2019-05-13 10:11 AM
Hi,
I've integrated McAfee ePO 5.9.1 via ODBC to RSA SA. I'm receiving logs as well. However, on closer inspection, what I've noticed is that only ePO administrative event logs are being sent to SA. I'm not receiving the anti-virus threat event logs, which is what I'm actually after.
Any ideas on how to receive ePO threat event logs?
I've added the DB name in the McAfee ePO DSN, and it is this DB that contains all the threat event logs as well. Yet, all I'm receiving are the admin logs.
Need assistance.
2019-05-13 10:15 AM
What version of AV are you on?
There should be a secondary "event source" that you need to set up for the AV events.
2019-05-14 06:33 AM
Hi Dave,
I've got to integrate several products from within the McAfee suite. I've managed to integrate:
1. ePolicy Orchestrator 5.9.1
2. VSE 8.8
3. HIPS 8.0
I'm having problems integrating the following products:
4. MSME 8.5: For McAfee Security for Microsoft Exchange, I'm unable to find the parser and event source type, both of which are listed as 'mcafeesecurity'.
5. ENS 10.2.x: For McAfee Endpoint Security ENS, I'm unable to find the event source type 'epolicyens10_5autoid'.
Please note, my RSA SA version is 10.6.4.1, and the documents say it qualifies for integration (anything 10.0 and above).
Also, as an added note, I've also been asked to integrate
6. McAfee VirusScan Enterprise for Linux VSES
7. McAfee VirusScan Enterprise for Storage VSEL
They have VSES 1.2 and VSEL 1.9 and 2.3 deployed. Now, in the documentation I see that VSE 8.8 can be integrated, which I've done as well, but I'm not sure what to do with VSES and VSEL.
Any insight on the above?