
Integrate McAfee IntruShield IPS with SolarWinds LEM

Updated: September 26, 2018

Overview

This article outlines the procedures for configuring McAfee IntruShield IPS to log to your LEM appliance, and configuring the IntruShield connector on your LEM appliance.

Environment

All LEM versions

Steps

To configure McAfee IntruShield IPS to log to your LEM appliance:

  1. Open the IntruShield Manager console.
  2. Click the Alert Notification tab, and then select Syslog Forwarder.
  3. Next to Enable Syslog Forwarder, select Yes.
  4. In the appropriate Syslog Server field, enter the IP address or hostname of your LEM appliance.
  5. In the Port field, enter 514.
  6. From the Facilities list, select Local user 0 (local0).
  7. Complete the Severity Mapping section as follows:
    Informational to: Select Informational: informational messages.
    Low to: Select Notice: normal but significant condition.
    Medium to: Select Critical: critical conditions.
    High to: Select Alert: action must be taken immediately.
  8. From the With severity list in the Forward Alerts section, select Informational and above.
  9. Click Apply.
  10. In the Message Preference section, select Customized, and then click Edit.
  11. Paste the following text into the Message field on the Customize Syslog Forwarder Message window. Each forwarder type has its own pipe-delimited format string:
    SyslogAlertForwarder format string:
    |$IV_ATTACK_TIME$|$IV_ATTACK_ID$|$IV_ATTACK_NAME$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_NETWORK_PROTOCOL$|$IV_INTERFACE$|$IV_APPLICATION_PROTOCOL$|$IV_RESULT_STATUS$|$IV_DIRECTION$|$IV_CATEGORY$|$IV_SUB_CATEGORY$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_ALERT_TYPE$|$IV_DETECTION_MECHANISM$|$IV_ATTACK_SIGNATURE$
    SyslogAuditLogForwarder format string:
    |$IV_AUDIT_ACTION$|$IV_AUDIT_RESULT$|$IV_AUDIT_TIME$|$IV_AUDIT_MESSAGE$|$IV_AUDIT_USER$|$IV_AUDIT_CATEGORY$|$IV_AUDIT_DOMAIN$|$IV_AUDIT_DETAIL_COMMENT$|$IV_AUDIT_DETAIL_DELTA$
    SyslogACLLogForwarder format string:
    |$ACL_NAME$|$ACL_ACTION$|$SOURCE_IP$|$SOURCE_PORT$|$TARGET_IP$|$TARGET_PORT$|$APPLICATION_PROTOCOL$|$SENSOR_NAME$|$INTERFACE$|$ALERT_DIRECTION$
    SyslogFaultForwarder format string:
    |$IV_FAULT_TYPE$|$IV_FAULT_NAME$|$IV_DESCRIPTION$|$IV_FAULT_SOURCE$|$IV_FAULT_COMPONENT$|$IV_FAULT_LEVEL$|$IV_FAULT_TIME$|$IV_SEVERITY$|$IV_ADMIN_DOMAIN$|$IV_OWNER_NAME$|$IV_OWNER_ID$|$IV_ACK_INFORMATION$
  12. Click Save.
  13. Click Apply.
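The following Python script is an added example (not part of this article or of the LEM connector) that shows what the configuration above should produce on the wire: it splits a message written with the SyslogAlertForwarder format string into its 21 named fields and checks that the syslog PRI value agrees with the local0 facility and the severity mapping from step 7. The syslog header and all field values in SAMPLE_ALERT are constructed, and the assumption that IV_ATTACK_SEVERITY is rendered as the words Informational/Low/Medium/High is ours.

```python
"""Parse and sanity-check an IntruShield alert sent with the custom format string above."""
import re

# Field names in the exact order of the SyslogAlertForwarder format string (step 11).
ALERT_FIELDS = [
    "IV_ATTACK_TIME", "IV_ATTACK_ID", "IV_ATTACK_NAME", "IV_SOURCE_IP",
    "IV_SOURCE_PORT", "IV_DESTINATION_IP", "IV_DESTINATION_PORT",
    "IV_NETWORK_PROTOCOL", "IV_INTERFACE", "IV_APPLICATION_PROTOCOL",
    "IV_RESULT_STATUS", "IV_DIRECTION", "IV_CATEGORY", "IV_SUB_CATEGORY",
    "IV_ATTACK_SEVERITY", "IV_ATTACK_CONFIDENCE", "IV_ADMIN_DOMAIN",
    "IV_SENSOR_NAME", "IV_ALERT_TYPE", "IV_DETECTION_MECHANISM",
    "IV_ATTACK_SIGNATURE",
]

# Step 6 selects facility local0 (syslog facility code 16); step 7 maps the
# IntruShield severities to the syslog severities informational/notice/critical/alert.
LOCAL0 = 16
SEVERITY_CODE = {"Informational": 6, "Low": 5, "Medium": 2, "High": 1}

# Constructed sample line: a syslog PRI/header followed by the pipe-delimited body.
SAMPLE_ALERT = (
    "<130>Sep 26 13:00:00 intrushield01 "
    "|2018-09-26 13:00:00|0x40001234|HTTP: Example Probe|10.0.0.5|44321"
    "|10.0.0.20|80|tcp|1A|http|Blocked|Inbound|Exploit|Web|Medium|High"
    "|My Company|sensor01|Signature|Signature|example-signature-data"
)


def expected_pri(iv_severity):
    """PRI value (facility * 8 + severity) the forwarder should emit for a given severity."""
    return LOCAL0 * 8 + SEVERITY_CODE[iv_severity]


def parse_alert(line):
    """Return the alert as a dict, or None if the line is not a 21-field alert message."""
    m = re.match(r"<(\d+)>(.*?)\|(.*)$", line)
    if not m:
        return None
    pri = int(m.group(1))
    values = m.group(3).split("|")
    if len(values) != len(ALERT_FIELDS):  # wrong field count: template mismatch or a '|' in a value
        return None
    rec = dict(zip(ALERT_FIELDS, values))
    rec["syslog_facility"] = pri // 8
    rec["syslog_severity"] = pri % 8
    sev = rec["IV_ATTACK_SEVERITY"]
    # Flag messages whose PRI does not match the severity mapping configured in step 7.
    rec["severity_consistent"] = sev in SEVERITY_CODE and pri == expected_pri(sev)
    return rec
```

A field-count mismatch usually means the format string was pasted incompletely or a field value itself contained a pipe; `severity_consistent` being False points at a severity-mapping mistake in step 7.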

To configure the IntruShield connector on your LEM Manager:

  1. On the LEM console toolbar, navigate to Manage > Appliances, and then log into your LEM Manager as an administrator.
  2. Next to your LEM Manager, click the gear icon, and then select Connectors.
  3. In the Connector Configuration window, enter IntruShield in the search box at the top of the Refine Results pane.
  4. Next to the IntruShield connector, click the gear icon, and then select New.
  5. Enter a custom Alias or accept the default.
  6. If you are finished configuring the connector, click Save.
  7. Next to the new connector, click the gear icon (denoted by an icon in the Status column), and then click Start.
  8. To exit the Connector Configuration window, click Close.
