Create a Sample McAfee ePolicy Orchestrator (ePO) Event Log Source
LogRhythm uses its knowledge of log formats from many vendors to process logs. Processing is driven by LogRhythm rules, which determine whether a log is elevated to an event or to an alarm. Because the user defines the log format for UDLA log collection, use the sample below so that LogRhythm can process this UDLA log type. McAfee ePO has several components and modules that write events to various tables in the database. A table can have one or more sources, and each table requires its own Log Source for collection. This example covers the Events table.
For the MPE Policy Processing rules that LogRhythm provides for McAfee ePO events to parse the logs correctly, use the following configuration, adjusting it for the deployment environment.
Cutting and pasting the following settings into a UDLA configuration in the LogRhythm Client Console may carry over characters that UDLA does not support; check the pasted values before saving the Log Source.
Parameter Name | Setting |
---|---|
ODBC / OLE DB | Select ODBC connection. |
Connection String | Driver={SQL Server};Server=myServer\myInstance;Database=myDBName; Replace the placeholders myServer, myInstance, and myDBName with the values for the current environment. |
Query Statement | SELECT TOP <Max_Message_Count> AutoID, Counter, EventDateTime, ProductName, |
Output Format | <EventLocalDateTime> TVDEVENTID=<TVDEventID> TVDSEVERITY=<TVDSeverity> ACTIONTAKEN=<ActionTaken> VIRUSNAME=<VirusName> FILENAME=<FileName> |
Unique Identifier Field | AutoID |
Message Date Field | EventLocalDateTime |
State Field Type | Increment |
State Field | AutoID |
Get UTC Date Statement | SELECT GetUTCDate() |
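The settings above describe an incremental poll: UDLA remembers the highest AutoID it has collected, asks the database only for rows above it (up to the configured maximum message count, which replaces the <Max_Message_Count> placeholder), and renders each row through the Output Format template. The following added example is not LogRhythm or McAfee code; it simulates that loop in Python against an in-memory SQLite table so the behaviour can be run offline. The table name EPOEvents, the column set and the sample rows are constructed assumptions (the page does not name the ePO table), and SQLite's LIMIT stands in for T-SQL's TOP.

```python
import re
import sqlite3

# Constructed sample rows standing in for the ePO Events table. The table
# name "EPOEvents" and these column values are assumptions for this example.
SAMPLE_ROWS = [
    (101, "2024-03-01 10:00:00", 1027, 3, 5, "EICAR test file", "C:\\temp\\eicar.com"),
    (102, "2024-03-01 10:05:00", 1024, 4, 6, "W32/Sample", "C:\\Users\\a\\x.exe"),
    (103, "2024-03-01 10:07:00", 1000, 1, 0, "", ""),
]

# The Output Format from the table above: each <Column> is replaced by the row value.
OUTPUT_FORMAT = ("<EventLocalDateTime> TVDEVENTID=<TVDEventID> TVDSEVERITY=<TVDSeverity> "
                 "ACTIONTAKEN=<ActionTaken> VIRUSNAME=<VirusName> FILENAME=<FileName>")


def make_db():
    """Build the in-memory stand-in for the ePO database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE EPOEvents (
        AutoID INTEGER PRIMARY KEY, EventLocalDateTime TEXT, TVDEventID INTEGER,
        TVDSeverity INTEGER, ActionTaken INTEGER, VirusName TEXT, FileName TEXT)""")
    conn.executemany("INSERT INTO EPOEvents VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.row_factory = sqlite3.Row  # allow row["ColumnName"] access in render()
    return conn


def render(row, fmt=OUTPUT_FORMAT):
    """Substitute every <Column> placeholder in the Output Format with the row's value."""
    return re.sub(r"<(\w+)>", lambda m: str(row[m.group(1)]), fmt)


def poll(conn, last_auto_id, max_message_count):
    """One collection pass with State Field Type = Increment and State Field = AutoID.

    Only rows whose AutoID is above the saved state are fetched, in AutoID order,
    capped at max_message_count (the <Max_Message_Count> placeholder in the query).
    Returns (rendered_log_lines, new_state); the state advances to the last AutoID seen.
    """
    cur = conn.execute(
        "SELECT AutoID, EventLocalDateTime, TVDEventID, TVDSeverity, ActionTaken, "
        "VirusName, FileName FROM EPOEvents WHERE AutoID > ? ORDER BY AutoID LIMIT ?",
        (last_auto_id, max_message_count))
    rows = cur.fetchall()
    lines = [render(r) for r in rows]
    new_state = rows[-1]["AutoID"] if rows else last_auto_id
    return lines, new_state


def collect_all(conn, max_message_count=2, start_state=0):
    """Repeat poll() until the table is drained, returning the batches and final state."""
    state = start_state
    batches = []
    while True:
        lines, state = poll(conn, state, max_message_count)
        if not lines:
            break
        batches.append(lines)
    return batches, state


if __name__ == "__main__":
    db = make_db()
    for batch in collect_all(db)[0]:
        for line in batch:
            print(line)
```

Because the state is the last AutoID collected, a restart of the collector resumes exactly where it left off without duplicating or skipping rows, which is why the Unique Identifier Field and State Field are both set to a monotonically increasing column rather than to the timestamp.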