LogRhythm uses its extensive knowledge of log formats from various vendors to process logs. Processing is driven by LogRhythm rules, which determine whether a log is elevated to an event or to an alarm. Because the user defines the log format for UDLA log collection, use the following sample so that LogRhythm can process this UDLA log type. McAfee ePO has several components and modules that write events to various tables in its database. A table can have a single source or multiple sources, and each table requires its own Log Source for collection. This example is for the Events table.
For the MPE Policy Processing rules that LogRhythm provides for McAfee ePO events to parse the logs correctly, use the following configuration, adjusting it for the deployment environment.
Cutting and pasting the following settings into a UDLA configuration in the LogRhythm Client Console may introduce characters that UDLA does not support (typographic quotation marks and non-breaking spaces from a word processor, for example). Type the values, or paste them through a plain-text editor and check the result before saving.
Connection type: ODBC / OLE DB (select ODBC connection).
Be sure to replace the placeholders myServer, myInstance, and myDBName with the values for the current environment.
SELECT TOP <Max_Message_Count> AutoID, Counter, EventDateTime, ProductName,
<EventLocalDateTime> TVDEVENTID=<TVDEventID> TVDSEVERITY=<TVDSeverity> ACTIONTAKEN=<ActionTaken> VIRUSNAME=<VirusName> FILENAME=<FileName>
Unique Identifier Field
Message Date Field
State Field Type
Get UTC Date Statement
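The two practical checks a practitioner wants here are (a) whether pasted settings carry characters outside printable ASCII, the failure mode the warning above describes, and (b) what the incremental collection behind "Unique Identifier Field" and "State Field Type" actually does: each poll fetches at most Max_Message_Count rows whose AutoID is above the last saved state and renders them in the message format above. The following is an added example, not LogRhythm or McAfee code. It emulates that loop against a constructed in-memory SQLite table; SQLite's LIMIT stands in for SQL Server's TOP, the column EventLocalDateTime is assumed to be the alias the real query produces from EventDateTime, Python `{Field}` braces stand in for UDLA's `<Field>` tokens, and the sample rows are invented.

```python
import sqlite3
import unicodedata

# Constructed sample rows for a hypothetical ePO Events table (not real ePO data).
# Columns: AutoID, EventLocalDateTime, TVDEventID, TVDSeverity, ActionTaken, VirusName, FileName
SAMPLE_EVENTS = [
    (1, "2024-03-01 10:00:00", 1027, 2, 5, "EICAR-Test-File", "C:\\Temp\\eicar.com"),
    (2, "2024-03-01 10:05:00", 1024, 3, 3, "Generic.Trojan", "C:\\Users\\a\\bad.exe"),
    (3, "2024-03-01 10:07:00", 1027, 2, 5, "EICAR-Test-File", "D:\\x\\eicar.com"),
]

COLUMNS = ["AutoID", "EventLocalDateTime", "TVDEventID", "TVDSeverity",
           "ActionTaken", "VirusName", "FileName"]

# Same field order and labels as the Log Message Format on the page; braces
# replace UDLA's <Field> placeholders so Python's str.format can render it.
MESSAGE_TEMPLATE = (
    "{EventLocalDateTime} TVDEVENTID={TVDEventID} TVDSEVERITY={TVDSeverity} "
    "ACTIONTAKEN={ActionTaken} VIRUSNAME={VirusName} FILENAME={FileName}"
)


def build_events_db():
    """Create the constructed Events table in memory (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (AutoID INTEGER PRIMARY KEY, EventLocalDateTime TEXT, "
        "TVDEventID INTEGER, TVDSeverity INTEGER, ActionTaken INTEGER, "
        "VirusName TEXT, FileName TEXT)"
    )
    conn.executemany("INSERT INTO Events VALUES (?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def poll_events(conn, last_autoid, max_message_count):
    """One collection poll: AutoID is the incrementing unique identifier (state),
    the batch is capped at max_message_count, and rows are rendered with the
    message template. Returns (new_state, list_of_messages)."""
    rows = conn.execute(
        "SELECT " + ", ".join(COLUMNS) + " FROM Events "
        "WHERE AutoID > ? ORDER BY AutoID LIMIT ?",
        (last_autoid, max_message_count),
    ).fetchall()
    messages = [MESSAGE_TEMPLATE.format(**dict(zip(COLUMNS, row))) for row in rows]
    # The state only advances when rows were collected; on an empty poll it is kept.
    new_state = rows[-1][0] if rows else last_autoid
    return new_state, messages


def find_unsupported_chars(text):
    """Flag characters outside printable ASCII (tab allowed) in a pasted setting.
    Returns (line, column, char, unicode name) tuples; empty means the paste is clean."""
    bad = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch != "\t" and not 0x20 <= ord(ch) <= 0x7E:
                bad.append((line_no, col, ch, unicodedata.name(ch, "UNKNOWN")))
    return bad


if __name__ == "__main__":
    db = build_events_db()
    state = 0
    while True:
        state, msgs = poll_events(db, state, 2)
        if not msgs:
            break
        for m in msgs:
            print(m)
    # A pasted WHERE clause with word-processor quotes around the value.
    for hit in find_unsupported_chars("WHERE VirusName = \u2018EICAR\u2019"):
        print("unsupported character:", hit)
```

Running the script prints the three sample rows as formatted log lines over two polls (the second poll returns one row and the third none, so the loop stops) and then reports the two curly quotes with their line and column, which is the kind of defect the paste warning is about.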