Generic syslog configuration details

Different options are available when configuring a new data source. When some options are selected, additional parameters might appear.

This section outlines the general options available in the Add Data Source configuration screen and provides details.

Use System Profiles: System Profiles are a way to reuse settings that are repetitive in nature without entering the information each time. An example is WMI credentials, which are needed to retrieve Windows Event Logs if WMI is the chosen mechanism.
Data Source Vendor: List of all supported vendors.
Data Source Model: List of supported products for the selected vendor.
Data Format: The expected format of the received or collected data. Options are Default, CEF, and MEF. Generally, this option is left as Default for supported data sources; it is intended to be used for custom data sources.
Note: If CEF is selected, the generic CEF parsing rule is enabled and rolled into policy for that data source. If selected on supported CEF data sources, the generic parsing rule might override existing parsing rules that are designed to parse data source-specific details. This results in degraded reporting for the specific data source.
Data Retrieval: The expected collection method used by the McAfee Event Receiver to collect the data. The default is generally syslog. Typically, this option is changed to match the needs of a specific user's environment. The data needs to remain in the expected format; otherwise the parsing rules cannot parse the events.
Enabled: Parsing/Logging/SNMP Trap: Parsing enables the data source to pass events to the parser. Logging enables the data source to pass raw event data to the McAfee Enterprise Log Manager (ELM). SNMP enables reception of SNMP traps for select data sources. If none of the options are checked, the settings are saved to McAfee ESM, but the data source is effectively disabled. The default is Parsing.
Name: The name that appears in the Logical Device Groupings tree and the filter lists.
IP Address/Hostname: The IP address and host name associated with the data source device.
Syslog Relay: Allows data to be collected via relays, with the option to group events under specific data sources based on syslog header details. Enable syslog relay on relay sources such as Syslog-NG.
Mask: Allows a mask to be applied to the IP address so that a range of IP addresses can be accepted.
Require Syslog TLS: When enabled, requires the McAfee Event Receiver to communicate over TLS.
Support Generic Syslog: Allows users to select one of the following options: Parse generic syslog, Log unknown syslog event, or Do nothing. These options control how McAfee ESM handles unparsed logs. Parse generic syslog creates an event for every unique unparsed event collected. Log unknown creates a single generic event and increments its count for every unparsed event. Do nothing ignores unparsed events. Use Parse generic syslog sparingly, as it can negatively impact McAfee Event Receiver and McAfee ESM performance when there is a high incoming rate of unparsed logs. If unparsed events must be reported in McAfee ESM, use the Log unknown option; otherwise, leave the setting as Do nothing.
Time Zone: Set based on the time zone used in the log data. Generally, it is the time zone where the actual data source is located.
Interface: Opens the McAfee Event Receiver interface settings to associate ports with streams of information.
Advanced: Opens advanced settings for the data source.
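The following added example (not McAfee code, and not the Event Receiver's actual implementation) models the Mask check and the three Support Generic Syslog behaviours described above over a few constructed syslog lines, so the difference in event volume between Parse generic syslog and Log unknown is visible. The sshd parsing rule, the header regex, the mode names and the choice of the message body as the uniqueness key are all assumptions made for the illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed stand-in for a data-source-specific parsing rule (not an ESM rule).
SSHD_RULE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
# Assumed BSD-style syslog header; the remainder is treated as the message body.
HEADER = re.compile(r"^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")

# Constructed sample lines: two parse, three do not (two of them repeat a message).
SAMPLE_LINES = [
    "<38>Jan 10 12:00:01 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 5555 ssh2",
    "<38>Jan 10 12:00:02 host1 sshd[1235]: Failed password for bob from 10.0.0.9 port 5556 ssh2",
    "<13>Jan 10 12:00:03 host1 myapp[77]: cache warmed in 3ms",
    "<13>Jan 10 12:00:04 host1 myapp[77]: cache warmed in 3ms",
    "<13>Jan 10 12:00:05 host1 myapp[77]: worker 2 restarted",
]


def accepts(sender_ip, data_source_ip, mask):
    """Mask option: accept any sender inside the range formed by IP address + mask."""
    return ip_address(sender_ip) in ip_network(f"{data_source_ip}/{mask}", strict=False)


def handle(lines, mode):
    """Return (parsed_events, generic_events) for one Support Generic Syslog setting.

    mode: 'parse' (Parse generic syslog: one generic event per unique unparsed
    message), 'log_unknown' (Log unknown syslog event: one event carrying a
    count), or 'nothing' (Do nothing: unparsed lines are dropped).
    """
    parsed, unique_unparsed, unparsed_count = [], {}, 0
    for line in lines:
        m = SSHD_RULE.search(line)
        if m:
            parsed.append(m.groupdict())
            continue
        unparsed_count += 1
        h = HEADER.match(line)
        key = h.group("msg") if h else line  # assumed uniqueness key
        unique_unparsed[key] = unique_unparsed.get(key, 0) + 1
    if mode == "parse":
        generic = [{"event": "generic syslog", "raw": k, "count": c}
                   for k, c in unique_unparsed.items()]
    elif mode == "log_unknown":
        generic = [{"event": "unknown syslog", "count": unparsed_count}] if unparsed_count else []
    elif mode == "nothing":
        generic = []
    else:
        raise ValueError(f"unknown mode: {mode}")
    return parsed, generic
```

With a high rate of distinct unparsed lines, the 'parse' list grows with every new message while 'log_unknown' stays at one event, which is the performance difference the table warns about.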