Configuring fault notification events for McAfee Network Security Platform 6.x - 7.x

To integrate fault notifications with McAfee Network Security Platform, you must configure your McAfee Network Security Platform to forward fault notification events.

Procedure

  1. Log in to the McAfee Network Security Platform Manager user interface.
  2. On the Network Security Manager dashboard, click Configure.
  3. Expand the Resource Tree, and then click IPS Settings node.
  4. Click the Fault Notification tab.
  5. From the Alert Notification menu, click the Syslog tab.
  6. Configure the following parameters to forward fault notification events:
    Table 1. McAfee Network Security Platform 6.x - 7.x fault notification parameters

    Parameter

    Description

    Enable Syslog Notification

    Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to QRadar.

    Admin Domain

    Select any of the following options:

    • Current - Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
    • Children - Select this check box to send syslog notifications for alerts in any child domains within the current domain.
    Server Name or IP Address

    Type the IP address of your QRadar Console or Event Collector. This field supports both IPv4 and IPv6 addresses.

    Port

    Type 514 as the port for syslog events.

    Facilities

    Select a syslog facility value.

    Severity Mapping

    Select a value to map the informational, low, medium, and high alert notification level to a syslog severity.

    The options include the following levels:

    • Emergency - The system is down or unusable.
    • Alert - The system requires immediate user input or intervention.
    • Critical - The system should be corrected for a critical condition.
    • Error - The system has non-urgent failures.
    • Warning - The system has a warning message that indicates an imminent error.
    • Notice - The system has notifications, no immediate action required.
    • Informational - Normal operating messages.
    Forward Faults with severity level

    Select Informational and later.

  7. From the Message Preference field, click Edit to add a custom message filter.
  8. To ensure that fault notifications are formatted correctly, type the following message string:

    |%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|

    Note: The custom message string must be entered as a single line with no carriage returns. McAfee Network Security Platform expects the format of the custom message syslog information to contain a dollar sign ($) delimiter before and after each element. If you are missing a dollar sign for an element, the event might not parse properly.
  9. Click Save.
    As fault events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified.

What to do next

You can log in to the QRadar Console and verify that the Log Activity tab contains fault events from the McAfee Network Security Platform appliance.