To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to IBM QRadar.
Before you begin
To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.
Procedure
- Log in to the McAfee Network Security Platform Manager user interface.
- On the Network Security Manager dashboard, click Configure.
- From the Resource Tree, click the root node (Admin-Domain-Name).
- Click .
- Configure the Syslog Server details parameters.
  Parameter | Value
  Enable Syslog Forwarder | Yes
  Port | 514
- Click Edit.
- Select one of the following versions:
Table 1. McAfee Network Security Platform 2.x - 5.x custom message formats

Version: Unpatched McAfee Network Security Platform 2.x systems
Description (custom message string):
|$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|"$ATTACK_NAME$"|$ATTACK_ID$|$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|$DESTINATION_PORT$|

Version: McAfee Network Security Platform that has patches applied to update to 3.x - 5.x
Description (custom message string):
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform appliances that do not have software patches applied use different message strings from patched systems. The custom message format must contain a dollar sign ($) as a delimiter before and after each alert element. If the dollar sign is missing for an element, the alert event might not be formatted properly.
If you are not sure which event message format to use, contact McAfee customer support.
- Click Save.
When alert events are generated by McAfee Network Security Platform, they are forwarded to the
syslog destination that you specified. The log source is automatically discovered after enough
events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum
of 25 events to automatically discover a log source.
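The note above states the two rules that decide whether a forwarded alert can be parsed at all: the custom message string is a single line with no spaces or carriage returns, and every alert element is wrapped in dollar signs. The following Python example is added here to make those rules checkable before the string is saved in the Manager, and to show how a line produced by such a template splits back into named fields. It is not code from IBM or McAfee; the sample alert line and its values are constructed, and the field names come only from the two templates on this page.

```python
"""Check a McAfee NSP custom syslog message template and parse alerts built from it.

Added example. The two template strings are copied from Table 1 on this page;
SAMPLE_ALERT is a constructed line in the 2.x format with made-up values.
"""
import re

# Custom message strings from Table 1 (2.x unpatched, and patched 3.x - 5.x).
TEMPLATE_2X = (
    '|$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|"$ATTACK_NAME$"|$ATTACK_ID$|'
    '$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|'
    '$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|'
    '$DESTINATION_PORT$|'
)
TEMPLATE_3X_5X = (
    '|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|'
    '$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|'
    '$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|'
    '$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|'
)

# One alert element: a dollar sign, an upper-case name, a dollar sign.
ELEMENT_RE = re.compile(r"\$[A-Z][A-Z0-9_]*\$")


def check_template(template):
    """Return a list of problems found in a custom message template.

    An empty list means the template follows the rules in the note above:
    a single line, no spaces, and every element delimited by $...$ on both
    sides. Surrounding double quotes (as on $ATTACK_NAME$) are allowed.
    """
    problems = []
    if any(ch in template for ch in " \t\r\n"):
        problems.append("template contains spaces or line breaks")
    if not (template.startswith("|") and template.endswith("|")):
        problems.append("template must start and end with '|'")
    for element in template.strip("|").split("|"):
        if not ELEMENT_RE.fullmatch(element.strip('"')):
            problems.append(f"element {element!r} is not delimited by $...$")
    return problems


def template_fields(template):
    """Derive the ordered field names from a template, e.g. ['ALERT_ID', ...]."""
    return [e.strip('"').strip("$") for e in template.strip("|").split("|")]


def parse_alert(line, template):
    """Map one forwarded alert line back to the element names of its template.

    Assumes (as the templates do) that field values contain no '|' characters.
    Raises ValueError when the line does not have the template's field count.
    """
    if not (line.startswith("|") and line.endswith("|")):
        raise ValueError("alert line does not start and end with '|'")
    names = template_fields(template)
    values = line[1:-1].split("|")
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    # Quotes around the attack name are part of the template, not the value.
    return {name: value.strip('"') for name, value in zip(names, values)}


# Constructed sample alert in the 2.x format (values are illustrative only).
SAMPLE_ALERT = (
    '|1000001|Signature|2013-09-10 12:34:56|"HTTP: Example Attack"|0x40001234|'
    'High|example-signature|High|My Company|sensor01|1A-1B|192.0.2.10|50321|'
    '198.51.100.5|80|'
)

if __name__ == "__main__":
    for name, tpl in (("2.x", TEMPLATE_2X), ("3.x-5.x", TEMPLATE_3X_5X)):
        print(name, "template problems:", check_template(tpl) or "none")
    for key, value in parse_alert(SAMPLE_ALERT, TEMPLATE_2X).items():
        print(f"{key:>18}: {value}")
```

Running `check_template` on a template that was pasted with a trailing line break, or with one element missing its dollar sign, returns a non-empty problem list; that is the condition the note warns about, and catching it before Save avoids alerts that arrive at QRadar but cannot be normalized. `parse_alert` takes the template rather than a hard-coded field list, so the same function handles both the 2.x and the IV_-prefixed 3.x - 5.x format.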
What to do next
Administrators can log in to the QRadar Console and verify that the log source is created on the QRadar Console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.