ngerbino

Smart Connector for McAfee ePO Questions

The documentation for the ePO connector clearly states data mapping fields for ePO Product Events and Host DLP. However, these events do not show up at all. We have a working ePO connector collecting virusscan events and we have specified to collect hdlp and epoproductevents, but no events are collected. Several posts have pointed out that these events are in separate tables not queried or parsed by ArcSight.

The question is then why they are in the documentation. And yes, ArcSight Support, we are running the most current version of the connector.

Accepted Solutions
sanhyongt1

Hi Nick,

I am using McAfee ePO 4.6.6, HDLP 9.2, McAfee ePO SmartConnector (v6.0.5) and can confirm that epoproductevents and hdlp events are retrieved correctly.

What version of McAfee ePO and Host DLP are you using?

If I am not wrong, the Host DLP events are queried from a table which shows the list of [Threat Events].

You may want to try

1) Re-check and confirm your ODBC connection settings (ODBC name, user credential, any password changed?) and status

2) Re-run runagentsetup.bat, proceed to the epo product parameters section and ensure there is no error while going through the setup

----- OR if it is not the above issue,

1) Tail the agent.log/agent.out.wrapper.log

2) Restart the McAfee ePO SmartConnector

3) Check for any errors in agent.log/agent.out.wrapper.log

4) Generate an HDLP event, e.g. Device Plug

5) Ensure this HDLP event appears on the McAfee ePO Threat Event Dashboard

6) Check for any errors in the logs again.

ngerbino

We are running McAfee ePO 4.6.6 and HDLP 9.1.210.1 and the SmartConnector is the latest - 4.07.

I will try your suggestions. Thanks for the response.

Question - How are you filtering on just the epoproductevents to report on versions of ePO and DATS?

Nick

vdor

Which version of the connector are you using? I think the latest is actually 6.0.6.6865.0

ngerbino

6.07

Nick Gerbino | Senior Information Security Analyst | CISSP

CarMax, Inc. | 12800 Tuckahoe Creek Parkway, Richmond, Virginia 23238

Office: (804) 747-0422 x6224 | Mobile: (804) 839-9987

Email: Nick_J_Gerbino@carmax.com

ngerbino

I did as suggested and did not see any error messages in the agent.log or agent.out.wrapper log files. I can see in the agent.out.wrapper log file where it is connecting to the ePO database and detecting versions of the products we are running.

epo_connector.png

vdor

Nick,

What I like to do in these instances is look through the agent.log and find the select query that the connector is using to retrieve the events. I then go into SQL Server Management Studio and run that query on the appropriate DB/tables to see if it returns anything. This ensures that the tables the connector is set up to look at are actually populated, so you can then rule out database problems or actual ePO issues which might result in no (recent) events.

Oftentimes I've found that even though the ePO modules are installed and the tables exist in the DB, they may not necessarily be utilized by the ePO admins, so there just aren't any events.

You should be able to find the select query somewhere early in the log when the connector is first started. You'll see a query that selects some sort of row ID to get the database version, and then you should see one that actually selects events based off a variable like time or ID.

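A small helper for the approach vdor describes, added here as an example rather than code from the thread or from ArcSight: it pulls the SELECT statements out of an agent.log excerpt, tells the version probe from the event fetch, and substitutes the logged bound value so each query can be pasted into SQL Server Management Studio as-is. The log line layout and the table and column names are constructed assumptions, not the real connector format or the ePO schema.

```python
import re
from typing import List, Optional

# Constructed agent.log excerpt. Line layout, table names and column names are
# placeholders for illustration, not the real SmartConnector format or ePO schema.
SAMPLE_AGENT_LOG = """\
[2014-03-10 09:12:01][INFO ][McAfeeEpoDbAgent] Connecting via ODBC DSN epo_dsn
[2014-03-10 09:12:02][DEBUG][McAfeeEpoDbAgent] Executing: SELECT TOP 1 SchemaVersion FROM dbo.DbVersionTable
[2014-03-10 09:12:02][DEBUG][McAfeeEpoDbAgent] Detected ePO schema version 4.6
[2014-03-10 09:12:03][DEBUG][McAfeeEpoDbAgent] Executing: SELECT AutoID, ReceivedUTC, ThreatName FROM dbo.ThreatEventsTable WHERE AutoID > ? ORDER BY AutoID
[2014-03-10 09:12:03][DEBUG][McAfeeEpoDbAgent] Bound parameter 1 = 118203
[2014-03-10 09:12:04][DEBUG][McAfeeEpoDbAgent] Executing: SELECT EventID, StartTime, EventName FROM dbo.ProductEventsTable WHERE StartTime > ? ORDER BY StartTime
[2014-03-10 09:12:04][DEBUG][McAfeeEpoDbAgent] Bound parameter 1 = 2014-03-09 09:12:04
[2014-03-10 09:12:05][INFO ][McAfeeEpoDbAgent] Fetched 0 rows for productevents
"""

SELECT_RE = re.compile(r"(SELECT\b.*)$", re.IGNORECASE)
PARAM_RE = re.compile(r"Bound parameter \d+ = (.+)$")
# A "WHERE <col> > ?" clause marks the incremental event fetch keyed on an ID or time.
WATERMARK_RE = re.compile(r"WHERE\s+(\w+)\s*(>=?)\s*\?", re.IGNORECASE)


def classify(query: str) -> str:
    """Distinguish the schema/version probe from the event-retrieval query."""
    if WATERMARK_RE.search(query):
        return "event fetch"
    if re.search(r"version", query, re.IGNORECASE):
        return "version probe"
    return "other"


def extract_queries(log_text: str) -> List[dict]:
    """Walk the log once; pair each SELECT with the bound value logged after it."""
    found: List[dict] = []
    for line in log_text.splitlines():
        m = SELECT_RE.search(line)
        if m:
            query = m.group(1).strip()
            found.append({"query": query, "kind": classify(query), "param": None})
            continue
        p = PARAM_RE.search(line)
        if p and found and found[-1]["param"] is None:
            found[-1]["param"] = p.group(1).strip()
    return found


def runnable_query(entry: dict) -> str:
    """Inline the bound value: numeric watermarks stay bare, others become quoted literals."""
    param: Optional[str] = entry["param"]
    if param is None:
        return entry["query"]
    literal = param if param.isdigit() else "'" + param.replace("'", "''") + "'"
    return entry["query"].replace("?", literal, 1)
```

Running the substituted event-fetch query in SSMS against the connector's database answers the question in this post directly: a result set proves the table is populated past the connector's watermark, and an empty one points at ePO rather than the connector.
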
paulnip1

Hi Nick,

Any luck on getting the McAfee DAT version? I'm running Logger 5.5.0.7067.1 and connector 7.0.7.7279.0 and I'm having the same problem. Our ePO is running 5.1 and VSE is version 8.8. Field mapping for DAT version according to the ArcSight documentation is not giving me any information. My device custom string values are giving me the following:

Device Custom String 4: OAS

Device Custom String 4 Label: Analyzer Detection Method

Device Custom String 6: Blank

Device Custom String 6 Label: DATVersion (but no version number)

Any suggestions are greatly appreciated.

Paul

ngerbino

Paul

Yes. We are getting the DAT version in the Device Version field.
Connector is 6.4.0.6661.0

ePO is 4.6.8

VSE is 8.8


Hope this helps

Capture.JPG

paulnip1

Hi Nick,

Thank you very much for your quick reply. However, I’m seeing the following in my logger, any suggestion? I had restarted the Smart connector.

Regards

Paul

ngerbino

Paul

I think I see where our disconnect is. What ePO events are you looking at?

I get the data for DAT correctly when looking at an event whose Name is "Update Task".

Capture1.JPG


paulnip1

Hi Nick,

Thanks again for your reply. I couldn't see any "Update Task" under event "Name". I'm only seeing "Port blocking rule violation detected and NOT blocked" and "Access protection rule violation detected and NOT blocked" categories. Did I miss something in the SmartConnector configuration?

Capture2.JPG

Best regards

Paul

ngerbino

Paul

In your connector configuration, do you have the "event types" set to include epoproductevents? This is on the Connector Appliance under Manage, looking at the ePO Connector.

paulnip1

Hi Nick,

I did. I had selected the following 4 items:

virusscan

eporollup

epoproductevents

solidcore

Thanks again

Paul
