McAfee ePolicy Orchestrator

McAfee ePolicy Orchestrator (McAfee ePO) software centralizes and streamlines management of endpoint, network, data security, and compliance solutions. This integration allows you to send McAfee ePolicy Orchestrator logs to your Logz.io SIEM account.

Before you begin, you'll need:

Filebeat
Root access

Configure McAfee ePO server to forward logs to Filebeat

You'll need to configure McAfee ePO server to forward logs to Filebeat over port 6514.

For more information, see Register syslog servers from McAfee.

Install the McAfee certificate on your Filebeat server

McAfee ePO sends encrypted data, so you'll need to install the McAfee certificate on the Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/McAfeeEpo.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/McafeeEpo.crt

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Add TCP traffic as an input

In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add TCP to the filebeat.inputs section.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

note

Filebeat requires a file extension specified for the log input.

# ...
filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  host: "0.0.0.0:6514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/McAfeeEpo.crt"
  ssl.key: "/etc/filebeat/certificates/McAfeeEpo.key"
  ssl.verification_mode: none

  fields:
    logzio_codec: plain

    # Your Logz.io account token. You can find your token at
    #  https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<LOG-SHIPPING-TOKEN>>
    type: mcafee_epo
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h

If you're running Filebeat 7, paste this code block. Otherwise, you can leave it out.

# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true

If you're running Filebeat 6, paste this code block.

# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry

Set Logz.io as the output

If Logz.io is not an output, add it now. Remove all other outputs.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.

Configure McAfee ePO server to forward logs to Filebeat​

Install the McAfee certificate on your Filebeat server​

Download the Logz.io public certificate to your credentials server​

Add TCP traffic as an input​

Set Logz.io as the output​

Start Filebeat​

Check Logz.io for your logs​