UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents
The McAfee ePolicy Orchestrator platform enables centralized policy management and enforcement for your endpoints and enterprise security products. McAfee ePO monitors and manages your network, detecting threats and protecting endpoints against these threats. By using McAfee ePO, you can perform many network and client tasks from a single console.
Device Details
Vendor | McAfee |
Device Type | ePolicy Orchestrator |
Supported Model Name/Number | N/A |
Supported Software Version(s) | 5.9 |
Collection Method | Universal Database Log Adapter (UDLA) |
Configurable Log Output? | Yes |
Log Source Type | UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | N/A |
Prerequisites
IP address and hostname of the Microsoft SQL Database Server used by McAfee ePolicy Orchestrator
ODBC drivers installed on the same host as LogRhythm agent
Account and password to be used by LogRhythm for accessing the McAfee ePolicy Orchestrator log data on the Microsoft SQL Database Server, if necessary
Configuration file UDLA-McAfee-ePO5.9.xml
SQL Server function dbo.RSDFN_ConvertIntToIPString(AnalyzerIPV4) installed, with EXECUTE permission granted to the SQL account used by LogRhythm (refer to the Create the SQL Function section below)
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The System Monitor does not need to be installed on the McAfee ePO 5.9 server, but it needs to establish a network ODBC connection. In addition, the Microsoft SQL client drivers must be installed on the System Monitor host.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the McAfee ePO 5.9 XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents. In addition, when configuring this log source:
For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
LogRhythm does not support troubleshooting connection strings. One example that works is setting up a “System DSN” in ODBC Data Sources and using the connection string below in the Log Source UDLA Settings tab:
DSN=<dsn_name>; UID=<username>; PWD=<password>;
Connectionstrings.com is a good reference for more information on connection strings.
If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly. When the test passes, close the Test dialog box.
Create the SQL Function
The UDLA SQL query uses dbo.RSDFN_ConvertIntToIPString to convert the AnalyzerIPV4 column, which ePO stores as a signed 32-bit integer (the unsigned IPv4 address value offset by 2^31), into standard dotted-decimal notation (for example, 192.168.1.10). This function is not shipped with ePO; it must be created manually in the ePO SQL database before the UDLA integration will work.
Connect to the ePO SQL Server instance and run the following script:
CREATE FUNCTION [dbo].[RSDFN_ConvertIntToIPString]
(
@ipin int   -- IPv4 address as stored by ePO: unsigned address value minus 2^31
)
RETURNS CHAR(15)
AS
BEGIN
declare @o1 bigint, @o2 bigint, @o3 bigint, @o4 bigint;
declare @ip bigint;
-- Undo the 2^31 offset (written as 2147483647 + 1). @ip is now the plain
-- unsigned 32-bit address value, in the range 0 to 4294967295.
set @ip = (CAST(@ipin as bigint) + 2147483647) + 1;
-- Peel off the four octets, most significant first.
SET @o1 = @ip / 16777216;
SET @ip = @ip % 16777216;
SET @o2 = @ip / 65536;
SET @ip = @ip % 65536;
SET @o3 = @ip / 256;
SET @ip = @ip % 256;
SET @o4 = @ip;
RETURN
CONVERT(VARCHAR(4), @o1) + '.' +
CONVERT(VARCHAR(4), @o2) + '.' +
CONVERT(VARCHAR(4), @o3) + '.' +
CONVERT(VARCHAR(4), @o4)
END
GO
Grant execute permission on the function to the LogRhythm service account (the account must already exist as a user in the ePO database):
USE epo_mcafee;
GRANT EXECUTE ON OBJECT::dbo.RSDFN_ConvertIntToIPString TO [LogRhythmServiceAccount];
GO
Replace epo_mcafee with the name of your ePO database and [LogRhythmServiceAccount] with the SQL account configured for LogRhythm access to the ePO database.
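The following T-SQL script is an added verification example; it is not part of the LogRhythm guide or of the ePO product. It checks the function against hand-computed values (including the lowest and highest integers ePO can store), confirms the GRANT by impersonating the LogRhythm database user, and adds a hypothetical inverse helper, dbo.RSDFN_ConvertIPStringToInt, so ad-hoc queries can filter on AnalyzerIPV4 without converting every row. The database name epo_mcafee, the user name LogRhythmServiceAccount, and the EPOEvents column names other than AnalyzerIPV4 (AutoID, DetectedUTC, ThreatName) are assumptions; adjust them to match your installation.

```sql
-- Added verification script (not from the LogRhythm guide or ePO).
-- Assumes dbo.RSDFN_ConvertIntToIPString already exists in the database named
-- epo_mcafee and that [LogRhythmServiceAccount] is a user in that database.
USE epo_mcafee;
GO

-- 1. Known-answer test. ePO stores an IPv4 address as a signed INT equal to the
--    unsigned address value minus 2^31, so the function adds 2^31 back before
--    splitting out the octets. The expected strings are constructed test data,
--    computed by hand, e.g. 10.0.0.1 = 167772161 and 167772161 - 2147483648 = -1979711487.
WITH known(epo_int, expected) AS (
    SELECT -2147483648, '0.0.0.0'         UNION ALL   -- lowest value ePO can store
    SELECT -1979711487, '10.0.0.1'        UNION ALL
    SELECT   -16777215, '127.0.0.1'       UNION ALL
    SELECT  1084752138, '192.168.1.10'    UNION ALL
    SELECT  2147483647, '255.255.255.255'             -- highest value ePO can store
)
SELECT epo_int,
       expected,
       dbo.RSDFN_ConvertIntToIPString(epo_int) AS actual,
       -- RETURNS CHAR(15) pads with spaces, so trim before comparing
       CASE WHEN RTRIM(dbo.RSDFN_ConvertIntToIPString(epo_int)) = expected
            THEN 'OK' ELSE 'MISMATCH' END AS result
FROM known;
GO

-- 2. Confirm the GRANT worked by running as the LogRhythm database user.
--    If EXECUTE was not granted, this raises "The EXECUTE permission was denied".
EXECUTE AS USER = 'LogRhythmServiceAccount';   -- assumed user name
SELECT dbo.RSDFN_ConvertIntToIPString(-1979711487) AS as_logrhythm_user;  -- 10.0.0.1
REVERT;
GO

-- 3. Hypothetical inverse helper (added here, not part of the guide): dotted-decimal
--    text to the ePO integer. PARSENAME splits on '.' and numbers parts right to left,
--    so part 4 is the first octet. Result is shifted back down by 2^31 to fit INT.
CREATE FUNCTION dbo.RSDFN_ConvertIPStringToInt (@ip VARCHAR(15))
RETURNS INT
AS
BEGIN
    RETURN CAST(
        ( CAST(PARSENAME(@ip, 4) AS BIGINT) * 16777216
        + CAST(PARSENAME(@ip, 3) AS BIGINT) * 65536
        + CAST(PARSENAME(@ip, 2) AS BIGINT) * 256
        + CAST(PARSENAME(@ip, 1) AS BIGINT) ) - 2147483648 AS INT);
END
GO

-- Round trip: expect 1084752138 and 192.168.1.10.
SELECT dbo.RSDFN_ConvertIPStringToInt('192.168.1.10') AS epo_int,
       dbo.RSDFN_ConvertIntToIPString(
           dbo.RSDFN_ConvertIPStringToInt('192.168.1.10')) AS round_trip;
GO

-- 4. Filtering live events for one agent by address. Converting the literal once
--    (right-hand side) keeps the predicate sargable; converting AnalyzerIPV4 on the
--    left would force a scan of the whole table. Column names other than
--    AnalyzerIPV4 are assumed.
SELECT TOP (10) AutoID, DetectedUTC, ThreatName,
       dbo.RSDFN_ConvertIntToIPString(AnalyzerIPV4) AS AnalyzerIP
FROM dbo.EPOEvents
WHERE AnalyzerIPV4 = dbo.RSDFN_ConvertIPStringToInt('10.0.0.1')
ORDER BY AutoID DESC;
GO
```

Run the script in SQL Server Management Studio as a sysadmin or db_owner (step 2 needs IMPERSONATE on the LogRhythm user). Every row of step 1 should read OK; a MISMATCH on the first or last row means the 2^31 offset in the function was altered.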