McAfee ePolicy Orchestrator

McAfee® ePolicy Orchestrator® (McAfee® ePO™) enables centralized policy management and enforcement for endpoints and enterprise security products. McAfee ePO monitors and manages the network, detecting threats and protecting endpoints against these threats.

NXLog can be configured to collect events and audit logs from the ePO SQL databases.

The instructions and examples in this section were tested with ePolicy Orchestrator 5.10.0 and NXLog running on the same server.
The product whose events you want to collect must already be installed in ePO before its logs can be collected from these sources; for example, VirusScan Enterprise or Host Intrusion Prevention Content must be installed.

Collecting ePO Audit Logs

The Audit log contains McAfee ePO user actions and action details which can be viewed from the ePO dashboard.

Figure 1. Queries and Reports Dashboard for Audit Entries

ePO stores these logs in the dbo.OrionAuditLog table in the SQL database. The following configuration queries dbo.OrionAuditLog with the im_odbc module to collect the audit log events, and then formats each event as JSON with xm_json.

nxlog.conf
<Extension _json>
    Module       xm_json
</Extension>

<Input in>
    Module       im_odbc
    ConnectionString DSN=MQIS;database=ePO_Host; \
                     uid=user;pwd=password;
    IdType           timestamp
    # With ReadFromLast and MaxIdSQL, NXLog will start reading from the last
    # record when reading from the database for the first time.
    ReadFromLast TRUE
    MaxIdSQL     SELECT MAX(StartTime) AS maxid FROM dbo.OrionAuditLog
    SQL          SELECT StartTime as id,StartTime as EventTime, \
                 * FROM dbo.OrionAuditLog \
                 WHERE StartTime > CAST(? AS datetime)
    Exec         delete($id);to_json();
</Input>
Raw Audit Log Sample of a Successful Logon
EventTime: 2020-02-12 18:36:00
AutoId: 7
UserId: 1
UserName: admin
Priority: 3
CmdName: Logon Attempt
Message: Successful Logon for user "admin" from IP address: 10.0.0.4
Success: TRUE
StartTime: 2020-02-12 18:36:00
EndTime: 2020-02-12 18:36:00
RemoteAddress: 10.0.0.4
LocalAddress: 2001:0:34f1:8072:2c3a:3f1e:f5ff:fffb
TenantId: 1
DetailMessage: NULL
AdditionalDetailsURI: NULL
2020-02-12 18:37:28 McAfeeEPO INFO
id: 2020-02-12 18:37:28
Audit Event Sample in JSON of a Successful Logon
{
  "EventTime": "2019-07-27T09:51:08.630000+02:00",
  "AutoId": 83147,
  "UserId": 1,
  "UserName": "admin",
  "Priority": 3,
  "CmdName": "Logon Attempt",
  "Message": "Successful Logon for user \"admin\" from IP address: 192.168.134.165",
  "Success": true,
  "StartTime": "2019-07-27T09:51:08.630000+02:00",
  "EndTime": "2019-07-27T09:51:08.630000+02:00",
  "RemoteAddress": "192.168.134.165",
  "LocalAddress": "192.168.134.165",
  "TenantId": 1,
  "DetailMessage": null,
  "AdditionalDetailsURI": null,
  "EventReceivedTime": "2019-07-27T11:51:09.641428+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}

Collecting VirusScan Enterprise (VSE) Events

McAfee VirusScan Enterprise provides virus protection with low maintenance requirements and zero-impact scans for users. Its events are stored in the dbo.EPOEvents SQL view.

The following configuration uses the im_odbc module to collect VirusScan events from the dbo.EPOEvents SQL view. The AnalyzerName column identifies the product that generated each event in the view, so the query contains the conditional clause AnalyzerName LIKE 'VirusScan%'.

nxlog.conf
<Extension json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_odbc
    ConnectionString DSN=MQIS;database=ePO_Host; \
                     uid=user;pwd=password;
    IdType           timestamp
    # Uncomment ReadFromLast and MaxIdSQL to make NXLog start from the newest
    # record (instead of the beginning of the view) the first time it reads
    # from the database.
    #ReadFromLast TRUE
    #MaxIdSQL SELECT MAX(ReceivedUTC) AS maxid FROM dbo.EPOEvents
    SQL    SELECT ReceivedUTC as id,ReceivedUTC as EventTime,AutoID,ServerID,\
             AnalyzerName,AnalyzerHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (AnalyzerIPV4 as varchar(15))) as 'IPv4',\
             AnalyzerDetectionMethod,SourceHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (SourceIPV4 as varchar(15))) as 'Source IPv4',\
             SourceProcessName,TargetHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (TargetIPV4 as varchar(15))) as 'Target IPv4',\
              TargetUserName,TargetFileName,ThreatCategory,ThreatEventID,\
              ThreatSeverity,ThreatName,ThreatType,ThreatActionTaken,TenantID\
           FROM dbo.EPOEvents\
           WHERE ReceivedUTC > CAST(? AS datetime) AND AnalyzerName LIKE 'VirusScan%'
    Exec   delete($id);to_json();
</Input>
VirusScan Enterprise Event Sample in JSON of an EICAR Test File
{
  "EventTime": "2019-07-30T14:17:22.067000+02:00",
  "AutoID": 22113,
  "ServerID": "HOST",
  "AnalyzerName": "VirusScan Enterprise",
  "AnalyzerHostName": "HOST",
  "IPv4": "192.168.134.189",
  "AnalyzerDetectionMethod": "OAS",
  "SourceHostName": null,
  "Source IPv4": "192.168.134.189",
  "SourceProcessName": "C:\\Windows\\explorer.exe",
  "TargetHostName": "HOST",
  "Target IPv4": "192.168.134.189",
  "TargetUserName": "DOMAIN\\admin",
  "TargetFileName": "C:\\Users\\admin\\Desktop\\eicar.com",
  "ThreatCategory": "av.detect",
  "ThreatEventID": 1278,
  "ThreatSeverity": 1,
  "ThreatName": "EICAR test file",
  "ThreatType": "test",
  "ThreatActionTaken": "deleted",
  "TenantID": 1,
  "EventReceivedTime": "2019-07-30T16:18:15.279397+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}

Collecting Data Loss Prevention (DLP) Events

McAfee Data Loss Prevention (DLP) Endpoint is a content-based agent that inspects user actions. It scans data in use on endpoints, blocks the transfer of sensitive data, and can store its findings as evidence.

The configuration below uses the im_odbc module to collect Data Loss Prevention events from the dbo.EPOEvents SQL view. The AnalyzerName column identifies the product that generated each event in the view, so the query contains the conditional clause AnalyzerName LIKE 'Data%'.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module           im_odbc
    ConnectionString DSN=MQIS;database=ePO_Host; \
                     uid=user;pwd=password;
    IdType           timestamp
    # Uncomment ReadFromLast and MaxIdSQL to make NXLog start from the newest
    # record (instead of the beginning of the view) the first time it reads
    # from the database.
    #ReadFromLast TRUE
    #MaxIdSQL SELECT MAX(ReceivedUTC) AS maxid FROM dbo.EPOEvents
    SQL    SELECT ReceivedUTC as id,ReceivedUTC as EventTime,AutoID,ServerID,\
             AnalyzerName,AnalyzerHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (AnalyzerIPV4 as varchar(15))) as 'IPv4',\
             AnalyzerDetectionMethod,SourceHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (SourceIPV4 as varchar(15))) as 'Source IPv4',\
             SourceProcessName,TargetHostName,\
           dbo.RSDFN_ConvertIntToIPString \
             (cast (TargetIPV4 as varchar(15))) as 'Target IPv4',\
              TargetUserName,TargetFileName,ThreatCategory,ThreatEventID,\
              ThreatSeverity,ThreatName,ThreatType,ThreatActionTaken,TenantID\
           FROM dbo.EPOEvents\
           WHERE ReceivedUTC > CAST(? AS datetime) AND AnalyzerName LIKE 'Data%'
    Exec   delete($id);to_json();
</Input>
Data Loss Prevention Event Sample in JSON of a USB Device Plug-in
{
  "EventTime": "2019-08-24T12:46:15.603000+02:00",
  "AutoID": 94123,
  "ServerID": "HOST",
  "AnalyzerName": "Data Loss Prevention",
  "AnalyzerHostName": "HOST",
  "IPv4": "192.168.134.198",
  "AnalyzerDetectionMethod": "DLP for Windows",
  "SourceHostName": "HOST",
  "Source IPv4": "192.168.134.198",
  "SourceProcessName": "",
  "TargetHostName": "HOST",
  "Target IPv4": "192.168.134.198",
  "TargetUserName": "DOMAIN\\admin",
  "TargetFileName": null,
  "ThreatCategory": "policy",
  "ThreatEventID": 19115,
  "ThreatSeverity": 1,
  "ThreatName": "USB",
  "ThreatType": "DEVICE_PLUG",
  "ThreatActionTaken": "BL|MON|ON",
  "TenantID": 1,
  "EventReceivedTime": "2019-08-24T14:46:16.066322+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
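The three configurations above share one collection pattern: im_odbc binds the last id it saw (a timestamp, because of IdType timestamp) to the single `?` in the SQL statement, optionally seeds that id from MaxIdSQL when ReadFromLast is TRUE, and the Exec line removes the `id` field before the record is serialised with to_json(). The following Python script is an added illustration of that pattern, not NXLog's code and not McAfee's schema: it runs the same shape of query against an in-memory SQLite database with constructed OrionAuditLog and EPOEvents rows modelled on the samples shown on this page (the class and function names are the example's own). SQLite compares ISO-8601 text timestamps correctly, so the `CAST(? AS datetime)` needed on SQL Server is left out of the simulated queries.

```python
"""Simulation of the im_odbc polling pattern used in the ePO configurations above.

Added illustration only: runs against in-memory SQLite with constructed rows;
it is not NXLog's implementation and not McAfee's real table layout.
"""
import json
import sqlite3

# Constructed stand-ins for dbo.OrionAuditLog and dbo.EPOEvents with only the
# columns needed to show the polling logic. Timestamps are ISO-8601 text.
SCHEMA = """
CREATE TABLE OrionAuditLog (AutoId INTEGER PRIMARY KEY, UserName TEXT,
    CmdName TEXT, Message TEXT, Success INTEGER, StartTime TEXT,
    RemoteAddress TEXT);
CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, ReceivedUTC TEXT,
    AnalyzerName TEXT, TargetUserName TEXT, ThreatName TEXT,
    ThreatActionTaken TEXT);
"""

# Constructed sample rows modelled on the page's samples.
SEED_ROWS = [
    ("INSERT INTO OrionAuditLog VALUES (?,?,?,?,?,?,?)",
     (7, "admin", "Logon Attempt",
      'Successful Logon for user "admin" from IP address: 10.0.0.4',
      1, "2020-02-12 18:36:00", "10.0.0.4")),
    ("INSERT INTO EPOEvents VALUES (?,?,?,?,?,?)",
     (22113, "2019-07-30 14:17:22", "VirusScan Enterprise",
      "DOMAIN\\admin", "EICAR test file", "deleted")),
    ("INSERT INTO EPOEvents VALUES (?,?,?,?,?,?)",
     (94123, "2019-08-24 12:46:15", "Data Loss Prevention",
      "DOMAIN\\admin", "USB", "BL|MON|ON")),
]

# Same shape as the page's SQL directives, minus the SQL Server CAST.
AUDIT_SQL = ("SELECT StartTime AS id, StartTime AS EventTime, * "
             "FROM OrionAuditLog WHERE StartTime > ?")
AUDIT_MAX_ID_SQL = "SELECT MAX(StartTime) AS maxid FROM OrionAuditLog"


def events_sql(analyzer_prefix):
    """Build the dbo.EPOEvents query with the AnalyzerName LIKE 'prefix%' clause."""
    return ("SELECT ReceivedUTC AS id, ReceivedUTC AS EventTime, AutoID, "
            "AnalyzerName, TargetUserName, ThreatName, ThreatActionTaken "
            "FROM EPOEvents WHERE ReceivedUTC > ? "
            f"AND AnalyzerName LIKE '{analyzer_prefix}%'")


class OdbcPoller:
    """Models one <Input> block: IdType timestamp, optional MaxIdSQL applied
    when ReadFromLast is TRUE, and a SQL statement whose single ? is bound to
    the last id seen. Exec delete($id); to_json(); is applied to every row."""

    def __init__(self, conn, sql, max_id_sql=None, read_from_last=False):
        self.conn = conn
        self.sql = sql
        self.last_id = None  # NXLog persists this in its cache; kept in memory here
        if read_from_last and max_id_sql:
            # First start: position the high-water mark at the newest existing row.
            self.last_id = conn.execute(max_id_sql).fetchone()[0]

    def poll(self):
        """Fetch rows newer than last_id, advance the mark, return JSON documents."""
        start = self.last_id if self.last_id is not None else ""  # "" < any timestamp
        cur = self.conn.execute(self.sql, (start,))
        cols = [d[0] for d in cur.description]
        docs = []
        for values in cur.fetchall():
            rec = dict(zip(cols, values))
            self.last_id = max(self.last_id or "", rec["id"])
            del rec["id"]                  # Exec delete($id);
            docs.append(json.dumps(rec))   # to_json();
        return docs


def parsed(docs):
    """Decode emitted JSON documents back into dicts (used by the checks below)."""
    return [json.loads(d) for d in docs]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, params in SEED_ROWS:
        conn.execute(stmt, params)

    # Audit input as configured on the page (ReadFromLast TRUE): the logon row
    # that already exists at start-up is skipped ...
    audit = OdbcPoller(conn, AUDIT_SQL, AUDIT_MAX_ID_SQL, read_from_last=True)
    audit_first = audit.poll()
    # ... but a logon recorded later is collected on the next poll.
    conn.execute("INSERT INTO OrionAuditLog VALUES (?,?,?,?,?,?,?)",
                 (8, "admin", "Logon Attempt",
                  'Successful Logon for user "admin" from IP address: 10.0.0.4',
                  1, "2020-02-12 18:40:00", "10.0.0.4"))
    audit_second = audit.poll()

    # VSE and DLP inputs with ReadFromLast commented out read the whole view,
    # and the AnalyzerName prefix filters split it by product.
    vse = OdbcPoller(conn, events_sql("VirusScan")).poll()
    dlp = OdbcPoller(conn, events_sql("Data")).poll()
    return {"audit_first": audit_first, "audit_second": audit_second,
            "vse": vse, "dlp": dlp}


if __name__ == "__main__":
    for name, docs in demo().items():
        print(name, docs)
```

One property of this pattern worth checking in your own deployment: the comparison is a strict `>` on a timestamp, so a row that lands in the table with exactly the high-water-mark timestamp after a poll has completed is never fetched. The simulation reproduces that behaviour; if your audit volume makes same-second collisions likely, confirm how often it happens before relying on the timestamp column as the id.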
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 04 March 2020