with a web browser.
2. Click Settings.
3. Select Enable External Syslog.
4. Set the Protocol to UDP.
5. Set the Hostname to the IP address of the McAfee Event Receiver.
6. Set the Port to 514 (the default port for receiving syslog on the McAfee Event Receiver).
7. Click Save.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Symantec PGP Universal Server device:
2001/01/01 01:23:45 -00:00 NOTICE pgp/admin[2002]: Administrator [UNAUTHENTICATED USER] from 192.0.2.2 Using Passphrase login successfully for Administrator "admin_bt" from 192.0.2.1
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Service Severity/Application
Message Command
Client Source IP
From Destination IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<pri>Alert type: [Alert Name] (Description), (Host), (Detection Type), (Threat Name), (Threat Category), (Severity), (Threat Description)
Log sample
This is a sample log from a Symantec Web Gateway device:
<185>Symantec Web Gateway Alert: [Alert Name - Name] (Description: Alert events sent to syslog), (Count: 1), (Host: 192.0.2.1), (Detection Type: 1), (Threat Name: Instant Buzz), (Threat Category: Adware), (Severity: 1), (Threat Description: Instant Buzz is an adware application which installed as an Internet Explorer advertising toolbar. It changes a user's Internet Explorer settings unexpectedly and delivers targeted advertisements to the user.)
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Severity Severity
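As an added example (not code from the McAfee guide or from Symantec), a small Python parser for the alert layout shown above: it decodes the syslog PRI into facility and severity, walks the parenthesised name/value pairs while tolerating commas and single parentheses inside the Threat Description, rejects records that deviate from the layout, and applies the Severity mapping from the table. The sample line is the guide's sample re-typed as a constructed string, and the parser assumes a value never contains the literal sequence "), (".

```python
import re

# Constructed sample in the layout this section documents: the guide's own
# sample line re-typed, not a capture from a real appliance.
SAMPLE = (
    "<185>Symantec Web Gateway Alert: [Alert Name - Name] "
    "(Description: Alert events sent to syslog), (Count: 1), (Host: 192.0.2.1), "
    "(Detection Type: 1), (Threat Name: Instant Buzz), (Threat Category: Adware), "
    "(Severity: 1), (Threat Description: Instant Buzz is an adware application "
    "which installed as an Internet Explorer advertising toolbar. It changes a "
    "user's Internet Explorer settings unexpectedly and delivers targeted "
    "advertisements to the user.)"
)

# The only mapping the guide lists for this data source (device field -> ESM field).
ESM_FIELD_MAP = {"Severity": "Severity"}

# <PRI>application: [alert name] (name: value), (name: value), ...
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<app>.+?): \[(?P<alert>[^\]]*)\]\s*(?P<rest>.*)$", re.S
)
# One "(name: value)" pair. The value is matched lazily up to a ")" that is
# followed by ", (" or the end of the record, so commas and single parentheses
# inside a Threat Description do not split the pair. Assumption: a value never
# contains the literal sequence "), (".
_PAIR = re.compile(r"\((?P<key>[^:()]+): (?P<val>.*?)\)(?=, \(|$)", re.S)

# RFC 3164 severity names, indexed by PRI % 8.
SYSLOG_SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_swg_alert(line: str) -> dict:
    """Parse one Symantec Web Gateway syslog alert into a structured record.

    Returns the decoded PRI (syslog facility and severity), the application and
    alert name, every (name: value) pair, and the subset mapped to ESM fields.
    Raises ValueError on a record that does not follow the documented layout,
    so a malformed line is surfaced instead of being half-parsed.
    """
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a Symantec Web Gateway alert record")
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, facility 0..23
        raise ValueError(f"PRI out of range: {pri}")

    rest = m.group("rest")
    fields = {}
    pos = 0
    # Consume the pairs strictly left to right; any gap between them is an error.
    while pos < len(rest):
        pm = _PAIR.match(rest, pos)
        if pm is None:
            raise ValueError(f"malformed pair at offset {pos}: {rest[pos:pos + 40]!r}")
        fields[pm.group("key").strip()] = pm.group("val").strip()
        pos = pm.end()
        if rest.startswith(", ", pos):
            pos += 2
        elif pos != len(rest):
            raise ValueError(f"unexpected text at offset {pos}: {rest[pos:pos + 40]!r}")

    return {
        "pri": pri,
        # The syslog severity carried in the PRI is distinct from the device's
        # own "Severity" field; the ESM Severity mapping uses the device field.
        "syslog_facility": pri // 8,
        "syslog_severity": SYSLOG_SEVERITIES[pri % 8],
        "application": m.group("app"),
        "alert_name": m.group("alert"),
        "fields": fields,
        "esm": {esm: fields[src] for src, esm in ESM_FIELD_MAP.items() if src in fields},
    }


if __name__ == "__main__":
    rec = parse_swg_alert(SAMPLE)
    print(rec["syslog_facility"], rec["syslog_severity"], rec["fields"]["Host"], rec["esm"])
```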
Tenable Nessus
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Mask: 0
Time Zone: Select the time zone offset applicable to the data being sent.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
cat sid
CEF.Severity Severity
Confidence Confidence
cat Category
fileHash New_Value
cfp1 Reputation_Score
cfp2 Device_Confidence
deviceCustomDate1 firsttime,lasttime
TippingPoint SMS
1. From the Device Configuration screen, select Server Properties → Management tab.
2. At the bottom of the page, find Remote Syslog for Events:
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
<Syslog category> Action Type Severity Policy UUID Signature UUID Signature Name Signature Number Signature Protocol Source Address Source port Destination Address Destination Port Hit Count Source Zone Name Destination Zone Name Incoming Physical Port VLAN ID Device Name Tipping Point Taxonomy ID – Category Id assigned to Signature Event timestamp in Milliseconds
Log sample
Attention
The fields in this log are separated by tabs. If you copy and paste this log, the tabs may not copy correctly and you may need
to add them manually.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Severity Severity
1. Ensure that the Event Logger Module is installed on the Tofino Firewall LSM.
2. Open the Tofino Configurator tool.
3. Under Package Explorer, navigate to the Event Logger and select it.
The right frame refreshes with the configuration settings for the Event Logger.
4. Set the Syslog Server IP Address to the IP address of the McAfee Event Receiver.
5. Set the Destination Port to the port set up on the McAfee Event Receiver for receiving syslog (default is 514).
6. Set the Lowest Priority Logged according to your preference.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log sample
This is a sample log from a 3.1 Tofino Security – Tofino Firewall LSM Configuration device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
PROTO Protocol
DST_IP Destination IP
SRC_IP Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log sample
This is a sample log from a Topia Technology Skoot device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
cat sid
CEF.Severity Severity
Confidence Confidence
cat Category
fileHash New_Value
cfp1 Reputation_Score
cfp2 Device_Confidence
1. Open up the device management screen and click the Configuration tab.
2. Edit the Syslog server property.
3. In the Configure Syslog Service Settings window, select Enable Syslog Service.
4. In the Syslog server configuration IP field, enter the IP address of the McAfee Event Receiver.
5. Click Apply.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log sample
This is a sample log from a device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Source IP Source IP
Destination IP Destination IP
Protocol Protocol
app Application
class Threat_Category
Hash File_Hash
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
Port The port assigned for the connection. Port 1433 is the default.
Database Name The name that will appear in lists of available databases.
Time Zone Time zone where the data source device is physically located.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Port 514
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log sample
This is a sample log from a Trend Micro Deep Security device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Computer Hostname
IP Protocol Protocol
Source Source IP
Destination Destination IP
msg Message
dst Destination IP
proto Protocol
src Source IP
TrendMicroDsFrameType Application
shost Host
request URL
Host ID Server_ID
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log sample
This is a sample log from a Trend Micro – Deep Security Manager device:
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
• McAfee Enterprise Log Manager (ELM) - if you want to log the events on an ELM.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname The IP address and host name associated with the data source device.
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
<computer name> <domain> <device name> <epoch time> <threat name> <infected file> <file location>
Log sample
This is a sample log from a Trend Micro OfficeScan device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Domain Domain
URL URL
Location File_Path
GUID Instance_GUID
IP Address Source IP
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
• McAfee Enterprise Log Search (ELS) - if you want to search event logs on an ELS.
• SNMP Trap - if your environment requires it (this is rare).
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
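The Date Order option in the tables above decides whether 04/23/2018 is read as April 23 or fails to parse, and a wrong setting is easy to miss because any date with both numbers at or below 12 parses either way and is simply swapped. The following is an added example, not code from the guide or from McAfee, that applies the three settings as described, resolves Default for a client data source through its parent (the parent setting is passed in as an explicit argument here, which is an assumption about how to model inheritance), and checks a batch of constructed sample dates for two things a practitioner wants to know: which samples cannot parse under the configured order at all, and which are ambiguous and would never reveal a mis-set order.

```python
from datetime import datetime

# strptime patterns for the two concrete Date Order settings from the table above.
FORMATS = {
    "Month before day": "%m/%d/%Y",
    "Day before month": "%d/%m/%Y",
}

# Constructed samples, not from any device: the two dates used in the table
# plus one that parses under both orders.
SAMPLE_DATES = ["04/23/2018", "23/04/2018", "04/05/2018"]


def resolve_date_order(setting, parent_setting=None):
    """Return the concrete order for a data source. 'Default' is month before
    day, except for a client data source, which inherits its parent's order
    (modelled here by passing the parent's setting in explicitly)."""
    if setting == "Default":
        return resolve_date_order(parent_setting) if parent_setting else "Month before day"
    if setting not in FORMATS:
        raise ValueError(f"unknown Date Order setting: {setting!r}")
    return setting


def parse_event_date(text, setting, parent_setting=None):
    """Parse one date string under the configured Date Order."""
    order = resolve_date_order(setting, parent_setting)
    return datetime.strptime(text, FORMATS[order]).date()


def is_ambiguous(text):
    """True when the string parses to two different days under the two orders,
    i.e. both numbers are in 1..12. Such dates can never expose a wrong setting."""
    days = set()
    for fmt in FORMATS.values():
        try:
            days.add(datetime.strptime(text, fmt).date())
        except ValueError:
            pass
    return len(days) == 2


def unparseable(samples, setting, parent_setting=None):
    """Return the samples that fail under the configured order. Any hit means
    the setting disagrees with what the device actually sends; the samples that
    do parse may still be silently swapped if they are ambiguous."""
    order = resolve_date_order(setting, parent_setting)
    bad = []
    for text in samples:
        try:
            datetime.strptime(text, FORMATS[order])
        except ValueError:
            bad.append(text)
    return bad
```

When validating a new data source, feed it a few days' worth of real timestamps that include a day above 12; a batch made only of ambiguous dates proves nothing about the setting.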
<date time> <host> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|
<severity>|rt=<receipt time> src=<source IP> dst=<destination IP> sport=<source port> dport=<destination
port> app=<application> shost=<source host> dhost=<destination host> externalId=<external ID>
Log sample
This is a sample log from a Trustwave Data Loss Prevention device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
dhost Host
cs6 Domain
app Application
src Source IP
dst Destination IP
proto Protocol
shost Object
fname File_Path
externalId Message_Text
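To make the format line and the mapping table above concrete, here is an added example, not code from the guide, from McAfee or from Trustwave, that parses one CEF line of that layout and renames the extension keys to the ESM fields listed in the table. It honours the CEF escaping rules that a hand-written split gets wrong: a pipe inside a header value is written \|, and an equals sign or backslash inside an extension value is written \= or \\. The sample line, including the vendor, product, version, hosts, addresses and incident ID, is constructed for this example.

```python
import re

# CEF extension key -> McAfee ESM field, from the field-mapping table above.
ESM_FIELD_MAP = {
    "dhost": "Host", "cs6": "Domain", "app": "Application", "src": "Source IP",
    "dst": "Destination IP", "proto": "Protocol", "shost": "Object",
    "fname": "File_Path", "externalId": "Message_Text",
}

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# Constructed line in the layout described above; every value is a placeholder,
# not output from a real device.
SAMPLE_LINE = (
    "Apr 23 2018 10:15:02 dlp01 CEF:0|Trustwave|DLP|1.0|100|Policy violation|5|"
    "rt=1524478502000 src=10.1.2.3 dst=10.9.8.7 sport=51234 dport=443 app=HTTPS "
    "shost=ws-101 dhost=files.example.test cs6=CORP "
    "fname=C:\\\\Users\\\\alice\\\\q1.xlsx externalId=INC-42 msg=Equals\\= sign kept"
)


def split_cef_header(line):
    """Return (syslog prefix, header dict, extension string) for one CEF line.
    Header values are pipe-delimited; a literal pipe inside one is escaped as \\|."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    body = line[idx + len("CEF:"):]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, [p.replace("\\|", "|") for p in parts[:7]]))
    return line[:idx].rstrip(), header, parts[7]


def parse_extensions(ext):
    """Split 'key=value key=value' extensions. A key is a word followed by '='
    at the start or after whitespace, so an escaped '\\=' inside a value does
    not start a new key; a value runs up to the next key."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def cef_to_esm(line):
    """Parse one line and return the header, all extensions, and the subset
    renamed to the ESM fields in the mapping table."""
    prefix, header, ext = split_cef_header(line)
    extensions = parse_extensions(ext)
    esm = {ESM_FIELD_MAP[k]: v for k, v in extensions.items() if k in ESM_FIELD_MAP}
    return {"prefix": prefix, "header": header, "extensions": extensions, "esm": esm}
```

Keys without a mapping (rt, sport, dport, msg) are kept under "extensions" rather than dropped, so a parser that is extended later does not lose data it already received.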
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
IP Address/Hostname IP address and host name associated with the data source device
Mask 32
Require Syslog TLS Enable to require the Receiver to communicate over TLS
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Product, Version Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
forwards events.
Date Order Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data source link Automatically selected when you import events from another receiver. You can clear the
checkbox, which removes the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
Export in NitroFile format Use this option when you are exporting raw data source data.
Data is NitroFile format Select this option when the raw data source data you are importing is in NitroFile format.
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum If the data you are importing is in NitroFile format, select this option if the data source has a
checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
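The Validate SHA1 checksum option, described the same way in each of the data source tables above, has three outcomes that are worth keeping distinct when NitroFile exports are moved between Receivers: the digest matches, the digest does not match, or there is no checksum file and the operator has explicitly chosen to view the data anyway. The following is an added example, not code from the guide or from McAfee, that mirrors those outcomes for a file on disk. The layout of the checksum file (a bare hex digest, or digest followed by file name) and the file names used in the demo are assumptions; the guide does not state how ESM writes the checksum file.

```python
import hashlib
import hmac
import os
import re
import tempfile

CHUNK_SIZE = 1 << 20


def sha1_of_file(path):
    """Stream the file so a large export does not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_checksum_file(path):
    """Accept a bare 40-hex-digit digest or the common 'digest  filename' layout.
    Assumption: the guide does not say which layout ESM writes."""
    with open(path, "r", encoding="ascii") as fh:
        first = fh.readline().strip()
    match = re.match(r"^([0-9a-fA-F]{40})(?:\s+\*?\S.*)?$", first)
    if not match:
        raise ValueError(f"{path}: no SHA-1 digest on first line")
    return match.group(1).lower()


def validate_import(data_path, checksum_path=None, allow_missing=False):
    """Mirror the Validate SHA1 checksum option: 'ok' when the digest matches,
    'mismatch' when it does not, and 'unverified' only when no checksum file
    exists and the caller explicitly chose to view the data anyway."""
    if checksum_path is None or not os.path.exists(checksum_path):
        if allow_missing:
            return "unverified"
        raise FileNotFoundError(f"no checksum file for {data_path}")
    expected = read_checksum_file(checksum_path)
    actual = sha1_of_file(data_path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed export and checksum file in a temp dir; names are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "export.nitro")
        sums = os.path.join(tmp, "export.nitro.sha1")
        with open(data, "wb") as fh:
            fh.write(b"constructed NitroFile payload\n")
        with open(sums, "w", encoding="ascii") as fh:
            fh.write(sha1_of_file(data) + "  export.nitro\n")
        intact = validate_import(data, sums)
        with open(data, "ab") as fh:  # simulate a truncated or corrupted transfer
            fh.write(b"extra bytes\n")
        corrupted = validate_import(data, sums)
        no_checksum = validate_import(data, None, allow_missing=True)
        return intact, corrupted, no_checksum


if __name__ == "__main__":
    print(demo())
```

A matching SHA-1 shows the file arrived as it was written; it is not a signature, so it says nothing about who wrote the export. An "unverified" result should be visible in whatever record you keep of the import, since it is exactly the case the option's own exception describes.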
<date time> <device IP> <state> <date> <device name> <action> <priority> <hostname>
Log sample
This is a sample log from a Trustwave Network Access Control device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Priority Severity
Domain Domain
IP Address Source IP
Action Message
Tychon
Add Tychon
View events from Tychon in ESM Scorecard. Tychon is an Enterprise Detection and Response (EDR) product that lets you collect
additional data needed to populate Scorecard. In combination with McAfee Policy Auditor and Tychon, customers can use ESM to
visualize the 10 assessment items in the US DoD CyberSecurity Scorecard.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled Select options for processing events. Some options may not be available for your data
source.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Tychon             McAfee
CHSHostname        Hostname
domainName         Domain
userSid            User_Nickname
logonType          Logon_Type
assignedGroups     Group_Name
userAdmin          Privileged_User
isException        Sub_Status
Compliant          Status
See the Type80 Security Software SMA_RT product documentation for setup instructions about sending syslog data to a remote
server. Use the IP address of the McAfee Event Receiver as the destination IP address and port 514 as the destination port.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
<date time> <IP address> <device name> <date time> <severity> <object> <user> <group> <name> <terminal name>
Log sample
This is a sample log from a Type80 Security Software SMA_RT device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Object               Object
IP Address           Source IP
User                 Username
Group                Group_Name
Unix Linux
*.*; @<ip_address>:514
where <ip_address> is the IP address of your McAfee Event Receiver, and 514 is the default port for syslog.
3. Run this command:
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field     McAfee ESM field
DG_SourceDriveType    Object_Type
fname                 Filename
VMware
Configure VMware
See the specific product documentation of VMware for instructions about sending syslog events.
Add VMware
Add the data source to a receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
<166>Jan 1 12:34:56 Hostd: [2015-01-01 12:34:56.123 ABCD1234 severity service] Example Message
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
IP Address           Source IP
Destination          Destination IP
Host                 Hostname
Application          Application
Command              Command
Method               Method
Severity             Severity
File                 Filename
VMware AirWatch
1. Log on to Admin Console and navigate to Groups → Settings → All Settings → System → Enterprise Integration →
Syslog.
2. Enter the host name or IP address of the McAfee Event Receiver in the Host Name field.
3. Select UDP for Protocol.
4. Enter 514 in the Port field.
5. Select UserLevelMessages for Syslog Facility.
6. For Event Types Logged, select Console and Device.
7. Enter Airwatch in the Message Tag field.
8. Make sure that the Message Content field follows the default format.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
AirWatch Syslog Details are as follows Event Type: {EventType}Event: {Event}User: {User}Event Source: {EventSource}Event Module: {EventModule}Event Category: {EventCategory}Event Data: {EventData}
Log sample
This is a sample log from a VMware AirWatch device:
<101> October 11 11:12:22 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationUser: sysadminEvent Source: Event Module: DevicesEvent Category: DeliveryEvent Data: 747
Field mapping
This table shows the mappings between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
EventType            Event_Class
Event                Message
EventSource          Subcategory
EventModule          Category
EventCategory        Message_Text
Application          Filename
Method               Method
OS Version           Version
OS                   Operating_System
Status               Status
Session              External_SessionID
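The AirWatch message format above has no delimiter between a value and the next label, so a naive split on ": " fails (the sample's "DeviceEvent: SecurityInformation" is two fields). This added example, not code from the McAfee guide or from AirWatch, recovers the fields from the known label order and renames them per the mapping table; the header pattern follows the page's sample rather than RFC 3164, and the second input line is constructed.

```python
"""Parse AirWatch syslog lines in the default Message Content format and map
the fields to McAfee ESM field names. Added example, not the guide's code."""
import re
from dataclasses import dataclass

# Label sequence from the page's message format. Values are only bounded by
# the next label, so a value that itself contains a later label text is
# inherently ambiguous; this parser then takes the shortest possible value.
AIRWATCH_LABELS = [
    ("Event Type: ", "EventType"),
    ("Event: ", "Event"),
    ("User: ", "User"),
    ("Event Source: ", "EventSource"),
    ("Event Module: ", "EventModule"),
    ("Event Category: ", "EventCategory"),
    ("Event Data: ", "EventData"),
]

# AirWatch field -> McAfee ESM field, from the page's mapping table. User and
# EventData have no entry there, so they stay only in the raw field dict.
ESM_FIELD_MAP = {
    "EventType": "Event_Class",
    "Event": "Message",
    "EventSource": "Subcategory",
    "EventModule": "Category",
    "EventCategory": "Message_Text",
}

# Header as in the page's sample: "<PRI> Month DD HH:MM:SS host tag ...".
# The space after the PRI bracket and the full month name differ from RFC 3164;
# "tag" is the Message Tag configured in the AirWatch console (step 7 above).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<timestamp>[A-Za-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+) "
    r"(?P<message>Syslog Details are as follows .*)$"
)


def _body_pattern():
    parts = []
    for i, (label, name) in enumerate(AIRWATCH_LABELS):
        last = i == len(AIRWATCH_LABELS) - 1
        # lazy match for every value but the last, so the next label ends it
        parts.append(re.escape(label) + (f"(?P<{name}>.*)" if last else f"(?P<{name}>.*?)"))
    return re.compile("^Syslog Details are as follows " + "".join(parts) + "$")


BODY_RE = _body_pattern()


@dataclass
class AirWatchEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    fields: dict   # raw AirWatch fields, keyed by the names in AIRWATCH_LABELS
    esm: dict      # the subset renamed to McAfee ESM field names


def parse_airwatch(line: str) -> AirWatchEvent:
    """Parse one AirWatch syslog line; raises ValueError on anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an AirWatch syslog line: " + line[:60])
    body = BODY_RE.match(m.group("message"))
    if not body:
        raise ValueError("message does not follow the AirWatch default Message Content format")
    pri = int(m.group("pri"))
    raw = {name: body.group(name).strip() for _, name in AIRWATCH_LABELS}
    esm = {ESM_FIELD_MAP[k]: v for k, v in raw.items() if k in ESM_FIELD_MAP}
    return AirWatchEvent(pri >> 3, pri & 7, m.group("timestamp"),
                         m.group("host"), m.group("tag"), raw, esm)


def is_airwatch_line(line: str) -> bool:
    """Cheap triage for a collector: True when the line parses, False otherwise."""
    try:
        parse_airwatch(line)
        return True
    except ValueError:
        return False


# First line: the page's own sample. Second line: constructed, with a
# non-empty Event Source and a user name containing a space.
SAMPLE_LINES = [
    "<101> October 11 11:12:22 AirWatch AirWatch Syslog Details are as follows Event Type: "
    "DeviceEvent: SecurityInformationUser: sysadminEvent Source: Event Module: DevicesEvent "
    "Category: DeliveryEvent Data: 747",
    "<13> March 3 08:00:05 AirWatch AirWatch Syslog Details are as follows Event Type: "
    "ConsoleEvent: LoginFailedUser: jane doeEvent Source: ConsoleEvent Module: UsersEvent "
    "Category: AuthenticationEvent Data: 3",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_airwatch(sample)
        print(ev.host, ev.tag, ev.facility, ev.severity, ev.esm)
```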
VMware Horizon
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 0
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Port: 514
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Sys_action           Action
Severity             Severity
Application          AppID
Host                 HostID
User                 UserIDSrc
UserGUID             Src_Guid
AuthType             Authentication_Type
Session              Session_ID
Task
1. Select a receiver.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
Event Timeframe: The desired timeframe to use when pulling events. For vCenter hosts that are overloaded, a higher Event Timeframe value is recommended.
    Default value: 5
    Minimum value: 5
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
computer date time IP protocol source destination original client IP source network destination network action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received intermediate connection time connection time intermediate username agent session ID connection ID
Log sample
This is a sample log from a VMware vCenter Server device:
SC-CHPROXY 2012-01-25 00:00:02 TCP 192.168.1.2:45678 10.10.10.78:443 192.168.1.5 Local Host Internal Establish 0x0 - HTTPS 0 0 0 0 - - - - 255594 1555999
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Computer             Hostname
IP Protocol          Protocol
Source               Source IP
Destination          Destination IP
1. From the DSM product, select Log → Syslog and add the required information.
2. Select Syslog Enabled via System → General Preferences on the System tab.
3. Configure the Syslog server for DSM logging for each domain.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL: Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version: Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order: Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone: To assign this data source to a zone, select the zone from the list.
External data source link: Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data.
    For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format: Use this option when you are exporting raw data source data.
Data is NitroFile format: Use this option when you are exporting raw data source data.
    Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum: If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
    Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
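The Validate SHA1 checksum rule is the same in every data source table in this chapter: a NitroFile export is checked against its checksum file, a mismatch rejects it, and importing without a checksum file is an explicit operator choice. This added example, not code from the McAfee guide, reproduces that check outside the Receiver; the guide does not document the checksum file's layout or name, so it assumes a sha1sum-style text file ("<40 hex digits>  <filename>") stored beside the export as "<export>.sha1", and all file names and contents below are constructed.

```python
"""Verify an exported NitroFile data source file against its SHA-1 checksum
file before importing it. Added example, not the guide's code; the checksum
file layout and the .sha1 naming are assumptions, not documented by the page."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha1_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-1 of a file, read in chunks so large exports need little memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def read_expected_digest(checksum_path) -> str:
    """First token of the checksum file, required to be a 40-hex-digit SHA-1 (assumed layout)."""
    text = Path(checksum_path).read_text(encoding="ascii").strip()
    token = text.split()[0].lower() if text else ""
    if len(token) != 40 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"{checksum_path}: no 40-hex-digit SHA-1 digest found")
    return token


def validate_export(data_path, checksum_path=None, allow_missing_checksum: bool = False) -> bool:
    """True when the export may be imported, False when the digest does not match.

    A missing checksum file raises unless the operator explicitly accepts
    importing without one (the page's "view it anyway" exception).
    """
    data_path = Path(data_path)
    if checksum_path is None:
        checksum_path = data_path.with_name(data_path.name + ".sha1")  # assumed naming
    checksum_path = Path(checksum_path)
    if not checksum_path.exists():
        if allow_missing_checksum:
            return True
        raise FileNotFoundError(f"no checksum file for {data_path.name}")
    expected = read_expected_digest(checksum_path)
    actual = sha1_of_file(data_path)
    # Constant-time compare. The digest detects a corrupted or truncated export;
    # it does not tell you who produced the file, since anyone can write a .sha1.
    return hmac.compare_digest(actual, expected)


def demo(tmp_dir=None) -> dict:
    """Constructed scenario: an intact export, a modified one, and one without a checksum file."""
    tmp = Path(tmp_dir or tempfile.mkdtemp())
    payload = b"constructed NitroFile payload, not a real export\n"

    good = tmp / "receiver1_export.nitro"  # constructed file name
    good.write_bytes(payload)
    (tmp / "receiver1_export.nitro.sha1").write_text(
        f"{sha1_of_file(good)}  receiver1_export.nitro\n", encoding="ascii")

    tampered = tmp / "tampered_export.nitro"  # bytes changed after the digest was written
    tampered.write_bytes(payload + b"extra line\n")
    (tmp / "tampered_export.nitro.sha1").write_text(
        f"{sha1_of_file(good)}\n", encoding="ascii")

    lone = tmp / "no_checksum_export.nitro"  # exported without a checksum file
    lone.write_bytes(payload)
    try:
        validate_export(lone)
        missing_rejected = False
    except FileNotFoundError:
        missing_rejected = True

    return {
        "intact": validate_export(good),
        "tampered": validate_export(tampered),
        "missing_rejected_by_default": missing_rejected,
        "missing_allowed_explicitly": validate_export(lone, allow_missing_checksum=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```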
Log sample
These are sample logs from a Vormetric Data Security device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
filePath             Destination_Filename
cat                  Category
url                  URL
Message ID           Signature ID
sev                  Severity
dvchost              Destination_Hostname
key                  Registry_Key
Res                  Object
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option Definition
Enabled: Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname: The IP address and host name associated with the data source device.
Mask: 32
Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
Option Definition
Device URL Type the URL address that can be accessed to view event data for this data source (maximum of
512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of
the Event Analysis view.
Vendor, Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF)
Product, forwards events.
Version
Date Order
Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources,
clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone To assign this data source to a zone, select the zone from the list.
External data
Automatically selected when you import events from another receiver. You can clear the
source link
checkbox which would remove the distinction of imported data.
For example, you export logs from receiver 1 into receiver 2. The External data source link is
applied to the logs being sent so that when logs are imported, the ESM can differentiate the
forwarded events.
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 1035
5| Configuring 3rd-party data sources
Option Definition
Export in Use this option when you are exporting raw data source data.
NitoFile
format
Data is Use this option when you are exporting raw data source data.
NitroFile
format
Note: When you export data sources to a remote file, they are exported in NitroFile
format. If you import those files to another Receiver automatically, Data is NitroFile is
selected for each of the data sources you are importing. This indicates that the file is in
NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 If the data you are importing is in NitroFile format, select this option if the data source has a
checksum checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data
source that has a checksum file. If you import them manually, you must select it. The only
exception is when you are importing a data source file that doesn't have a checksum file, but
you want to view it anyway.
Log format
<priority> <time> <date> <hostname> (<time> <date>) <process>[<process id>]: <key>=<value> <key>=<value> <key>=<value>…
Log sample
This is a sample log from a WatchGuard Technologies Firebox device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
protocol             Protocol
source IP            Source IP
destination IP       Destination IP
message              Message
msg_id               Message_ID
VLAN ID              VLAN
Severity             Severity
application          Application
domain               Domain
filename             Filename
interface            Interface
Group                Group_Name
member               External_Device_Name
member               External_Device_ID
Cluster ID           External_Event_ID
Ruleset              Rule_Name
path                 File_Path
Service              Service_Name
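An added example, not code from the guide or from McAfee ESM, of a parser for the Firebox line layout given above: it splits the header, derives the syslog facility and severity from the priority, and maps each key=value token onto the ESM field names in the table. The sample line is constructed; the key names used are those printed in the mapping table, and the multi-word names (source IP, destination IP, VLAN ID, Cluster ID) are left out because the page does not show how they appear on the wire.

```python
import re
from typing import Dict, List

# Key names taken from the guide's WatchGuard mapping table (single-token names only).
# "member" is listed twice in the guide, so it feeds two ESM fields.
FIELD_MAP: Dict[str, List[str]] = {
    "protocol": ["Protocol"],
    "message": ["Message"],
    "msg_id": ["Message_ID"],
    "Severity": ["Severity"],
    "application": ["Application"],
    "domain": ["Domain"],
    "filename": ["Filename"],
    "interface": ["Interface"],
    "Group": ["Group_Name"],
    "member": ["External_Device_Name", "External_Device_ID"],
    "Ruleset": ["Rule_Name"],
    "path": ["File_Path"],
    "Service": ["Service_Name"],
}

# <priority> <time> <date> <hostname> (<time> <date>) <process>[<process id>]: <body>
HEADER_RE = re.compile(
    r"^<(?P<priority>\d{1,3})>\s*"
    r"(?P<time>\S+)\s+(?P<date>\S+)\s+(?P<hostname>\S+)\s+"
    r"\((?P<dev_time>\S+)\s+(?P<dev_date>\S+)\)\s+"
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<body>.*)$"
)
# key=value tokens; values may be bare or double-quoted (quoted values may contain spaces)
KV_RE = re.compile(r'(?P<key>[A-Za-z_]\w*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_firebox_line(line: str) -> dict:
    """Parse one line in the documented Firebox layout into raw keys and ESM-mapped fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the documented Firebox layout")
    pri = int(m.group("priority"))
    event = {
        "hostname": m.group("hostname"),
        "process": m.group("process"),
        "pid": int(m.group("pid")),
        "receiver_time": f"{m.group('date')} {m.group('time')}",
        "device_time": f"{m.group('dev_date')} {m.group('dev_time')}",
        # syslog PRI = facility * 8 + severity
        "syslog_facility": pri >> 3,
        "syslog_severity": pri & 7,
        "raw": {},
        "esm": {},
    }
    for kv in KV_RE.finditer(m.group("body")):
        key = kv.group("key")
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        event["raw"][key] = value
        for esm_field in FIELD_MAP.get(key, []):
            event["esm"][esm_field] = value
    return event


# Constructed sample line (not a capture from a real device) in the documented layout.
SAMPLE_LINE = (
    "<134> 10:15:42 2018-04-23 fw-edge-01 (10:15:41 2018-04-23) firewall[2048]: "
    'msg_id=3000-0148 protocol=tcp interface=eth1 Ruleset="Allow-Outbound" '
    'application="HTTP Proxy" message="Allowed" Service=HTTP-proxy member=fw-edge-01'
)

if __name__ == "__main__":
    parsed = parse_firebox_line(SAMPLE_LINE)
    print(f"severity={parsed['syslog_severity']} facility={parsed['syslog_facility']}")
    for field, value in parsed["esm"].items():
        print(f"{field}: {value}")
```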
1. Make sure that you have the credentials for a user with the necessary permissions to the database.
2. Make sure that you have your database’s open port and IP address to set up the McAfee Event Receiver.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname    The IP address and host name associated with the data source device.
Port    1433
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log format
The log format is specific to this data source.
Log sample
This is a sample log from a Websense Enterprise - SQL Pull device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
action               Action
protocol             Protocol
ip_src               Source IP
ip_dst               Dest. IP
Url.Url              URL
domain               Domain
disposition_code     Signature ID
bytes_sent           Bytes_Sent
bytes_received       Bytes_Received
Command              Category
WurldTech OpShield
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname    Enter the IP address and host name (optional) associated with OpShield.
Mask    32
Time Zone    Select the time zone offset applicable to the data being sent.
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
Channel              Category
Source IP            Source IP
Destination IP       Destination IP
class                Event_Class
methodName           Method
privilege            Access_Privileges
errorMessage         Message_Text
deviceSN             External_Device_ID
Task
syslog enable
Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are to be sent.
3. (Optional) If a primary server has already been defined, syslog can be sent to a secondary server:
Where x.x.x.x is the IP address of the McAfee Event Receiver, and 7 is the severity level of the logs that are sent.
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname    The IP address and host name associated with the data source device.
Mask    32
Require Syslog TLS    Enable to require the Receiver to communicate over TLS.
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Log sample
This is a sample log from a Xirrus 802.11abgn Wi-Fi Array:
[1.2.3.4] <15>Jan 01 01:01:01: info : Station a1:b2:c3:d4:e5:f6, EAP Response packet (type PEAP) received
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
SSID                 Domain
Yubico YubiKey
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
Mask    0
Time Zone    Select the time zone offset applicable to the data being sent.
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
ZeroFox Riskive
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname    The IP address and host name associated with the data source device.
Mask    <Default>
Require Syslog TLS    Enable to require the Receiver to communicate over TLS.
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
URL                  URL.URL
URL                  Web_Domain.Web_Domain
DNS                  DNS_Name.DNS_Name
Percentile           Severity
AlertPriority        Severity
IP                   src_ip
ZScaler Nanolog
Task
1. Select a receiver.
2. Click the Properties icon.
3. From the Receiver Properties window, select Data Sources.
4. Click Add.
Option    Definition
Enabled    Select options for processing events. Some options may not be available for your data source.
IP Address/Hostname    The IP address and host name associated with the data source device.
Mask    32
Require Syslog TLS    Enable to require the Receiver to communicate over TLS.
Option    Definition
Device URL    Type the URL address that can be accessed to view event data for this data source (maximum of 512 characters). You can access this URL by clicking the Launch Device URL icon at the bottom of the Event Analysis view.
Vendor, Product, Version    Enter the vendor, product, and version of the device where the ESM Common Event Format (CEF) forwards events.
Date Order    Select the format for the dates on data sources:
• Default — Uses the default date order (month before day). When using client data sources, clients using this setting inherit the date order of the parent data source.
• Month before day — The month goes before the day (04/23/2018).
• Day before month — The day goes before the month (23/04/2018).
Zone    To assign this data source to a zone, select the zone from the list.
External data source link    Automatically selected when you import events from another receiver. You can clear the checkbox, which removes the distinction of imported data. For example, you export logs from receiver 1 into receiver 2. The External data source link is applied to the logs being sent so that when logs are imported, the ESM can differentiate the forwarded events.
Export in NitroFile format    Use this option when you are exporting raw data source data.
Data is NitroFile format    Use this option when you are exporting raw data source data.
Note: When you export data sources to a remote file, they are exported in NitroFile format. If you import those files to another Receiver automatically, Data is NitroFile is selected for each of the data sources you are importing. This indicates that the file is in NitroFile format. If you import them manually, you must select this box for each data source.
Validate SHA1 checksum    If the data you are importing is in NitroFile format, select this option if the data source has a checksum file.
Note: When imported automatically, Validate SHA1 checksum is selected for any data source that has a checksum file. If you import them manually, you must select it. The only exception is when you are importing a data source file that doesn't have a checksum file, but you want to view it anyway.
"%s{time}","%s{login}","%s{proto}","%s{url}","%s{action}","%s{appname}","%s{appclass}","%d{reqsize}","%d{resp
size}","%d{stime}","%d{ctime}","%s{urlclass}","%s{urlsupercat}","%s{urlcat}","%s{malwarecat}","%s{threatname}
","%d{riskscore}","%s{dlpeng}","%s{dlpdict}","%s{location}","%s{dept}","%s{cip}","%s{sip}","%s{reqmethod}","%
s{respcode}","%s{ua}","%s{referer}"
Log sample
This is a sample log from a Zscaler Nanolog Streaming Service device:
Field mapping
This table shows the mapping between the data source and McAfee ESM fields.
Data source field    McAfee ESM field
url                  URL
reqsize              Bytes_from_Client
respsize             Bytes_from_Server
malwarecat           Threat_Category
threatname           Threat_Name
riskscore            Reputation_Score
cip                  Source IP
sip                  Destination IP
reqmethod            Command
ua                   User_Agent
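An added example, not code from the guide or from McAfee ESM, that reads the Nanolog feed format string printed above, derives the ordered field list and types from it (`%s` text, `%d` integer), parses a CSV record against that list, and maps the result onto the ESM field names in the table. The sample record is constructed; the format string and mapping are the ones printed on this page.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Feed format string exactly as printed in the guide for this data source.
NSS_FORMAT = (
    '"%s{time}","%s{login}","%s{proto}","%s{url}","%s{action}","%s{appname}","%s{appclass}",'
    '"%d{reqsize}","%d{respsize}","%d{stime}","%d{ctime}","%s{urlclass}","%s{urlsupercat}",'
    '"%s{urlcat}","%s{malwarecat}","%s{threatname}","%d{riskscore}","%s{dlpeng}","%s{dlpdict}",'
    '"%s{location}","%s{dept}","%s{cip}","%s{sip}","%s{reqmethod}","%s{respcode}","%s{ua}",'
    '"%s{referer}"'
)

# Mapping from the guide's Zscaler Nanolog field mapping table.
FIELD_MAP: Dict[str, str] = {
    "url": "URL",
    "reqsize": "Bytes_from_Client",
    "respsize": "Bytes_from_Server",
    "malwarecat": "Threat_Category",
    "threatname": "Threat_Name",
    "riskscore": "Reputation_Score",
    "cip": "Source IP",
    "sip": "Destination IP",
    "reqmethod": "Command",
    "ua": "User_Agent",
}

FORMAT_TOKEN_RE = re.compile(r"%([sd])\{(\w+)\}")


def parse_format(fmt: str) -> List[Tuple[str, str]]:
    """Turn the feed format string into an ordered list of (field name, type code)."""
    return [(name, code) for code, name in FORMAT_TOKEN_RE.findall(fmt)]


def parse_nanolog_line(line: str, fmt: str = NSS_FORMAT) -> Dict[str, Dict[str, Optional[object]]]:
    """Parse one CSV record produced with `fmt`; %d fields become int (None when empty).
    Raises ValueError when the field count does not match the format, which is the usual
    symptom of a feed whose format was changed without updating the parser."""
    fields = parse_format(fmt)
    values = next(csv.reader(io.StringIO(line)))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    raw: Dict[str, Optional[object]] = {}
    for (name, code), value in zip(fields, values):
        raw[name] = (int(value) if value != "" else None) if code == "d" else value
    esm = {FIELD_MAP[name]: raw[name] for name in FIELD_MAP if name in raw}
    return {"raw": raw, "esm": esm}


# Constructed sample record (not a capture from a real tenant) with 27 fields in format order.
SAMPLE_LINE = (
    '"Mon Apr 23 10:15:42 2018","jdoe@example.com","HTTP","example.com/downloads/setup.exe",'
    '"Blocked","General Browsing","General Browsing","512","0","120","80","Miscellaneous",'
    '"Miscellaneous","Miscellaneous","Malicious Content","Constructed.Sample","95","None",'
    '"None","HQ","Engineering","10.1.2.3","203.0.113.7","GET","403","Mozilla/5.0","None"'
)

if __name__ == "__main__":
    parsed = parse_nanolog_line(SAMPLE_LINE)
    for field, value in parsed["esm"].items():
        print(f"{field}: {value!r}")
```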
6| Configuring asset data sources
You must have Asset Manager permissions on the Altiris Management Console.
Task
1. Click the Asset Manager icon, then click the Asset Sources tab.
The Asset Sources tree shows the McAfee ESM devices and Receivers on the system, and their current asset sources.
Note
McAfee ESM can have one asset source; McAfee Event Receivers can have multiple asset sources.
Option    Definition
Name    Give the data source a name. Use a common naming convention for all asset data sources.
Zone    (Optional) The zone where the Active Directory server is located.
Priority    Set a priority for this data source if it discovers an asset at the same time as another asset data source.
IP Address and Port    The IP address and port that ESM uses to connect to the Active Directory server.
Use SSL    If you want to use an encryption protocol for the data, select Use SSL.
Enable Proxy    To use a proxy server, select Enable Proxy and enter the IP address, port, and user credentials.
Retrieve Data    To schedule automatic data retrieval, set the interval. You can also retrieve data manually (Asset Sources Retrieve).
The LDAP (Active Directory) asset source uses the Active Directory server for data. If the IP address is missing, the SIEM device queries the host (using the host name supplied by the Active Directory server) over NetBIOS, then falls back to DNS if NetBIOS cannot resolve the IP address.
If this process does not resolve the IP address, the asset's IP address isn't added to the Assets table.
Note
The NetBIOS query uses port 137 from the McAfee Event Receiver to their hosts, so port 137 needs to be allowed from the
SIEM device to each of the hosts listed in the LDAP server.
Task
1. Click the Asset Manager icon, then click the Asset Sources tab.
The Asset Sources tree shows the McAfee ESM devices and Receivers on the system, and their current asset sources.
Note
McAfee ESM can have one asset source; McAfee Event Receivers can have multiple asset sources.
Option    Definition
Name    Give the data source a name. Use a common naming convention for all asset data sources.
Zone    (Optional) The zone where the Active Directory server is located.
Priority    Set a priority for this data source if it discovers an asset at the same time as another asset data source.
IP Address and Port    The IP address and port that ESM uses to connect to the Active Directory server.
Use TLS    If you want to use an encryption protocol for the data, select Use TLS.
Search Base    The point in the directory tree where you want to start searching. See Active Directory documentation for more detail.
Retrieve Data    To schedule automatic data retrieval, set the interval. You can also retrieve data manually (Asset Sources Retrieve).
Note
Ensure that VA data is collected only once. Duplicate data collection can cause unpredictable behavior in ESM.
Task
Option Definition
Client ID Type the Frontline client ID number. This field is required for Digital Defense Frontline.
Company Name On FusionVM, the name of the company that must be scanned. If this field is left blank, all
companies that the user belongs to are scanned. If you enter more than 1 company,
separate the names with a comma.
Data Retrieval (Qualys QualysGuard) Select the method to retrieve the VA data. HTTP/HTTPS is the
default. The other options are SCP, FTP, NFS, CIFS, and Manual upload.
Note: A Qualys QualysGuard log file manual upload has a file size limit of 2 GB.
Domain Type the domain of the Windows box (optional, unless your domain controller or server
exists in a domain).
Exported scan file The directory where exported scan files reside.
directory
Exported scan file The exported scan file format (XML, NBE).
format
Install directory The location where Saint was installed on the server. The installation directory for a Saint
appliance scanner is /usr/local/sm/.
IP Address • eEye REM: The IP address of the eEye server that is sending trap information.
• eEye Retina: The IP address of the client holding exported scan files (.rtd).
• McAfee® Vulnerability Manager: The IP address of the server on which it is installed.
• Nessus, OpenVAS, LanGuard, and Rapid7 Metasploit Pro: The IP address of the client
holding exported scan files.
• NGS: The IP address of the system that is storing the Squirrel reports.
1066 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
6| Configuring asset data sources
Option Definition
• Rapid7, Lumension, nCircle, and Saint: The IP address of the respective server.
Mount Directory If you select nfs in the Method field, the Mount Directory fields are added. Enter the
mount directory set when you configured nfs.
Method The method to use to retrieve the exported scan files (SCP, FTP, NFS, or CIFS mount).
LanGuard always uses CIFS.
Password • McAfee® Vulnerability Manager: If using Windows authentication mode for SQL Server,
the password of the Windows box. If not, the password of the SQL Server.
• Nessus, OpenVAS, LanGuard, and Rapid7 Metasploit Pro: The password of SCP or FTP.
• NGS: The password for the SCP and FTP methods.
• Qualys and FusionVM: The password for the Qualys Front Office or FusionVM user
name.
• Rapid7 Nexpose, Lumension, nCircle, and Saint: The password to use when connecting
to the web server.
• Digital Defense Frontline: The web interface password.
Port Port Rapid7 Nexpose, Lumension, nCircle, McAfee® Vulnerability Manager, or Saint web
server are listening on. The default for Rapid7 Nexpose is 3780, for Lumension is 205, for
nCircle is 443, for McAfee® Vulnerability Manager is 1433, and for Saint is 22.
Project/Workspace Name of a particular project or workspace, or leave it blank to grab all projects or work
Name spaces.
McAfee Enterprise Security Manager Data Source Configuration Reference Guide 1067
6| Configuring asset data sources
Option Definition
Schedule Receiver or Indicate the frequency with which you want the VA data to be retrieved from the Receiver
DEM data retrieval or McAfee Database Event Monitor:
Note: eEye REM does not support data retrieval from the source so the data must
be retrieved from the Receiver or McAfee Database Event Monitor.
Schedule VA data Indicate the frequency with which you want the VA data to be retrieved from the VA source.
retrieval
Session Saint: The session data is gathered from. To include all sessions, type All.
SNMP If you select authNoPriv or authPriv in the SNMP security level field, this field is active.
authentication Enter the password for the authentication protocol selected in the SNMP authentication
password protocol field.
SNMP If you select authNoPriv or authPriv in the SNMP security level field, this field is active.
authentication Select the type of protocol for this source: MD5 or SHA1 (SHA1 and SHA see the same
protocol protocol type). Make sure that your REM Events Server configuration matches your
selection.
SNMP Community SNMP community set when you configured the REM Events Server.
SNMP privacy If you select authPriv in the SNMP security level field, this field is active. Enter the
password password for the DES or AES privacy protocol. In FIPS mode, AES is the only option
available.
1068 McAfee Enterprise Security Manager Data Source Configuration Reference Guide
6| Configuring asset data sources
Option Definition
SNMP privacy protocol
If you select authPriv in the SNMP security level field, this field is active and you can select either DES or AES. In FIPS mode, AES is the only option available.
SNMP security level
SNMP authentication and privacy fields become active based on the security level you select. Make sure that your REM Events Server configuration matches your selection.
SNMP version
Version of SNMP for the source. The SNMP fields are activated based on the version selected.
SNMPv3 Engine ID
(Optional) SNMPv3 Engine ID of the trap sender, if an SNMPv3 profile is used.
Sudo password
(Optional) Type the password to access the Saint installation directory.
Time out
This field allows you to use the default time-out value for a source or provide a specific time-out value. This is useful if you have a large amount of VA data from a vendor and the default time-out setting does not allow all or any of the data to be returned. You can increase the time-out value to allow more time for VA data retrieval. If you provide a value, it is used for all communications.
Token
(Optional) Authentication token that can be set in the Metasploit Global Settings.
Use HTTP Proxy
If you select to use the HTTP proxy, the Proxy IP Address, Proxy Port, Proxy Username, and Proxy Password fields become active.
Use Passive mode
If you select ftp in the Method field, this field becomes active. Select when to use passive mode.
Use sudo
Select this option if you have access to the Saint installation directory and want to use this access.
Use System Profile (eEye REM)
Select whether to use a previously defined profile. If you select this option, all SNMP fields are deactivated. When you select one of the existing system profiles, the fields are populated with the information in the profile selected.
User name
Type the user name for McAfee® Vulnerability Manager. If you are using Windows authentication mode for the SQL Server, enter the user name of the Windows box. If not, it is the user name of the SQL Server.
• Nessus, OpenVAS, and Rapid7 Metasploit Pro: The user name for SCP or FTP.
• NGS: The user name for the SCP and FTP methods.
• Qualys or FusionVM: The Front Office or FusionVM user name with which to authenticate.
• Rapid7 Nexpose, Lumension, nCircle, and Saint: The user name to use when connecting to the web server.
• Digital Defense Frontline: The web interface user name.
Wildcard expression
A wildcard expression used to describe the name of exported scan files. The wildcard expression can use an asterisk (*) or question mark (?) with the standard definition of "wildcard" in a file name.
If you have both NBE and XML files, you must specify whether you want NBE or XML files in this field (for example, *.NBE or *.XML). If you only use an asterisk (*), you get an error.
7| Troubleshooting
Troubleshooting
Find a solution to your data source configuration issue.
General troubleshooting tips
If there are errors saying events are being discarded because the Last Time value is more than one hour in the future, or the values are incorrect, the Time Zone settings for the data source or ESM might need to be adjusted.
When creating custom ASP rules, the Key and Value table located in the Parsing tab displays potential field mappings based on the log text entered in the Sample Log Data section. None of the data from the Key and Value table is populated by default. Actual field assignments are set in the Field Assignment tab by dragging and dropping the key onto the desired field.
When analyzing parsed event details, fields on the Custom Types tab are not present if the data intended to be captured for that specific field is absent from the received logs.
Check data source health
If you suspect a data source is not operating correctly, use the Health feature to view its status.
Task
1. From the device tree, select the data source, then click Properties.
2. In the Data Source Properties window, click Health.
   The Data Source Health Check window displays status information.
3. Search the output for errors or warnings that indicate a problem with the data source.
Data source not sending events
Task
Note
For syslog data sources, you should see incoming traffic on port 514 UDP. Slower data sources might need a few minutes of observation before a packet is observed, and faster ones such as a firewall are almost immediate. If no packets are observed, you may have a firewall or endpoint issue.
3. Check the IP and Ethernet numbers. If these are correct, the problem is likely on the endpoint. For non-syslog data sources, perform a connection test from the GUI while running tcpdump. (WMI will 'pull' data over port 135, SQL will pull data over port 1433, and so on.)
Note
If the IP and port information is correct and incoming traffic is not seen in the tcpdump, the problem could be related to a firewall or network issue preventing inbound traffic over the specified port. Consult your network administrator.
4. Enter iptables -n -v -L | grep x.x.x.x. Ensure there is a rule in place for the data source IP address that will let it through the firewall.
Note
Typical output from iptables includes the port and IP address of the data source.
5. In McAfee ESM, select the data source from the device tree.
6. Open the Device Status dashboard. Scroll down to find the vipsid number of the data source.
7. Use SSH to connect to the McAfee Event Receiver and enter ls -al /var/log/data/inline/thirdparty.logs/<vipsID number>/in.
   If the file size of Data.xxxxxx is larger than zero, data is being stored on the McAfee Event Receiver.
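As an added example (not part of the McAfee guide), the three checks in this procedure written as POSIX shell functions: incoming syslog traffic on 514/udp from the tcpdump output, the iptables rule for the data source address, and a non-empty Data.* file under the vipsID directory on the Receiver. Each function parses command output passed in as a string, so it can be run against saved output or live on the Receiver. The sample outputs, IP addresses and vipsID are constructed, and run_live_checks is a hypothetical wrapper, not a McAfee tool.

```shell
#!/bin/sh
# Added example: the "data source not sending events" checks as functions.
# Each parser takes command output as $1 so the same logic works on saved
# output (the constructed samples below) or live via run_live_checks.
# All IPs, the vipsID and the sample outputs are constructed.

# Constructed sample of "tcpdump -n udp port 514" for source 192.0.2.10.
SAMPLE_TCPDUMP='12:00:01.101 IP 192.0.2.10.51234 > 198.51.100.5.514: SYSLOG, length: 96
12:00:01.404 IP 192.0.2.10.51234 > 198.51.100.5.514: SYSLOG, length: 88'

# Constructed sample of "iptables -n -v -L": one ACCEPT rule for the data
# source and one DROP rule for an unrelated host.
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     udp  --  *      *       192.0.2.10           0.0.0.0/0            udp dpt:514
    0     0 DROP       all  --  *      *       203.0.113.9          0.0.0.0/0'

# Constructed sample of "ls -al .../thirdparty.logs/<vipsID>/in" with one
# non-empty Data file.
SAMPLE_LS='total 12
drwxr-xr-x 2 root root  4096 Jan 10 12:00 .
drwxr-xr-x 4 root root  4096 Jan 10 11:00 ..
-rw-r--r-- 1 root root 48213 Jan 10 12:00 Data.000123'

# Exit 0 if tcpdump output $1 shows a datagram from source IP $2 to UDP 514.
# With -n, tcpdump prints "IP <src>.<sport> > <dst>.514:" per packet.
syslog_traffic_seen() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$2 == "IP" && index($3, ip ".") == 1 && $5 ~ /\.514:$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Exit 0 if "iptables -n -v -L" output $1 has an ACCEPT rule whose source
# column (field 8 in -v output) equals $2 (step 4 of the procedure).
iptables_allows_source() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$3 == "ACCEPT" && $8 == ip { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Exit 0 if "ls -al" output $1 lists a Data.* file whose size (field 5) is
# greater than zero (step 7 of the procedure).
receiver_has_data() {
    printf '%s\n' "$1" | awk \
        '$NF ~ /^Data\./ && $5 + 0 > 0 { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Hypothetical live wrapper, run as root on the McAfee Event Receiver:
#   run_live_checks <data-source-ip> <vipsID>
# tcpdump is capped at 10 packets / 60 s; the directory is the one the
# procedure names, with the vipsID substituted.
run_live_checks() {
    ip=$1
    vips=$2
    if syslog_traffic_seen "$(timeout 60 tcpdump -n -c 10 udp port 514 2>/dev/null)" "$ip"; then
        echo "OK: syslog traffic from $ip seen on 514/udp"
    else
        echo "FAIL: no syslog traffic from $ip (firewall or endpoint issue?)"
    fi
    if iptables_allows_source "$(iptables -n -v -L)" "$ip"; then
        echo "OK: iptables ACCEPT rule for $ip present"
    else
        echo "FAIL: no iptables ACCEPT rule for $ip"
    fi
    if receiver_has_data "$(ls -al "/var/log/data/inline/thirdparty.logs/$vips/in")"; then
        echo "OK: non-empty Data.* file stored for vipsID $vips"
    else
        echo "FAIL: no stored data for vipsID $vips"
    fi
}

# "live <ip> <vipsID>" runs the checks on the Receiver; with no arguments
# the parsers are exercised on the constructed samples.
if [ "${1:-}" = "live" ]; then
    run_live_checks "$2" "$3"
else
    syslog_traffic_seen "$SAMPLE_TCPDUMP" 192.0.2.10 && echo "sample: syslog traffic seen"
    iptables_allows_source "$SAMPLE_IPTABLES" 192.0.2.10 && echo "sample: ACCEPT rule present"
    receiver_has_data "$SAMPLE_LS" && echo "sample: non-empty Data file present"
fi
```

The parsers key on the exact columns the commands print (`-n` keeps tcpdump and iptables from resolving names, which would shift the fields), so a missing ACCEPT rule or a zero-byte Data file fails its check instead of being lost in the raw output. Running the script as `sh check.sh live 192.0.2.10 <vipsID>` on the Receiver prints one OK/FAIL line per step.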
Received data is not parsed
Task
1. Ensure the correct parser is selected. In instances where there is more than one possible parser, choose the one with (ASP) in the title.
2. Ensure the delivery and format settings are set to default values (unless you are using MEF or non-syslog data sources).
3. Make sure the data source settings and policy are current.
   a. Select the McAfee Event Receiver from the device tree and click Policy Editor.
   b. On the Policy Editor page, click Operations → Rollout.
   c. On the Rollout page, select the McAfee Event Receiver and click OK.
5. For syslog data sources, enable logging of unknown events.
Note
Default policy rules are disabled by default and should not be enabled at the default level.
Settings and policies not implemented
Task
1. On the Configuration page, select the McAfee Event Receiver and click Properties.
2. Click Data Sources.
3. If the Write button is dimmed, make a minor change (add a space and remove it) to a data source.
4. Click Write.
5. If the Rollout page opens, select Rollout policy to all devices now.
6. If the Rollout page does not open, roll out policy manually.
8| Generic syslog configuration details
This section outlines the general options available in the Add Data Source configuration screen and provides details.
Use System Profiles
System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are needed to retrieve Windows Event Logs if WMI is the chosen mechanism.
Data Format
The expected format of the received or collected data. Options are Default, CEF, and MEF. Generally, this option is left as Default for supported data sources; it is intended to be used for custom data sources.
Note: If CEF is selected, the generic CEF parsing rule is enabled and rolled into policy for that data source. If selected on supported CEF data sources, the generic parsing rule might override existing parsing rules that are designed to parse data source-specific details. This results in degraded reporting for the specific data source.
Data Retrieval
The expected collection method used by the McAfee Event Receiver to collect the data. The default is generally syslog. Typically, this option is changed to match the needs in a specific user's environment. The data needs to remain in the expected format; otherwise, the parsing rules cannot parse the events.
Enabled: Parsing/Logging/SNMP Trap
Parsing enables the data source to pass events to the parser. Logging enables the data source to pass raw event data to the McAfee Enterprise Log Manager (ELM). SNMP enables reception of SNMP traps for select data sources. If none of the options are checked, the settings are saved to McAfee ESM, but the data source is effectively disabled. The default is Parsing.
Name
This is the name that appears in the Logical Device Groupings tree and the filter lists.
IP Address/Hostname
The IP address and host name associated with the data source device.
Syslog Relay
Allows data to be collected via relays, with the option to group events under specific data sources based on syslog header details. Enable syslog relay on relay sources such as Syslog-NG.
Mask
Allows a mask to be applied to an IP address so that a range of IP addresses can be accepted.
Require Syslog TLS
When enabled, requires the McAfee Event Receiver to communicate over TLS.
Support Generic Syslog
Allows users to select one of the following options: Parse generic syslog, Log unknown syslog event, or Do nothing. These options control how McAfee ESM handles unparsed logs. Parse generic syslog creates an event for every unique unparsed event collected. Log unknown creates a single generic event and increments the count for every unparsed event. Do nothing ignores unparsed events. Use Parse generic syslog sparingly, as it can negatively impact McAfee Event Receiver and McAfee ESM performance when there is a high incoming rate of unparsed logs. If unparsed events must be reported in McAfee ESM, use the Log unknown option; otherwise, leave the setting as Do nothing.
Time Zone
Set based on the time zone used in the log data. Generally, it is the time zone where the actual data source is located.
Interface
Opens the McAfee Event Receiver interface settings to associate ports with streams of information.
COPYRIGHT
Copyright © 2022 Musarubra US LLC.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.