Configure event forwarding from McAfee SIEM

Event forwarding allows you to send events from McAfee ESM to another device or facility via Syslog (if
enabled). Define the destination, include the packet, and obfuscate the IP address data. You can filter event
data before it is forwarded.

Task
1 From the McAfee ESM dashboard, click and select Configuration.
2 On the system navigation tree, select McAfee ESM, then click the Properties icon.
3 Click Event Forwarding and configure the destination to forward event data to a syslog server.

  • Choose between the UDP or TCP transport protocol: select UDP.
  • Select the time format for the header of syslog event forwarding. Select Standard, then you can select a time zone to use when sending event forwarding logs.
  • If your policy copies a packet, select the Send Packet option to forward packet information (if available) at the end of the syslog message in Base 64 encoding.

Set up event forwarding filters
Limit the event data forwarded to a syslog on McAfee ESM.

Task
1 From the McAfee ESM dashboard, click and select Configuration.
2 On the system navigation tree, select McAfee ESM, then click the Properties icon.
3 Click Event Forwarding.
4 Click Add, then click Event Filters.
5 Fill in the filter fields:
• To filter by a specific device, click and select a device.
• To filter by destination or source IP address, type a single IP address (161.122.15.13) or a range of IP addresses (192.168.0.0/16).
• Filter by destination port (one is allowed).
• Filter by protocol (one is allowed).
• Filter by device type (maximum of 10).
• Filter by normalized IDs.
• To filter by event severity, select Greater than or equal and a severity number between 0 and 100.
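Before entering filter values in the console, it can help to check them against the limits listed above and preview which events they would let through. The following is an added example, not McAfee code or an ESM API: the `ForwardFilter` class, the event field names, and the sample events are constructed, and it assumes every populated filter field must match (logical AND).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ForwardFilter:
    # Hypothetical model of the filter fields listed above; not an ESM API.
    src_ip: Optional[str] = None        # single address or CIDR range
    dst_ip: Optional[str] = None        # single address or CIDR range
    dst_port: Optional[int] = None      # one is allowed
    protocol: Optional[str] = None      # one is allowed
    device_types: list = field(default_factory=list)  # maximum of 10
    min_severity: Optional[int] = None  # "Greater than or equal", 0-100

    def validate(self):
        """Return a list of problems with the filter values (empty = OK)."""
        errs = []
        for name in ("src_ip", "dst_ip"):
            try:
                if getattr(self, name) is not None:
                    ipaddress.ip_network(getattr(self, name), strict=True)
            except ValueError as exc:  # malformed, or host bits set in a range
                errs.append(f"{name}: {exc}")
        if len(self.device_types) > 10:
            errs.append("device_types: maximum of 10")
        if self.min_severity is not None and not 0 <= self.min_severity <= 100:
            errs.append("min_severity: must be 0-100")
        return errs

    def matches(self, ev):
        """Assumption: every populated field must match (logical AND)."""
        for name in ("src_ip", "dst_ip"):
            net = getattr(self, name)
            if net and ipaddress.ip_address(ev[name]) not in ipaddress.ip_network(net):
                return False
        if any(getattr(self, n) not in (None, ev[n]) for n in ("dst_port", "protocol")):
            return False
        if self.device_types and ev["device_type"] not in self.device_types:
            return False
        return self.min_severity is None or ev["severity"] >= self.min_severity

# Constructed sample events; field names are assumptions, not the ESM schema.
BASE = {"dst_ip": "161.122.15.13", "dst_port": 443, "protocol": "TCP", "device_type": "firewall"}
EVENTS = [dict(BASE, src_ip="192.168.4.20", severity=80),
          dict(BASE, src_ip="192.168.9.7", severity=30),
          dict(BASE, src_ip="10.1.1.5", severity=95)]

def preview(flt, events=EVENTS):  # indexes of the events the filter would forward
    return [i for i, ev in enumerate(events) if flt.matches(ev)]
```

A range such as `192.168.1.0/16` is reported by `validate()` because host bits are set, which catches a common typo before the filter silently matches more or less than intended.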

Event forwarding formats

Select Syslog (Standard Event Format).

Forwarding events with Standard Event Format
When setting up event forwarding with SEF from one McAfee ESM to another McAfee ESM, complete the
following steps:
1 From the McAfee ESM that is forwarding the events, export data sources, custom types, and custom rules.
2 On the McAfee ESM with the receiver you are forwarding events to, import the data sources, custom types,
and custom rules that you exported.
3 On the McAfee ESM receiving the events from another McAfee ESM, add a McAfee ESM data source.
4 On the sending McAfee ESM, add the event forwarding destination as follows:
• From the McAfee ESM dashboard, click and select Configuration.
• On the system navigation tree, select McAfee ESM, then click the Properties icon.
• Click Event Forwarding, then click Add.
• On the Add Event Forwarding Destination page, select syslog (Standard Event Format) in the Format field, then complete the remaining fields with the information for the McAfee ESM you are forwarding to, and click OK.