Table of Contents
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elasticsearch and Kibana
- 67. F5 BIG-IP
- 68. File Integrity Monitoring
- 69. FreeRADIUS
- 70. Google Chronicle
- 71. Graylog
- 72. HP ProCurve
- 73. IBM QRadar SIEM
- 74. Industrial Control Systems
- 75. Linux Audit System
- 76. Linux system logs
- 77. Log Event Extended Format (LEEF)
- 78. Logstash
- 79. McAfee Enterprise Security Manager (ESM)
- 80. McAfee ePolicy Orchestrator
- 81. Microsoft Active Directory Domain Controller
- 82. Microsoft Azure
- 83. Microsoft Azure Event Hubs
- 84. Microsoft Azure Sentinel
- 85. Microsoft Exchange
- 86. Microsoft IIS
- 87. Microsoft SharePoint
- 88. Microsoft SQL Server
- 89. Microsoft System Center Endpoint Protection
- 90. Microsoft System Center Configuration Manager
- 91. Microsoft System Center Operations Manager
- 92. MongoDB
- 93. Nagios Log Server
- 94. Nessus Vulnerability Scanner
- 95. NetApp
- 96. .NET application logs
- 97. Nginx
- 98. Okta
- 99. Oracle Database
- 100. Osquery
- 101. Postfix
- 102. Promise
- 103. Raijin Database Engine
- 104. Rapid7 InsightIDR SIEM
- 105. RSA NetWitness
- 106. SafeNet KeySecure
- 107. Salesforce
- 108. Snare
- 109. Snort
- 110. Solarwinds Loggly
- 111. Splunk
- 112. Sumo Logic
- 113. Symantec Endpoint Protection
- 114. Synology DiskStation
- 115. Syslog
- 116. Sysmon
- 117. Ubiquiti UniFi
- 118. VMware vCenter
- 119. Windows AppLocker
- 120. Windows Command Line Auditing
- 121. Windows Event Log
- 122. Windows Firewall
- 123. Windows Group Policy
- 124. Windows Management Instrumentation (WMI)
- 125. Windows PowerShell
- 126. Microsoft Windows Update
- 127. Windows USB auditing
- 128. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
80. McAfee ePolicy Orchestrator
McAfee® ePolicy Orchestrator® (McAfee® ePO™) enables centralized policy management and enforcement for endpoints and enterprise security products. McAfee ePO monitors and manages the network, detecting threats and protecting endpoints against these threats.
NXLog can be configured to collect events and audit logs from the ePO SQL databases.
|
Note
|
The instructions and examples in this section were tested with ePolicy Orchestrator 5.10.0 and NXLog running on the same server. |
|
Note
|
ePO will need to have the associated packages installed first, prior to log collection from these sources. For example, VirusScan Enterprise or Host Intrusion Prevention Content must be installed. |
80.1. Collecting ePO Audit Logs
The Audit log contains McAfee ePO user actions and action details which can be viewed from the ePO dashboard.
Figure 13. Queries and Reports Dashboard for Audit Entries
ePO stores these logs in the dbo.OrionAuditLog table in the SQL database. The
following configuration will query dbo.OrionAuditLog using the
im_odbc module configured to collect these audit log events. It
will then format them to JSON via xm_json.
nxlog.conf ![[Download file]](images/icons/download_icon.png "Download file")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<Input in>
Module im_odbc
ConnectionString DSN=MQIS;database=ePO_Host; \
uid=user;pwd=password;
IdType timestamp
# With ReadFromLast and MaxIdSQL, NXLog will start reading from the last
# record when reading from the database for the first time.
ReadFromLast TRUE
MaxIdSQL SELECT MAX(StartTime) AS maxid FROM dbo.OrionAuditLog
SQL SELECT StartTime as id,StartTime as EventTime, \
* FROM dbo.OrionAuditLog \
WHERE StartTime > CAST(? AS datetime)
Exec delete($id);to_json();
</Input>
Raw Audit Log Sample of a Successful Logon
EventTime: 2020-02-12 18:36:00
AutoId: 7
UserId: 1
UserName: admin
Priority: 3
CmdName: Logon Attempt
Message: Successful Logon for user "admin" from IP address: 10.0.0.4
Success: TRUE
StartTime: 2020-02-12 18:36:00
EndTime: 2020-02-12 18:36:00
RemoteAddress: 10.0.0.4
LocalAddress: 2001:0:34f1:8072:2c3a:3f1e:f5ff:fffb
TenantId: 1
DetailMessage: NULL
AdditionalDetailsURI: NULL
2020-02-12 18:37:28 McAfeeEPO INFO
id: 2020-02-12 18:37:28Audit Event Sample in JSON of a Successful Logon
{
"EventTime": "2019-07-27T09:51:08.630000+02:00",
"AutoId": 83147,
"UserId": 1,
"UserName": "admin",
"Priority": 3,
"CmdName": "Logon Attempt",
"Message": "Successful Logon for user \"admin\" from IP address: 192.168.134.165",
"Success": true,
"StartTime": "2019-07-27T09:51:08.630000+02:00",
"EndTime": "2019-07-27T09:51:08.630000+02:00",
"RemoteAddress": "192.168.134.165",
"LocalAddress": "192.168.134.165",
"TenantId": 1,
"DetailMessage": null,
"AdditionalDetailsURI": null,
"EventReceivedTime": "2019-07-27T11:51:09.641428+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}80.2. Collecting VirusScan Enterprise (VSE) Events
The McAfee VirusScan Enterprise provides strong virus protection
with lower maintenance requirements and zero-impact scans for users to protect
against malware. These events are stored in the dbo.EPOEvents SQL view.
