McAfee Epo


Vincent Teo

Mar 10, 2022, 5:37:36 AM
to Wazuh mailing list
Hi Wazuh Professional Support,

I would like to check with you whether Wazuh servers are able to collect McAfee ePO syslog. If possible, may I know how to configure it?

Regards,
Vincent Teo

Jonathan Martín Valera

Mar 10, 2022, 6:25:58 AM
to Wazuh mailing list

Hi,

Yes, the wazuh-manager can be configured to receive events via remote syslog. You can find the related documentation here https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

Basically, you will have to add a block like the following in the /var/ossec/etc/ossec.conf file of your wazuh-manager.

  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>

Note: Change the port, protocol and allowed-ips values to your own.

After restarting wazuh-manager (systemctl restart wazuh-manager) you will start receiving events sent by remote syslog.

You will probably have to create custom decoders and/or rules to generate the alerts in the cases you want.

Checks to validate your configuration and reception of events

  • Verify that the indicated port (in this case 513/TCP) is being listened on.
# netstat -tunap | grep wazuh
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      1408/wazuh-remoted  
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      1407/wazuh-remoted  
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      1127/wazuh-authd
  • Check if the wazuh-manager is receiving the events. To do this you can temporarily enable the <logall>yes</logall> option in your wazuh-manager /var/ossec/etc/ossec.conf file to store all received events in the /var/ossec/logs/archives/archives.log file. By looking at the contents of that file or monitoring it (for example with tail -f) you can see if the wazuh-manager receives the events sent by McAfee Epo syslog. You can use these events to build the regex of your decoders and/or rules.

Note: Remember to disable <logall> when you finish and restart the wazuh-manager, to avoid logging all events to that file and possibly unnecessary disk usage.

I hope this information helps you; if you have any questions about it, don't hesitate to ask.

Regards.

Vincent Teo

Mar 10, 2022, 10:15:20 AM
to Jonathan Martín Valera, Wazuh mailing list
Hi Jonathan,

After I configured the ossec configuration file, my wazuh server successfully listens on port 513.

But unfortunately, when I try to configure it from McAfee ePO and test the event forwarding connection, it shows "testing connection failed".

I tried some basic troubleshooting from my end: firewalld is turned off on both servers, and from the McAfee ePO server, telnetting to wazuh-manager on port 513 is also successful but gets stuck. Telnetting to ports 1515, 1514 and 55000 does not have the same problem. I changed syslog to other ports too, with the same result. Any idea?

Regards,
Vincent Teo

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/G7FXox07gPM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/84ef9cd5-ff7a-4e18-8ac5-05a16a6b9f31n%40googlegroups.com.

Jonathan Martín Valera

Mar 11, 2022, 10:27:25 AM
to Wazuh mailing list

Hi,

Can you share the configuration you have applied?

Note the network range you have applied in the <allowed-ips>x.x.x.x/xx</allowed-ips> configuration. Perhaps the IP is not included in that range and that is blocking the communication.

Have you checked on the wazuh-manager side whether it is receiving these events?

If possible, I would try configuring remote syslog (rsyslog) on the host from which you want to send the events (you can find info here https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/), and see if the same problem still occurs, to rule out a problem with the software you are using to send the events.

Regards.
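The two replies above describe the same preflight checks: the <remote> block (port, protocol, allowed-ips) and whether the sender's address is actually inside allowed-ips. As an added example that is not code from this thread or from the Wazuh project, the Python script below parses a constructed copy of that <remote> block, checks a candidate sender IP against allowed-ips, builds an RFC 3164-style test line, and does an offline loopback round trip on 127.0.0.1 to show what the manager would see. It assumes the manager's TCP syslog listener reads newline-terminated lines (an assumption; the line is terminated with "\n" on that basis); the hostname "epo-host", the sample addresses and the config content are constructed. To send a real test event, call send_test_event() with your manager's address and the port from your own ossec.conf while <logall> is enabled, then look for the line in /var/ossec/logs/archives/archives.log.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the <remote> block from the reply above, wrapped in
# <ossec_config> as it would sit inside /var/ossec/etc/ossec.conf. The
# second <remote> is the default agent listener and must be ignored here.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
"""


def parse_syslog_listeners(conf_xml):
    """Return each syslog <remote> block as a dict: port, protocol, allowed networks."""
    root = ET.fromstring(conf_xml)
    listeners = []
    for remote in root.findall("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        allowed = [ipaddress.ip_network(e.text.strip(), strict=False)
                   for e in remote.findall("allowed-ips")]
        listeners.append({
            "port": int(remote.findtext("port", "514")),
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
            "allowed": allowed,
        })
    return listeners


def sender_allowed(listener, sender_ip):
    """True if sender_ip falls inside one of the listener's allowed-ips networks."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in listener["allowed"])


def build_syslog_line(hostname, app, message, pri=14, when=None):
    """Build an RFC 3164-style line '<PRI>Mmm dd hh:mm:ss HOST APP: MSG' plus newline.

    pri=14 is facility user (1*8) + severity info (6). The timestamp pads the
    day with a space, as RFC 3164 does. A fixed date keeps the output stable.
    """
    when = when or datetime(2022, 3, 10, 5, 37, 36)
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {app}: {message}\n"


def send_test_event(host, port, line, timeout=5):
    """Send one newline-terminated line to a TCP syslog listener (assumed framing)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode())


def loopback_roundtrip(line):
    """Offline self-check: accept the line on a local TCP socket the way a
    newline-delimited syslog listener would, and return exactly what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no real manager needed
    srv.listen(1)
    port = srv.getsockname()[1]
    send_test_event("127.0.0.1", port, line)
    conn, _ = srv.accept()
    with conn, srv:
        buf = b""
        while not buf.endswith(b"\n"):   # read until the message terminator
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode()


if __name__ == "__main__":
    for lst in parse_syslog_listeners(SAMPLE_OSSEC_CONF):
        print(f"syslog listener {lst['port']}/{lst['protocol']}, allowed: {lst['allowed']}")
        for ip in ("192.168.2.10", "10.0.0.5"):   # constructed candidate senders
            print(f"  sender {ip} allowed: {sender_allowed(lst, ip)}")
    msg = build_syslog_line("epo-host", "McAfeeEPO", "test event")
    print("loopback received:", loopback_roundtrip(msg).rstrip())
```

If sender_allowed() returns False for the ePO server's address, the manager will silently drop the connection's data, which looks exactly like a test that "connects but gets stuck"; widen or correct allowed-ips and restart wazuh-manager before retesting.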

Vincent Teo

Apr 20, 2022, 1:04:06 PM
to Jonathan Martín Valera, Wazuh mailing list
Hi Jonathan,

Sorry for the late reply. I did some research on the McAfee ePO; below is the link to the article.


Is it possible that this is the reason the ePO syslog is not able to communicate with wazuh-manager?

Regards,
Vincent Teo
