ESM data sources

This guide details how to configure data sources to send log data in the proper format to a McAfee Event Receiver.

The information in this document regarding McAfee or third-party products or services is provided for the education and convenience of McAfee customers only.

All information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

A data source holds the location and connection information of your network's sources of data. It acts as a connector to your source of data.

Data Sources exist on a McAfee Event Receiver (ERC).

Define a Data Source for each network item from which you want to collect data.

Data Sources hold your Rules.

Client data sources

Note: If the data source is already a parent or child, or if it is a WMI data source and Use RPC is selected, this option is unavailable.

You can add more than one client data source with the same IP address and use the port number to differentiate them. This allows you to segregate your data by using a different port for each data type, then forward the data on the same port it came in on.

When you add a client data source, select whether to use the parent data source port or another port.

Client data sources have these characteristics:

  • They don't have VIPS, Policy, or Agent rights.
  • They appear on the system navigation tree but not on the Data Sources table.
  • They share the same policy and rights as the parent data source.
  • They must be in the same time zone because they use the parent's configuration.

Note: Client WMI data sources can have independent time zones because the query sent to the WMI server determines the time zone.

Correlation data sources

After configuring a correlation data source, you can:

  • Roll out the correlation’s default policy
  • Edit the base rules in this correlation's default policy
  • Add custom rules and components
  • Roll out the policy
  • Enable or disable each rule
  • Set the value of each rule's user-definable parameters

When adding a correlation data source, select McAfee as the vendor and Correlation Engine as the model.

Enabling the correlation data source allows McAfee ESM to send alerts to the receiver correlation engine.