The following configuration uses the im_odbc module to collect
VirusScan events from the dbo.EPOEvents SQL view. The AnalyzerName column
determines the source module of the events in the view, therefore the query
contains the conditional clause AnalyzerName LIKE 'VirusScan%.
nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<Input in>
Module im_odbc
ConnectionString DSN=MQIS;database=ePO_Host; \
uid=user;pwd=password;
IdType timestamp
# With ReadFromLast and MaxIdSQL, NXLog will start reading from the last
# record when reading from the database for the first time.
#ReadFromLast TRUE
#MaxIdSQL SELECT MAX(ReceivedUTC) AS maxid FROM dbo.EPOEvents
SQL SELECT ReceivedUTC as id,ReceivedUTC as EventTime,AutoID,ServerID,\
AnalyzerName,AnalyzerHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (AnalyzerIPV4 as varchar(15))) as 'IPv4',\
AnalyzerDetectionMethod,SourceHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (SourceIPV4 as varchar(15))) as 'Source IPv4',\
SourceProcessName,TargetHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (TargetIPV4 as varchar(15))) as 'Target IPv4',\
TargetUserName,TargetFileName,ThreatCategory,ThreatEventID,\
ThreatSeverity,ThreatName,ThreatType,ThreatActionTaken,TenantID\
FROM dbo.EPOEvents\
WHERE ReceivedUTC > CAST(? AS datetime) AND AnalyzerName LIKE 'VirusScan%'
Exec delete($id);to_json();
</Input>
VirusScan Enterprise Event Sample in JSON of an EICAR Test File
{
"EventTime": "2019-07-30T14:17:22.067000+02:00",
"AutoID": 22113,
"ServerID": "HOST",
"AnalyzerName": "VirusScan Enterprise",
"AnalyzerHostName": "HOST",
"IPv4": "192.168.134.189",
"AnalyzerDetectionMethod": "OAS",
"SourceHostName": null,
"Source IPv4": "192.168.134.189",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"TargetHostName": "HOST",
"Target IPv4": "192.168.134.189",
"TargetUserName": "DOMAIN\\admin",
"TargetFileName": "C:\\Users\\admin\\Desktop\\eicar.com",
"ThreatCategory": "av.detect",
"ThreatEventID": 1278,
"ThreatSeverity": 1,
"ThreatName": "EICAR test file",
"ThreatType": "test",
"ThreatActionTaken": "deleted",
"TenantID": 1,
"EventReceivedTime": "2019-07-30T16:18:15.279397+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}80.3. Collecting Data Loss Prevention (DLP) Events
The McAfee Data Loss Prevention (DLP) Endpoint is a content-based agent solution to inspect user actions. It scans data-in-use on endpoints, blocks transfer of sensitive data, and it can store its findings as evidence.
The configuration below uses the im_odbc module to collect Data
Loss Prevention events from the dbo.EPOEvents SQL view. The AnalyzerName
column determines the source module of events in the view, therefore the query
contains the conditional clause AnalyzerName LIKE 'Data%.
nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<Input in>
Module im_odbc
ConnectionString DSN=MQIS;database=ePO_Host; \
uid=user;pwd=password;
IdType timestamp
# With ReadFromLast and MaxIdSQL, NXLog will start reading from the last
# record when reading from the database for the first time.
#ReadFromLast TRUE
#MaxIdSQL SELECT MAX(ReceivedUTC) AS maxid FROM dbo.EPOEvents
SQL SELECT ReceivedUTC as id,ReceivedUTC as EventTime,AutoID,ServerID,\
AnalyzerName,AnalyzerHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (AnalyzerIPV4 as varchar(15))) as 'IPv4',\
AnalyzerDetectionMethod,SourceHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (SourceIPV4 as varchar(15))) as 'Source IPv4',\
SourceProcessName,TargetHostName,\
dbo.RSDFN_ConvertIntToIPString \
(cast (TargetIPV4 as varchar(15))) as 'Target IPv4',\
TargetUserName,TargetFileName,ThreatCategory,ThreatEventID,\
ThreatSeverity,ThreatName,ThreatType,ThreatActionTaken,TenantID\
FROM dbo.EPOEvents\
WHERE ReceivedUTC > CAST(? AS datetime) AND AnalyzerName LIKE 'Data%'
Exec delete($id);to_json();
</Input>
Data Loss Prevention Event Sample of a USB Plugin
{
"EventTime": "2019-08-24T12:46:15.603000+02:00",
"AutoID": 94123,
"ServerID": "HOST",
"AnalyzerName": "Data Loss Prevention",
"AnalyzerHostName": "HOST",
"IPv4": "192.168.134.198",
"AnalyzerDetectionMethod": "DLP for Windows",
"SourceHostName": "HOST",
"Source IPv4": "192.168.134.198",
"SourceProcessName": "",
"TargetHostName": "HOST",
"Target IPv4": "192.168.134.198",
"TargetUserName": "DOMAIN\\admin",
"TargetFileName": null,
"ThreatCategory": "policy",
"ThreatEventID": 19115,
"ThreatSeverity": 1,
"ThreatName": "USB",
"ThreatType": "DEVICE_PLUG",
"ThreatActionTaken": "BL|MON|ON",
"TenantID": 1,
"EventReceivedTime": "2019-08-24T14:46:16.066322+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}