
Logging with McAfee ePO
Our company uses McAfee's ePO. However, since well before I started this job, we have not been pulling the logs. To meet PCI compliance I am now working with our admins to get this logging to work. As I understand it we have our ePO container within our connector appliance. This contains information to connect to a database that stores the events from ePO and retrieve the logs. Assuming that is correct, at least from a high-level perspective, I have a question. Do I need to install the JDBC driver on the server where the database resides? I'm sure more questions will come up as ePO is new to me, but any help to get things moving would be great! Thanks!

I've had this connector running for quite some time now and did have to install the JDBC driver in order to get it working on our systems.
Let me know if you have any other questions.

How do the McAfee events get from the local machines to the database?

When the client machines are able to connect to the ePO server they forward their events using the ePO client. If they have detections while away from the office they will forward the cached events to the ePO server once back on your network. This can cause a large difference between End Time and Manager Receipt Time which should be remembered when creating trends and querying for events.

Thanks for the help, Todd. So once the events get to the ePO server they then need to get sent to a database and then they go to ArcSight?

Yes, the ePO server stores the events in the ePO SQL database which is then queried by the ArcSight connector.

Ok, when I search in ArcSight for deviceVendor = "Mcafee" AND deviceProduct = "ePolicy Orchestrator" I get results and can see they are coming in from various hosts. However, there isn't anything helpful as far as seeing what events happened. It simply says "unknown event." I also tried to generate some log entries by attempting to disable my McAfee process. I can see it in my local log and I went to the agent status monitor to send events. I then searched in ArcSight and that event wasn't there. Any thoughts?

I haven't encountered any issues with unknown events on our systems. I'd make sure that your versions and configuration follow the connector documentation and check the connector logs for any errors, and if this doesn't solve your issue I would open a support ticket.
You may also want to use an eicar test file to validate your AV detections. Search for eicar and you will find the string that needs to be inserted into a text file to trigger the AV detection test.

Ok, I will look into those things. We have done the eicar test a few times and those aren't showing up in AS either. Thanks again for the input.

Was this issue resolved? I see unknown events on my system as well. It seems only some from the EEADMIN table. I see events from other tables fine. EEADMIN is the table encryption events go to. It seems encryption events don't get read properly by the connector.
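Two triage checks that follow from this thread, as an added example that is not from any poster or from ArcSight: flagging events whose Manager Receipt Time lags far behind End Time (cached events forwarded once the endpoint is back on the network, which skew trends), and counting "unknown event" rows per source table so an unparsed table such as EEADMIN stands out. The event records and their field names are constructed for the example; the connector's real field mapping and the "EPOEvents" label are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of events after the connector has mapped ePO rows.
# Field names are assumptions for this example, not ArcSight's schema.
SAMPLE_EVENTS = [
    {"name": "Virus detected", "table": "EPOEvents",
     "end": "2014-03-03 09:00:00", "receipt": "2014-03-03 09:00:45"},
    {"name": "unknown event", "table": "EEADMIN",
     "end": "2014-03-03 09:05:00", "receipt": "2014-03-03 09:05:30"},
    # Detection on a laptop away from the office, forwarded two days later.
    {"name": "Virus detected", "table": "EPOEvents",
     "end": "2014-03-01 18:20:00", "receipt": "2014-03-03 08:15:00"},
    {"name": "unknown event", "table": "EEADMIN",
     "end": "2014-03-03 09:10:00", "receipt": "2014-03-03 09:10:20"},
    {"name": "Agent activated", "table": "EPOEvents",
     "end": "2014-03-03 09:12:00", "receipt": "2014-03-03 09:12:10"},
]


def receipt_lag(event):
    """Seconds between End Time (on the endpoint) and Manager Receipt Time."""
    end = datetime.strptime(event["end"], FMT)
    received = datetime.strptime(event["receipt"], FMT)
    return (received - end).total_seconds()


def delayed_events(events, max_lag=timedelta(hours=1)):
    """Events delivered later than max_lag after they ended.

    Trends or queries keyed on receipt time will place these on the wrong
    day, so report them separately instead of treating them as fresh."""
    return [e for e in events if receipt_lag(e) > max_lag.total_seconds()]


def unknown_by_table(events):
    """Count 'unknown event' rows per source table."""
    return dict(Counter(e["table"] for e in events
                        if e["name"].lower() == "unknown event"))


def unknown_ratio_by_table(events):
    """Share of each table's rows the connector could not parse; a table
    at 1.0 (all rows unknown) points at a parser gap for that table."""
    totals = Counter(e["table"] for e in events)
    unknown = unknown_by_table(events)
    return {t: unknown.get(t, 0) / n for t, n in totals.items()}
```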