Logging with McAfee ePO
Our company uses McAfee's ePO. However, since well before I started this job, we have not been pulling the logs. To meet PCI compliance I am now working with our admins to get this logging to work. As I understand it we have our ePO container within our connector appliance. This contains information to connect to a database that stores the events from ePO and retrieve the logs. Assuming that is correct, at least from a high level perspective, I have a question. Do I need to install the JDBC driver on the server where the database resides? I'm sure more questions will come up as ePO is new to me, but any help to get things moving would be great! Thanks!
I've had this connector running for quite some time now and did have to install the JDBC driver in order to get it working on our systems.
Let me know if you have any other questions.
When the client machines are able to connect to the ePO server they forward their events using the ePO client. If they have detections while away from the office they will forward the cached events to the ePO server once back on your network. This can cause a large difference between End Time and Manager Receipt Time which should be remembered when creating trends and querying for events.
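An added illustration of the End Time versus Manager Receipt Time point above, not code from the original thread; it uses constructed sample events, and the field names endTime and managerReceiptTime are assumed ArcSight-style names:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, not real ePO data. The field names endTime and
# managerReceiptTime follow ArcSight naming and are an assumption here.
SAMPLE_EVENTS = [
    {"name": "Detected", "endTime": "2014-03-03T09:15:00",
     "managerReceiptTime": "2014-03-03T09:16:10"},          # forwarded promptly
    {"name": "Detected", "endTime": "2014-03-01T22:40:00",
     "managerReceiptTime": "2014-03-04T08:02:00"},          # cached while off-network
    {"name": "Detected", "endTime": "2014-03-02T11:00:00",
     "managerReceiptTime": "2014-03-04T08:02:05"},          # cached while off-network
    {"name": "Detected", "endTime": "2014-03-04T14:30:00",
     "managerReceiptTime": "2014-03-04T14:30:45"},          # forwarded promptly
]


def receipt_lag(event):
    """Delay between the detection (End Time) and ArcSight receiving it."""
    return (datetime.fromisoformat(event["managerReceiptTime"])
            - datetime.fromisoformat(event["endTime"]))


def split_by_lag(events, max_lag=timedelta(hours=1)):
    """Separate promptly forwarded events from ones replayed from the agent cache."""
    prompt = [e for e in events if receipt_lag(e) <= max_lag]
    delayed = [e for e in events if receipt_lag(e) > max_lag]
    return prompt, delayed


def daily_trend(events, field):
    """Count events per calendar day keyed on the chosen timestamp field."""
    days = Counter(e[field][:10] for e in events)
    return dict(sorted(days.items()))
```

Trending on managerReceiptTime piles the cached detections onto the day the machine reconnected, while keying on endTime places them on the day they actually happened.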
Ok, when I search in ArcSight for deviceVendor = "Mcafee" AND deviceProduct = "ePolicy Orchestrator" I get results and can see they are coming in from various hosts. However, there isn't anything helpful as far as seeing what events happened. It simply says "unknown event." I also tried to generate some log entries by attempting to disable my McAfee process. I can see it in my local log and I went to the agent status monitor to send events. I then searched in ArcSight and that event wasn't there. Any thoughts?
I haven't encountered any issues with unknown events on our systems. I'd make sure that your versions and configuration follow the connector documentation and check the connector logs for any errors, and if this doesn't solve your issue I would open a support ticket.
You may also want to use an EICAR test file to validate your AV detections. Search for EICAR and you will find the string that needs to be inserted into a text file to trigger the AV detection test.
Was this issue resolved? I see unknown events on my system as well. It seems only some from the EEADMIN table. I see events from other tables fine. EEADMIN is the table encryption events go to. It seems encryption events don't get read properly by the connector.