About Me

I’m an IT professional working in the industry for nearly 20 years and have held many positions from System Administrator, Network Engineer, Sr. Network Operation Manager, Security and Network Architect and a few other positions as required for a small number of multi-national firms.

My goal is to provide some information back to the IT community that will hopefully be deemed useful, as well as to provide some like-minded individuals the opportunity to do the same.



6 thoughts on “About Me”

  1. I have gone through your articles on ASP on Xen/SEP/SharePoint, but I am still trying to get my head around how you are creating your own XML parser. How did you approach this? I am trying to do something similar for SQL devices, so I would really like to understand how I can create those XML files and put my custom SQL queries within them.


    • Unfortunately I’ve never been able to find any material documentation from McAfee on the XML format and options of their SQL import queries. My attempts to modify the SQL XML file with more complicated SQL queries, joining tables etc. have never been successful, so I follow a few quick rules:
      1. Create the XML file with the McAfee SQL tool, which is part of the collector Linux or Windows tool install.
      2. Don’t expect to make any significant changes to the XML directly by hand and have them be successful.
      3. As per #2, use SQL views or other mechanisms in your SQL server to present to the McAfee tool a very simple query (that looks like a simple table); do any joins or conditionals as part of this SQL view.
      4. If not using a primary key in your results, make sure that whatever field you are ordering on results in the exact same ordering every time the query is executed, otherwise you may lose or duplicate log entries.
      5a. The McAfee SQL import collection has its limitations, though the limits appear very high. I did run into an issue with my SharePoint audit log queries occasionally crashing the McAfee collector tool when using a SQL import. This was likely the result of returning 1 million or more records, so it is unlikely to occur in most environments. It’s a 32-bit app and probably hit the 2GB or less memory space limits.
      5b. In this case you can always write a SQL Agent job to export the SQL logs to a text file and use the standard text/syslog McAfee collector tool or the McAfee receiver to import these text files directly. Once again, this is how I got around the limitations in my SharePoint environment.

      In short, install the McAfee Windows/Linux collector tool, use the SQL import query building tool and start with very simple tables to get a feel for how everything works.
      Hopefully this response is helpful.

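The view-plus-deterministic-ordering pattern from rules #3 and #4 above, as an added T-SQL illustration that is not the commenter's code and not McAfee's. The table names (`dbo.AuditData`, `dbo.Users`) and columns are hypothetical stand-ins for a SharePoint-style audit schema; the point is that the join stays inside the view, the collector sees a flat table, and the ORDER BY includes a unique tie-breaker so every run returns rows in the same sequence.

```sql
-- Added illustration (not the commenter's or McAfee's code). Table and column
-- names are hypothetical; adapt them to the real audit schema in your environment.

-- 1. Keep the join and the filtering logic inside a view so the collector
--    only ever sees a flat, single-table shape (rule #3 above).
CREATE VIEW dbo.vw_AuditExport
AS
SELECT
    a.EventId,                      -- monotonic surrogate key: the tie-breaker
    a.Occurred,                     -- event timestamp (store in UTC)
    a.EventType,
    u.LoginName     AS UserName,    -- resolved here so the collector need not join
    a.ItemUrl,
    a.SourceIp
FROM dbo.AuditData AS a
LEFT JOIN dbo.Users AS u
    ON u.UserId = a.UserId
WHERE a.EventType IN ('Update', 'Delete', 'CheckIn', 'CheckOut');
GO

-- 2. The query the collector runs against the view (rule #4 above).
--    Ordering by the timestamp alone is NOT deterministic: many events share
--    the same second, so two runs can return the ties in a different order and
--    the collector may skip or re-read rows around its last-seen position.
--    Timestamp plus the surrogate key gives the same sequence on every run.
SELECT EventId, Occurred, EventType, UserName, ItemUrl, SourceIp
FROM dbo.vw_AuditExport
ORDER BY Occurred, EventId;         -- never ORDER BY Occurred alone
GO

-- 3. Self-check: if this returns any rows, the ordering columns you chose are
--    not unique and you still need a tie-breaker.
SELECT Occurred, EventId, COUNT(*) AS Duplicates
FROM dbo.vw_AuditExport
GROUP BY Occurred, EventId
HAVING COUNT(*) > 1;
GO
```

If the result set grows past what the 32-bit collector tolerates (rule #5a), the same view is a convenient source for the SQL Agent export job in #5b: the job selects from `dbo.vw_AuditExport` with the same ORDER BY and a watermark on `EventId` so each run writes only rows newer than the last one it exported.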

  2. Hi, I’m working on a McAfee SIEM demo for a Venezuelan bank, and added a Check Point manager server. Everything works, but the Check Point guys need the firewall rule number and name, and it seems to me that the manager server doesn’t send them to the SIEM. Would you please give me a clue about how to get the Check Point rule number and name?


    • I’m unable to speak about Check Point management server versions prior to version R75.47 as I have no experience going back prior to that. But when configuring the Check Point management server (or Check Point logging server) OPSEC connector to the SIEM environment there are a number of configurable options (once again this varies greatly depending on management server version). Make sure you have client “entities” correctly checked off on the OPSEC configuration object in Check Point; at a minimum you need LEA Client events to be passed. You will also want to review the CPMI and LEA Permissions tabs and configure them appropriately; in some versions, by default, “sensitive” log data such as user names or URLs visited will not be passed unless the OPSEC object is explicitly configured to do so. Check Point has made significant improvements in the granularity of configuration and security configuration options on the OPSEC connector starting with management server versions R77.10 or 20, I believe; really useful.
      Lastly, the McAfee SIEM Check Point rules DO NOT capture a lot of useful information from the Check Point logs! So if using McAfee’s built-in Check Point rules, you will NOT get the firewall rule number (and, if I recall correctly) not even the rule name or comments. So if required, you are looking at rewriting all the McAfee Check Point rules like I did. Unfortunately a recurring theme I find with all the built-in parsing rules – they capture the bare minimum and don’t bother putting a lot of potentially useful logging data into appropriate metadata database fields! Good luck.

