av.mcafee

  • Events generated by the McAfee ePO console are stored in the ePO SQL Server database, in a table named EPOEventsMT or EPOEvents depending on the version (the statement below reads dbo.EPOEventsMT; adjust the name if your schema differs).
  • These events have to be extracted from the database and sent to Devo.
  • You can run Logstash inside the In-house Relay and configure it to read the database via JDBC and forward the events in syslog format to the relay on port 13000.
  • The events must be tagged with av.mcafee.epo.events, which is the generic tag for this technology.
Logstash stores the autoid of the last record it read in a file (last_run_metadata_path in the configuration below), so each scheduled run of the query retrieves only the records newer than that value and sends them to Devo.

Requirements for SQL Server DB

  • A SQL Server login with read-only access to the ePO database (e.g. membership in db_datareader) for the Logstash configuration. Use a dedicated account: its password is stored in clear text in the Logstash configuration file.
  • A function that converts the SourceIPV4/TargetIPV4 columns from the signed int ePO stores into a dotted-quad varchar IP address (e.g. 127.0.0.1). ePO stores an IPv4 address as the unsigned 32-bit value minus 2147483648, so the function adds that offset back before splitting the octets. If there is none out of the box, you can create one; the Logstash login also needs EXECUTE on it (GRANT EXECUTE ON dbo.IntegerToIPAddress TO <username>), since db_datareader does not cover scalar functions:

    CREATE FUNCTION [dbo].[IntegerToIPAddress] (@ipin int)
    RETURNS VARCHAR(15)   -- VARCHAR, not CHAR(15): CHAR pads short addresses with trailing spaces that end up in the syslog line
    AS
    BEGIN
    declare @o1 bigint, @o2 bigint, @o3 bigint, @o4 bigint;
    declare @ip bigint;
    -- Undo the ePO offset: signed int + 2^31 gives the unsigned 32-bit address (0..4294967295)
    set @ip = (CAST(@ipin as bigint) + 2147483647) + 1;
    -- Peel off the four octets, most significant first
    SET @o1 = @ip / 16777216;   -- 2^24
    SET @ip = @ip % 16777216;
    SET @o2 = @ip / 65536;      -- 2^16
    SET @ip = @ip % 65536;
    SET @o3 = @ip / 256;
    SET @ip = @ip % 256;
    SET @o4 = @ip;
    -- A NULL input propagates through the arithmetic and returns NULL
    RETURN
    CONVERT(VARCHAR(4), @o1) + '.' +
    CONVERT(VARCHAR(4), @o2) + '.' +
    CONVERT(VARCHAR(4), @o3) + '.' +
    CONVERT(VARCHAR(4), @o4)
    END
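As an added check (not part of the original page or of ePO), the following Python reproduces the conversion the T-SQL function performs and its inverse, so you can compute the stored value for a known address and compare it with what dbo.IntegerToIPAddress returns on the database. The sample values are constructed, and the function names are assumptions.

```python
# Python reproduction of the T-SQL IntegerToIPAddress function and its inverse.
# Added example, not code from the page or from McAfee ePO.

IPV4_OFFSET = 2**31  # the "magic epo conversion size": 2147483647 + 1


def epo_int_to_ip(value: int) -> str:
    """Convert an ePO signed 32-bit SourceIPV4/TargetIPV4 value to a dotted quad.

    Mirrors the T-SQL function step by step: shift the signed value into the
    unsigned range, then peel off the four octets by integer division.
    """
    if not -2**31 <= value <= 2**31 - 1:
        raise ValueError(f"not a signed 32-bit value: {value}")
    ip = value + IPV4_OFFSET          # 0 .. 4294967295
    o1, ip = divmod(ip, 16777216)     # 2**24
    o2, ip = divmod(ip, 65536)        # 2**16
    o3, o4 = divmod(ip, 256)
    return f"{o1}.{o2}.{o3}.{o4}"


def ip_to_epo_int(ip: str) -> int:
    """Inverse: dotted quad -> the signed int ePO stores for it."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    unsigned = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return unsigned - IPV4_OFFSET


# Constructed sample values (not taken from a real ePO database).
SAMPLE_VALUES = {
    -1979711487: "10.0.0.1",        # private address: stored as a negative int
    1084752129: "192.168.1.1",      # first octet >= 128: stored as a positive int
    -2147483648: "0.0.0.0",         # smallest signed int -> all zero
    2147483647: "255.255.255.255",  # largest signed int -> broadcast
}


def check_samples() -> bool:
    """True if every sample decodes as expected and round-trips through the inverse."""
    return all(
        epo_int_to_ip(value) == ip and ip_to_epo_int(ip) == value
        for value, ip in SAMPLE_VALUES.items()
    )


if __name__ == "__main__":
    for value, ip in SAMPLE_VALUES.items():
        print(f"{value:>12} -> {epo_int_to_ip(value)}")
    print("all samples ok:", check_samples())
```

To validate the database function, run SELECT dbo.IntegerToIPAddress(-1979711487) on the ePO database and compare it with the Python output for the same value (10.0.0.1); a mismatch or trailing spaces in the result means the function or its return type differs from the one above.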

Steps to install and configure Logstash in the In-house Relay

1. Install Logstash 2.4 in the In-house Relay

  • Logstash 2.4 requires Java 7 or later.
  • Follow the installation steps in the Logstash 2.4 installation documentation (package installation for your distribution).
  • Relevant folders and paths, as used by the Logstash service scripts:

    LS_HOME=/var/lib/logstash
    LS_LOG_DIR=/var/log/logstash
    LS_CONF_DIR=/etc/logstash/conf.d
    program=/opt/logstash/bin/logstash

2. Install the Logstash SYSLOG output plugin

# /opt/logstash/bin/logstash-plugin install logstash-output-syslog

  • The configuration below also needs the jdbc input plugin. If logstash-input-jdbc does not appear in the output of /opt/logstash/bin/logstash-plugin list, install it the same way (logstash-plugin install logstash-input-jdbc).

3. Install the Microsoft JDBC driver for SQL Server (version 4.1)

  • Download the ZIP file of the Microsoft JDBC Driver 4.1 for SQL Server.
  • Copy the ZIP to the In-house Relay.
  • Decompress it into /var/lib/logstash, so that the driver JAR ends up at /var/lib/logstash/sqljdbc_4.1/enu/sqljdbc41.jar, the path referenced by jdbc_driver_library in the configuration below.

4. Create a Logstash configuration file

  • Create the config file in /etc/logstash/conf.d (e.g. /etc/logstash/conf.d/epo-viaRelay.conf).
  • The parameters to be updated are marked with <PARAM>.
  • The file contains the database password in clear text: make it readable only by the user Logstash runs as (chmod 600, owned by the logstash user).

    input {
        jdbc {
            # Driver JAR extracted in step 3
            jdbc_driver_library => "/var/lib/logstash/sqljdbc_4.1/enu/sqljdbc41.jar"
            jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
            # EPOSERVER is the SQL Server instance name the ePO installer creates by default;
            # <EPO_DB_NAME> is the name of the ePO database, not of the instance
            jdbc_connection_string => "jdbc:sqlserver://<IP_SERVER_EPO>\EPOSERVER:<PORT>;databaseName=<EPO_DB_NAME>"
            jdbc_user => "<username>"
            jdbc_password => "<password>"
            schedule => "* * * * *"   # run the statement every minute
            # Remember the autoid of the last row sent, so each run only fetches newer rows
            use_column_value => true
            tracking_column => "autoid"
            last_run_metadata_path => "/var/lib/logstash/.logstash_jdbc_last_run"
            # The plugin lowercases column names, hence %{autoguid}, %{serverid}, ... in the codec below.
            # ORDER BY autoid is required: the tracking value is taken from the last row returned,
            # so without it a run can record a value lower than the highest autoid it sent and
            # resend those events on the next run.
            statement => "select autoid,AutoGUID,ServerID,CONVERT(varchar(24),DetectedUTC,120) as detectedUTC,dbo.IntegerToIPAddress(SourceIPV4) as SourceIP,dbo.IntegerToIPAddress(TargetIPV4) as TargetIP,TargetUserName,TargetFileName,SourceHostName,TargetHostName,ThreatCategory,ThreatEventID,ThreatSeverity,ThreatName,ThreatActionTaken,ThreatHandled from dbo.EPOEventsMT where autoid > :sql_last_value order by autoid"
        }
    }
    # filter {
    #
    # }

    output {
        syslog {
            facility => "local7"
            severity => "informational"
            # The In-house Relay listens on localhost:13000 for these events
            host => "localhost"
            port => 13000
            sourcehost => "<NAME_SERVER_EPO>"
            # The appname becomes the Devo tag
            appname => "av.mcafee.epo.events"
            protocol => "tcp"
            # One comma-separated record per event. Values are not quoted, so a comma inside a
            # field (e.g. ThreatName or TargetFileName) shifts every column after it.
            codec => line {
                format => "mcafeeEPO,%{autoid},%{autoguid},%{serverid},%{detectedutc},%{sourceip},%{targetip},%{targetusername},%{targetfilename},%{sourcehostname},%{targethostname},%{threatcategory},%{threateventid},%{threatseverity},%{threatname},%{threatactiontaken},%{threathandled}"
            }
        }
    }

5. Configure Logstash to start at boot time as a service

  • See the Logstash 2.4 documentation on running Logstash as a service for the steps to follow.
  • Execute the following command:

    # update-rc.d -f logstash defaults 50

6. Test the configuration and start the Logstash service

  • Validate the configuration file before starting the service:

# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/epo-viaRelay.conf --configtest

  • Start the service:

# /etc/init.d/logstash start

  • Errors such as a missing driver JAR, a failed database login or an unreachable port 13000 are written to /var/log/logstash/logstash.log. After the first successful run, /var/lib/logstash/.logstash_jdbc_last_run holds the last autoid sent; delete it only if you intend to resend the whole table.

Now you can check that the events are being stored in Devo.

  • Log into the Devo web application and go to the account you are sending the events to.
  • Open the finder and go to the table av.mcafee.epo.events, where the events are sent.
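To see what the pipeline above does on each scheduled run without a database or a relay, here is an added Python model (not Logstash or Devo code) of the two pieces that matter for correctness: the incremental fetch driven by :sql_last_value, and the unquoted comma-separated record produced by the line codec. The rows are constructed and the helper names are assumptions; the poll function copies the plugin's behaviour of taking the tracking value from the last row of the result set, which is why the statement needs ORDER BY autoid.

```python
# Offline model of one pipeline cycle: select rows with autoid > :sql_last_value,
# render each as the "mcafeeEPO,..." record, and carry the autoid of the last row
# fetched into the next run. Added example; rows are constructed, not real ePO data.

FIELD_NAMES = [
    "autoid", "autoguid", "serverid", "detectedutc", "sourceip", "targetip",
    "targetusername", "targetfilename", "sourcehostname", "targethostname",
    "threatcategory", "threateventid", "threatseverity", "threatname",
    "threatactiontaken", "threathandled",
]
PREFIX = "mcafeeEPO"


def make_row(autoid, **overrides):
    """Constructed EPOEventsMT-style row with the columns the statement selects."""
    row = {
        "autoid": autoid, "autoguid": f"guid-{autoid}", "serverid": "EPOSERVER",
        "detectedutc": "2016-09-01 12:00:00", "sourceip": "10.0.0.1",
        "targetip": "10.0.0.2", "targetusername": "CORP\\alice",
        "targetfilename": "C:\\Temp\\eicar.com", "sourcehostname": "WS01",
        "targethostname": "WS01", "threatcategory": "av.detect",
        "threateventid": 1027, "threatseverity": 3, "threatname": "EICAR test file",
        "threatactiontaken": "deleted", "threathandled": 1,
    }
    row.update(overrides)
    return row


def render_line(row):
    """Render one row exactly as the line codec format string does (unquoted CSV)."""
    return ",".join([PREFIX] + [str(row[name]) for name in FIELD_NAMES])


def parse_line(line):
    """Parse a rendered line back into a dict; raise ValueError if the field count is
    off, which is what a comma inside ThreatName or TargetFileName causes."""
    parts = line.split(",")
    if parts[0] != PREFIX or len(parts) != len(FIELD_NAMES) + 1:
        raise ValueError(f"expected {len(FIELD_NAMES) + 1} fields, got {len(parts)}")
    return dict(zip(FIELD_NAMES, parts[1:]))


def line_is_well_formed(row):
    """True if the row survives render -> parse with every column in place."""
    try:
        return parse_line(render_line(row))["autoid"] == str(row["autoid"])
    except ValueError:
        return False


def poll(table, sql_last_value, order_by_autoid=True):
    """One scheduled run: returns (lines, new_sql_last_value). Like the jdbc input,
    the tracking value is taken from the LAST row of the result set, so without an
    ORDER BY it depends on the order the server happened to return the rows."""
    rows = [r for r in table if r["autoid"] > sql_last_value]
    if order_by_autoid:
        rows.sort(key=lambda r: r["autoid"])
    lines = [render_line(r) for r in rows]
    new_last = rows[-1]["autoid"] if rows else sql_last_value
    return lines, new_last


# Rows in the order the server happened to return them without ORDER BY: 1, 3, 2.
TABLE = [make_row(1), make_row(3), make_row(2)]


def lines_sent_over_two_runs(order_by_autoid):
    """Run the schedule twice from sql_last_value 0 and count the lines sent to Devo.
    3 means every event went exactly once; more means duplicates were re-sent."""
    first, last = poll(TABLE, 0, order_by_autoid)
    second, _ = poll(TABLE, last, order_by_autoid)
    return len(first) + len(second)


if __name__ == "__main__":
    print("lines with ORDER BY autoid:   ", lines_sent_over_two_runs(True))
    print("lines without ORDER BY autoid:", lines_sent_over_two_runs(False))
    print(render_line(make_row(1)))
    print("comma in file name keeps columns aligned:",
          line_is_well_formed(make_row(4, targetfilename="C:\\a,b.exe")))
```

The same parser can be pointed at a few lines captured on the relay (or at the raw events in the av.mcafee.epo.events table) to spot records whose columns have shifted; if your ePO data contains commas in file names or threat names, add a Logstash filter that strips or replaces them before the codec runs.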
