13.07.2015

SIEM Collector 10.0 ePO Extension Release Notes - McAfee

SIEM Collector ePO Extension Readme

Requirements
• ePO 4.6
• McAfee Agent 4.6
• .NET Framework 3.5 on the endpoints

Installation
To deploy and manage the SIEM Collector from ePO, two zip files must be uploaded into ePO. The first is the software package that is used to deploy the software to the endpoints. The second is the extension, which provides the ability to manage the policy on the SIEM Collector.

Software Package
To install the software package into ePO, click the “Menu” button in the upper left hand side of the screen, then select “Software”, then “Master Repository”. From the Master Repository screen click the “Check In Package” button at the bottom of the screen. Browse to the software package zip file, then click “Next”. Finally, choose the branch to put the software package in and click “Save”.

ePO Extension
To install the ePO extension into ePO, click the “Menu” button in the upper left hand side of the screen. Then select “Software”, then “Extensions”. From the Extensions screen click the “Install Extension” button at the bottom of the screen. Browse to the ePO Extension zip file, then click “Next”, then click “OK”.

SIEM Collector Deployment
To deploy the SIEM Collector using ePO you must first create a client task, and then assign the client task to the desired endpoints. To create the client task, click the “Menu” button in the upper left hand side of the screen. Then select “Policy”, then “Client Task Catalog”. In the “Client Task Types” pane select “McAfee Agent”, then select “Product Deployment”. Click “New Task” at the bottom of the screen. Select “Product Deployment” as the task type, then click “OK”. Give the task a name. You may also give the task a description if desired. Leave “Windows” selected as the target platform. In the “Products and Components” section select “SIEM Collector”. Then select “Install” as the action and click “Save”.

To assign the newly created task to endpoints, click the “Menu” button in the upper left hand side of the screen. Then select “Systems”, then “System Tree”. In the “System Tree” on the left hand side of the screen choose the group of endpoints that you want to deploy the SIEM Collector to. Once that is selected, choose “Assigned Client Tasks” from the tabs above the list of endpoints. Click “Actions” at the bottom of the screen and select “New Client Task Assignment”. For the Product select “McAfee Agent”, then select “Product Deployment” for the Task Type, then select the name of the task that you just created, then click “Next”. Set up the type of schedule that you want to use for deploying the SIEM Collector and click “Next”. Review your settings and click “Save”. The SIEM Collector will now be deployed to all endpoints in the selected group according to your schedule.

McAfee SIEM Collector ePO Extension Readme, Release 10.0. McAfee, Inc. © 2013. All Rights Reserved.

SIEM Collector Policy
How you choose to manage policy on your network through ePO can be very simple or very complex and is outside the scope of this document. We will simply provide explanations of the available options in the SIEM Collector Policy.

Receiver Tab
• Receiver IP: The IP address of the receiver that you are sending events to from the endpoints.
• Receiver Port: The MEF port that the receiver is configured to listen on.
• Encryption: Should traffic between endpoints and the receiver be encrypted?
• Log Level: Default is Error; can be raised for debugging purposes.
• Generate Host IDs: This is most generally used where the endpoints use DHCP to get IP addresses. The data sources must be set up on the receiver to use host IDs instead of IP addresses. (The DHCP range should be set on the receiver to allow the events through the receiver firewall.)

Windows Events Tab
• Collect Windows Events: Should Windows Events be collected from the endpoints?
• Configuration Name: Provide a name for the configuration (this is used in the host ID if you have selected the “Generate Host IDs” checkbox on the “Receiver” tab).
• Windows Logs: Comma-separated list of log group names.
• WEF Events: Select this checkbox if your log groups contain forwarded events and you want those events to be divided out to different data sources on the receiver. The forwarded events will be sent to the receiver with the host ID being the hostname of the originating Windows machine.

File Tail Tab
You can set up 0 to many File Tail configurations for each endpoint.
• Configuration Name: Provide a name for the configuration (this is used in the host ID if you have selected the “Generate Host IDs” checkbox on the “Receiver” tab).
• Log Directory: The directory that contains the files to collect events from.
• Log File: The name of the file(s) to collect events from. Wildcard expressions may be used.
• Tail Mode: “End of File” will start with the current state of the file(s) and collect any new events. “Beginning of File” will start at the beginning of the file(s) and collect all events, then continue with any new events.
• Multi-Line Events: Are the events multi-line?
• Max Lines Per Event: The number of lines that an event can be.
• Event Delimiter: Provide a delimiter for multi-line events.
• Event Delimiter is a Regex: Is the event delimiter a regex?
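The File Tail options (Tail Mode, Multi-Line Events, Max Lines Per Event, Event Delimiter, Event Delimiter is a Regex) interact in ways the readme does not spell out, and getting them wrong silently splits or merges events before they reach the receiver. The following Python is an added illustration written for this page, not McAfee's code; it assumes that a line matching the delimiter begins a new event and that the line cap force-closes an event, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class FileTailConfig:
    """Options from the File Tail tab; field names are this example's own."""
    tail_mode: str = "End of File"      # or "Beginning of File"
    multi_line: bool = False
    max_lines_per_event: int = 1
    event_delimiter: str = ""
    delimiter_is_regex: bool = False

def starts_event(line: str, cfg: FileTailConfig) -> bool:
    """Assumed semantics: a line matching the delimiter begins a new event."""
    if cfg.delimiter_is_regex:
        return re.match(cfg.event_delimiter, line) is not None
    return line.startswith(cfg.event_delimiter)

def split_events(lines: List[str], cfg: FileTailConfig) -> List[str]:
    """Group lines into events; an event closes at the next delimiter or at the line cap."""
    if not cfg.multi_line:
        return list(lines)          # one line, one event
    events, current = [], []
    for line in lines:
        if current and (starts_event(line, cfg) or len(current) >= cfg.max_lines_per_event):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def collect(existing: List[str], appended: List[str], cfg: FileTailConfig) -> List[str]:
    """'End of File' ignores what was already in the file; 'Beginning of File' reads it all."""
    start = len(existing) if cfg.tail_mode == "End of File" else 0
    return split_events((existing + appended)[start:], cfg)

# Constructed sample log: one line present before tailing started, four appended afterwards.
EXISTING = ["2013-05-01 10:00:00 INFO service started"]
APPENDED = [
    "2013-05-01 10:00:01 ERROR request failed",
    "    at com.example.Handler.run(Handler.java:42)",
    "    at com.example.Main.main(Main.java:10)",
    "2013-05-01 10:00:02 WARN retrying",
]
TIMESTAMP = r"^\d{4}-\d{2}-\d{2} "    # regex delimiter: each event starts with a date
CFG_EOF = FileTailConfig("End of File", True, 10, TIMESTAMP, True)
CFG_BOF = FileTailConfig("Beginning of File", True, 10, TIMESTAMP, True)
CFG_CAP = FileTailConfig("End of File", True, 2, TIMESTAMP, True)   # cap too low: splits the trace
```

With CFG_EOF the stack trace arrives as one event and the pre-existing INFO line is never sent; CFG_BOF also sends the INFO line; CFG_CAP shows a Max Lines Per Event smaller than the longest event breaking the trace into fragments that no longer carry their timestamp.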
