How to integrate McAfee ePO in Wazuh SIEM solutions


Mohammad Shafiuddin Russel

Sep 18, 2023, 7:01:44 AM
to Wazuh mailing list

Dear Team

We have integrated McAfee ePO with Wazuh.

But ePO is sending encrypted logs.

Please help us with how we could decrypt the logs.

Regards

Shafiuddin Russel

2023 Sep 18 12:55:21 192.168.180.107->/var/log/messages Sep 18 12:55:21 192.168.180.107 #026#003#003#000}#001#000#000y#003#003e#007▒W绤▒#014B▒|▒p▒#001▒▒{▒DT▒<▒g#027▒*Y▒#000#000,#000▒#000k#000▒#000j#0009#0008#000▒#000=#0005#000▒#000@#0002#000▒#000g#0003#000▒#000<#000/#000#023#000#026
2023 Sep 18 12:55:27 192.168.180.107->/var/log/messages Sep 18 12:55:25 192.168.180.107 #026#003#003#000}#001#000#000y#003#003e#007▒\ #004#011#023T▒ćK=*#030▒#016#036#013▒n#000▒▒#023▒NZa▒▒#000#000,#000▒#000k#000▒#000j#0009#0008#000▒#000=#0005#000▒#000@#0002#000▒#000g#0003#000▒#000<#000/#000#023#000#026
2023 Sep 18 12:55:27 192.168.180.107->/var/log/messages Sep 18 12:55:25 192.168.180.107 #026#003#003#000}#001#000#000y#003#003e#007▒\▒;4#031▒▒▒W▒أ▒▒{#037臐▒XB▒#000A▒#034e▒#000#000,#000▒#000k#000▒#000j#0009#0008#000▒#000=#0005#000▒#000@#0002#000▒#000g#0003#000▒#000<#000/#000#023#000#026
2023 Sep 18 12:55:31 192.168.180.107->/var/log/messages Sep 18 12:55:31 192.168.180.107 #000▒#001#000#000$#000#015#000 #000#036#006#001#006#002#006#003#005#001#005#002#005#003#004#001#004#002#004#003#003#001#003#002#003#003#002#001#002#002#002#003
2023 Sep 18 12:55:37 192.168.180.107->/var/log/messages Sep 18 12:55:36 192.168.180.107 #000▒#001#000#000$#000#015#000 #000#036#006#001#006#002#006#003#005#001#005#002#005#003#004#001#004#002#004#003#003#001#003#002#003#003#002#001#002#002#002#003
2023 Sep 18 12:55:37 192.168.180.107->/var/log/messages Sep 18 12:55:36 192.168.180.107 #000▒#001#000#000$#000#015#000 #000#036#006#001#006#002#006#003#005#001#005#002#005#003#004#001#004#002


This is usually achieved using syslog.
You can integrate McAfee (now Trellix) ePO with some configuration on the ePO side, and by configuring the Wazuh Manager to receive the logs via syslog.

From the ePO Side:

  1. Register a new Syslog Server
  2. Determine which events are forwarded to the server

In the Wazuh Manager:

  1. Change the settings for Remote Syslog in the ossec.conf file of the Wazuh Manager
  2. Restart the Wazuh Manager Service

To configure Wazuh Manager:
Edit the /var/ossec/etc/ossec.conf file:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>6556</port>
    <protocol>tcp</protocol>
    <allowed-ips>IP-OF-THE-EPO-SERVER</allowed-ips>
  </remote>
</ossec_config>

Use the same port configured in the ePO Server (in the example 6556) and specify the IP-OF-THE-EPO-SERVER as an IPv4 address.
Finally, you must restart the Wazuh Manager service in order to apply the configurations:

systemctl restart wazuh-manager

I hope this information is helpful.
Do let me know how it goes.

Benjamin Nworah

Sep 18, 2023, 9:20:37 AM
to Wazuh | Mailing List
Dear Mohammad,

Thank you for using Wazuh!

Kindly give me some time to review this and revert.

Regards,

Benjamin Nworah

Sep 18, 2023, 1:10:59 PM
to Wazuh | Mailing List
Dear Mohammad,

Apologies for the late response.

McAfee ePO syslog forwarding only supports the TCP protocol and requires Transport Layer Security (TLS).
https://kcm.trellix.com/corporate/index?page=content&id=KB91194

Wazuh does not natively support TLS syslog. An alternative is to send the logs to a file using the rsyslog application and then read this file in real time with a Wazuh agent installed on the same machine. The logs will be sent encrypted from the Wazuh agent to the Wazuh manager for analysis. For more information about remote log collection, please read this documentation:

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html

Once Wazuh manager receives these logs, you might need to create custom decoders and rules for Wazuh to analyze the collected logs. Kindly refer to the following document to achieve this:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#custom-rules-and-decoders.

Please let me know if this helps.

Regards,
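A quick way to confirm the TLS explanation above against the lines posted at the top of the thread is to decode them and look at the first bytes. The following is an added example written for this page; it is not code from the Wazuh project or from anyone in the thread. It assumes the "#ooo" sequences in the pasted lines are rsyslog's default escaping of control bytes (below 0x20) as "#" followed by three octal digits; bytes of 0x80 and above were rendered as block characters and cannot be recovered, so the two constructed samples below use only the recoverable runs of those lines. Decoded, the first run is 16 03 03 00 7d 01 00 00 79 03 03: a TLS 1.2 handshake record carrying a ClientHello, and the later run is the ClientHello's signature_algorithms extension. The manager's plain-TCP syslog listener was simply writing a TLS handshake to /var/log/messages.

```python
"""Decode rsyslog-escaped syslog payloads and check whether they are TLS records.

Added example for this thread (not Wazuh code).  Assumption: '#ooo' is rsyslog's
default escape for control bytes (< 0x20) as '#' + three octal digits.  Bytes
>= 0x80 in the posted lines were shown as block characters and are not
recoverable, so the constructed samples use only the recoverable runs.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample 1: recoverable leading run of the first pasted line.
SAMPLE_RECORD_START = "#026#003#003#000}#001#000#000y#003#003"

# Constructed sample 2: recoverable tail of the later lines, starting at the
# two-byte extensions length inside the ClientHello.
SAMPLE_EXTENSIONS = (
    "#000$#000#015#000 #000#036"
    "#006#001#006#002#006#003#005#001#005#002#005#003"
    "#004#001#004#002#004#003#003#001#003#002#003#003"
    "#002#001#002#002#002#003"
)

_ESCAPE = re.compile(r"#([0-7]{3})")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 16: "client_key_exchange"}
SIG_HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALG = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def unescape_rsyslog(text: str) -> bytes:
    """Turn '#ooo' octal escapes back into raw bytes; other chars pass through as Latin-1."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


class TlsRecord(NamedTuple):
    content_type: str
    version: str
    record_len: int
    handshake_type: Optional[str]
    handshake_len: Optional[int]
    consistent: bool  # handshake length + 4-byte handshake header == record length


def parse_tls_record(data: bytes) -> Optional[TlsRecord]:
    """Parse the 5-byte TLS record header and, for handshake records, the 4-byte
    handshake header.  Returns None when the bytes do not look like TLS at all,
    so a caller can separate TLS traffic from ordinary syslog text."""
    if len(data) < 5:
        return None
    ctype, version = data[0], (data[1], data[2])
    if ctype not in CONTENT_TYPES or version not in VERSIONS:
        return None
    record_len = int.from_bytes(data[3:5], "big")
    htype = hlen = None
    consistent = True
    if ctype == 22 and len(data) >= 9:
        htype = HANDSHAKE_TYPES.get(data[5], f"unknown({data[5]})")
        hlen = int.from_bytes(data[6:9], "big")
        consistent = hlen + 4 == record_len
    return TlsRecord(CONTENT_TYPES[ctype], VERSIONS[version], record_len, htype, hlen, consistent)


def parse_signature_algorithms(ext_block: bytes) -> List[str]:
    """Walk a ClientHello extensions block (2-byte total length, then
    type/length/value entries) and return the signature_algorithms (0x000d)
    hash+signature pairs, or [] if the extension is absent or truncated."""
    if len(ext_block) < 2:
        return []
    end = min(2 + int.from_bytes(ext_block[0:2], "big"), len(ext_block))
    pos = 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(ext_block[pos:pos + 2], "big")
        ext_len = int.from_bytes(ext_block[pos + 2:pos + 4], "big")
        body = ext_block[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x000D and len(body) >= 2:
            list_len = int.from_bytes(body[0:2], "big")
            pairs = body[2:2 + list_len]
            return [f"{SIG_HASH.get(h, h)}+{SIG_ALG.get(s, s)}"
                    for h, s in zip(pairs[0::2], pairs[1::2])]
    return []


def describe(line: str) -> str:
    """One-line verdict for a pasted syslog payload."""
    rec = parse_tls_record(unescape_rsyslog(line))
    if rec is None:
        return "not a TLS record header"
    detail = f", {rec.handshake_type} ({rec.handshake_len} bytes)" if rec.handshake_type else ""
    return f"{rec.version} {rec.content_type} record, {rec.record_len} bytes{detail}"


if __name__ == "__main__":
    print(describe(SAMPLE_RECORD_START))
    print(parse_signature_algorithms(unescape_rsyslog(SAMPLE_EXTENSIONS)))
    print(describe("Sep 18 12:55:21 epo McAfee ePO event"))  # constructed plain-text line
```

Run against the first sample this reports a TLS 1.2 handshake record of 125 bytes carrying a 121-byte ClientHello (the two lengths agree, which is a useful sanity check that the decoding is right), and the second sample yields the 15 hash/signature pairs the client offered. There is nothing to "decrypt" here: the bytes are the start of a TLS negotiation that the plain syslog listener cannot complete, which is why a TLS-terminating receiver such as rsyslog in front of a Wazuh agent is the workable path.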