Configure Interset

Before you begin, you need a fully configured and working Interset and McAfee ESM deployment, plus the following:

  • Familiarity with configuring Flume using Ambari. See the Configure Data Ingest documentation.
  • The tenant ID in Interset whose data is to be sent to the McAfee ESM Event Receiver (for example, 0).
  • The name (FQDN or IP address) and port of the McAfee Event Receiver.

Task

  1. In Apache Ambari, create the Flume Export Configuration Group.
  2. Configure the system so that events are sent as Syslog to the McAfee Event Receiver.
    1. Copy the esmSyslog.conf file from the /opt/interset/export/conf-templates folder to a local system, and make these substitutions:
      • On each line, change the tenant ID <TID> to the appropriate tenant ID (for example, 0).
      • Replace the <ESM Syslog Receiver Port> placeholder with the port number on which the McAfee Event Receiver accepts syslog.
      • Replace any other system variables, such as <ZOOKEEPER_HOST>, with appropriate values.
    2. Upload and save the new esmSyslog.conf file to Ambari for processing.
  3. Repeat step 2 with esmStorySyslog.conf, located in the same template folder, to also send high-risk stories to the McAfee Event Receiver. By default, only stories with a risk score greater than 75 are sent. To change this threshold, edit the number at the end of the following line (the <TID> is the same tenant ID you substituted in step 2):
    interset_auth_events_<TID>_esm.sources.kafkaSource.interceptors.scoreChecker.toCompare = riskScore:greaterThan:75
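The substitutions in steps 2 and 3 are easy to get half-done (a `<TID>` left in an agent name, a port typed into the wrong field), and Ambari will accept the file either way. The script below is an added example, not part of the Interset documentation or the product: it renders a template with the placeholder names the procedure uses (`<TID>`, `<ESM Syslog Receiver Port>`, `<ZOOKEEPER_HOST>`), validates the tenant ID and port, fails if any placeholder survives, and adjusts the `riskScore:greaterThan:` threshold used for stories. The template fragment, the function names, port 514 and the ZooKeeper host are all constructed for illustration; the real esmSyslog.conf and esmStorySyslog.conf are longer and their exact lines are not shown here.

```bash
#!/usr/bin/env bash
# Added example (not from the Interset documentation): render an Interset Flume
# export template for the McAfee Event Receiver and sanity-check the result.
# Assumes the placeholder names <TID>, <ESM Syslog Receiver Port> and
# <ZOOKEEPER_HOST> from the procedure; values must not contain '/' (sed delimiter).
set -u

# Constructed sample template in the style of the toCompare line shown in the
# procedure. This is NOT the real esmSyslog.conf; it only mimics its placeholders.
SAMPLE_TEMPLATE="$(mktemp)"
cat >"$SAMPLE_TEMPLATE" <<'EOF'
interset_auth_events_<TID>_esm.sources.kafkaSource.zookeeperConnect = <ZOOKEEPER_HOST>:2181
interset_auth_events_<TID>_esm.sources.kafkaSource.interceptors.scoreChecker.toCompare = riskScore:greaterThan:75
interset_auth_events_<TID>_esm.sinks.esmSink.port = <ESM Syslog Receiver Port>
EOF

# validate_inputs TID PORT: TID must be a non-negative integer, PORT within 1-65535.
validate_inputs() {
  local tid="$1" port="$2"
  case "$tid" in ''|*[!0-9]*) echo "bad tenant id: $tid" >&2; return 1;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
}

# render_template TEMPLATE OUT TID PORT ZK_HOST: substitute every placeholder on every line.
render_template() {
  local tmpl="$1" out="$2" tid="$3" port="$4" zk="$5"
  validate_inputs "$tid" "$port" || return 1
  sed -e "s/<TID>/$tid/g" \
      -e "s/<ESM Syslog Receiver Port>/$port/g" \
      -e "s/<ZOOKEEPER_HOST>/$zk/g" "$tmpl" >"$out"
}

# check_no_placeholders FILE: return 1 (and list the lines) if any <PLACEHOLDER> survived.
check_no_placeholders() {
  if grep -n '<[A-Za-z_ ]*>' "$1"; then
    echo "unreplaced placeholders remain in $1" >&2
    return 1
  fi
  return 0
}

# set_story_threshold FILE SCORE: rewrite the riskScore:greaterThan:N cut-off
# (the documentation's default is 75). Portable across GNU and BSD sed.
set_story_threshold() {
  local file="$1" score="$2"
  case "$score" in ''|*[!0-9]*) echo "bad score: $score" >&2; return 1;; esac
  sed -i.bak -E "s/(toCompare = riskScore:greaterThan:)[0-9]+/\1$score/" "$file" && rm -f "$file.bak"
}

# get_story_threshold FILE: print the current cut-off so the change can be verified.
get_story_threshold() {
  sed -nE 's/.*toCompare = riskScore:greaterThan:([0-9]+).*/\1/p' "$1" | head -n 1
}

# Usage: tenant 0, receiver port 514 and a ZooKeeper host are assumed values.
RENDERED="$(mktemp)"
render_template "$SAMPLE_TEMPLATE" "$RENDERED" 0 514 zk1.example.internal
check_no_placeholders "$RENDERED"
set_story_threshold "$RENDERED" 90
cat "$RENDERED"
```

Run the placeholder check before every upload to Ambari: a literal `<TID>` in the agent name silently produces a Flume configuration group that never matches the tenant's data. The export is plain syslog, so treat the network path between the Flume host and the Event Receiver as carrying clear-text security events unless you have put it on an encrypted transport.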