Hello,

We are currently working on collecting the logs from McAfee ePO (without polling the database), using the agent as the syslog server.

In the ePO we can configure a syslog server to send our events to; in that case the syslog server is our agent.

We tried some configuration, but it is still not working:

# parse_syslog() is provided by xm_syslog; without this extension the
# call in the Exec block below fails to resolve
<Extension syslog>
Module xm_syslog
</Extension>

# field whitelist; not referenced by any route yet
<Extension clean_fields_mcafee_epo>
Module xm_rewrite
Keep time, host, source, sourcetype, event, classification, os, dc, severity, module, stanza, collector_hostname, collector_received_at
</Extension>

# TLS listener that ePO is pointed at as its "syslog server"
<Input i_mcafee_epo_raw>
Module im_ssl
ListenAddr 127.0.0.1:1572
CAFile "McAfeeEpo\Apache2\conf\ssl.crt\ca.cer"
CertFile "McAfeeEpo\Apache2\conf\ssl.crt\cert.crt"
CertKeyFile "McAfeeEpo\Apache2\conf\ssl.crt\cert.key"
AllowUntrusted TRUE
FlowControl TRUE
<Exec>
# splits the BSD/IETF syslog line into $Hostname, $Message, $SyslogFacility, ...
parse_syslog();
$source = "mcafee_epo";
# $raw_event holds the received line; $event is never set in this config
log_info("event : " + $raw_event);
</Exec>
</Input>

# sink used while testing; replace with a real output once events arrive
<Output onul>
Module om_null
</Output>

<Route r_raw_epo>
Path i_mcafee_epo_raw => onul
</Route>

I was wondering whether we need to use the xm_syslog module as the module.

Asked November 2, 2021 - 11:00am
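A small TLS syslog test client for checking that an im_ssl listener like the one above accepts and parses a message at all, independent of ePO. This is an added example, not code from the post or from NXLog; it assumes the listener address 127.0.0.1:1572 from the config, and the CA file path is a placeholder.

```python
"""Added example: send one RFC 3164 style syslog line over TLS to an NXLog
im_ssl input, to separate listener/TLS problems from ePO-side problems."""
import datetime
import socket
import ssl
from typing import Optional

LISTEN_HOST = "127.0.0.1"   # ListenAddr from the im_ssl input
LISTEN_PORT = 1572
CA_FILE = "PATH/TO/ca.cer"  # placeholder: the CA that signed the listener's cert


def build_bsd_syslog(facility: int, severity: int, hostname: str, tag: str,
                     msg: str, ts: Optional[datetime.datetime] = None) -> bytes:
    """Build '<PRI>Mmm dd HH:MM:SS host tag: msg\\n' as parse_syslog() expects.
    PRI = facility * 8 + severity; the day is space-padded to two characters."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    ts = ts or datetime.datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {msg}\n".encode()


def send_over_tls(payload: bytes, host: str = LISTEN_HOST, port: int = LISTEN_PORT,
                  cafile: str = CA_FILE) -> int:
    """Open a verified TLS connection to the listener, send the line, return bytes sent.
    Verification failures here point at the CAFile/CertFile pair on the NXLog side."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(payload)
            return len(payload)


if __name__ == "__main__":
    # constructed test event; with the config above it should appear in the
    # NXLog log file via log_info("event : " + $raw_event)
    line = build_bsd_syslog(1, 6, "epo-server", "EPOEvents", "constructed test event")
    print("sent", send_over_tls(line), "bytes")
```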

Answer (1)