Syslog - McAfee Network Security Manager

Prerequisites

McAfee Network Security Manager can forward notifications and events via Syslog to a LogRhythm System Monitor Agent.

Following the instructions provided by McAfee, use the master console to enable Syslog forwarding of events to the IP address of the LogRhythm System Monitor Agent that will be collecting the logs. If necessary, enable forwarding for all available event categories.

McAfee Network Security Manager requires an output formatting string because its default configuration does not provide enough information. The rules were created for the following format, so it must be used:

$IV_ATTACK_TIME$!$IV_QUARANTINE_END_TIME$!$IV_REMEDIATION_END_TIME$!$IV_ALERT_ID$!$IV_ATTACK_ID$!$IV_ALERT_TYPE$!$IV_ATTACK_SEVERITY$!$IV_ATTACK_CONFIDENCE$!$IV_RELEVANCE$!$IV_CATEGORY$!$IV_SUB_CATEGORY$!$IV_DIRECTION$!$IV_RESULT_STATUS$!$IV_SOURCE_IP$!$IV_DESTINATION_IP$!$IV_SOURCE_PORT$!$IV_DESTINATION_PORT$!$IV_APPLICATION_PROTOCOL$!$IV_NETWORK_PROTOCOL$!$IV_ADMIN_DOMAIN$!$IV_SENSOR_NAME$!$IV_INTERFACE$!$IV_DETECTION_MECHANISM$!$IV_ATTACK_SIGNATURE$!$IV_MCAFEE_NAC_FORWARDED_STATUS$!$IV_MCAFEE_NAC_MANAGED_STATUS$!$IV_MCAFEE_NAC_ERROR_STATUS$!$IV_MCAFEE_NAC_ACTION_STATUS$
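
As an added example (not part of the LogRhythm or McAfee documentation), the following Python maps a received payload onto the 28 field names of the format string above and rejects any message whose field count does not match, a quick way to confirm that the format string was applied on the Manager. It assumes the syslog header has already been removed, that field values contain no "!" character, and that addresses and ports arrive as plain numeric values; the sample payload is constructed.

```python
import ipaddress
import re

# Format string from this page, split across lines only for readability.
FORMAT = (
    "$IV_ATTACK_TIME$!$IV_QUARANTINE_END_TIME$!$IV_REMEDIATION_END_TIME$!"
    "$IV_ALERT_ID$!$IV_ATTACK_ID$!$IV_ALERT_TYPE$!$IV_ATTACK_SEVERITY$!"
    "$IV_ATTACK_CONFIDENCE$!$IV_RELEVANCE$!$IV_CATEGORY$!$IV_SUB_CATEGORY$!"
    "$IV_DIRECTION$!$IV_RESULT_STATUS$!$IV_SOURCE_IP$!$IV_DESTINATION_IP$!"
    "$IV_SOURCE_PORT$!$IV_DESTINATION_PORT$!$IV_APPLICATION_PROTOCOL$!"
    "$IV_NETWORK_PROTOCOL$!$IV_ADMIN_DOMAIN$!$IV_SENSOR_NAME$!$IV_INTERFACE$!"
    "$IV_DETECTION_MECHANISM$!$IV_ATTACK_SIGNATURE$!"
    "$IV_MCAFEE_NAC_FORWARDED_STATUS$!$IV_MCAFEE_NAC_MANAGED_STATUS$!"
    "$IV_MCAFEE_NAC_ERROR_STATUS$!$IV_MCAFEE_NAC_ACTION_STATUS$"
)
# Field names derived from the format string itself, e.g. "source_ip".
FIELDS = [m.lower() for m in re.findall(r"\$IV_([A-Z_]+)\$", FORMAT)]

def parse_payload(payload):
    """Map a '!'-delimited payload onto FIELDS; raise if the count differs."""
    values = payload.split("!")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, (v.strip() for v in values)))

def check_event(event):
    """Return a list of problems found in the address and port fields."""
    problems = []
    for key in ("source_ip", "destination_ip"):
        try:
            ipaddress.ip_address(event[key])
        except ValueError:
            problems.append(f"{key} is not an IP address: {event[key]!r}")
    for key in ("source_port", "destination_port"):
        # Assumption: ports are decimal integers in the range 0-65535.
        if not (event[key].isdigit() and int(event[key]) <= 65535):
            problems.append(f"{key} is not a port number: {event[key]!r}")
    return problems

# Constructed sample payload; every value is invented for illustration.
SAMPLE = "!".join([
    "2024-01-15 10:22:31 UTC", "N/A", "N/A", "1234567890", "0x40000001",
    "Signature", "High", "Medium", "N/A", "Exploit", "code-execution",
    "Inbound", "Blocked", "203.0.113.10", "192.0.2.25", "51515", "443",
    "https", "tcp", "My Company", "sensor-01", "1A-1B", "signature",
    "example-signature", "N/A", "N/A", "N/A", "N/A",
])
```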

Configure McAfee Network Security Manager

No additional changes are necessary to configure LogRhythm to work with McAfee Network Security Manager.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Syslog - McAfee Network Security Manager. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.