IBM Security QRadar

  • 1.  McAfee ePO integration using TLS syslog

    Posted Mon January 10, 2022 07:22 AM
    Hello QRadar Experts,

    Has anyone successfully integrated McAfee ePO using TLS syslog? Do I need to import a certificate into the ePO server? The technote from McAfee below says there is no need to import the certificate from the QRadar syslog server into ePO after registering the syslog server on the ePO.

    https://kc.mcafee.com/corporate/index?page=content&id=KB91194

    However, after the integration, the log source is shown with a status of "NA", and with the tcpdump command I can see logs from the same log source.

    I also checked the qradar.error file, and I can see the message "unable to automatically detect the log source <ip_of_epo>, and closing sockets".

    Kindly assist.

    ------------------------------
    benlinux
    ------------------------------


  • 2.  RE: McAfee ePO integration using TLS syslog

    Posted Tue January 11, 2022 03:13 AM
    Hello,

    We did it at two installations with the Gateway Log Source function and it is working. Depending on which certificates you use (self-issued from QRadar or from an internal CA), you have to install them vice versa.

    Kindly
    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 3.  RE: McAfee ePO integration using TLS syslog

    Posted Tue January 11, 2022 04:37 AM
    Hello Martin,

    Thank you for your response.

    I'm using the generated cert (syslog-tls.cert) from QRadar, and if I understand you correctly, you are saying I need to import this certificate into the McAfee ePO.

    If that is the case, there seems to be no documentation from McAfee on how to import the cert into the ePO; rather, I can only find a technote (see the link below) saying you don't need to import the certificate into ePO.
    https://kc.mcafee.com/corporate/index?page=content&id=KB91194

    Thank You,


    ------------------------------
    benlinux
    ------------------------------



  • 4.  RE: McAfee ePO integration using TLS syslog

    Posted Tue January 11, 2022 06:58 AM
    Hi,

    As far as I remember (but we used certs from an internal company certificate authority instead of self-signed ones), when you configure TLS with server authentication only (Syslog Server QRadar Authentication), you only need the root cert of QRadar in the trusted store of ePO.
    If you choose client authentication as well (Syslog Client Auth, the ePO), you also need the root cert of the ePO in the QRadar trust store.
    You can find the CLI commands here:
    QRadar: Custom SSL certificate troubleshooting
    There is also an app available to manage the certs on QRadar:
    QRadar Certificate Management
    IBM Security App Exchange - QRadar Certificate Management - QRadar v7.3.3 FP6+/7.4.2+
    The QRadar-side TLS config and the option for Gateway Log Source are described here:
    TLS Syslog protocol configuration options
    Kindly
    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 5.  RE: McAfee ePO integration using TLS syslog

    Posted Tue January 18, 2022 03:52 AM
    Hello Experts,

    After the integration of McAfee ePO v5.10 with QRadar using TLS syslog, I noticed that the events are not parsed/mapped.

    I drilled into some of the events, and the payload appears as shown below.


    Kindly assist if you have resolved this issue.

    ------------------------------
    benlinux
    ------------------------------



  • 6.  RE: McAfee ePO integration using TLS syslog

    Posted Fri June 17, 2022 10:25 AM
    I have the same situation. According to my research, even if the log source type "McAfee ePolicy Orchestrator" is selected, logs are only parsed if collected via JDBC or SNMP; otherwise you need to modify the parser. This information is from my personal research and needs to be verified.

    ------------------------------
    Ahmet Seker
    ------------------------------



  • 7.  RE: McAfee ePO integration using TLS syslog

    Posted Thu June 23, 2022 09:39 AM
    Hello,

    I resolved the same issue by changing the DSM parser for McAfee ePO.

    ------------------------------
    Roman Gugnyak
    ------------------------------



  • 8.  RE: McAfee ePO integration using TLS syslog

    Posted Thu June 23, 2022 09:56 AM
    Edited by benlinux Thu June 23, 2022 09:56 AM
    Hello, 

    I am using 5.10, and according to the IBM doc, JDBC and SNMP are not supported; only TLS is supported.

    Also, I have updated the DSM as suggested by the IBM support team, and the issue was not resolved. I don't think it has anything to do with the DSM. The DSM is there to parse the payload, not to fix the issue of the payload not being readable.

    The issue here is that my payload is unreadable. This is not a parsing issue.

    Thank You,

    ------------------------------
    benlinux
    ------------------------------
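The thread ends with the distinction between a parsing problem (a DSM that does not recognise a readable payload) and a transport problem (bytes arriving that are not readable syslog at all). The following Python is an added example, not code from the thread or from IBM or McAfee, showing how a first-bytes check from a capture can tell the two apart: a TLS record header (content type, then protocol version 0x03 0x0N) means the data was never decrypted by the receiving port, whereas RFC 5425 octet-counted framing ("LEN SP <PRI>...") or a bare "<PRI>" prefix means plaintext syslog that a DSM should be able to read. All sample byte strings are constructed for the example; the helper names are my own.

```python
import re

# TLS record-layer content types (RFC 5246 / RFC 8446). A record starts with one of
# these bytes followed by a 0x03 0x0N legacy version and a 16-bit length.
TLS_CONTENT_TYPES = {
    0x14: "change-cipher-spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application-data",
}

# Syslog severity names, index == numeric severity (RFC 5424 section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def classify_payload(data: bytes) -> str:
    """Label the first bytes read from a syslog socket.

    'tls-*'               : a TLS record; the collector port received ciphertext
                            (wrong port/protocol pairing, or decryption never happened)
    'syslog-octet-counted': RFC 5425 framing, plaintext that a DSM can parse
    'syslog-plain'        : bare RFC 3164/5424 message starting with <PRI>
    'unknown'             : neither, worth inspecting by hand
    """
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls-" + TLS_CONTENT_TYPES[data[0]]
    if re.match(rb"\d{1,5} <\d{1,3}>", data):
        return "syslog-octet-counted"
    if re.match(rb"<\d{1,3}>", data):
        return "syslog-plain"
    return "unknown"


def split_octet_counted(stream: bytes) -> list:
    """Split an RFC 5425 stream ("MSG-LEN SP SYSLOG-MSG" repeated) into messages.

    Raises ValueError on a malformed or truncated frame instead of silently
    emitting garbage, which is what an 'unreadable payload' often looks like.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        m = re.match(rb"(\d{1,5}) ", stream[pos:])
        if not m:
            raise ValueError("no octet count at offset %d" % pos)
        length = int(m.group(1))
        start = pos + m.end()
        if start + length > len(stream):
            raise ValueError("frame at offset %d truncated" % pos)
        messages.append(stream[start:start + length])
        pos = start + length
    return messages


def parse_priority(msg: bytes) -> tuple:
    """Return (facility, severity_name) from the leading <PRI> of a syslog message."""
    m = re.match(rb"<(\d{1,3})>", msg)
    if not m:
        raise ValueError("message does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, SEVERITIES[pri % 8]


# Constructed samples: what tcpdump might show on the collector port.
EPO_MSG = (b'<14>1 2022-01-18T03:52:00Z epo-host EPOEvents - - - '
           b'{"constructed": "sample ePO event"}')
OCTET_STREAM = b"%d " % len(EPO_MSG) + EPO_MSG + b"%d " % len(EPO_MSG) + EPO_MSG
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26" + b"\x00" * 38
TLS_APP_DATA = b"\x17\x03\x03\x00\x20" + b"\x00" * 32


def diagnose(data: bytes) -> dict:
    """Summarise a captured payload for a ticket: what it is and, if readable, its fields."""
    label = classify_payload(data)
    result = {"label": label, "messages": 0}
    if label == "syslog-octet-counted":
        msgs = split_octet_counted(data)
        result["messages"] = len(msgs)
        result["facility"], result["severity"] = parse_priority(msgs[0])
    elif label == "syslog-plain":
        result["messages"] = 1
        result["facility"], result["severity"] = parse_priority(data)
    return result


if __name__ == "__main__":
    for name, sample in [("octet", OCTET_STREAM), ("hello", TLS_CLIENT_HELLO),
                         ("appdata", TLS_APP_DATA), ("plain", EPO_MSG)]:
        print(name, diagnose(sample))
```

If the capture classifies as "tls-handshake" or "tls-application-data", the collector is reading the bytes before decryption, so the fix is on the listener/protocol side (port, TLS Syslog protocol selection, certificate trust in the direction Martin describes), and no DSM change will help; if it classifies as syslog, the remaining problem really is parsing.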