How to set up an example syslog server for use with ePolicy Orchestrator
Technical Articles ID:   KB87927
Last Modified:  6/11/2019

Environment

McAfee ePolicy Orchestrator (ePO) - all supported versions

For details of ePO supported environments, see KB51569.

Summary

ePO 5.3.2 introduced the ability to forward received threat events directly to a syslog server, which is defined in ePO as a Registered Server. This article guides you through setting up a syslog server in a Windows environment for use in testing.

NOTE: This article is not intended to be definitive. There are many different syslog implementations on Windows and various types of UNIX; this article is intended as a quick guide to help ePO administrators set up a Windows syslog environment for testing.

Prerequisites
Before you begin, you must have an ePO 5.9 installation, or an ePO 5.3.2 installation with Hotfix 1185471 applied. Without Hotfix 1185471 applied to ePO 5.3.2, you can complete the installation of the syslog server, but ePO is not able to communicate with the syslog server.

IMPORTANT: If you use ePO 5.3.2 with Hotfix 1185471 applied, and you have additional Agent Handlers, an extra step is required. In this scenario, you must replace two files on the Agent Handler with the Hotfix versions taken from the McAfee ePO server. See KB87469 for details.

NOTE: The ePO platform provides the technical mechanism to support the integration of third-party syslog servers, but the setup, configuration, or troubleshooting of third-party syslog servers is not supported.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

For the purposes of this article, the following software is required:
  • Bitnami Elk Stack: A bundled installation of Elasticsearch, Logstash, and Kibana. In this setup Logstash is the syslog receiver, Elasticsearch stores the events, and Kibana displays them:

    https://bitnami.com/stack/elk

    The current version, at the time of writing this article, is 5.6.3.0.

  • OpenSSL: Required to generate a certificate, because ePO communicates with the syslog server only over an encrypted connection. Specifically, the ePO syslog integration is supported only for TCP receivers using TLS that follow RFC 5424 (the syslog message format) and RFC 5425 (syslog over TLS, as implemented by receivers such as syslog-ng):

    https://slproweb.com/products/Win32OpenSSL.html

On the system that hosts the syslog server:
  1. Install OpenSSL and accept the defaults (for example, install to the default directory, C:\OpenSSL-Win32).
  2. Install Bitnami Elk Stack and accept the defaults (for example, install to the default directory, C:\Bitnami\elk-5.6.3-0).
  3. At the end of the installation, select the Launch Bitnami Elk Stack option and click OK.
    A web browser and the Bitnami Elk Stack management tool open.
  4. Close the web browser. In the management tool, click the Manage Servers tab, and click Stop All to stop the Elk Stack services.
  5. Generate a self-signed certificate for the syslog server:
    1. Open an admin command prompt.
    2. Change directory (CD) to: C:\OpenSSL-Win32\bin
    3. Run the following command:

      openssl req -newkey rsa:2048 -nodes -keyout C:\syslogselfsigned.key -x509 -days 365 -out C:\syslogselfsigned.crt -config openssl.cfg

      NOTE: You can change the path and file names for -keyout and -out if needed. You can also adjust the -days option, which defines how long the certificate is valid. For this example, it is set to 365 days.
  6. Type the relevant information, such as country code, when prompted. For the common name, enter the fully qualified domain name (FQDN) of the syslog server, exactly as you will later enter it in ePO when you add the Registered Server.
    This step generates C:\syslogselfsigned.crt and C:\syslogselfsigned.key.
  7. Create a folder named SSL in C:\Bitnami\elk-5.6.3-0\logstash.
  8. Copy (or move) C:\syslogselfsigned.crt and C:\syslogselfsigned.key to the C:\Bitnami\elk-5.6.3-0\logstash\SSL folder.
  9. Edit C:\Bitnami\elk-5.6.3-0\logstash\conf\logstash.conf. Replace the existing content with the following, and save the file:

    input {
      tcp {
        # 6514 is the IANA-assigned port for syslog over TLS (RFC 5425).
        port => 6514
        # Certificate and key generated in step 5 and copied in step 8.
        ssl_cert => 'c:\bitnami\elk-5.6.3-0\logstash\ssl\syslogselfsigned.crt'
        ssl_key => 'c:\bitnami\elk-5.6.3-0\logstash\ssl\syslogselfsigned.key'
        ssl_enable => true
        # false: do not require or verify a client certificate from ePO.
        # Only the receiver is authenticated; fine for a test environment.
        ssl_verify => false
      }
    }

    output {
      elasticsearch {
        # Elasticsearch from the same Bitnami Elk Stack, listening locally.
        hosts => ["127.0.0.1:9200"]
      }
    }
     
  10. If you changed the path or file names of the certificate or key in step 5, set the matching ssl_cert and ssl_key values in logstash.conf. If you did not change them, go to the next step.
  11. In the Elk Stack management tool, click the Manage Servers tab, and click Start All to start the services.
  12. Click the Welcome tab, and click Go To Application. This step starts the Elk console in a web browser. Click Access ELK and enter the credentials you specified during the installation. The Kibana interface is displayed.
    The message Configure an index pattern displays.
  13. For the purposes of testing, create an "everything" pattern. Deselect the Index contains time-based events option and enter an asterisk * in the Index name or pattern field.
    The Create button now displays.
  14. Click Create to create a pattern named *.
  15. Click the Discover tab on the left option bar, where all events are displayed. Only a single entry is present at this point.
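Before involving ePO, it is worth confirming that the receiver really accepts a TLS connection, presents the certificate you generated, and stores what it receives. The following Python script is an added example and is not McAfee or Bitnami code. It builds an RFC 5424 message, frames it with the RFC 5425 octet-counting framing that a TLS syslog sender uses, and sends it to the receiver over TLS, verifying the receiver's certificate against the self-signed certificate from step 5. The host name syslog.example.local, the sending host name epo01.example.local, and the path C:\syslogselfsigned.crt are assumptions; set SYSLOG_HOST to the FQDN you typed as the common name, because the hostname check compares it with the certificate.

```python
"""Test client for the Logstash TLS syslog receiver configured above.

Builds an RFC 5424 message, frames it per RFC 5425 (octet counting), and sends
it over TLS, verifying the receiver's certificate against the self-signed
certificate from step 5. Added example; not McAfee or Bitnami code.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed values for this example; change them to match your environment.
SYSLOG_HOST = "syslog.example.local"      # must equal the CN typed in step 6
SYSLOG_PORT = 6514                        # the port set in logstash.conf
CA_FILE = r"C:\syslogselfsigned.crt"      # the certificate generated in step 5

NILVALUE = "-"


def build_rfc5424(priority, hostname, appname, msgid, msg, timestamp=None):
    """Return a minimal RFC 5424 message with no PROCID and no STRUCTURED-DATA.

    PRI = facility * 8 + severity, e.g. user.info = 1 * 8 + 6 = 14.
    """
    if not 0 <= priority <= 191:
        raise ValueError("PRI must be facility*8+severity, in the range 0..191")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    header = f"<{priority}>1 {timestamp} {hostname} {appname} {NILVALUE} {msgid}"
    return f"{header} {NILVALUE} {msg}"


def frame_rfc5425(syslog_msg):
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG.

    MSG-LEN counts octets of the UTF-8 encoded message, not characters.
    """
    body = syslog_msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def parse_rfc5425(stream):
    """Receiver-side counterpart: split a byte stream of frames into messages."""
    messages = []
    pos = 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        if start + length > len(stream):
            raise ValueError("truncated frame")
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


def send_test_event(message, host=SYSLOG_HOST, port=SYSLOG_PORT, cafile=CA_FILE):
    """Send one framed message over TLS; return (TLS version, server subject).

    The receiver is configured with ssl_verify => false, so it does not ask for
    a client certificate; only the server is authenticated, against CA_FILE.
    The hostname check compares `host` with the certificate's CN/SAN, so
    connect by the same FQDN that you typed as the common name.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # The Logstash tcp input above uses its default line codec, so a trailing
    # newline makes it emit the event immediately rather than wait for more data.
    payload = frame_rfc5425(message) + b"\n"
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    event = build_rfc5424(14, "epo01.example.local", "ePO", "TestEvent",
                          "manual syslog receiver check")
    print(send_test_event(event))
```

Run it from any host that can resolve the receiver's FQDN, then refresh the Kibana Discover tab: the message field of the new entry holds the framed line. If the TLS handshake fails with a certificate verification error, the name you connected to does not match the common name in the certificate, or CA_FILE is not the certificate the receiver is actually serving; both are the same mistakes that will break the ePO Test Connection step later.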

On the McAfee ePO server:
  1. Configure your McAfee ePO server to use the newly created syslog server:
    1. Add a new Registered Server and select Syslog for the type.
    2. Enter the FQDN of the syslog server.
    3. Enter 6514 for the port, or whatever port was specified in logstash.conf, if it was changed.
  2. Click Enable event forwarding.
  3. Click Test Connection.
    You see a Syslog connection success message. If you refresh the Kibana console on the syslog server, you also see that the test event from the McAfee ePO server has been received.
  4. On the McAfee ePO server, click Save to save the syslog Registered Server.

    All threat events received by ePO are now automatically forwarded to the syslog server.
