Hi,
As far as I remember (but we used certs from an internal company cert authority instead of self-signed), when you configure TLS (Syslog Server QRadar Authentication) only, you need the root cert of QRadar in the trusted store of ePO only.
If you choose (Syslog Client Auth, the ePO), you need the root cert of the ePO in the QRadar trust store as well.
You can find the CLI commands here:
QRadar: Custom SSL certificate troubleshooting
There is also an App available to manage the certs on QRadar:
QRadar Certificate Management
IBM Security App Exchange - QRadar Certificate Management - QRadar v7.3.3 FP6+/7.4.2+
The QRadar-side TLS config and the option for Gateway Log Source are described here:
TLS Syslog protocol configuration options
Kindly
Martin
------------------------------
Martin Schmitt
------------------------------
Original Message:
Sent: Tue January 11, 2022 04:37 AM
From: benlinux
Subject: McAfee ePO integration using TLS syslog
Hello Martin,
Thank you for your response.
I'm using the generated cert (syslog-tls.cert) from QRadar, and if I get you correctly, are you saying I need to import this certificate into the McAfee ePO?
If that is the case, there seems to be no documentation from McAfee on how to import the cert into the ePO; rather, I can only find a technote (see the link below) saying you don't need to import the certificate into ePO.
https://kc.mcafee.com/corporate/index?page=content&id=KB91194
Thank You,
------------------------------
benlinux
Original Message:
Sent: Tue January 11, 2022 03:13 AM
From: Martin Schmitt
Subject: McAfee ePO integration using TLS syslog
Hello,
We did it at 2 installations with the Gateway Log Source function and it is working. Depending on which certificates you use (self-issued from QRadar or from an internal CA), you have to install them vice versa.
Kindly
Martin
------------------------------
Martin Schmitt
Original Message:
Sent: Mon January 10, 2022 07:22 AM
From: benlinux
Subject: McAfee ePO integration using TLS syslog
Hello QRadar Experts,
Has anyone successfully integrated McAfee ePO using the TLS syslog? Do I need to import a certificate into the ePO server, because the technote below from McAfee says there is no need to import a certificate from the QRadar syslog server into the ePO after registering the syslog server on the ePO?
https://kc.mcafee.com/corporate/index?page=content&id=KB91194
However, after the integration, the log source is shown with a status of "NA", and from the tcpdump command I can see logs from the same log source.
I also checked the qradar.error file, where I can see a message "unable to automatically detect the log source<ip_of_epo>, and closing sockets".
Kindly assist.
------------------------------
benlinux
------------------------------
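
The trust-store directions described in the first reply of this thread, shown as an added example that is not part of the original posts and is not QRadar or ePO tooling. It builds two constructed root CAs with `openssl` (the names `qradar`, `epo`, `qradar-syslog` and `epo-client` are placeholders) and checks which root each side's trust store must hold for server authentication and for client authentication.

```shell
#!/usr/bin/env bash
# Added example: constructed CAs and certificates, not real QRadar or ePO material.
set -u
WORK="$(mktemp -d)"   # scratch directory, left in place for inspection

# make_ca NAME: self-signed root standing in for the issuer on one side
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 root (constructed)" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# make_leaf CA NAME: end-entity certificate NAME issued by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# trusts STORE_CA LEAF: succeeds when a trust store holding only STORE_CA accepts LEAF
trusts() {
  openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# check LABEL EXPECTED STORE_CA LEAF: print the outcome, return 0 if it matches EXPECTED
check() {
  local got=fail
  trusts "$3" "$4" && got=ok
  printf '%-50s %s\n' "$1" "$got"
  [ "$got" = "$2" ]
}

make_ca qradar; make_ca epo
make_leaf qradar qradar-syslog   # certificate the TLS syslog listener presents
make_leaf epo epo-client         # certificate ePO presents when client auth is enabled

run_checks() {
  local rc=0
  check "server auth: ePO store holds QRadar root"  ok   qradar qradar-syslog || rc=1
  check "server auth: ePO store lacks QRadar root"  fail epo    qradar-syslog || rc=1
  check "client auth: QRadar store holds ePO root"  ok   epo    epo-client    || rc=1
  check "client auth: QRadar store lacks ePO root"  fail qradar epo-client    || rc=1
  return $rc
}
run_checks
```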