To integrate fault notifications with McAfee Network Security Platform, you must
configure your McAfee Network Security Platform to forward fault notification events.
Procedure
- Log in to the McAfee Network Security Platform Manager user interface.
- On the Network Security Manager dashboard, click Configure.
- Expand the Resource Tree, and then click the IPS Settings node.
- Click the Fault Notification tab.
- From the Alert Notification menu, click the Syslog tab.
- Configure the following parameters to forward fault notification events:
Table 1. McAfee Network Security Platform 6.x - 7.x fault notification parameters

| Parameter | Description |
| --- | --- |
| Enable Syslog Notification | Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to QRadar. |
| Admin Domain | Select any of the following options: Current - select this check box to send syslog notifications for alerts in the current domain (selected by default); Children - select this check box to send syslog notifications for alerts in any child domains within the current domain. |
| Server Name or IP Address | Type the IP address of your QRadar Console or Event Collector. This field supports both IPv4 and IPv6 addresses. |
| Port | Type 514 as the port for syslog events. |
| Facilities | Select a syslog facility value. |
| Severity Mapping | Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity. The options include the following levels: Emergency - the system is down or unusable; Alert - the system requires immediate user input or intervention; Critical - the system should be corrected for a critical condition; Error - the system has non-urgent failures; Warning - the system has a warning message that indicates an imminent error; Notice - the system has notifications, no immediate action required; Informational - normal operating messages. |
| Forward Faults with severity level | Select Informational and later. |
- From the Message Preference field, click Edit to add a custom message filter.
- To ensure that fault notifications are formatted correctly, type the following message string:
  |%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|
  Note: The custom message string must be entered as a single line with no carriage returns. McAfee Network Security Platform expects the format of the custom message syslog information to contain a dollar sign ($) delimiter before and after each element. If you are missing a dollar sign for an element, the event might not parse properly.
- Click Save.

As fault events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified.
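As an added check (example code, not from IBM or McAfee), the following Python validates a custom message string against the rules in the note above and parses forwarded fault lines the way the template lays them out, returning None for a malformed line. The syslog prefix and the fault names in the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# The custom message string from the procedure above (Message Preference > Edit).
EXPECTED_TEMPLATE = "|%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|"
HEADER = "|%INTRUSHIELD-FAULT|"
# A substitution element is well formed only as $NAME$: a dollar sign on both sides.
_ELEMENT = re.compile(r"\$([A-Z_]+)\$")


def check_template(template: str) -> List[str]:
    """Return the problems in a custom message string; an empty list means it is usable."""
    problems = []
    if "\r" in template or "\n" in template:
        problems.append("contains a carriage return or line break; the string must be one line")
    if template.count("$") % 2:
        problems.append("odd number of dollar signs: an element lacks its opening or closing $")
    if not template.startswith(HEADER):
        problems.append(f"does not start with the {HEADER} marker")
    found = _ELEMENT.findall(template)
    for required in ("IV_FAULT_NAME", "IV_FAULT_TIME"):
        if required not in found:
            problems.append(f"element ${required}$ is missing or not $-delimited")
    return problems


def parse_fault_event(message: str) -> Optional[Dict[str, str]]:
    """Split a pipe-delimited fault message into its fields; None if the layout is broken."""
    fields = message.split("|")
    # Leading and trailing pipes give empty first and last fields: five fields in total.
    if len(fields) != 5 or fields[0] or fields[-1] or fields[1] != "%INTRUSHIELD-FAULT":
        return None
    name, time = fields[2], fields[3]
    if not name or not time:
        return None
    return {"fault_name": name, "fault_time": time}


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    """Find the fault message after the syslog PRI/timestamp/host prefix and parse it."""
    start = line.find(HEADER)
    return parse_fault_event(line[start:].rstrip("\r\n")) if start >= 0 else None


# Constructed sample lines, not captured from a real appliance: the first follows the
# template; the second has lost its time field, so it does not parse.
SAMPLE_LINES = [
    "<13>Jan 10 10:22:13 nsm-manager |%INTRUSHIELD-FAULT|Sensor Link Down|2024-01-10 10:22:10|",
    "<13>Jan 10 10:23:01 nsm-manager |%INTRUSHIELD-FAULT|Sensor Link Down|",
]
PARSED = [parse_syslog_line(line) for line in SAMPLE_LINES]  # [dict, None]
```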
What to do next
You can log in to the QRadar Console and verify that the Log Activity tab contains fault events from the McAfee Network Security Platform appliance.