Hello Vedran,
Thank you for your response. I have upgraded the McAfee ePO DSM with the latest RPM file from IBM Fix Central.
But Vedran, this cannot be the issue; the first thing is to get the payload in the right format. The parsing and mapping happen only if the payload makes sense to QR.
I have opened a case, and I think the SE is misinterpreting my issue. I am running ePO 5.10, and the supported protocol for this version is TLS syslog. We were using JDBC, but this is not supported in v5.10.
Also, I have engaged the McAfee Support team, and the SE said the issue is most likely from QR, and no further fine-tuning is needed from the ePO side. The tech note from McAfee below states that the event can be unreadable if the SIEM platform does not have a matching cipher suite.
https://kc.mcafee.com/corporate/index?page=content&id=KB91194
Regards,
------------------------------
benlinux
------------------------------
Original Message:
Sent: Thu February 24, 2022 05:03 AM
From: Vedran Goricki
Subject: McAfee ePO Payload
Hi
Check what version of the McAfee DSM you have on QR:
rpm -qa | grep -i mcafee
Check the latest version on IBM Fix Central; if there is a newer version on Fix Central, update.
Install the Content Pack for McAfee ePO.
I have installed the McAfee ePO log source on QR with default settings – no custom certs – and it works.
Sorry, I didn't see the picture; this is the first time I have seen something like "e; in a McAfee ePO log.
If nothing helps open the case with IBM
Regards
Vedran
------------------------------
Vedran Goricki
Original Message:
Sent: Thu February 24, 2022 04:44 AM
From: benlinux
Subject: McAfee ePO Payload
Hello Vedran,
Thank you for responding, but it seems you missed my question.
The payload is unreadable, as shown below. I can't parse a payload that is not readable.
Regards,
------------------------------
benlinux
Original Message:
Sent: Thu February 24, 2022 02:02 AM
From: Vedran Goricki
Subject: McAfee ePO Payload
Hi,
IBM didn't make a correct DSM parser for McAfee ePO - it has the wrong format and the regexes they used are wrong. You have to do custom parsing. Try to parse (Override settings) on Event ID:
Regex <EventID>(.*?)</EventID> Capture group $1
Most of the events will be parsed. Some events do not have a QID mapped; I didn't find those event IDs in the McAfee documentation.
And when you get the correct event name, all other info must be parsed as well.
Regards
Vedran
------------------------------
Vedran Goricki
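A small diagnostic, added here and not posted by anyone in this thread, that separates the two problems discussed above: a payload that is not readable text at all (a transport or cipher problem) versus a readable ePO XML payload that the parsing regex does not match. The ePO XML samples are constructed, and the regex uses the closing tag </EventID>.

```python
import re

# Constructed sample of what a readable McAfee ePO XML event looks like
# (not real ePO output).
READABLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<EPOevent><MachineInfo><MachineName>host01</MachineName></MachineInfo>"
    b"<SoftwareInfo><Event><EventID>1027</EventID>"
    b"<Severity>3</Severity></Event></SoftwareInfo></EPOevent>"
)
# Constructed bytes that are not valid UTF-8 text: what an "unreadable"
# payload looks like when the problem is the transport, not the parser.
UNREADABLE = b"\x16\x03\x03\x00\x9c\x01\x00\x00\x98\x03\x03\xff\xfe"

# Custom-parsing regex from the thread with the corrected closing tag.
EVENT_ID_RE = re.compile(r"<EventID>(.*?)</EventID>")


def is_readable_text(payload: bytes) -> bool:
    """True if the payload decodes as UTF-8 and is mostly printable."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return printable / max(len(text), 1) > 0.9


def extract_event_ids(payload: bytes) -> list:
    """Capture group $1 of EVENT_ID_RE for every event in a readable payload."""
    if not is_readable_text(payload):
        return []
    return EVENT_ID_RE.findall(payload.decode("utf-8"))


def diagnose(payload: bytes) -> str:
    """Point at the layer to investigate: transport, parser, or neither."""
    if not is_readable_text(payload):
        return "unreadable: not text, check TLS/cipher suite and log source protocol"
    ids = extract_event_ids(payload)
    if not ids:
        return "readable but no <EventID> found, check the parsing regex"
    return "ok: EventID " + ",".join(ids)


if __name__ == "__main__":
    for sample in (READABLE, UNREADABLE, b"<EPOevent></EPOevent>"):
        print(diagnose(sample))
```

Feed it the raw bytes of a captured payload to tell a cipher-suite mismatch apart from a DSM regex that simply does not match.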
Original Message:
Sent: Tue February 22, 2022 03:43 AM
From: benlinux
Subject: McAfee ePO Payload
Hello experts,
Has anyone successfully integrated McAfee ePO with QRadar using TLS Syslog?
I am having issues with the payload getting to QRadar; the payload appears unreadable and hence the events are neither parsed nor mapped.
Kindly assist.
------------------------------
benlinux
Original Message:
Sent: Mon January 24, 2022 06:25 AM
From: benlinux
Subject: McAfee ePO Payload
Hello,
I would appreciate it if someone could assist with this.
Thanks
------------------------------
benlinux
Original Message:
Sent: Tue January 18, 2022 03:15 AM
From: benlinux
Subject: McAfee ePO Payload
Hello QRadar Experts,
I integrated McAfee ePO v5.10 with QRadar using TLS syslog, but I noticed that the events are not parsed/mapped.
I drilled into some of the events, and the payload appears as shown below.
Kindly assist if you have resolved this issue.
------------------------------
benlinux
------------------------------