Hello QRadar Experts,
Has anyone successfully integrated McAfee ePO using the TLS syslog? Do I need to import a certificate into the ePO server, because the below technote from McAfee says there is no need to import a certificate from the QRadar syslog server to the ePO after registering the syslog server on the ePO.
https://kc.mcafee.com/corporate/index?page=content&id=KB91194
However, after the integration, the log source is shown with a status of "NA", and from the tcpdump command I can see logs from the same log source.
I also checked the qradar.error file; I can see a message "unable to automatically detect the log source <ip_of_epo>, and closing sockets".
Kindly assist.
------------------------------
benlinux
------------------------------
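A check that separates a transport problem from a format/autodetection problem, added here as an example (it is not IBM, McAfee or the poster's code): it completes a TLS handshake with the QRadar TLS Syslog listener and sends one well-formed RFC 5424 event, so you can tell whether the session is actually established (not just packets visible in tcpdump) and whether a known-good message is accepted. The host name, the CA bundle path and the port (6514 is the QRadar TLS Syslog default) are assumptions; RFC 5425 octet-counted framing is the default, with newline framing available if your listener expects it.

```python
"""Send a test syslog event to a QRadar TLS Syslog listener and report the handshake.

Example code added for this thread; not IBM or McAfee code. Host, CA bundle and
port are assumptions to be adjusted for your deployment.
"""
import socket
import ssl
from datetime import datetime, timezone

QRADAR_HOST = "qradar.example.internal"          # assumption: your Event Collector
TLS_SYSLOG_PORT = 6514                           # QRadar TLS Syslog protocol default port
CA_BUNDLE = "/path/to/qradar-tls-syslog-ca.pem"  # assumption: exported listener certificate


def build_syslog_message(hostname: str, app: str, msg: str, pri: int = 14, now=None) -> bytes:
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode("utf-8")


def frame_octet_counted(message: bytes) -> bytes:
    """RFC 5425 octet-counting: 'MSG-LEN SP SYSLOG-MSG' (the TLS transport framing)."""
    return f"{len(message)} ".encode("ascii") + message


def frame_newline(message: bytes) -> bytes:
    """Non-transparent framing: message terminated by LF, for listeners that expect it."""
    return message + b"\n"


def tls_context(verify: bool = True) -> ssl.SSLContext:
    """Server-auth context; verify=False keeps encryption but skips certificate validation
    for a listener whose self-signed certificate has not yet been exported and trusted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if verify:
        ctx.load_verify_locations(CA_BUNDLE)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_test_event(host: str, port: int, hostname: str, text: str,
                    verify: bool = True, octet_counted: bool = True, timeout: float = 10) -> dict:
    """Connect, finish the TLS handshake, send one framed event, return session details.
    A failure here (timeout, handshake error, reset) is a transport problem; success with the
    log source still undetected points at the event format instead."""
    message = build_syslog_message(hostname, "tls-syslog-check", text)
    frame = frame_octet_counted(message) if octet_counted else frame_newline(message)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls_context(verify).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
            cert = tls.getpeercert() if verify else None
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "bytes_sent": len(frame),
                "peer_subject": cert.get("subject") if cert else "not verified",
            }


if __name__ == "__main__":
    import sys
    verify = "--insecure" not in sys.argv
    print(send_test_event(QRADAR_HOST, TLS_SYSLOG_PORT, "epo-test",
                          "TLS syslog connectivity check", verify=verify))
```

Run it first with `--insecure` to confirm the listener answers at all, then without it after exporting the listener certificate to CA_BUNDLE; if the event is delivered but the log source stays at "NA", the transport is fine and the problem is that the real ePO events are not being recognised by autodetection.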
Original Message:
Sent: Thu June 17, 2021 09:14 AM
From: benlinux
Subject: McAfee ePO v5.10 integration using JDBC
Hello Bruce,
Thank you, I will be integrating it with the client tomorrow. For the parsing issue, there is a McAfee ePO app on the IBM App Exchange; why not look that up.
Regards,
------------------------------
benlinux
Original Message:
Sent: Thu June 17, 2021 08:49 AM
From: Bruce Hutchinson
Subject: McAfee ePO v5.10 integration using JDBC
Let me know if you have parsing issues with TLS syslog. I have had an open ticket for over 90 days. Stored and unknown events.
------------------------------
Bruce Hutchinson
Original Message:
Sent: Wed June 16, 2021 10:28 AM
From: benlinux
Subject: McAfee ePO v5.10 integration using JDBC
Hello Johan,
Thank you for the feedback. When I checked the qradar.error, I see an error related to the JDBC driver, and as mentioned my client is running v7.4.2.
I will use the TLS syslog protocol.
Regards,
------------------------------
benlinux
Original Message:
Sent: Wed June 16, 2021 09:41 AM
From: Johan Lopez
Subject: McAfee ePO v5.10 integration using JDBC
Hello,
What error do you see when you try to connect via JDBC? As far as I know there is a problem with the JDBC driver in 7.4.2; I created a case and I received this answer:
I can confirm that this is a known defect in the "PROTOCOL-JDBC-7.4-20201123202423.noarch" version which is currently installed on your console.
The L3 team has opened a defect internally and they are working on it. We also have an APAR published for public tracking of the work progress. Please check the URL below for a workaround and also please subscribe to it for future updates on the fix. The permanent fix will be released in the next JDBC protocol release.
https://www.ibm.com/support/pages/apar/IJ31104
I would recommend you use the TLS Syslog protocol; it is easier than JDBC and works the same.
------------------------------
Johan Lopez
Security Analyst L2
Original Message:
Sent: Wed June 16, 2021 05:20 AM
From: benlinux
Subject: McAfee ePO v5.10 integration using JDBC
Hello Experts,
I am trying to integrate McAfee ePO v5.10 with QRadar v7.4.2 FP4 using JDBC; I am unable to connect to the back-end SQL database using a read-only account that was created. I could telnet from QRadar to the DB using the default port 1433.
From the below screenshot, I can see that QRadar supports only v3.5 to v5.9. Please, I want to know if anyone has successfully integrated McAfee ePO v5.10 using JDBC.
Regards,
------------------------------
benlinux
------------------------------