McAfee ePO 5.1 stores its event logs in a Microsoft SQL database which is typically included on the ePO server. Collection from a Microsoft SQL database requires:
- Universal Database Log Adapter (UDLA) Log Source
- A LogRhythm Agent to collect the logs
- Access to the Microsoft SQL database that McAfee ePO 5.1 uses for storing event logs
Identify and note the following prior to configuration:
- The IP address and host name of the Microsoft SQL Database Server used by McAfee ePO 5.1.
- The user account and password LogRhythm will use to access the McAfee ePO log data on the Microsoft SQL Database Server, if necessary. The user account must have the database role of db_owner.
- The LogRhythm System Monitor Agent used to collect the logs from McAfee ePO 5.1.
Configure McAfee ePO 5.1
An account that the LogRhythm Agent can use to access the McAfee ePO 5.1 Microsoft SQL database must be available. This can be the default sa account, an account created with administrator access for LogRhythm's use, or domain credentials.
The user account must be granted the database role of db_owner.
No additional configuration changes are needed for McAfee ePO 5.1.
Configure the ODBC Driver for McAfee ePO 5.1
McAfee ePO 5.1 logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name: SQL Server
- Company Name: Microsoft Corporation
- Version: 2000.85.1132.00
- Date: 4/13/2008
- Download Location: Pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The System Monitor does not need to be installed on the McAfee ePO 5.1 server, but it needs to establish a network ODBC connection. In addition, the Microsoft SQL client drivers must be installed on the System Monitor host.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the McAfee ePO 5.1 XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - McAfee ePolicy Orchestrator 5.1 - ePOEvents. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
  - Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
  - Be sure to change the values for Server and Database according to your current deployment configuration.
  - Also note that the connection to SQL Server uses Windows Integrated Security, so the account under which the LogRhythm Agent is running must have access to the McAfee ePO database.
- If you want to validate the current settings, click Test.
  - If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.
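Because the log source connects with Windows Integrated Security and requires db_owner, the two things most likely to make the Test fail are the Agent's service account lacking the role and a wrong Server or Database value. The following pre-flight check is an added example, not LogRhythm or McAfee code: run it in a PowerShell session started as the account the System Monitor Agent service runs under, on the System Monitor host, so it exercises the same ODBC driver and trusted-connection path the UDLA log source uses. `<EPO_SQL_HOST>` and `<EPO_DATABASE>` are placeholders for the values you noted before configuration.

```powershell
# Added pre-flight check for the UDLA connection (not LogRhythm or McAfee code).
# Run as the LogRhythm System Monitor Agent service account so the result reflects
# the Windows Integrated Security identity the log source will actually present.
$server   = '<EPO_SQL_HOST>'     # placeholder: IP or host name of the ePO SQL Server
$database = '<EPO_DATABASE>'     # placeholder: database McAfee ePO 5.1 stores events in

# Same driver the guide names ("SQL Server"), same trusted-connection mode as the log source.
$connString = "Driver={SQL Server};Server=$server;Database=$database;Trusted_Connection=yes;"

$conn = New-Object System.Data.Odbc.OdbcConnection $connString
try {
    $conn.Open()

    # Report which Windows login reached SQL Server and whether it holds db_owner there.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT SUSER_SNAME()         AS LoginName,
       DB_NAME()             AS DatabaseName,
       IS_MEMBER('db_owner') AS IsDbOwner
"@
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        $login  = $reader['LoginName']
        $dbName = $reader['DatabaseName']
        $owner  = $reader['IsDbOwner']
        Write-Host "Connected as $login to database $dbName"
        if ($owner -eq 1) {
            Write-Host 'db_owner role: present (meets the guide requirement)'
        } else {
            Write-Warning "db_owner role: missing for $login; grant it before running the UDLA Test"
        }
    }
    $reader.Close()
}
catch {
    # Typical causes: wrong Server/Database value, the ODBC driver not installed on the
    # System Monitor host, or a firewall blocking the network ODBC connection.
    Write-Error "ODBC connection failed: $($_.Exception.Message)"
}
finally {
    if ($conn.State -eq 'Open') { $conn.Close() }
}
```

If the script connects and reports db_owner as present but the Test in LogRhythm still fails, the difference is almost always the identity: confirm the Agent service is configured to run as the same account you used for this check.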