Configuring a McAfee ePO Server

Firmware: Microsoft ePO 3.5, 3.6, 4.0, and 4.6.7

CollectorA TLC module that gathers or receives log messages from Log Sources.: Network CollectorA type of Collector that listens for Syslog and SNMP-based log messages from network devices. (SNMP)

Configuring a McAfee ePO 3.5 or 3.6 Server

To configure a McAfee ePolicy Orchestrator (ePO) 3.5 or 3.6 server to send log messages to TLC:

1.

Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console.

2.

In the left pane, select McAfee Security > ePolicy Orchestrator.

3.

Under Global TaskCreated and configured in the Task Manager, a Task queries Events, Hosts, or Scanner Events in an Event-Management Database to perform an operation. Types of Tasks include Layout-Panel, Administrative, and Search Tasks. List, select Log on to server.

4.

In the Log On to Server dialog, enter the username and password for a valid ePolicy Orchestrator user account and click OK.

5.

In the left pane, select:

McAfee Security > ePolicy Orchestrator > [epo_server] > Notifications

where [epo_server] is the name of the ePO server.

6.

In the Configuration tab of the Notifications dialog, select SNMP Servers.

7.

In the SNMP Servers dialog, click Add.

8.

In the Add or Edit SNMP Server dialog:

a.

Enter the host name of your SNMP server in the Name field.

b.

In the Server Address field, enter the IP address of your TLC Primary ManagerEach TLC environmentConsists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation. has a single Primary Manager that controls: 1. The storing of log messages in the Audit LoggerThe TLC Console1. Tripwire Log Center Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire Log Center GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data. component in which you can work with the log messages collected by TLC. File Store and Events in Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. and click OK.

9.

In the Rules tab of the Notifications dialog, edit each rule so that all notifications are sent to the SNMP server.

a.

Select the rule.

b.

In the Describe Rule wizard, click Next.

c.

In the Set Filters page, select Edit Notification Rule > 3. Set Thresholds.

d.

Verify the Aggregation and Throttling values are set, and then click Next.

e.

In the Create Notifications page, click Add SNMP Trap.

f.

From the SNMP server drop-down in the Rules tab of the Add or Edit SNMP Trap dialog, select the SNMP server of the TLC ManagerTripwire Log Center Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices. that will collect log messages from the McAfee ePO server.

g.

In the Variables to include region, select the check boxes for all variables and click Save.The SNMP trap is added to the list of notifications for the selected rule.

h.

Click Finish.

i.

Repeat the steps above for each rule.

Configuring a McAfee ePO 4.0 Server

To configure a McAfee ePolicy Orchestrator (ePO) 4.0 server to send log messages to TLC:

1.

Select Start > Program Files > Network Associates > ePolicy Orchestrator 4.x Console.

2.

In the left pane, select McAfee Security > ePolicy Orchestrator.

3.

Under Global Task List, select Log on to server.

4.

In the Log On to Server dialog, enter the username and password for a valid ePolicy Orchestrator user account and click OK.

5.

Click Automation.

6.

In the SNMP Servers tab of the Automation dialog, click New SNMP Server.

7.

In the New SNMP Server dialog:

a.

Enter the host name of your SNMP server in the Name field.

b.

In the Server Address field, enter the IP address of your TLC Primary Manager and click OK.

8.

In the Notification Rules tab of the Automation dialog, edit each rule so that all notifications are sent to the SNMP server.

a.

Select the rule. (page appears.)

b.

In the Describe Rule wizard, click Next.

c.

In the Set Filters page, select Edit Notification Rule > 3. Set Thresholds.

d.

Verify the Aggregation and Throttling values are set, and then click Next.

e.

From the SNMP server drop-down, select the SNMP server of the TLC Manager that will collect log messages from the McAfee ePO server.

f.

In the Variables to include region, select the check boxes for all variables and click Next.

g.

Click Save to add the SNMP trap to the list of notifications for the selected rule.

h.

Click Finish.

i.

Repeat the steps above for each rule.

Next	If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding a Monitored Asset for a new Log Source.

Configuring a McAfee ePO 4.6.7 Server

To configure a McAfee ePolicy Orchestrator (ePO) 4.6.7 server to send log messages to TLC:

1.

Select Start > Program Files > McAfee > ePolicy Orchestrator 4.6.7 Console.

2.

In the Log On to ePolicy Orchestrator dialog, enter the User name and Password for a valid ePolicy Orchestrator user account and click OK.

3.

In the Menu panel, select Configuration > Registered Servers.

4.

In the lower-left corner of the Registered Servers dialog, click New Server.

5.

In the Description page of the Registered Server Builder wizard (see Figure 66):

a.

Select SNMP Server from the 'Server type' drop-down.

b.

In the Name field, enter the host name of your SNMP server.

c.

(Optional) In the Notes field, enter a description of the server.

Figure 66.  Description page in the Registered Server Builder wizard

6.

In the Details page of the Registered Server Builder wizard (see Figure 67):

a.

In the Address fields, select IPv4 from the drop-down and enter the IP address of your TLC Primary Manager or McAfee ePO Log Source.

b.

Select an SNMP Version, complete the related fields. (For further details, see the ePolicy Orchestrator online help.)

c.

Click Send SNMP Trap.

ePolicy Orchestrator sends an SNMP trap to the TLC Manager. In the Real-Time Event ViewerA TLC Console component that displays log messages as they are collected by TLC. in your TLC Console, confirm receipt of the trap.

d.

Click Save to close the Registered Server Builder.

Figure 67.  Details page in the Registered Server Builder wizard

7.

In the Menu panel, select Automation > Automatic Responses.

8.

Complete the following steps for each of your Automatic Responses.

a.

In the Actions column of the Automatic Responses dialog, select the response's Edit link.

b.

In the Aggregation tab of the Response Builder dialog (see Figure 68):

Select Trigger this response for every event.

Select the Throttling check box and set the throttling interval.

Figure 68.   Aggregation tab in the Response Builder dialog

c.

In the Actions tab of the Response Builder dialog (see Figure 69):

Select Send SNMP Trap from the drop-down.

In the SNMP Servers field, select the new SNMP server.

Move all values from the Available Types field to the Selected Types field.

Click Save.

Figure 69.   Actions tab in the Response Builder dialog

Next	If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding a Monitored Asset for a new Log Source.