McAfee Enterprise Security Manager
Data Source Configuration Guide
Data Source: McAfee (Nitro) SIEM Collector
August 15, 2013
Important Note:
The information contained in this document is confidential and proprietary.
Please do not re-distribute without permission.
Table of Contents
1 Revision History 4
1.1 Revision Details 4
2 Introduction 5
3 Prerequisites 5
4 SIEM Collector Installation 6
4.1 SIEM Collector Installation 6
4.2 Receiver Configuration 7
4.3 Initial Agent Configuration 9
5 Data Source Configuration Details 11
5.1 Windows Server DNS Logs 11
5.2 Windows Server DHCP Logs 14
5.3 Windows Server IIS Logs 17
6 Troubleshooting 19
McAfee (Nitro) SIEM Collector Product Evaluation Kit Page 3 of 19
1 Revision History
1.1 Revision Details
Revision Version   Author           Date              Description
1.0                Brian B. Brown   May 21, 2012      Initial template
1.11               Craig A. Simon   July 22, 2013
1.2                Craig A. Simon   August 15, 2013   Text edits and corrections.
2 Introduction
When using the McAfee SIEM to collect Microsoft Windows events, there are two main methods
of collection available: WMI and an agent. Most customers use WMI as the main collection
protocol, as it requires little change to the existing environment. It only requires a
privileged account to access the logs on remote Windows servers and to collect the events
from those log files remotely.
However, there are cases where an agent is the most effective solution for log collection. In
some instances, it might be due to limited connectivity. In environments that utilize a secure
enclave, firewall rules will NOT allow connectivity into the enclave, but generally will allow
limited access from devices within the enclave to connect out. Other situations where the agent
is useful are where the target events we are interested in importing into the SIEM are not
accessible via WMI: many logs introduced in Microsoft Windows 2008/Vista or later cannot be
read through WMI. This is the use case that we will explore within this paper.
Our purpose will be to properly install and configure the SIEM Collector for both local and remote
log collection. We will look at local log collection in the instances where an end user would like to
install the agent on each server where we will be collecting logs. A remote configuration will allow
an agent to support collection from itself, and other hosts via remote logins and UNC paths.
Once the agent is installed and running, the rest of the document will cover how to create an
agent configuration and data source configuration for the following data sources:
Windows DNS Server
Windows DHCP Server
Windows IIS Server Logs
3 Prerequisites
To install the McAfee SIEM Collector, you will require the following:
1. Windows servers running Windows Server 2003, Windows Server 2008, Windows Server
2008 R2, or Windows Server 2012. All editions are supported.
2. 256 MB of additional RAM for the agent.
3. At least 1 GB of disk space for the agent files.
4. Local or Domain administrative rights on the servers the agent will run on or
communicate with.
5. Any additional requirements needed to allow connectivity, e.g. firewall rules, HIPS
exclusions, etc.
You will need to download the agent installer. The download can be accessed at the McAfee
download site at the following URL http://www.mcafee.com/us/downloads/downloads.aspx or at
the download site for your specific country.
You will need to provide your grant number to gain access to the downloads. Once there you'll
be able to access and download the McAfee SIEM Collector. At the time of this writing, the
current version is 9.1.1.
The agent installer is available in two forms, one is a setup executable and the second is a .msi
file to support automated deployment. The manual setup mode will be used in this document,
however if you would like to push the agent, please review the agent readme for all the supported
installation flags and options.
.NET 3.5 is required for the agent. On Windows Server 2008 and 2012 you will need to
install the .NET Framework 3.5.1 Features.
4 SIEM Collector Installation
4.1 SIEM Collector Installation
First, we will be installing the SIEM Collector to one or more hosts that require its services. To
start the installation, double click on the agent installer executable. This will launch the installer.
If you have not installed .NET 3.5 you will receive the following message.
Please install .NET to continue. To install on Windows Server 2008/R2, start the Add Features
Wizard and select the .NET Framework 3.5.1 Features check box. It will require that you also
install additional role services and features to install .NET. Select the Add Required Role
Services button to continue. Click Next to continue. The setup will then ask you to configure the
services for IIS. Take the defaults and click Next. Then confirm the install by clicking the Install
button.
It is recommended that you apply any needed patches to the server and reboot before
continuing.
1. Double click the installer executable to begin installation.
2. Please read the installation overview and click next to continue.
3. Read the license agreement and click I Agree to continue.
4. Confirm your installation directory and click next to continue.
5. Now you will see the McAfee Event Receiver Configuration screen. In this window you
configure the agent to communicate with a specific receiver. Just type the IP address of
the receiver that you would like this agent to forward its events to. You can also change
the port and if the agent will use SSL to communicate with the receiver. Please note the
settings used here as we will use these to configure the receiver in the next section.
6. When you click Next, the agent will be installed.
4.2 Receiver Configuration
Now that we have the agent installed on one or more hosts, we need to allow agent
communications to the receiver(s). The default configuration of a receiver has a fully enabled
firewall; when we enable agent communications, the receiver will modify the firewall
configuration to allow them. This is done within NitroView, the client application of the SIEM.
First launch an instance of NitroView and authenticate to your SIEM with an administrative
account.
1. Select the receiver that you would like to enable.
2. Click Properties on the menu for the receiver. The Properties button is the upper-left white
button in the UI.
3. Once in the Receiver Properties window select the Receiver Configuration Tab, and then
click the Interface button.
4. Now select the Communication Tab. You can enter a port number that the receiver will
listen on for all agent communications. The default MEF (McAfee Event Format) port is
8081, and any value can be used as long as it is not in conflict anywhere else in the
system.
5. Enter your chosen port and click OK, and OK a second time to return to the main
NitroView screen.
6. You will need to perform these steps on any other receivers in your environment.
7. Next, we need to allow for an initial data source for the agent to identify it to the receiver.
To do this we will configure a data source for the agent itself.
8. Click on the plus icon on the upper right corner of the NitroView screen. The plus won’t
display unless you have your receiver selected as below.
9. Once in the Add Data Source dialog we can add the data source to the receiver.
a. In the Data Source Vendor pull down select Microsoft.
b. In the Data Source Model pull down select WMI Event Log
c. In the Data Retrieval pull down select MEF (McAfee Event Format)
d. Now we need to fill out the remaining two fields Name and IP address. The
name field is for your use only, so it can be mostly anything. Then use the IP
address of the host that we will configure to host the agent.
e. The state of the use encryption checkbox must match the setting made in the
agent configuration selection below. If you will configure your agent to use
encryption then this checkbox must also be checked.
f. Click ok, then write your data source to the receiver and roll out policy.
Note: Why do we have both IP address and Host ID fields?
When we create a data source on a receiver, a single data source can have only one IP
address, and that IP address can only be used once on a receiver. Consider the case where a
customer would like to collect their Windows Server events via WMI, and would then also like
to use an agent to collect DNS and DHCP server logs from the same server. That will not
work with IP addresses alone, since all three data sources would use the same source IP
address. That is where the Host ID field comes into play. You can create a data source
without an IP address and instead use the Host ID field as a free-form ID to identify the
source. For example, you could create host IDs with the values dns_dc1.mydomain.com
and dhcp_dc1.mydomain.com, then use those values in the data source configuration,
NOT the IP address.
4.3 Initial Agent Configuration
We will now set up an initial configuration for the agent, which will allow us to collect the standard
Windows log files, both locally and remotely.
1. Launch the SIEM Collector Management Utility (SCMU) by navigating to Start / All
Programs / McAfee / Event Collector Management Utility.
2. Select the receiver node on the left, and confirm the receiver IP address and port value.
Make any changes as necessary.
3. Select the Event Collector node on the left panel. Right click on the Event Collector node
and click on Add Group.
4. A group is a container object that will contain hosts. One or more hosts can be added to
a group to ease management of agents that will remotely collect events from many hosts.
For this example we will create a group called Local Server and another one called
Remote Servers.
5. Once you have clicked the Add Group button, your group object will be created, and the
properties of the group will be displayed in the right hand panel.
6. On this screen you can change the name of your new group, and the credentials that will
be used for collection. Once your settings match those in the image above, you can click
on Apply.
7. Now right click on your newly created group, and click on Add Host.
8. On the host properties on the right, type in the DNS name or IP address of the host we
will be collecting events from. Then press the <TAB> key on your keyboard, which will
enable the fields New Configuration and Edit Configuration below. In this example I am
using the FQDN of my server.
9. Pull down the New Configuration menu and select Windows Event Log. That will enable
the fields Configuration Name and the list of logs found on the local server. You will need
to name this configuration something to save it. You also need to select one or more log
files to be collected and parsed. In this example I am using the configuration name of
Local Windows Logs. I have selected the standard three system logs to collect -
Application, System, and Security.
10. Once your agent configuration is complete, click the Save button.
11. Now right click on the group you created and select Enable Group. This will enable the
group and all hosts contained within it. Then click Apply. This will write out the new
configuration and restart the service.
5 Data Source Configuration Details
5.1 Windows Server DNS Logs
Assumptions – To collect Windows DNS server logs, you will need a properly functioning SIEM
Collector. It is assumed that you have followed the preceding instructions and have tested your
SIEM Collector to ensure that communications are working properly.
Requirements - As the Windows DNS Server runs, it posts some events into the Windows
Event Logs, such as performance data for the server. The data that we are interested in, however,
is never stored in the Windows Event Logs. We therefore need to modify the Windows Server
configuration to create a plain text log file that contains all DNS requests. It is this log file that will
be parsed by the McAfee SIEM Agent. First we will configure the server to create the needed
logs.
1. To enable Windows Server DNS debug logging, from the Windows Server Manager open
Server Roles / DNS Server / DNS / <SERVER NAME>, then right click on the Server
Name and select Properties.
2. Click on the Debug Logging tab.
a. Click on the check box for Log packets for debugging. Make sure that the
next eight checkboxes are selected.
b. Lastly you need to set up a location and filename for the logs to use. I created a
logs directory under c:\windows\system32\dns, so my final path and name settings
are as shown below.
c. Then click OK to commit your changes, which will take effect immediately. To
confirm that you are now logging correctly, look at the log file you specified above.
As an example, a DNS request for bing.com may result in the following events.
i. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Rcv ::1 2cbd Q [0001 D NOERROR] A (3)www(4)bing(3)com(0)
ii. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002AD9210 UDP Snd 10.0.2.1 ae7d Q [1001 D NOERROR] A (3)www(4)bing(3)com(0)
iii. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002941170 UDP Rcv 10.0.2.1 ae7d R Q [9081 DR NOERROR] A (3)www(4)bing(3)com(0)
iv. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Snd ::1 2cbd R Q [8081 DR NOERROR] A (3)www(4)bing(3)com(0)
3. Now we can configure the agent to read and parse the newly created log files. In this
example, we will be using a remote machine to read the logs off of our Domain
Controller.
a. First start the Event Collector Management Utility (ECMU).
b. Create or select a group to host our new data source. Then right click on the group
and select Add Host.
c. From the new host window, type in the Domain Controller FQDN or IP address.
d. Under the Logs section select New Configuration / Generic Log Tail. Then name the
configuration and fill out the rest of the options as below.
What is this Event Delimiter field and how do I use it?
The event delimiter is a regular expression that the agent uses to determine when one
event stops and the next one starts. Therefore it is very important that you use the
proper delimiter for your specific operating system.
For Windows 2003 - ^\d{8}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+\d+\s+PACKET
For Windows 2008 - ^(?:\d{1,2}\/){2}\d{4}
Since my DNS server is Windows 2008 R2, I have selected the 2008 pattern above.
e. Once your configuration is correct, then click the Save button.
4. To create a Data Source on the receiver, follow these steps
a. Select your receiver and then click on the plus button to create a new data
source.
b. Select the data source vendor of Microsoft and the model as Windows DNS
(ASP).
c. Select the format of Default and the data retrieval of MEF.
d. Select the parsing and logging options as you require.
e. The name and IP address of the source need to be added to the proper fields.
f. Then select the use encryption checkbox so that it matches the setting of the
agent.
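As an added example that is not part of the original guide or of the SIEM Collector, the Python script below applies the two event delimiters from the Event Delimiter note to constructed DNS debug log text modelled on the bing.com events shown in step 2, cuts it into events the way a delimiter-driven log tail would, and decodes the (3)www(4)bing(3)com(0) label form into a host name. The indented continuation line in the 2008 sample, the 2003-style sample line, and the names given to the fields after the timestamp (thread, packet, xid) are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Event delimiters as the guide gives them. The agent starts a new event at
# every line where the chosen pattern matches, so the wrong pattern either
# merges events together or never finds a single one.
DELIMITER_2003 = re.compile(r"^\d{8}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+\d+\s+PACKET", re.M)
DELIMITER_2008 = re.compile(r"^(?:\d{1,2}/){2}\d{4}", re.M)

# Fields from the thread id onward; the same in both layouts of the sample.
# Field names are our own labels (assumption), not McAfee's or Microsoft's.
PACKET_FIELDS = re.compile(
    r"(?P<thread>\w+)\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R\s+)?Q\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def split_events(log_text: str, delimiter: re.Pattern) -> List[str]:
    """Cut the log into events: each starts where the delimiter matches."""
    starts = [m.start() for m in delimiter.finditer(log_text)]
    ends = starts[1:] + [len(log_text)]
    return [log_text[a:b].rstrip("\n") for a, b in zip(starts, ends)]


def decode_qname(label_form: str) -> str:
    """Turn the wire-style '(3)www(4)bing(3)com(0)' into 'www.bing.com'."""
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^()]*)", label_form):
        if len(text) != int(length):
            raise ValueError(f"label length mismatch in {label_form!r}")
        if text:  # the trailing (0) is the root label and carries no text
            labels.append(text)
    return ".".join(labels)


def parse_event(event: str) -> Dict[str, object]:
    """Extract the fields of one PACKET event; raise ValueError if malformed."""
    m = PACKET_FIELDS.search(event)
    if m is None:
        raise ValueError(f"not a PACKET event: {event[:40]!r}")
    return {
        "timestamp": event[: m.start()].strip(),  # everything before the thread id
        "proto": m["proto"],
        "direction": m["dir"],
        "remote": m["remote"],
        "xid": m["xid"].lower(),
        "is_response": m["resp"] is not None,  # the 'R' marker before 'Q'
        "flags": m["flags"].split(),
        "qtype": m["qtype"],
        "qname": decode_qname(m["qname"]),
    }


def parse_log(log_text: str, delimiter: re.Pattern) -> List[Dict[str, object]]:
    return [parse_event(e) for e in split_events(log_text, delimiter)]


# Constructed sample in the Windows 2008 layout, modelled on the guide's bing.com
# example. The indented second line is a constructed continuation line: it belongs
# to the first event, and only the delimiter keeps it attached to that event.
SAMPLE_2008 = (
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Rcv ::1 2cbd Q [0001 D NOERROR] A (3)www(4)bing(3)com(0)\n"
    "    (constructed detail line that belongs to the event above, not a new event)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002AD9210 UDP Snd 10.0.2.1 ae7d Q [1001 D NOERROR] A (3)www(4)bing(3)com(0)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002941170 UDP Rcv 10.0.2.1 ae7d R Q [9081 DR NOERROR] A (3)www(4)bing(3)com(0)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Snd ::1 2cbd R Q [8081 DR NOERROR] A (3)www(4)bing(3)com(0)\n"
)
# Constructed sample in the Windows 2003 layout implied by the 2003 delimiter
# (8-digit date, 24-hour time, no AM/PM).
SAMPLE_2003 = "20121227 11:49:36 0634 PACKET 0000000002899210 UDP Rcv ::1 2cbd Q [0001 D NOERROR] A (3)www(4)bing(3)com(0)\n"
```

Running parse_log(SAMPLE_2008, DELIMITER_2008) yields four events from five lines, while the 2003 delimiter finds no events at all in the same text, which is the mis-split the note warns about.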
5.2 Windows Server DHCP Logs
Assumptions – To collect Windows DHCP server logs, you will need a properly functioning SIEM
Collector. It is assumed that you have followed the preceding instructions and have tested your
SIEM Collector to ensure that communications are working properly.
First you must confirm that the Windows DHCP server is logging events to a local log file that we
can parse with the McAfee Agent. To confirm the setting, open the DHCP management
application, open your server and the IPv4 scope, then right click on the DHCP scope and under
General confirm that Enable DHCP Audit Logging is checked.
The default location for the audit logs is c:\windows\system32\dhcp.
To configure the SIEM Collector, perform the following steps:
1. Open the McAfee SIEM Agent Collector Management Utility and navigate to the group
you have created.
2. Right click on the group and create a host if necessary.
3. Once the host is selected, then fill out the rest of the form as below:
a. Host Name / IP – The host you are currently configuring.
b. Under New Configuration, select Generic Log Tail.
c. Data Source IP – The IP address of the host where the DHCP logs live.
d. Log Directory – Generally the default path is c:\windows\system32\dhcp
e. Log File – Using the wildcard dhcp*.log will allow the IPv4 and IPv6 log files to be
collected and parsed.
f. Tail Mode – Beginning of file
4. To create the Data Source on the Receiver, follow the steps below:
a. Select your receiver and then click on the plus button to create a new
data source.
b. Select the data source vendor of Microsoft and the model as Windows
DHCP (ASP).
c. Select the format of Default and the data retrieval of MEF.
d. Select the parsing and logging options as you require.
e. The name and IP address of the source need to be added to the proper
fields.
f. Then select the use encryption checkbox so that it matches the setting of
the agent.
5. Once the agent and receiver settings are correct, you can then go to the agent
configuration and enable the group and server, if they are disabled, and then you can
start the agent.
6. Once the receiver receives DHCP events, you will start to see events being ingested into
the SIEM.
5.3 Windows Server IIS Logs
Note: It’s important to make sure that your IIS server is logging in W3C Extended format,
not the default IIS format. To confirm or set the logging format for your IIS server, open the
IIS Manager Application, select your website, then select the logging button. Make sure the
format says W3C or W3C Extended format. Also please make sure that all the fields are
enabled.
1. First please verify the log format and location as detailed above. Once the log format and location
are set, then you can go about configuring the agent.
a. To configure the Agent, you may want to create a new group or host as necessary. Then
select the new host and add the IP address of the IIS server that you want to receive and
parse events from.
b. Under logs, select a Generic Log Tail and then name your configuration. In this example,
I have named my configuration IIS.
c. Fill out the fields as shown below:
d. Please note that the path above also includes the W3SVC1 directory. This is required.
2. To then create the data source on the ESM, please follow the steps below:
a. First add your data source, with the Vendor of Microsoft and the Model of Internet
Information Services (ASP).
b. Set the Data Format as Default and the Data Retrieval as MEF.
c. Then name the data source, enter the IP address of the Host and Select the proper setting
for encryption based on your agent settings.
d. Set the proper Time Zone for the data source that you have just created and then click
OK.
e. Write the Data Source and then push out the new policy.
3. Once your Agent and Data Source settings are complete, you can then start the agent service and
watch for IIS events to be ingested into the SIEM.
4. Your new events will look similar to these:
6 Troubleshooting
1. How do I use the IP address vs. Host ID when creating data sources in the McAfee
SIEM?
a. It’s important to understand the relationship between an IP address and a Host ID. The
IP address and Host ID simply allow the SIEM to determine where an event
originated. However, since a single IP address can only be associated with a
single data source, when we are setting up multiple data sources from a single
host we need to have another identifier than the IP address. That is the Host ID.
For example, if you were going to set up a Windows server that is running both DHCP
and DNS, your configuration might look like this.
i. Set up the initial agent and data source using the IP address first. This
allows the receiver to modify its firewall and allow all packets from that
source into the receiver. So initially I might set the agent to parse the
standard Windows logs (System, Application, and Security) and use the
system's IP in its data source definition.
ii. Then you can add each additional configuration to the agent; in each
successive configuration you will NOT enter an IP address but
instead add a Host ID. For example, my Host IDs for my DNS and DHCP
servers might be “Server1-DNS” and “Server1-DHCP”.
2. How do I set up debug logging to see what is happening with the agent?
a. When using debug logging to determine what might be causing an issue, I
enable debugging on the agent as a whole. Open your Windows Event Collector
Management Utility, and select the Event Collector node on the left of the
display. Move the log level slider all the way to the top for Full Diagnostic, then
save your changes. You will now get a debug.log file that lives in the agent
directory. Do not run for too long with debugging enabled, as it will quickly
consume a lot of space.
3. When I originally set up the agent, I thought that I had the configuration correct; however,
I didn’t. Now when I try to restart the agent and have it reread and parse my old data it
will not, it only reads and parses new data. How do I resolve this?
a. You can always delete the bookmark files that tell the agent what it has parsed
already.
i. To perform this task, first you must stop the agent service.
ii. Then delete the bookmark files. These are stored here by default:
<AgentHome>\Plugins\<RandomGUID>_log.bookmark
iii. Once the bookmarks are deleted and the agent is restarted, it will reread
all the data files that it has already consumed.