McAfee Event Receiver OIDs

McAfee products can be accessed through SNMP. The McAfee MIB defines the object identifiers (OIDs) for each object or characteristic of interest. McAfee ESM responds by populating the OID bindings with the results of the health request.

The following tables show the meaning of McAfee ESM and McAfee Event Receiver OIDs.

McAfee ESM health

| Request and response OID | Units | Response value | Meaning |
|---|---|---|---|
| 1.3.6.1.4.1.23128.1.3.1.1 | Percent | 4 | Percentage combined instantaneous CPU load |
| 1.3.6.1.4.1.23128.1.3.1.2 | MB | 3518 | Total RAM |
| 1.3.6.1.4.1.23128.1.3.1.3 | MB | 25 | Available RAM |
| 1.3.6.1.4.1.23128.1.3.1.4 | MB | 1468006 | Total HDD space partitioned for McAfee ESM database |
| 1.3.6.1.4.1.23128.1.3.1.5 | MB | 1363148 | Free HDD space available for McAfee ESM database |
| 1.3.6.1.4.1.23128.1.3.1.6 | seconds since 1970-1-1 00:00:0.0 (GMT) | 1283888714 | Current system time on the McAfee ESM |
| 1.3.6.1.4.1.23128.1.3.1.7 | | 8.4.2 | McAfee ESM version and build stamp |
| 1.3.6.1.4.1.23128.1.3.1.8 | | 4EEE:6669 | Machine ID of the McAfee ESM |
| 1.3.6.1.4.1.23128.1.3.1.9 | | McAfee ESM | McAfee ESM model number |

McAfee Event Receiver health

| Request and response OID | Units | Response value | Meaning |
|---|---|---|---|
| 1.3.6.1.4.1.23128.1.3.3.1.x | | McAfee Event Receiver | McAfee Event Receiver name |
| 1.3.6.1.4.1.23128.1.3.3.2.x | | 2689599744 | McAfee ESM unique identifier of the Receiver |
| 1.3.6.1.4.1.23128.1.3.3.3.x | | 1 | Indicates that communication with the McAfee Event Receiver is available (1) or not available (0) |
| 1.3.6.1.4.1.23128.1.3.3.4.x | | OK | Indicates the status of the McAfee Event Receiver |
| 1.3.6.1.4.1.23128.1.3.3.5.x | Percent | 2 | Percentage combined instantaneous CPU load |
| 1.3.6.1.4.1.23128.1.3.3.6.x | MB | 7155 | Total RAM |
| 1.3.6.1.4.1.23128.1.3.3.7.x | MB | 5619 | Available RAM |
| 1.3.6.1.4.1.23128.1.3.3.8.x | MB | 498688 | Total HDD space partitioned for McAfee Event Receiver database |
| 1.3.6.1.4.1.23128.1.3.3.9.x | MB | 472064 | Free HDD space available for McAfee Event Receiver database |
| 1.3.6.1.4.1.23128.1.3.3.10.x | seconds since 1970-1-1 00:00:0.0 (GMT) | 1283889234 | Current system time on the McAfee Event Receiver |
| 1.3.6.1.4.1.23128.1.3.3.11.x | | 7.1.3 20070518091421a | Receiver version and build stamp |
| 1.3.6.1.4.1.23128.1.3.3.12.x | | 5EEE:CCC6 | Machine ID of the McAfee Event Receiver |
| 1.3.6.1.4.1.23128.1.3.3.13.x | | Receiver | McAfee Event Receiver model number |
| 1.3.6.1.4.1.23128.1.3.3.14.x | alerts per minute | 1 | Alert rate (per minute) for last 10 minutes |
| 1.3.6.1.4.1.23128.1.3.3.15.x | flows per minute | 2 | Flow rate (per minute) for last 10 minutes |

Note: x = Device ID. To access a list of device IDs, go to System Properties | SNMP Configuration, then click View Device IDs.

Events, flows, and blacklist entries are sent using SNMP traps or inform requests. An alert trap sent from McAfee ESM configured to do Event Forwarding might look something like this:

| OID | Value | Meaning |
|---|---|---|
| 1.3.6.1.4.1.23128.1.1.1 | 780 | McAfee ESM alert ID |
| 1.3.6.1.4.1.23128.1.1.2 | 6136598 | Device alert ID |
| 1.3.6.1.4.1.23128.1.1.4 | 2 | Device ID |
| 1.3.6.1.4.1.23128.1.1.5 | 10.0.0.69 | Source IP address |
| 1.3.6.1.4.1.23128.1.1.6 | 27078 | Source Port |
| 1.3.6.1.4.1.23128.1.1.7 | AB:CD:EF:01:23:45 | Source MAC |
| 1.3.6.1.4.1.23128.1.1.8 | 10.0.0.68 | Destination IP address |
| 1.3.6.1.4.1.23128.1.1.9 | 37258 | Destination Port |
| 1.3.6.1.4.1.23128.1.1.10 | 01:23:45:AB:CD:EF | Destination MAC |
| 1.3.6.1.4.1.23128.1.1.11 | 17 | Protocol |
| 1.3.6.1.4.1.23128.1.1.12 | 0 | VLAN |
| 1.3.6.1.4.1.23128.1.1.13 | 1 | Flow direction |
| 1.3.6.1.4.1.23128.1.1.14 | 20 | Event count |
| 1.3.6.1.4.1.23128.1.1.15 | 1201791100 | First time |
| 1.3.6.1.4.1.23128.1.1.16 | 1201794638 | Last time |
| 1.3.6.1.4.1.23128.1.1.17 | 288448 | Last time (microseconds) |
| 1.3.6.1.4.1.23128.1.1.18 | 2000002 | Signature ID |
| 1.3.6.1.4.1.23128.1.1.19 | ANOMALY Inbound High to High | Signature description |
| 1.3.6.1.4.1.23128.1.1.20 | 5 | Action taken |
| 1.3.6.1.4.1.23128.1.1.21 | 1 | Severity |
| 1.3.6.1.4.1.23128.1.1.22 | 201 | Data source type or result |
| 1.3.6.1.4.1.23128.1.1.23 | 0 | Normalized signature ID |
| 1.3.6.1.4.1.23128.1.1.24 | 0:0:0:0:0:0:0:0 | IPv6 source IP address |
| 1.3.6.1.4.1.23128.1.1.25 | 0:0:0:0:0:0:0:0 | IPv6 destination IP address |
| 1.3.6.1.4.1.23128.1.1.26 | | Application |
| 1.3.6.1.4.1.23128.1.1.27 | | Domain |
| 1.3.6.1.4.1.23128.1.1.28 | | Host |
| 1.3.6.1.4.1.23128.1.1.29 | | User (source) |
| 1.3.6.1.4.1.23128.1.1.30 | | User (destination) |
| 1.3.6.1.4.1.23128.1.1.31 | | Command |
| 1.3.6.1.4.1.23128.1.1.32 | | Object |
| 1.3.6.1.4.1.23128.1.1.33 | | Sequence Number |
| 1.3.6.1.4.1.23128.1.1.34 | | Indicates whether generated in a trusted or untrusted environment |
| 1.3.6.1.4.1.23128.1.1.35 | | ID of session that generated the alert |

The numbers mean:
  • 1.3.6.1.4.1.23128 — The McAfee IANA-assigned enterprise number
  • The final number (1–35) — For reporting the various characteristics of the alert
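
A system that receives these forwarded alerts has to map the varbinds back to named fields and decide what to do with anything it does not recognise. The following Python is an added example, not McAfee code: the field key names and the `decode_alert` helper are hypothetical, varbinds are assumed to arrive as (OID, value) string pairs, and First/Last time are assumed to be Unix epoch seconds in UTC.

```python
from datetime import datetime, timedelta, timezone

ALERT_PREFIX = "1.3.6.1.4.1.23128.1.1."  # alert subtree from the table above

# Final OID arc -> field name. The key names are this example's own choice;
# arc 3 does not appear in the table, so it is left unmapped ("-").
NAMES = ("esm_alert_id device_alert_id - device_id src_ip src_port src_mac "
         "dst_ip dst_port dst_mac protocol vlan flow_direction event_count "
         "first_time last_time last_time_usec signature_id "
         "signature_description action severity data_source_type "
         "normalized_signature_id src_ipv6 dst_ipv6 application domain host "
         "src_user dst_user command object sequence_number trusted session_id")
FIELDS = {arc: n for arc, n in enumerate(NAMES.split(), 1) if n != "-"}
INT_FIELDS = {"src_port", "dst_port", "protocol", "vlan", "event_count",
              "first_time", "last_time", "last_time_usec", "severity"}

def decode_alert(varbinds):
    """Turn one trap's (oid, value) string pairs into (event, unmapped).

    OIDs outside the documented alert arcs, and numeric fields that do not
    parse, go to unmapped so the receiver can log them instead of guessing.
    """
    event, unmapped = {}, []
    for oid, value in varbinds:
        dotted = oid.lstrip(".")  # some tools print a leading dot
        arc = dotted[len(ALERT_PREFIX):] if dotted.startswith(ALERT_PREFIX) else ""
        name = FIELDS.get(int(arc)) if len(arc) <= 2 and arc.isdecimal() else None
        try:
            parsed = int(value) if name in INT_FIELDS else value
        except ValueError:
            name = None  # malformed number: treat the varbind as unmapped
        if name is None:
            unmapped.append((oid, value))
        else:
            event[name] = parsed
    # Assumption: Last time is Unix epoch seconds (UTC) plus the microsecond field.
    if "last_time" in event:
        event["last_seen"] = (datetime.fromtimestamp(event["last_time"], timezone.utc)
                              + timedelta(microseconds=event.get("last_time_usec", 0)))
    return event, unmapped

# Values from the example trap above, plus two constructed varbinds:
# the undocumented arc 3 and an OID outside the alert subtree.
P = ALERT_PREFIX
SAMPLE = [(P + "1", "780"), (P + "5", "10.0.0.69"), (P + "6", "27078"),
          (P + "8", "10.0.0.68"), ("." + P + "16", "1201794638"),
          (P + "17", "288448"), (P + "19", "ANOMALY Inbound High to High"),
          (P + "3", "x"), ("1.3.6.1.2.1.1.3.0", "12345")]
```
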