
Integrate McAfee IntruShield IPS with SolarWinds LEM

Created by Rodim Suarez, last modified by MindTouch on Jun 23, 2016


Overview

This article outlines the procedures for configuring McAfee IntruShield IPS to log to your LEM appliance, and configuring the IntruShield connector on your LEM appliance.

Environment

All LEM versions

Steps

To configure McAfee IntruShield IPS to log to your LEM appliance:

  1. Open the IntruShield Manager console.
  2. Click the Alert Notification tab, and then select Syslog Forwarder.
  3. Select Yes next to Enable Syslog Forwarder.
  4. Enter the IP address or hostname of your LEM appliance in the appropriate Syslog Server field.
  5. Enter 514 in the Port field.
  6. Select Local user 0 (local0) from the Facilities list.
  7. Complete the Severity Mapping section as follows:
    Informational to: Select Informational: informational messages.
    Low to: Select Notice: normal but significant condition.
    Medium to: Select Critical: critical conditions.
    High to: Select Alert: action must be taken immediately.
  8. Select Informational and above from the With severity list in the Forward Alerts section.
  9. Click Apply.
  10. Select Customized in the Message Preference section, and then click Edit.
  11. Paste the following text into the Message field on the Customize Syslog Forwarder Message window, using the format string that matches each forwarder:
    SyslogAlertForwarder format string:
    |$IV_ATTACK_TIME$|$IV_ATTACK_ID$|$IV_ATTACK_NAME$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_NETWORK_PROTOCOL$|$IV_INTERFACE$|$IV_APPLICATION_PROTOCOL$|$IV_RESULT_STATUS$|$IV_DIRECTION$|$IV_CATEGORY$|$IV_SUB_CATEGORY$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_ALERT_TYPE$|$IV_DETECTION_MECHANISM$|$IV_ATTACK_SIGNATURE$
    SyslogAuditLogForwarder format string:
    |$IV_AUDIT_ACTION$|$IV_AUDIT_RESULT$|$IV_AUDIT_TIME$|$IV_AUDIT_MESSAGE$|$IV_AUDIT_USER$|$IV_AUDIT_CATEGORY$|$IV_AUDIT_DOMAIN$|$IV_AUDIT_DETAIL_COMMENT$|$IV_AUDIT_DETAIL_DELTA$
    SyslogACLLogForwarder format string:
    |$ACL_NAME$|$ACL_ACTION$|$SOURCE_IP$|$SOURCE_PORT$|$TARGET_IP$|$TARGET_PORT$|$APPLICATION_PROTOCOL$|$SENSOR_NAME$|$INTERFACE$|$ALERT_DIRECTION$
    SyslogFaultForwarder format string:
    |$IV_FAULT_TYPE$|$IV_FAULT_NAME$|$IV_DESCRIPTION$|$IV_FAULT_SOURCE$|$IV_FAULT_COMPONENT$|$IV_FAULT_LEVEL$|$IV_FAULT_TIME$|$IV_SEVERITY$|$IV_ADMIN_DOMAIN$|$IV_OWNER_NAME$|$IV_OWNER_ID$|$IV_ACK_INFORMATION$
  12. Click Save.
  13. Click Apply.
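The custom message above is a pipe-delimited record whose field order is fixed by the SyslogAlertForwarder format string, and step 6 and step 7 fix the facility (local0) and the IntruShield-to-syslog severity mapping. The following Python is an added example, not code from SolarWinds or McAfee: it parses a forwarded alert back into named fields and checks that the PRI value the sensor emitted agrees with the mapping configured in step 7. It assumes the sensor prefixes the custom message with a standard BSD-style syslog header (`<PRI>` plus timestamp and hostname), which the article does not state, and the sample lines are constructed.

```python
import re

# Field order copied from the SyslogAlertForwarder format string in the
# article. The format string starts with "|", so the first split element
# of the message is empty and is discarded.
ALERT_FIELDS = [
    "IV_ATTACK_TIME", "IV_ATTACK_ID", "IV_ATTACK_NAME", "IV_SOURCE_IP",
    "IV_SOURCE_PORT", "IV_DESTINATION_IP", "IV_DESTINATION_PORT",
    "IV_NETWORK_PROTOCOL", "IV_INTERFACE", "IV_APPLICATION_PROTOCOL",
    "IV_RESULT_STATUS", "IV_DIRECTION", "IV_CATEGORY", "IV_SUB_CATEGORY",
    "IV_ATTACK_SEVERITY", "IV_ATTACK_CONFIDENCE", "IV_ADMIN_DOMAIN",
    "IV_SENSOR_NAME", "IV_ALERT_TYPE", "IV_DETECTION_MECHANISM",
    "IV_ATTACK_SIGNATURE",
]

# Step 7 severity mapping expressed as RFC 3164 syslog severity codes:
# Informational=6 (informational), Notice=5, Critical=2, Alert=1.
SEVERITY_TO_SYSLOG = {"Informational": 6, "Low": 5, "Medium": 2, "High": 1}
LOCAL0 = 16  # facility "Local user 0 (local0)" selected in step 6

# Assumed BSD-style header: "<PRI>" followed by timestamp and hostname.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def expected_pri(intrushield_severity: str) -> int:
    """PRI the sensor should emit for a given IntruShield severity."""
    return LOCAL0 * 8 + SEVERITY_TO_SYSLOG[intrushield_severity]


def parse_alert(line: str) -> dict:
    """Split one forwarded alert into the named fields of the format string."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    body = line[m.end():]
    start = body.find("|")  # custom message begins at the first pipe
    if start < 0:
        raise ValueError("no pipe-delimited message found")
    values = body[start:].split("|")[1:]
    n = len(ALERT_FIELDS)
    if len(values) > n:
        # A pipe inside the trailing signature text would over-split;
        # fold any surplus back into the last field.
        values = values[:n - 1] + ["|".join(values[n - 1:])]
    if len(values) != n:
        raise ValueError(f"expected {n} fields, got {len(values)}")
    fields = dict(zip(ALERT_FIELDS, values))
    fields["syslog_facility"] = pri // 8
    fields["syslog_severity"] = pri % 8
    return fields


def check_severity_mapping(fields: dict) -> bool:
    """True when facility and severity match steps 6 and 7 for this alert."""
    want = SEVERITY_TO_SYSLOG.get(fields["IV_ATTACK_SEVERITY"])
    return fields["syslog_facility"] == LOCAL0 and fields["syslog_severity"] == want


# Constructed sample lines (hostnames, addresses and signature text are
# made up). The first is correctly mapped (High -> Alert, PRI 129); the
# second carries a Medium alert with the Notice severity (PRI 133), which
# does not match the mapping in step 7.
SAMPLE_ALERTS = [
    "<129>Jun 22 20:02:11 sensor01 |2016-06-22 20:02:11|0x40001234|Constructed Test Signature"
    "|10.0.0.5|51234|192.0.2.10|80|6|1A-1B|HTTP|Inconclusive|Inbound|Exploit|Constructed"
    "|High|High|My Company|sensor01|Signature|Signature|constructed signature text",
    "<133>Jun 22 20:03:40 sensor01 |2016-06-22 20:03:40|0x40005678|Constructed Test Signature 2"
    "|10.0.0.7|40211|192.0.2.11|443|6|1A-1B|HTTPS|Blocked|Inbound|Exploit|Constructed"
    "|Medium|Low|My Company|sensor01|Signature|Signature|constructed signature text",
]


def audit(lines) -> list:
    """Return (sensor, attack id, ok) for each line so mismatches stand out."""
    out = []
    for line in lines:
        f = parse_alert(line)
        out.append((f["IV_SENSOR_NAME"], f["IV_ATTACK_ID"], check_severity_mapping(f)))
    return out


if __name__ == "__main__":
    for sensor, attack_id, ok in audit(SAMPLE_ALERTS):
        print(sensor, attack_id, "mapping OK" if ok else "severity mismatch")
```

Running `audit` over a capture taken on the LEM appliance is a quick way to confirm both that the Message field was pasted intact (21 fields per alert) and that the Severity Mapping section was filled in as described before the connector is started.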

To configure the IntruShield connector on your LEM Manager:

  1. Open your LEM Console and log into your LEM Manager as an administrator.
  2. Click the gear icon next to your LEM Manager (left), and then select Tools.
  3. In the Tool Configuration window, enter IntruShield in the search box at the top of the Refine Results pane.
  4. Click the gear icon next to the IntruShield connector, and then select New.
  5. Enter a custom Alias or accept the default.
  6. If you are finished configuring the connector, click Save.
  7. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then click Start.
  8. Click Close to close the Tool Configuration window.

Last modified
20:02, 22 Jun 2016
