Configuring alert events for McAfee Network Security Platform 2.x - 5.x

To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to IBM QRadar.

Before you begin

To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.

Procedure

  1. Log in to the McAfee Network Security Platform Manager user interface.
  2. On the Network Security Manager dashboard, click Configure.
  3. From the Resource Tree, click the root node (Admin-Domain-Name).
  4. Click Alert Notification > Syslog Forwarder.
  5. Configure the Syslog Server details parameters:

    Parameter                 Value
    Enable Syslog Forwarder   Yes
    Port                      514
  6. Click Edit.
  7. Select one of the following versions and enter the matching custom message string:

    Table 1. McAfee Network Security Platform 2.x - 5.x custom message formats

    Version: Unpatched McAfee Network Security Platform 2.x systems
    Description (custom message string):
    |$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|"$ATTACK_NAME$"|$ATTACK_ID$|$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|$DESTINATION_PORT$|

    Version: McAfee Network Security Platform with patches applied to update to 3.x - 5.x
    Description (custom message string):
    |$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|

    Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform appliances that do not have software patches applied use different message strings from patched systems. The custom message format must contain a dollar sign ($) as a delimiter before and after each alert element. If an element is missing a dollar sign, the alert event might not be formatted properly and QRadar might not parse it.

    If you are not sure which event message format to use, contact McAfee customer support.

  8. Click Save.

    When alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.
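The following is an added example, not part of the IBM or McAfee documentation: it builds the two Table 1 message strings from the shared field order, checks a custom message string for the mistakes the note warns about (spaces, line breaks, a missing $), and splits a forwarded alert back into named fields the way a collector would. The syslog header, alert ID, attack ID and addresses in the sample line are constructed for illustration.

```python
import re

# Field order of the custom message string in Table 1. Both templates share it;
# unpatched 2.x elements carry no prefix, patched 3.x - 5.x systems use "IV_".
FIELDS = [
    "ALERT_ID", "ALERT_TYPE", "ATTACK_TIME", "ATTACK_NAME", "ATTACK_ID",
    "ATTACK_SEVERITY", "ATTACK_SIGNATURE", "ATTACK_CONFIDENCE", "ADMIN_DOMAIN",
    "SENSOR_NAME", "INTERFACE", "SOURCE_IP", "SOURCE_PORT",
    "DESTINATION_IP", "DESTINATION_PORT",
]

def build_template(prefix):
    """Build the custom message string for one element prefix ("" or "IV_")."""
    elems = [f'"${prefix}{f}$"' if f == "ATTACK_NAME" else f"${prefix}{f}$" for f in FIELDS]
    return "|" + "|".join(elems) + "|"

def template_problems(template):
    """List what is wrong with a custom message string before it is pasted into
    Syslog Forwarder: embedded whitespace, or an element not delimited by $."""
    problems = []
    if re.search(r"\s", template):
        problems.append("contains spaces or line breaks")
    for elem in template.strip("|").split("|"):
        if not re.fullmatch(r'"?\$[A-Z_]+\$"?', elem):
            problems.append(f"element {elem!r} is not delimited by $ on both sides")
    return problems

def parse_event(line):
    """Split one forwarded alert into a dict keyed by FIELDS. The attack name is
    quoted free text and may itself contain '|', so it is recovered from whatever
    sits between the three leading and the eleven trailing fields."""
    body = line.rstrip()[line.index("|"):]   # drop the syslog header before the first |
    parts = body.strip("|").split("|")
    if len(parts) < len(FIELDS):
        raise ValueError("too few fields: the template is probably missing a $")
    name = "|".join(parts[3:-11]).strip('"')
    return dict(zip(FIELDS, parts[:3] + [name] + parts[-11:]))

# Constructed sample line (header and values are made up, not captured from a Manager).
SAMPLE = (
    "<14>Mar  3 10:15:22 nsm01 SyslogAlertForwarder: "
    '|6001234567890|Signature|2024-03-03 10:15:20|"HTTP: Directory Traversal | Encoded"|'
    "0x40203400|High|NSP-SIG-0001|High|MyCompany|nsp-sensor-01|1A-1B|"
    "203.0.113.45|51234|192.0.2.10|80|"
)

if __name__ == "__main__":
    print(template_problems(build_template("IV_").replace("$IV_SOURCE_PORT$", "$IV_SOURCE_PORT")))
    print(parse_event(SAMPLE)["ATTACK_NAME"], parse_event(SAMPLE)["DESTINATION_PORT"])
```

Run the template check on the exact string you intend to paste; a single dropped $ shifts every field after it, which is why a collector then sees fewer fields than the template defines.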

What to do next

Administrators can log in to the QRadar Console to verify that the log source was created and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.