UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents
The McAfee ePolicy Orchestrator platform enables centralized policy management and enforcement for your endpoints and enterprise security products. McAfee ePO monitors and manages your network, detecting threats and protecting endpoints against these threats. By using McAfee ePO, you can perform many network and client tasks from a single console.
Device Details
Vendor | McAfee |
Device Type | ePolicy Orchestrator |
Supported Model Name/Number | N/A |
Supported Software Version(s) | 5.9 |
Collection Method | Universal Database Log Adapter (UDLA) |
Configurable Log Output? | Yes |
Log Source Type | UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | N/A |
Prerequisites
- IP address and hostname of the Microsoft SQL Database Server used by McAfee ePolicy Orchestrator
- ODBC drivers installed on the same host as LogRhythm agent
- Account and password to be used by LogRhythm for accessing the McAfee ePolicy Orchestrator log data on the Microsoft SQL Database Server, if necessary
- Configuration file UDLA-McAfee-ePO5.9.xml
- SQL Server function dbo.RSDFN_ConvertIntToIPString (AnalyzerIPV4) installed and permissions allowed for SQL account
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The System Monitor does not need to be installed on the McAfee ePO 5.9 server, but it needs to establish a network ODBC connection. In addition, the Microsoft SQL client drivers must be installed on the System Monitor host.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the McAfee ePO 5.9 XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - McAfee ePolicy Orchestrator 5.9 - ePOEvents. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
LogRhythm does not support troubleshooting connection strings. One example that works is setting up a “System DSN” in ODBC Data Sources and using the connection string below in the Log Source UDLA Settings tab:
DSN=<dsn_name>; UID=<username>; PWD=<password>;
Connectionstrings.com is a good reference for more information on connection strings.
- If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly. - When the test passes, close the Test dialog box.