How to use Syslog Forwarding to get events from one Enterprise Security Manager to another
Technical Articles ID: KB81501
Last Modified: 3/29/2018

Environment

McAfee SIEM Enterprise Security Manager (ESM) 10.x.x
McAfee SIEM Enterprise Event Receiver (Receiver) 10.x.x

Summary

This article describes how to configure the McAfee SIEM ESM to forward events from one ESM to another.

Add CEF Event forwarding on the sending ESM
  1. In the ESM Properties, click Event Forwarding > Add.
  2. Add all appropriate information. For example:
     
    • Format = Syslog (Common Event Format)
    • Select Send packet if you require the raw packet on the receiving end. Also, for the packet to work, you must turn on Copy packet in the policy.
      NOTE: Do not enable Copy packet for all rules. Instead, select an event that has triggered, then click Open > Show Rule. With the policy opened, set Copy packet to Enabled, then roll out the policy.
       
  3. Save your changes.
  4. Export your current data source list from the Receiver Properties, by clicking Data Sources > Export. This action produces the .csv file that you will use in the next steps.
When these steps are complete, all events parsed by the SIEM are forwarded, and you are ready to import your data source list. 


Import the data source list on the new Receiver
 
  1. Obtain the Receiver ID for the new Receiver:
    1. Open the Receiver properties to get the Receiver ID.
    2. Under Name and Description, copy the ID. (It looks similar to 14411628758746548).
       
  2. Open your .csv file in your text editor.
    NOTE: Do not open the .csv file in Microsoft Excel. Use a text editor such as Notepad++ for best results.
     
  3. The first column (op) is blank. Add the keyword add to this column. Enter the same keyword in each row except the first one (the header row).
  4. The second column (rec_id) contains the Receiver ID of the Receiver that you performed the export on. Replace the Receiver ID with the one previously obtained. Again, you need to replace the Receiver ID for each row except the first one. For example:

    add, 14411628758746548 …..

     
  5. Save the file when you are finished.
  6. Import the data sources on the SIEM Receiver by opening Receiver Properties and clicking Data Sources > Import.
  7. When the import is finished, add one last data source. The data source must be as follows:
    • Vendor: ArcSight
    • Model: Common Event Format (ASP)
    • IP address: IP address of sending ESM
    • (Fill in the rest as needed)
       
  8. Write out data sources and push the policy.
You now see events on the new SIEM Receiver just as they appeared on the original Receiver.
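Steps 2 through 5 above (fill the op column with add and replace rec_id with the new Receiver ID on every row except the header) can be done with a script instead of by hand, which also avoids the Excel formatting problem the note warns about. The following is an added example, not McAfee's own tooling; the sample export is constructed, and only the op and rec_id column names come from this article, the remaining columns are placeholders.

```python
import csv
import io

# Constructed sample of a Receiver data source export. Only the first two
# column names (op, rec_id) are documented in the article; name and
# ip_address are placeholder columns standing in for the rest of the export.
SAMPLE_EXPORT = """op,rec_id,name,ip_address
,14411628758746548,DC01-winevents,10.0.0.11
,14411628758746548,fw-edge,10.0.0.1
"""


def rewrite_export(csv_text: str, new_rec_id: str, op: str = "add") -> str:
    """Return a copy of the export in which every data row (never the header)
    has op set to `op` and rec_id replaced by `new_rec_id`."""
    if not new_rec_id.strip():
        raise ValueError("new Receiver ID must not be empty")
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("export is empty")
    header = rows[0]
    # Guard against editing the wrong file: the export must start with op, rec_id.
    if [c.strip() for c in header[:2]] != ["op", "rec_id"]:
        raise ValueError(f"unexpected header columns {header[:2]!r}; expected op, rec_id")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for row in rows[1:]:
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank trailing lines that some exports carry
        row[0] = op
        row[1] = new_rec_id
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python rewrite_export.py exported.csv import.csv <new_receiver_id>
    import sys
    src, dst, rec_id = sys.argv[1:4]
    with open(src, newline="", encoding="utf-8") as f:
        text = f.read()
    with open(dst, "w", newline="", encoding="utf-8") as f:
        f.write(rewrite_export(text, rec_id))
```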
