I'm trying to integrate McAfee ePO with RSA SA 10.6.4.1.
I've created the DSN with the DB and server name, and port number. Left the driver value as default.
I've also entered the ODBC username and password configuration parameters, and tested connection - successful.
However, I receive no logs from McAfee ePO. I looked up the /var/log/messages file, and I find the following warning -
NwLogCollector: [OdbcCollection] [warning] Invalid audit log format for:Test Connection Success!
I'm not sure what this means.
McAfee ePO has many different modules in it.
Which module are you trying to collect from? AV? HIDS?
The AV module. We're going for the system and virus logs.
Please consider upgrading from 10.6.4.1 to a version of NetWitness 11.x; the 10.6.x.x versions will be End of Life in October 2019. You must upgrade to a version of 10.6.6.x prior to upgrading to 11.3.
Here is some documentation pertaining to NetWitness 11.3 features and functionality:
v11.3 Release Notes
NetWitness Known Issues (11.x)
Introduction Blog Post (Marketing)
Physical Host Upgrade Checklist 10.6.6.x to 11.3
Physical Host Upgrade Guide 10.6.6.x to 11.3
Update Guide 11.x.x.x to 11.3
Getting Started Guide
NetWitness Respond User Guide
NetWitness Investigate Quick Start Guide
NetWitness UEBA Quick Start Guide
NetWitness Endpoint Quick Start Guide
Changes to ESA script outputs
Recovery Tool User Guide
Have you followed the guide here? https://community.rsa.com/docs/DOC-40219
There are a couple of different options to pick depending on AV version.
Thanks Dave, it's working now! Just took a while to manifest.