Commander

SmartConnector for McAfee ePO DB (version 5.10)

I installed SmartConnector version 7.13 to collect logs from McAfee ePO DB 5.10.

First I used the JDBC driver files listed below, but got the error "unable to detect database version".

sqljdbc42.jar = <ArcSight Home>/user/agent/lib

sqljdbc_auth.dll = <ArcSight Home>/jre/bin

Then I changed the JDBC driver files to the ones listed below, but got the error "java.lang.reflect.InvocationTargetException".

mssql-jdbc-8.2.2.jre11.jar = <ArcSight Home>/user/agent/lib

mssql-jdbc_auth-8.2.2.x64.dll = <ArcSight Home>/jre/bin

Has anyone ever seen this? What is the root cause?

Fleet Admiral

Hello,

Please try with SmartConnector 7.14.

Best Regards,

Daniel

Micro Focus Expert

Hello,

1. Here is the SmartConnector guide for McAfee ePolicy Orchestrator DB:

https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-McAfee-ePolicy-Orchestrator-DB/ta-p/1584952

2. SmartConnector v7.14 supports ePO DB 5.10.

3. Here is the link where you can find the compatibility between the DB version you have and the JDBC driver you can install:

https://docs.microsoft.com/en-us/sql/connect/jdbc/microsoft-jdbc-driver-for-sql-server-support-matrix?view=sql-server-2017

4. On page 5 of the SmartConnector guide you can find which modules (and module versions) this SmartConnector supports. Please configure the SmartConnector to collect events only from the modules you have (by default all modules are selected).

5. If you are using local DB authentication then you don't have to install the .dll file in the $ARCSIGHT_HOME\jre\bin directory.

Thanks,

Mladen

Commander

Here is the link where you can find compatibility between DB version you have and jdbc driver you can

I don't understand which DB version is compatible with which JDBC driver.

If I use MSSQL 2017, which JDBC driver should be downloaded?

 
 
 

 

 

Fleet Admiral

Hello,

For the second question, take a look at the table "SQL version compatibility" from https://docs.microsoft.com/en-us/sql/connect/jdbc/microsoft-jdbc-driver-for-sql-server-support-matrix?view=sql-server-2017 .

There is one more thing you need to take care of: the version of the JRE on the SM (page 9 of McAfeeEPOConfig.pdf).

When you download the JDBC driver, the version of the jar file depends on the version of the JRE the connector uses:
-  Version 7.2.1 and later use JRE 1.8 and require sqljdbc42.jar (available with Microsoft JDBC Driver 6.0 for SQL Server)

-  Version 7.1.2 and later use JRE 1.7 and require sqljdbc41.jar (available with Microsoft JDBC Driver 6.0 for SQL Server)

-  Prior versions, which run JRE 1.6, require sqljdbc4.jar (available with Microsoft JDBC Driver 4.0 for SQL Server)

 

Note: the java version for SM 7.14 is :

# <SM_PATH>/current/jre/bin/java -version
openjdk version "1.8.0_232"

I hope that all the information provided will help you.

Best Regards,

Daniel

Commander

Thanks for the information. I have used Connector 7.14, put sqljdbc42.jar into /$ArcSight_HOME/user/agent/lib, and selected the event types below [from the config guide]:

msms,tie_vse,hips,rsd,dxl,dlp,endpointsecurity,msme,driveencryption,solidcore,mcafee_agents,siteadvisor,mar,policyauditorrule,policyauditorfile

but found the error below

2020-04-14_10-30-34.png

and in agent.log 

[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][processQuery()] Failed to process query [[select max(AutoId) from SAEEvent]] on database URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], bitmechanic URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][processQuery()] Failed to process query [[select max(EventAutoID) from PAFileIntegrityEvents]] on database URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], bitmechanic URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][setDeviceConnectionState] Device connection to [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>|sa] down.(Unable to get max record for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], cannot continue.)
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][processQuery()] Failed to process query [[select max(AutoId) from RSDDetectedSource]] on database URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], bitmechanic URL[jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.sdk.b.a.v][run]
java.lang.RuntimeException: Unable to get max record for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], cannot continue.
at com.arcsight.agent.sdk.b.a.j.b(j.java:892)
at com.arcsight.agent.sdk.b.a.v.run(v.java:100)
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.sdk.b.a.v][run]
java.lang.RuntimeException: Unable to get max record for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], cannot continue.
at com.arcsight.agent.sdk.b.a.j.b(j.java:892)
at com.arcsight.agent.sdk.b.a.v.run(v.java:100)
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.sdk.b.a.v][run]
java.lang.RuntimeException: Unable to get max record for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], cannot continue.
at com.arcsight.agent.sdk.b.a.j.b(j.java:892)
at com.arcsight.agent.sdk.b.a.v.run(v.java:100)
[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.sdk.b.a.v][run]
java.lang.RuntimeException: Unable to get max record for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>], cannot continue.
at com.arcsight.agent.sdk.b.a.j.b(j.java:892)
at com.arcsight.agent.sdk.b.a.v.run(v.java:100)
[2020-04-14 10:52:43,565][WARN ][default.com.arcsight.agent.sdk.b.a.v][run] Waiting [60000] to retry initialization for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][WARN ][default.com.arcsight.agent.sdk.b.a.v][run] Waiting [60000] to retry initialization for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][WARN ][default.com.arcsight.agent.sdk.b.a.v][run] Waiting [60000] to retry initialization for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,565][WARN ][default.com.arcsight.agent.sdk.b.a.v][run] Waiting [60000] to retry initialization for [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>]
[2020-04-14 10:52:43,581][INFO ][default.com.arcsight.util.AgentUtil][logfuLog] WatchDog[TFM[3qqvIdnEBABCAArJhqMX5NQ==_00003]]: {3qqvIdnEBABCAArJhqMX5NQ==_00003.lastCheckpointTime=0, 3qqvIdnEBABCAArJhqMX5NQ==_00003RSClose.lastCheckpointTime=1586836358737}
[2020-04-14 10:52:43,581][INFO ][default.com.arcsight.util.AgentUtil][logfuLog] WatchDog[TFM[3qqvIdnEBABCAArJhqMX5NQ==_00005]]: {3qqvIdnEBABCAArJhqMX5NQ==_00005RSClose.lastCheckpointTime=1586836358737, 3qqvIdnEBABCAArJhqMX5NQ==_00005.lastCheckpointTime=0}
[2020-04-14 10:52:43,752][INFO ][default.com.arcsight.agent.loadable.agent._McAfeeEPODatabaseAgent][setDeviceConnectionState] Device connection to [jdbc:sqlserver://192.168.102.83:1433;DatabaseName=<DatabaseName>|sa] up.

Micro Focus Expert

Hello Moar,

Thanks for the update.

Do you have all these modules you mentioned (msms,tie_vse,hips,rsd,dxl,dlp,endpointsecurity,msme,driveencryption,solidcore,mcafee_agents,siteadvisor,mar,policyauditorrule,policyauditorfile) configured to send events to the DB?

What is the DB version?

How about running the queries manually on the DB, logging in with the same user that you used in the SmartConnector configuration? Does it work?

select max(AutoId) from SAEEvent

select max(EventAutoID) from PAFileIntegrityEvents

select max(AutoId) from RSDDetectedSource

 

Mladen

Commander

Hi Mladen, @Mladen 

Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)

Invalid object name 'SAEEvent'.

Invalid object name 'PAFileIntegrityEvents'.

Invalid object name 'RSDDetectedSource'.

Commander

All of the modules that they have are listed below.

dlp,endpointsecurity,mcafee_agents

No errors now.

Thanks.

0 Likes
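The manual check suggested in the thread (running the connector's max-id queries by hand) can be driven from agent.log itself. The following is an added example, not part of the original thread or of ArcSight's code: it extracts the tables named in "Failed to process query" lines and builds one T-SQL existence check to run as the connector's DB user. The sample log lines and the function names are constructed for illustration.

```python
import re

# Constructed sample in the agent.log format quoted in the thread
# (192.0.2.10 is a documentation address, not the poster's server).
_PREFIX = ("[2020-04-14 10:52:43,565][ERROR][default.com.arcsight.agent.loadable"
           ".agent._McAfeeEPODatabaseAgent][processQuery()] ")
_URL = " on database URL[jdbc:sqlserver://192.0.2.10:1433;DatabaseName=<DatabaseName>]"
SAMPLE_LOG = "\n".join([
    _PREFIX + "Failed to process query [[select max(AutoId) from SAEEvent]]" + _URL,
    _PREFIX + "Failed to process query [[select max(EventAutoID) from PAFileIntegrityEvents]]" + _URL,
    "[2020-04-14 10:52:43,565][WARN ][default.com.arcsight.agent.sdk.b.a.v][run] "
    "Waiting [60000] to retry initialization",
    # The connector retries, so the same failure shows up again later in the log.
    _PREFIX + "Failed to process query [[select max(AutoId) from SAEEvent]]" + _URL,
    _PREFIX + "Failed to process query [[select max(AutoId) from RSDDetectedSource]]" + _URL,
])

FAILED_QUERY = re.compile(
    r"Failed to process query \[\[select max\((\w+)\) from (\w+)\]\]", re.IGNORECASE)

def failed_tables(log_text):
    """Map each table in a failed max-id query to its id column, first-seen order."""
    tables = {}
    for column, table in FAILED_QUERY.findall(log_text):
        tables.setdefault(table, column)  # de-duplicate retries
    return tables

def existence_check_sql(tables):
    """Build one T-SQL statement that reports which of the tables exist.

    Names come from the word-character capture above, so embedding them as
    string literals cannot break out of the quotes.
    """
    if not tables:
        raise ValueError("no failed max-id queries found in the log")
    rows = ",\n    ".join(f"('{name}')" for name in tables)
    return ("SELECT t.name,\n"
            "       CASE WHEN OBJECT_ID(t.name) IS NULL\n"
            "            THEN 'missing' ELSE 'present' END AS status\n"
            f"FROM (VALUES\n    {rows}\n) AS t(name);")

if __name__ == "__main__":
    print(existence_check_sql(failed_tables(SAMPLE_LOG)))
```

A table reported as missing corresponds to the "Invalid object name" result seen above; the connector's module selection then needs to be narrowed to the modules whose tables are present.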