Configuring the McAfee Windows Event Collector Management Utility
(The utility can also transmit other, non-Windows log files from a client.)

Utility Install

1. Download the MFE Nitro Windows Agent (choose the latest version) from https://secure.mcafee.com/apps/downloads/my-products/component-productlist.aspx?region=us (an active Grant # with access to the SIEM software is required).
2. Run the Setup_x86_[version #].exe file on your Windows client, or use the WindowsEventCollectorInstaller_x86_[version #].msi to deploy via third-party tools.
3. Click I Agree to accept the license terms.
4. Define a custom install path or keep the default, and click Next.
5. Enter the IP address of the McAfee ERC (receiver) that should receive the logs, and adjust the MEF port if necessary (default 8081; note that you need to know this value, because the same port must be defined as a listening interface on your receiver). Choose the SSL option if event logs must be encrypted in transit; without it, events leave the client in cleartext on that port. Click Next.
6. Choose whether the utility should open after the install, and click Finish.

Configure Generic Log File Transmission

1. Click Start > Programs > McAfee > Event Collector Management Utility.
2. Highlight EventCollector and click the + in the top bar to add a new Event Collection Group (groups are used to group together multiple log types).
3. Provide the following for your group:
   - Name of Group: use a reasonably descriptive name for the purpose of this event collection group.
   - Account Used to Access Host Logs: this can be a general account defined at the default event collector level, or an account specific to this log file location. Prefer an account with no more than read access to the log location. When complete, click Validate Against Agent to test that the credentials work.
   - Debug Log Level: for a flat file this option does not matter, since the entire file is transferred; it is relevant when you are pulling actual logs from the Windows Event Viewer.
   Click Apply.
4. If you get a Correct Errors dialog box, either modify the configuration so that the connection succeeds, or click No until you resolve the issue and re-enable the group later.
5. Once the new group exists, highlight it and click the + option to add a host to the group.
6. Configure the Host Information:
   - Enter the Hostname/IP address of the host you are configuring.
   - Check the Host Enabled box (if the host is not live yet, come back and enable it once it is).
   - Choose the account with Access to Host (if different from the group settings above).
   - Choose the Log configuration (for a flat log file, choose Generic Log Tail, as seen below).
   - Give the configuration a name (a descriptive name of your choice).
   - Enter the Data Source IP of where the logs are located.
   - Enter the full directory path to the logs (either a local directory or a full UNC path for a remote directory).
   - Enter the log file name (a wildcard can be used, e.g. *.log for all files ending in .log).
   - Choose whether the agent tails from the beginning or the end of the file. Tailing from the beginning can go back in time if the file is only appended to; be careful if log files are not overwritten often, because going back in time puts a larger indexing load on the McAfee ESM DB.
   - If the log contains multi-line events, select the Multi-Line Events check box.
   - If the log contains multi-line events, you must choose the delimiter for the file read.
   - If the delimiter you defined is a regex value, you must also check the Regex box.
   - If the events are multi-line and the number of lines per event is known, specify how many lines make up a single event.
7. Once everything is defined, click the Service option on the top menu bar and choose to start the agent service.
8. Ensure that all groups, and the hosts within them, for which you want collection are set to Enabled; you should then see Service Started in the bottom left corner of the screen.
9. You have now completed the configuration of a Generic Log.
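The Generic Log Tail settings from step 6 (directory, file name wildcard, tail from beginning or end, Multi-Line Events, delimiter, Regex box, lines per event) can be rehearsed offline before the agent service is started. The Python script below is an added example, not McAfee code and not the agent's own logic; it reproduces the behaviour those settings describe under one stated assumption: a line that matches the delimiter is treated as the start of a new event. The log content, the timestamp regex and the file name app.log are constructed for the example.

```python
"""Offline stand-in for a 'Generic Log Tail' host entry (example code, not McAfee's).

Assumption: a line matching the delimiter STARTS a new event. The real agent's
delimiter semantics are not documented on this page.
"""
import glob
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class TailConfig:
    directory: str                    # local path or UNC path, as in the utility
    file_pattern: str = "*.log"       # wildcard allowed, e.g. *.log
    from_beginning: bool = False      # False = tail from the end of the file
    multi_line: bool = False          # the Multi-Line Events check box
    delimiter: str = ""               # delimiter for the file read
    delimiter_is_regex: bool = False  # the Regex check box
    lines_per_event: int = 0          # fixed line count if known, 0 = use delimiter


def compile_delimiter(cfg):
    """Compile the delimiter, escaping it unless the Regex box is checked.
    A bad regex raises re.error here, i.e. before the agent would choke on it."""
    if not cfg.delimiter:
        raise ValueError("multi-line events need a delimiter")
    return re.compile(cfg.delimiter if cfg.delimiter_is_regex else re.escape(cfg.delimiter))


def split_events(lines, cfg):
    """Group raw lines into events according to the multi-line settings."""
    if not cfg.multi_line:
        return [line for line in lines if line.strip()]
    if cfg.lines_per_event > 0:       # known, fixed number of lines per event
        n = cfg.lines_per_event
        return ["\n".join(lines[i:i + n]) for i in range(0, len(lines), n)]
    starts = compile_delimiter(cfg)
    events, current = [], []
    for line in lines:
        if starts.match(line) and current:   # delimiter line opens the next event
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def matching_files(cfg):
    return sorted(glob.glob(os.path.join(cfg.directory, cfg.file_pattern)))


def initial_offsets(cfg):
    """Byte offset the agent starts from: 0 (beginning) or current size (end)."""
    return {p: 0 if cfg.from_beginning else os.path.getsize(p) for p in matching_files(cfg)}


def read_new_events(cfg, offsets):
    """Read what was appended since the stored offsets and advance them.
    Files that appear after start are read from 0 (assumption)."""
    events = []
    for path in matching_files(cfg):
        with open(path, "rb") as f:
            f.seek(offsets.get(path, 0))
            raw = f.readlines()
            offsets[path] = f.tell()
        lines = [r.decode("utf-8", errors="replace").rstrip("\r\n") for r in raw]
        events.extend(split_events(lines, cfg))
    return events


# Constructed sample: timestamp-led lines, one of them followed by a stack trace.
TIMESTAMP_RE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
SAMPLE_LOG = (
    "2024-03-01 10:00:01 INFO  user alice logged in\n"
    "2024-03-01 10:00:05 ERROR request failed\n"
    "    at com.example.Handler.run(Handler.java:42)\n"
    "    at com.example.Main.main(Main.java:7)\n"
    "2024-03-01 10:00:09 WARN  disk 91% full\n"
)
APPENDED = "2024-03-01 10:01:00 INFO  user bob logged in\n"


def demo():
    """Compare 'tail from beginning' with 'tail from end' on the constructed log.
    Returns {position: (events read at start, events read after one append)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        for label, from_beginning in (("beginning", True), ("end", False)):
            with open(path, "w") as f:
                f.write(SAMPLE_LOG)
            cfg = TailConfig(directory=d, from_beginning=from_beginning, multi_line=True,
                             delimiter=TIMESTAMP_RE, delimiter_is_regex=True)
            offsets = initial_offsets(cfg)            # the "Start agent service" moment
            backlog = read_new_events(cfg, offsets)   # history ESM would have to index
            with open(path, "a") as f:                # the application keeps writing
                f.write(APPENDED)
            fresh = read_new_events(cfg, offsets)
            results[label] = (len(backlog), len(fresh))
    return results


if __name__ == "__main__":
    print(demo())   # {'beginning': (3, 1), 'end': (0, 1)}
```

Running it shows why the warning in step 6 matters: tailing from the beginning delivers the 3 historical events (all of which ESM would index) before the one appended line, while tailing from the end delivers only the appended event. It is also a quick way to confirm that a regex delimiter compiles and splits stack traces where you expect before the utility applies it to a live host.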