Configuring alert events for McAfee Network Security Platform 8.x - 10.x

To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder on the Manager to send events to IBM QRadar.

Before you begin

To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.

Procedure

  1. Log in to the McAfee Network Security Platform Manager user interface.
  2. Click the Manager tab.
  3. From the navigation menu, select Setup > Notification > IPS Events > Syslog.
  4. In the Enable Syslog Notification pane, select Yes.
  5. Click Save.
  6. On the Syslog page, click New. If you are using version 10.x, click the + sign.
  7. On the Add a Syslog Notification Profile page, configure the following parameters:
    Table 1. McAfee Network Security Platform 8.x - 10.x syslog notification profile parameters

    Parameter

    Description

    Admin Domain

    Select any of the following options:

    • Current - Send syslog notifications for alerts in the current domain. This option is selected by default.
    • Children - Include alerts for all child domains within the current domain. (Not applicable to NTBA)
    Notification Profile Name

    A name that identifies this notification profile.

    Target Server
    Add a server profile:
    1. Click Add.
    2. Type the target server profile name.
    3. Type the IP address of your QRadar Console or Event Collector.
    4. From the Protocol list, select UDP.
    5. Type 514 in the Port field.
    6. Click Save.

    Facility

    Select a syslog facility value from the list.

    Severity Mapping

    Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity.

    • Emergency - The system is down or unusable.
    • Alert - The system requires immediate user input or intervention.
    • Critical - The system should be corrected for a critical condition.
    • Error - The system has non-urgent failures.
    • Warning - The system has a warning message that indicates an imminent error.
    • Notice - The system has notifications, no immediate action required.
    • Informational - Normal operating messages.
    • Debug - Debug level messages.
    Notify for All Alerts

    Enable this option.

    Notify on Quarantine Events

    Disable this option.

    Message

    To ensure that alert notifications are formatted correctly, type the following message string:

    |$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$
    Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly.

    You might require a text editor to properly format the custom message string as a single line.

  8. Click Save.
    The new notification profile displays on the Syslog page. As alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified. The log source is automatically discovered in QRadar after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.

What to do next

Administrators can log in to the QRadar Console and verify that the log source is created on the QRadar Console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.
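Before waiting for autodiscovery, it is worth confirming that the custom message string is well formed and that what arrives at the collector splits back into the 17 elements the profile defines. The following script is an added example and is not McAfee or IBM code: it checks the template for the missing-dollar-sign mistake the note above warns about, renders a constructed sample alert through the template, parses a received line back into named fields (rejecting lines whose field count does not match), computes the RFC 3164 PRI from the profile's facility and mapped severity, and can send one test datagram to UDP port 514. The sample alert values, the default facility of local0 (16) and the hostname "nsp-manager" are assumptions for illustration; the exact syslog header the Manager emits is not shown on this page.

```python
"""Check, render and parse the McAfee NSP custom syslog message configured above."""
import re
import socket
from datetime import datetime, timezone

# Custom message string from the notification profile (as given on this page).
NSP_TEMPLATE = (
    '|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|'
    "$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|"
    "$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|"
    "$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|"
    "$IV_DIRECTION$|$IV_SUB_CATEGORY$"
)

# Severities in the order the Severity Mapping list presents them; the list
# index is the RFC 3164 numeric code (Emergency = 0 ... Debug = 7).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]

ELEMENT_RE = re.compile(r"\$(IV_[A-Z_]+)\$")  # one $...$-delimited alert element
FIELD_RE = re.compile(r'\|("[^"]*"|[^|]*)')   # one pipe-led field, quotes allowed


def check_template(template):
    """Return the element names in order, or raise ValueError when the string
    spans lines or an element is not wrapped in a matching pair of $ signs."""
    if "\r" in template or "\n" in template:
        raise ValueError("message string must be a single line")
    names = ELEMENT_RE.findall(template)
    if "$" in ELEMENT_RE.sub("", template):      # a $ left over = unmatched element
        raise ValueError("an alert element is missing its opening or closing $")
    return names


def template_is_valid(template):
    try:
        check_template(template)
        return True
    except ValueError:
        return False


def render_event(template, values):
    """Substitute values for the elements, as the Manager does when it emits an alert."""
    names = check_template(template)
    missing = [n for n in names if n not in values]
    if missing:
        raise KeyError("no value for " + ", ".join(missing))
    return ELEMENT_RE.sub(lambda m: str(values[m.group(1)]), template)


def parse_event(message, template=NSP_TEMPLATE):
    """Map a received message back onto the template's element names; raise
    ValueError when the field count differs, which is how a broken template
    or a mismatched profile shows up on the wire."""
    names = check_template(template)
    if not message.startswith("|"):
        raise ValueError("message does not start with the leading pipe")
    fields = FIELD_RE.findall(message)
    if len(fields) != len(names):
        raise ValueError("expected %d fields, got %d" % (len(names), len(fields)))
    parsed = dict(zip(names, fields))
    # The attack name is quoted in the template because it may contain spaces
    # or a pipe; drop the quotes once the field boundaries are known.
    parsed["IV_ATTACK_NAME"] = parsed["IV_ATTACK_NAME"].strip('"')
    return parsed


def syslog_pri(facility, severity):
    """RFC 3164 PRI = facility * 8 + severity, e.g. local0 (16) + Warning (4) = 132."""
    return facility * 8 + SEVERITIES.index(severity.lower())


def build_datagram(message, facility=16, severity="warning", hostname="nsp-manager"):
    """Wrap the rendered message in a BSD syslog header (assumed header layout)."""
    timestamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s" % (syslog_pri(facility, severity), timestamp, hostname, message)


def send_datagram(datagram, host, port=514):
    """Send one UDP syslog datagram to the QRadar Console or Event Collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram.encode("utf-8"), (host, port))


# Constructed sample alert for illustration (not captured from a real sensor).
SAMPLE_ALERT = {
    "IV_ALERT_ID": "6012345678901234567", "IV_ALERT_TYPE": "Signature",
    "IV_ATTACK_TIME": "2024-05-01 12:00:00", "IV_ATTACK_NAME": "HTTP: SQL Injection Attempt",
    "IV_ATTACK_ID": "0x40200C00", "IV_ATTACK_SEVERITY": "High",
    "IV_ATTACK_SIGNATURE": "sql-union-select", "IV_ATTACK_CONFIDENCE": "High",
    "IV_ADMIN_DOMAIN": "My Company", "IV_SENSOR_NAME": "sensor-01",
    "IV_INTERFACE": "1A-1B", "IV_SOURCE_IP": "203.0.113.10", "IV_SOURCE_PORT": "51234",
    "IV_DESTINATION_IP": "198.51.100.20", "IV_DESTINATION_PORT": "443",
    "IV_DIRECTION": "Inbound", "IV_SUB_CATEGORY": "Web Application",
}

if __name__ == "__main__":
    import sys
    message = render_event(NSP_TEMPLATE, SAMPLE_ALERT)
    print(parse_event(message))
    if len(sys.argv) > 1:          # python3 nsp_syslog.py <qradar-ip> sends one event
        send_datagram(build_datagram(message), sys.argv[1])
```

Run it with no arguments to see the rendered message split back into its 17 fields; pass the collector's IP address to emit one test datagram on UDP port 514. Because UDP syslog is cleartext, unauthenticated and silently lossy, the field-count check in parse_event is the cheap on-arrival test that the profile is still intact, and the collector should accept port 514 only from the Manager's address.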