
Logging with McAfee ePO

Our company uses McAfee's ePO. However, since well before I started this job, we have not been pulling the logs. To meet PCI compliance I am now working with our admins to get this logging to work. As I understand it we have our ePO container within our connector appliance. This contains information to connect to a database that stores the events from ePO and retrieve the logs. Assuming that is correct, at least from a high level perspective, I have a question. Do I need to install the JDBC driver on the server where the database resides? I'm sure more questions will come up as ePO is new to me, but any help to get things moving would be great! Thanks!


I've had this connector running for quite some time now and did have to install the JDBC driver in order to get it working on our systems.

Let me know if you have any other questions.


How do the McAfee events get from the local machines to the database?



When the client machines are able to connect to the ePO server they forward their events using the ePO client. If they have detections while away from the office they will forward the cached events to the ePO server once back on your network. This can cause a large difference between End Time and Manager Receipt Time, which should be remembered when creating trends and querying for events.

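The End Time versus Manager Receipt Time gap described above, as an added example that is not part of the original thread: it builds a daily trend from constructed sample events using each timestamp in turn and flags events that were cached off-network and arrived late. Field names, hosts and timestamps are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). "end" is the event's End Time
# on the endpoint; "rt" is the Manager Receipt Time when the ePO server got it.
SAMPLE_EVENTS = [
    {"host": "lt-01", "end": "2024-03-01T09:15:00", "rt": "2024-03-01T09:16:10",
     "name": "EICAR test file"},
    {"host": "lt-02", "end": "2024-03-02T18:40:00", "rt": "2024-03-04T08:02:30",
     "name": "EICAR test file"},
    {"host": "lt-03", "end": "2024-03-03T11:05:00", "rt": "2024-03-03T11:05:45",
     "name": "Access Protection rule violation"},
    {"host": "lt-02", "end": "2024-03-02T18:41:00", "rt": "2024-03-04T08:02:31",
     "name": "Access Protection rule violation"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def receipt_lag(event):
    """Seconds between the endpoint's End Time and the Manager Receipt Time."""
    return (_parse(event["rt"]) - _parse(event["end"])).total_seconds()


def daily_trend(events, key):
    """Count events per calendar day keyed on 'end' (when it happened)
    or 'rt' (when ePO received it). The two trends differ whenever
    laptops replay cached detections after reconnecting."""
    return dict(Counter(_parse(e[key]).date().isoformat() for e in events))


def delayed_events(events, max_lag=timedelta(hours=1)):
    """Events whose receipt lag exceeds max_lag; these are the ones a
    query bounded on Manager Receipt Time will place on the wrong day."""
    return [e for e in events if receipt_lag(e) > max_lag.total_seconds()]


if __name__ == "__main__":
    print("by End Time:            ", daily_trend(SAMPLE_EVENTS, "end"))
    print("by Manager Receipt Time:", daily_trend(SAMPLE_EVENTS, "rt"))
    for e in delayed_events(SAMPLE_EVENTS):
        print(f"{e['host']}: {e['name']} delayed {receipt_lag(e) / 3600:.1f} h")
```

A query bounded on Manager Receipt Time for 2024-03-02 returns nothing, although two detections happened on that day; trend on End Time and keep the receipt-time window wide enough to catch replayed events.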

Thanks for the help, Todd. So once the events get to the ePO server they then need to get sent to a database and then they go to ArcSight?


Yes, the ePO server stores the events in the ePO SQL database which is then queried by the ArcSight connector.


Ok, when I search in ArcSight for deviceVendor = "Mcafee" AND deviceProduct = "ePolicy Orchestrator" I get results and can see they are coming in from various hosts. However, there isn't anything helpful as far as seeing what events happened. It simply says "unknown event." I also tried to generate some log entries by attempting to disable my McAfee process. I can see it in my local log and I went to the agent status monitor to send events. I then searched in ArcSight and that event wasn't there. Any thoughts?


I haven't encountered any issues with unknown events on our systems. I'd make sure that your versions and configuration follow the connector documentation and check the connector logs for any errors, and if this doesn't solve your issue I would open a support ticket.

You may also want to use an eicar test file to validate your AV detections. Search for eicar and you will find the string that needs to be inserted into a text file to trigger the AV detection test.


Ok, I will look into those things. We have done the eicar test a few times and those aren't showing up in AS either. Thanks again for the input.


Was this issue resolved? I see unknown events on my system as well. It seems only some from the EEADMIN table. I see events from other tables fine. EEADMIN is the table encryption events go to. It seems encryption events don't get read properly by the connector.
