Syslog - McAfee ePO
Device Details
Device Name | Syslog - McAfee ePO |
---|---|
Vendor | McAfee |
Device Type | ePolicy Orchestrator v5.10 |
Supported Model Name/Number | N/A |
Supported Software Version | All |
Collection Method | Syslog |
Configurable Log Output | Yes |
Log Source Type | Syslog - McAfee ePO |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information | https://kcm.trellix.com/corporate/index?page=content&id=KB54677 |
McAfee ePO sends its syslog output over TLS, so it must be pointed at the System Monitor Agent's secure syslog port (6514 by default) rather than the standard syslog port.
ePO syslog forwarding supports only TCP and requires Transport Layer Security (TLS), so a plaintext or UDP syslog listener will not receive its events. Refer to the ePO documentation for more information.
For information on enabling secure syslog on a System Monitor Agent, refer to Configure a Secure Syslog Agent.
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
McAfee ePO Catch-All | N/A | <tag1>, <tag2>, <tag3> |
EVID : 1027/1292/18054 Security Messages | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object> |
EVID : 1048 : EPO - Scan Error | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <object>, <process>, <domainimpacted>, <account>, <action>, <subject>, <severity> |
EVID : 1092/1095 Behavior Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <policy>, <process>, <object>, <vendorinfo>, <version>, <severity> |
EVID : 1119 : EPO - Update Failed | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <threatname>, <subject>, <result>, <action>, <severity> |
EVID : 1202/1203 Task Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <vendorinfo>, <version>, <object> |
EVID : 2401/02/11/12/13/22/27 Update Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <responsecode>, <action>, <vendorinfo>, <version>, <objecttype> |
EVID 18900 : McAfee ePO Policy Auditor Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version>, <result> |
EVID 18905 : McAfee ePO Policy Assessment Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version>, <result> |
EVID 19101/9115/19125/19136 : McAfee ePO DLP | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <threatname>, <policy>, <severity>, <vendorinfo>, <version> |
EVID 207(20/48/61/76/78/95), 208(31/46): McAfee Ep | N/A | <dip>, <dname>, <dmac>, <vmid>, <severity>, <action>, <domainimpacted>, <account>, <process>, <processid>, <parentprocessname>, <object>, <hash>, <objecttype>, <reason>, <vendorinfo>, <version>, <parentprocesspath>, <domainorigin>, <login> |
EVID 20835 : McAfee ePO App Control Messages | N/A | <dname>, <dip>, <dmac>, <vmid>, <severity>, <action>, <process>, <processid>, <domainorigin>, <login>, <object>, <parentprocessname>, <parentprocesspath>, <command>, <hash>, <vendorinfo>, <version> |
EVID 30030 : McAfee ePO Drive Encryption Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <vendorinfo>, <version>, <objecttype> |
EVID : 1202 : EPO - Scan Started | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity>, <vendorinfo>, <version> |
EVID : 18059 : EPO - Network Threat Blocked | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <sip>, <smac>, <dname>, <dip>, <dport>, <dmac>, <severity>, <vendorinfo>, <version>, <domainimpacted>, <account> |
EVID : 18060 : EPO - Exploit Attempt Detected | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <sip>, <smac>, <dname>, <account>, <object>, <dip>, <dport>, <dmac>, <severity>, <vendorinfo>, <version> |
EVID : 20559/20500/20503/20504 Device Logs | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version> |
 | N/A | <dname>, <dip>, <dmac>, <vmid>, <severity>, <vendorinfo>, <domainimpacted>, <account>, <process>, <object>, <action>, <version>, <subject> |
EVID : 1095 : EPO - Access Protection Violation Not Blocked | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <dname>, <domainimpacted>, <account>, <object>, <severity>, <vendorinfo>, <version>, <dmac>, <dip> |
EVID : 1203 : EPO - On-Demand Scan End | N/A | <vmid>, <action>, <subject>, <threatname>, <severity>, <vendorinfo>, <version>, <dmac>, <sip>, <domainimpacted>, <account>, <result> |
EVID : 1024 : EPO - Infected File Deleted | N/A | <dip>, <dmac>, <vendorinfo>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <status>, <version>, <size> |
EVID : 1284 EPO - On-Demand Scan End | N/A | <dip>, <dmac>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <status>, <vendorinfo>, <version> |
EVID 1087 : EPO - Access Protection Violation Blocked | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <action>, <vmid>, <severity>, <version>, <domainimpacted>, <account> |
 | N/A | <dip>, <vendorinfo>, <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <dname>, <domainimpacted>, <account>, <object>, <severity>, <objectname>, <hash>, <version>, <dmac> |
EVID : 35112 : EPO ATP - Object Contained | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <sname>, <domainorigin>, <login>, <parentprocessname>, <dname>, <domainimpacted>, <account>, <process>, <object>, <severity>, <vendorinfo>, <version>, <dmac>, <dip> |
EVID : 1278 : EPO - File Infected | N/A | <dip>, <dmac>, <vendorinfo>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <status>, <version> |
EVID 1034 : EPO - No Viruses Found | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity> |
EVID : 1 EPO - Booting Disabled | N/A | <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity>, <dname> |
EVID 35002 : EPO - Firewall Event | N/A | <dname>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity>, <action>, <subject>, <threatname>, <result>, <sip>, <dip>, <dport>, <protname>, <policy>, <sport>, <size> |
EVID : 1064 EPO - Service Started | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
EVID : 1118 EPO - Update Successful | N/A | <dname>, <dip>, <domainorigin>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
EVID : 1121 EPO - Update Cancelled | N/A | <dname>, <dip>, <domainorigin>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
EVID : 18600 EPO - Informational Event | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <process>, <domainimpacted>, <account>, <action>, <subject>, <threatname>, <severity>, <domainorigin>, <url> |
EVID : 30000 EPO - Logon Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30001 EPO - Password Changed Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30004 EPO - System Boot Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30006 EPO - Self-recovery Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30012 EPO - Crypt Volume Complete Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <status>, <object> |
EVID : 30017 EPO - General Exception Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <status> |
EVID : 30020 EPO - Upgrade Start | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30033 EPO - Automatic Booting Deactivated | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30035 EPO - Provider Not Installed | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30045 EPO - Activation Failure | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <responsecode> |
EVID : 30112 EPO - Cred Provider Enabled | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 30115 EPO - Incompatible Product Detected | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <object> |
EVID 34865 - Protect Mcafee Process | N/A | <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <dname>, <subject>, <action>, <threatname>, <process>, <severity>, <hash> |
EVID 40702 - Endpoint Task Started | N/A | <dip>, <dmac>, <account>, <domainimpacted>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
EVID : 1025 EPO - Infected File Cleaned | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
EVID : 1280 : EPO - File Deleted | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
EVID : 1282 : EPO - File Delete Failed | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
EVID : 1423 : EPO - Delete Pending | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status>, <sname>, <process>, <dname> |
EVID : 1428 : EPO - File Still Exists | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status>, <sname>, <process>, <dname> |
EVID 1087 : EPO - On-access Scan Started | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
EVID 1088 : EPO - On-access Scan Stopped | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
General Catch All Level | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.586.0 | Syslog - McAfee ePO v5.10 | New Log Source Type | New Device Support |