UDLA - McAfee ePolicy Orchestrator - Universal ePOEvents
The McAfee ePolicy Orchestrator platform enables centralized policy management and enforcement for your endpoints and enterprise security products. McAfee ePO monitors and manages your network, detecting threats and protecting endpoints against these threats. By using McAfee ePO, you can perform many network and client tasks from a single console.
Device Details
Vendor | McAfee |
Device Type | ePolicy Orchestrator |
Supported Model Name/Number | N/A |
Supported Software Version(s) | All |
Collection Method | Universal Database Log Adapter (UDLA) |
Configurable Log Output? | Yes |
Log Source Type | UDLA - McAfee ePolicy Orchestrator - Universal ePOEvents |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | N/A |
Prerequisites
Before you start log collection from ePolicy Orchestrator, you must ensure you have the following:
- IP address and host name of the Microsoft SQL database server used by McAfee ePolicy Orchestrator.
- Account and password to be used by LogRhythm for accessing the McAfee ePolicy Orchestrator log data on the Microsoft SQL database server, if required.
- ODBC (Open Database Connectivity) drivers installed on the same host as the LogRhythm agent.
- Working ODBC data source connection and connection string to McAfee ePolicy Orchestrator database server.
- Configuration file UDLA-McAfee-ePO-Universal-ePO-Events.xml (see below to download the file).
- SQL Server function dbo.RSDFN_ConvertIntToIPString (AnalyzerIPV4) installed and permissions allowed for SQL account.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the McAfee ePO Universal ePO Events XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - McAfee ePolicy Orchestrator - Universal ePOEvents. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
LogRhythm does not support troubleshooting connection strings. One example that works is setting up a “System DSN” in ODBC Data Sources and using the connection string below in the Log Source UDLA Settings tab:
DSN=<dsn_name>; UID=<username>; PWD=<password>;
Connectionstrings.com is a good reference for more information on connection strings.
- If the console is installed on the same host as the LogRhythm agent, click Test to validate the current settings.
If the test fails, verify the connection settings and that all values were entered correctly. - When the test passes, close the Test dialog box.