To collect alert notification events from McAfee Network Security Platform,
administrators must configure a syslog forwarder to send events to IBM
QRadar.
Before you begin
To collect alert notification events from McAfee Network Security Platform, you need McAfee
Network Security Platform Manager.
Procedure
- Log in to the McAfee Network Security Platform Manager user interface.
- Click the Manager tab.
- From the navigation menu, select .
- In the Enable Syslog Notification pane, select Yes.
- Click Save.
- On the Syslog page, click New. If you are using version 10.x, click the + sign.
- On the Add a Syslog Notification Profile page, configure the following
  parameters:

  Table 1. McAfee Network Security Platform 8.x - 10.x syslog notification profile parameters

  Admin Domain
    Select any of the following options:
    - Current - Send syslog notifications for alerts in the current domain. This option is selected by default.
    - Children - Include alerts for all child domains within the current domain. (Not applicable to NTBA)

  Notification Profile Name
    The name of the profile where notifications are sent from.

  Target Server
    Add a server profile:
    - Click Add.
    - Type the target server profile name.
    - Type the IP address of your QRadar Console or Event Collector.
    - From the Protocol list, select UDP.
    - Type 514 in the Port field.
    - Click Save.

  Facility
    Select a syslog facility value from the list.

  Severity Mapping
    Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity:
    - Emergency - The system is down or unusable.
    - Alert - The system requires immediate user input or intervention.
    - Critical - The system should be corrected for a critical condition.
    - Error - The system has non-urgent failures.
    - Warning - The system has a warning message that indicates an imminent error.
    - Notice - The system has notifications, no immediate action required.
    - Informational - Normal operating messages.
    - Debug - Debug level messages.

  Notify for All Alerts
    Enable this option.

  Notify on Quarantine Events
    Disable this option.

  Message
    To ensure that alert notifications are formatted correctly, type the following message string:

    |$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$

    Note: The custom message string must be entered as a single line without carriage returns or spaces.
    McAfee Network Security Platform expects the format of the custom message to contain a dollar sign
    ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an
    element, then the alert event might not be formatted properly. You might require a text editor to
    properly format the custom message string as a single line.
- Click Save.

The new notification profile displays on the Syslog page. As alert events are generated by
McAfee Network Security Platform, they are forwarded to the syslog destination that you
specified. The log source is automatically discovered in QRadar after enough events are
forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of
25 events to automatically discover a log source.
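The custom message string is split field by field on the receiving side, so a missing dollar sign, a stray space, or a line break in the template shifts every later field and the event parses wrongly or not at all. The following Python, added here as an illustration and not part of the IBM or McAfee documentation, checks a template against the rules stated in the note above and then parses a sample event rendered from that template into named fields. The syslog header and all field values in the sample event are constructed for this example and do not reflect McAfee's actual output.

```python
import re

# The custom message string from the documentation, copied verbatim.
MESSAGE_TEMPLATE = (
    '|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|'
    '$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|'
    '$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|'
    '$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|'
    '$IV_DIRECTION$|$IV_SUB_CATEGORY$'
)

# Constructed sample event: a made-up syslog header (not McAfee's real header
# format) followed by the custom message rendered from the template.
# Every field value here is invented for this example.
SAMPLE_EVENT = (
    '<14>Jan 12 10:00:00 nsm-manager '
    '|1234567890|Signature|2024-01-12T10:00:00|"HTTP: Example Attack Name"|'
    '0x40001234|High|Sig-1|High|My Company|Sensor-01|1A|'
    '10.0.0.5|51234|192.0.2.10|80|Inbound|Web Server'
)

ELEMENT_RE = re.compile(r'\$([A-Z_]+)\$')


def template_fields(template):
    """Return the alert element names in the order they appear in the template."""
    return ELEMENT_RE.findall(template)


def check_template(template):
    """Return a list of problems with a custom message template (empty if well formed).

    Enforces the rules the documentation states: a single line with no carriage
    returns or spaces, and a dollar sign before and after every alert element."""
    problems = []
    if '\r' in template or '\n' in template:
        problems.append('template spans more than one line')
    if ' ' in template:
        problems.append('template contains a space')
    if template.count('$') % 2 != 0:
        problems.append('odd number of dollar signs: an element is missing a delimiter')
    # The text between the 1st/2nd, 3rd/4th, ... dollar signs must be a bare
    # element name; a '|' or quote in there means an earlier delimiter is missing.
    for chunk in template.split('$')[1::2]:
        if not re.fullmatch(r'[A-Z_]+', chunk):
            problems.append(f'malformed element between dollar signs: {chunk!r}')
    return problems


def parse_event(line, template=MESSAGE_TEMPLATE):
    """Split the custom-message part of a forwarded event into {element: value}.

    Everything before the first '|' (the syslog header) is ignored. The template
    starts with '|', so the first split field is empty and is dropped. A field
    count that does not match the template means the profile's message string is
    wrong or a value contained a '|', so the event is rejected rather than
    silently mapped to the wrong fields."""
    names = template_fields(template)
    body = line[line.index('|'):]
    values = body.split('|')[1:]
    if len(values) != len(names):
        raise ValueError(f'expected {len(names)} fields, got {len(values)}')
    event = dict(zip(names, values))
    # The template wraps the attack name in quotes; strip them from the value.
    event['IV_ATTACK_NAME'] = event['IV_ATTACK_NAME'].strip('"')
    return event


if __name__ == '__main__':
    print('template problems:', check_template(MESSAGE_TEMPLATE) or 'none')
    for name, value in parse_event(SAMPLE_EVENT).items():
        print(f'{name:24} {value}')
```

Running check_template on the string you are about to paste into the Message field catches the single-line and dollar-sign mistakes the note warns about before any events are sent; the strict field-count check in parse_event is what you would want in any downstream parser, because a template that lost one element still produces events, just with every later value under the wrong name.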
What to do next
Administrators can log in to the QRadar Console and verify that the log source is created on
the QRadar Console and that the Log Activity tab displays events from the McAfee Network
Security Platform appliance.