AlienVault have already developed a database plugin that connects to the ePO database, collects the events and parses them into the OSSIM database, but I have struggled to get this to work with our MS-SQL database cluster, resulting in 'ParserDatabase [INFO]: Can't connect to MS-SQL database' errors.
The steps for enabling the plugin and collecting the data are:
- Enabling the Plugin
- Creating a local configuration file
- Configuring the database connection
- Troubleshooting connection errors
Enabling the Plugin
- ssh onto the sensor you wish to use to collect the data from the McAfee database
- From the menu select Configure Sensor > Configure Data Source Plugins
- Select mcafee-epo from the list using the spacebar (hint: jump to 'm' by using the m key)
- Select OK
- Select Back
- Select 'Apply all changes' from the main menu
During the final stage the OSSIM agent is restarted; the plugin is then enabled but still needs the database configuration described next.
Configuring the plugin
We now need to configure the plugin to connect to our MS-SQL database. This is done by providing connection details within the cfg file for the plugin.
Firstly from the sensor Main Menu select the 'Jailbreak System' option and agree to the notice.
Create a new local configuration file for the plugin called mcafee-epo.cfg.local (alongside the stock mcafee-epo.cfg) and place the following [config] section in it:
# nano /etc/ossim/agent/plugins/mcafee-epo.cfg.local
[config]
type=detector
enable=yes
custom_functions_file=/etc/ossim/agent/plugins/custom_functions/mcafee_epo_custom_functions.cfg
source=database
source_type=mssql
source_ip=<serverip>\<instancename>
source_port=
user=<sql db username>
password=<sql db password>
db=<database name>
sleep=60
process=
start=no
stop=no
Because these settings live in mcafee-epo.cfg.local rather than in the stock mcafee-epo.cfg, they survive plugin updates rolled out by AlienVault. Note that the file holds the SQL password in cleartext, so restrict its permissions so that only root can read it, and use a dedicated SQL login that has only read access to the ePO database rather than an administrative account.
Once the mcafee-epo.cfg.local file has been saved restart the ossim-agent:
# /etc/init.d/ossim-agent restart
[ ok ] Restarting OSSIM Agent: ossim-agent.
Once the ossim-agent has restarted check the agent log for connection status messages.
# tail -F /var/log/alienvault/agent/agent.log | grep ParserDatabase
If the connection is successful you should see a message similar to:
2016-09-30 16:17:24,339 ParserDatabase [INFO]: Connected to DB after 1 tries
If the connection fails you should see a message similar to:
2016-09-30 16:12:07,627 ParserDatabase [INFO]: Can't connect to MS-SQL database
2016-09-30 16:12:07,628 ParserDatabase [INFO]: We cant connect to data base, retrying in 10 seconds....try:0
If the connection fails we can check connectivity to the MS-SQL server as detailed below.
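As an added example (my code, not part of the original post or of AlienVault's agent): a small Python script that reads agent.log, classifies the ParserDatabase lines shown above and reports the last known connection state, so the check can be scripted as a cron or monitoring probe instead of being eyeballed from tail. The lines in SAMPLE_AGENT_LOG are constructed from the two message formats quoted above; the default log path matches the tail command, and the exit-code convention is my own choice.

```python
import re
from collections import namedtuple

# Constructed sample of the ParserDatabase lines the OSSIM agent writes to
# /var/log/alienvault/agent/agent.log (formats copied from the excerpts above,
# timestamps and the unrelated line are made up).
SAMPLE_AGENT_LOG = """\
2016-09-30 16:12:07,627 ParserDatabase [INFO]: Can't connect to MS-SQL database
2016-09-30 16:12:07,628 ParserDatabase [INFO]: We cant connect to data base, retrying in 10 seconds....try:0
2016-09-30 16:12:17,701 ParserDatabase [INFO]: Can't connect to MS-SQL database
2016-09-30 16:12:17,702 ParserDatabase [INFO]: We cant connect to data base, retrying in 10 seconds....try:1
2016-09-30 16:13:00,001 Agent [INFO]: unrelated line that must be ignored
2016-09-30 16:17:24,339 ParserDatabase [INFO]: Connected to DB after 1 tries
"""

# Only ParserDatabase lines are of interest; everything else in agent.log is skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) '
    r'ParserDatabase \[(?P<level>\w+)\]: (?P<msg>.*)$'
)
RETRY_RE = re.compile(r'retrying in (?P<delay>\d+) seconds\.*try:(?P<n>\d+)')
CONNECTED_RE = re.compile(r'Connected to DB after (?P<n>\d+) tries')

DbStatus = namedtuple('DbStatus', 'connected last_change failures retries')


def parse_agent_log(text):
    """Return the most recent ParserDatabase connection state found in `text`.

    connected   -- True if the last state-changing line was a successful connect
    last_change -- timestamp of that line (None if no ParserDatabase lines seen)
    failures    -- number of "Can't connect" lines seen
    retries     -- highest try counter seen in the "retrying" lines (None if none)
    """
    connected = False
    last_change = None
    failures = 0
    retries = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        if CONNECTED_RE.search(msg):
            connected, last_change = True, m.group('ts')
        elif msg.startswith("Can't connect"):
            connected, last_change = False, m.group('ts')
            failures += 1
        else:
            r = RETRY_RE.search(msg)
            if r:
                n = int(r.group('n'))
                retries = n if retries is None else max(retries, n)
    return DbStatus(connected, last_change, failures, retries)


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else '/var/log/alienvault/agent/agent.log'
    try:
        with open(path) as f:
            status = parse_agent_log(f.read())
    except IOError:
        # Off the sensor (no agent.log) fall back to the constructed sample.
        status = parse_agent_log(SAMPLE_AGENT_LOG)
    print(status)
    # Non-zero exit when the parser is not connected, so a monitoring job can alert.
    sys.exit(0 if status.connected else 1)
```

The script runs under the Python 2.7 shipped on the sensor as well as Python 3; it only keeps the most recent state change, so a long history of retries followed by a successful connect is reported as connected.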
Troubleshooting connection errors
We can check connectivity to an MS-SQL Database from the command line using python:
# python
>>> import pymssql
>>> # use a raw string (or a doubled backslash) so the instance separator is not treated as an escape
>>> con = pymssql.connect(host=r"<serverip>\<instance>", user="<sql db username>", password="<sql db password>", database="<ePO database name>")
>>> cursor = con.cursor()
>>> cursor.execute("SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC")
>>> print(cursor.fetchall())
>>> con.close()
This should return the AutoID of the most recent event in the EPOEvents table, as a list holding a single one-element tuple. If pymssql.connect() raises instead, the error message usually names the failing stage (name resolution, TCP connect, login).
Use Ctrl+D to exit back to the shell prompt.
In most cases the server name, instance name, port or credentials are the cause of any connection issues.
If you are using a named instance such as SQLSRV1\DB1, do not enter a port number: the client asks the SQL Browser service (UDP 1434 on the database server) for the port the instance is listening on. Even if the instance has been configured with a fixed port, leave the port out of both the pymssql connection string and source_port in the agent plugin config. Any firewall between the sensor and the SQL server must therefore allow UDP 1434 as well as the TCP port the instance actually uses.
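As an added example (my code, not AlienVault's) that ties the configuration section and the troubleshooting notes above together: a Python checker that parses a mcafee-epo.cfg.local, flags the misconfigurations discussed here (placeholder values left in, a named instance combined with a port, a password file readable by group or others), turns the settings into pymssql.connect() arguments and, when pymssql is importable, runs the same EPOEvents query as the interactive test. The embedded SAMPLE_CFG is constructed and deliberately contains two of those mistakes; the login ossim_reader and database name ePO4_SQLSRV1 in it are invented.

```python
import os
import re
import stat

try:
    import pymssql  # present on the OSSIM sensor; only needed for the live query
except ImportError:
    pymssql = None

# Constructed sample (not a real deployment) that deliberately contains two
# of the mistakes discussed above: a named instance with an explicit port,
# and a placeholder left in the password field.
SAMPLE_CFG = """\
[config]
type=detector
enable=yes
source=database
source_type=mssql
source_ip=SQLSRV1\\DB1
source_port=1433
user=ossim_reader
password=<sql db password>
db=ePO4_SQLSRV1
sleep=60
"""

PLACEHOLDER_RE = re.compile(r'^<.*>$')


def parse_cfg(text):
    """Parse the [config] section of a plugin .cfg(.local) file into a dict."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        if section == 'config' and '=' in line:
            key, _, value = line.partition('=')
            values[key.strip()] = value.strip()
    return values


def check_cfg(cfg):
    """Return a list of problems found in the parsed plugin config."""
    problems = []
    for key in ('source_ip', 'user', 'password', 'db'):
        if not cfg.get(key):
            problems.append('%s is empty' % key)
        elif PLACEHOLDER_RE.match(cfg[key]):
            problems.append('%s still holds the placeholder %s' % (key, cfg[key]))
    if cfg.get('source_type') != 'mssql':
        problems.append('source_type should be mssql, got %r' % cfg.get('source_type'))
    # A named instance is resolved via the SQL Browser service; a port must not be given.
    if '\\' in cfg.get('source_ip', '') and cfg.get('source_port'):
        problems.append('named instance %s given with source_port=%s; leave source_port '
                        'empty so the SQL Browser service resolves the port'
                        % (cfg['source_ip'], cfg['source_port']))
    return problems


def connect_kwargs(cfg):
    """Translate the plugin config into keyword arguments for pymssql.connect()."""
    kwargs = {'server': cfg['source_ip'], 'user': cfg['user'],
              'password': cfg['password'], 'database': cfg['db']}
    if cfg.get('source_port'):
        kwargs['port'] = cfg['source_port']
    return kwargs


def check_file_mode(path):
    """Warn if the file holding the SQL password is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ['%s is mode %o; tighten it so only root can read the password' % (path, mode)]
    return []


def latest_event_id(cfg):
    """Live check: newest AutoID in EPOEvents, the same query as the interactive test."""
    con = pymssql.connect(**connect_kwargs(cfg))
    try:
        cur = con.cursor()
        cur.execute("SELECT TOP 1 AutoID FROM EPOEvents ORDER BY AutoID DESC")
        row = cur.fetchone()
        return row[0] if row else None
    finally:
        con.close()


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else '/etc/ossim/agent/plugins/mcafee-epo.cfg.local'
    if os.path.exists(path):
        with open(path) as f:
            cfg = parse_cfg(f.read())
        problems = check_cfg(cfg) + check_file_mode(path)
    else:
        cfg = parse_cfg(SAMPLE_CFG)  # off the sensor: exercise the constructed sample
        problems = check_cfg(cfg)
    for p in problems:
        print('PROBLEM: ' + p)
    if problems:
        sys.exit(1)
    if pymssql is None:
        print('pymssql not installed; skipping live query')
    else:
        print('newest EPOEvents.AutoID: %s' % latest_event_id(cfg))
```

Run it on the sensor after saving the .cfg.local and before restarting the agent; it exits non-zero on any static problem, so the live query (which needs real credentials and network reachability) only runs once the file itself is sane. The checks mirror the plugin keys one-for-one, so a green result does not rule out a firewall blocking UDP 1434 or the instance port.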
Viewing the Security Events
Once the sensor is collecting data, check that the events are arriving correctly:
In the web console navigate to Analysis > Security Events (SIEM)
Select Mcafee-epo from the Data Sources drop down and select GROUPED under the events list.
Hi Richard, I am working to configure the ePO log collection with the OSSIM server. I have done all the configuration you suggest in your post. But still I am not getting any output when I am running the command # tail -F /var/log/alienvault/agent/agent.log | grep ParserDatabase
There is only one difference between your and my configuration: in your blog you are using SQL local authentication and I am using Windows Authentication in my configuration. Will it impact the configuration?
It probably can't connect. Windows Authentication is for Windows systems only and AlienVault OSSIM runs on Linux. Please configure your SQL Server to accept SQL Server local authentication via TCP, so it can work fine.