McAfee Network Security Platform (Formerly known as McAfee Intrushield)
A JSA McAfee Network Security Platform DSM accepts events that use syslog. JSA records all relevant events.
Before you configure JSA to integrate with a McAfee Network Security Platform device, you must select your McAfee Network Security Platform version.
To collect alert events from McAfee Network Security Platform V2.x - V5.x, see Configuring Alert Events for McAfee Intrushield V2.x - V5.x. To collect alert notification events from McAfee Intrushield, administrators must configure a syslog forwarder to send events to JSA.
To collect alert events from McAfee Network Security Platform V6.x - V7.x, see Configuring Alert Events for McAfee Network Security Platform V6.x and V7.x. To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to JSA.
To collect fault notification events from McAfee Network Security Platform V6.x - V7.x, see Configuring Fault Notification Events for McAfee Network Security Platform V6.x and V7.x. To integrate fault notifications, you must configure your McAfee Network Security Platform to forward fault notification events.
Configuring Alert Events for McAfee Intrushield V2.x - V5.x
To collect alert notification events from McAfee Intrushield, administrators must configure a syslog forwarder to send events to JSA.
- Log in to the McAfee Intrushield Manager user interface.
- In the dashboard, click Configure.
- From the Resource Tree, click the root node (Admin-Domain-Name).
- Select Alert Notification > Syslog Forwarder.
- Type the Syslog Server details:
  Enable Syslog Forwarder must be configured as Yes.
  Port must be configured as 514.
- Click Edit.
- Choose the custom message string that matches your version:
Table 1: McAfee Intrushield V2.x - V5.x Custom Message Formats
Unpatched McAfee Intrushield V2.x systems:
|$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|"$ATTACK_NAME$"|$ATTACK_ID$|$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|$DESTINATION_PORT$|
McAfee Intrushield that has patches applied to update to V3.x - V5.x:
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Intrushield appliances that do not have software patches applied use different message strings than patched systems. McAfee Intrushield expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly. If you are unsure what event message format to use, contact McAfee Customer Support.
- Click Save.
As events are generated by McAfee Intrushield, they are forwarded to the syslog destination that you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Intrushield appliance. It typically takes a minimum of 25 events to automatically discover a log source.
Administrators can log in to the JSA console and verify that the log source is created on the JSA console and that the Log Activity tab displays events from the McAfee Intrushield appliance.
Configuring Alert Events for McAfee Network Security Platform V6.x and V7.x
To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to JSA.
To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.
- Log in to the McAfee Intrushield Manager user interface.
- On the Network Security Manager dashboard, click Configure.
- Expand the Resource Tree and click the IPS Settings node.
- Click the Alert Notification tab.
- On the Alert Notification menu, click the Syslog tab.
- Configure the following parameters to forward alert notification events:
Table 2: McAfee Network Security Platform V6.x & 7.x Alert Notification Parameters
Enable Syslog Notification: Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to JSA.
Admin Domain: Select any of the following options:
  - Current: Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
  - Children: Select this check box to send syslog notifications for alerts in any child domains within the current domain.
Server Name or IP Address: Type the IP address of your JSA console or Event Collector. This field supports both IPv4 and IPv6 addresses.
UDP Port: Type 514 as the UDP port for syslog events.
Facility: Select a syslog facility value.
Severity Mappings: Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity. The options include the following levels:
  - Emergency: The system is down or unusable.
  - Alert: The system requires immediate user input or intervention.
  - Critical: The system should be corrected for a critical condition.
  - Error: The system has non-urgent failures.
  - Warning: The system has a warning message that indicates an imminent error.
  - Notice: The system has notifications; no immediate action is required.
  - Informational: Normal operating messages.
Send Notification If: Select the following check boxes:
  - The attack definition has this notification option explicitly enabled.
  - The following notification filter is matched, and from the list select Severity Informational and later.
Notify on IPS Quarantine Alert: Select No as the notify on IPS quarantine option.
Message Preference: Select the Customized option.
- From the Message Preference field, click Edit to add a custom message filter.
- To ensure that alert notifications are formatted correctly, type the following message string:
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly.
You might require a text editor to properly format the custom message string as a single line.
- Click Save.
As alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.
Administrators can log in to the JSA console and verify that the log source is created on the JSA console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.
Configuring Fault Notification Events for McAfee Network Security Platform V6.x and V7.x
To integrate fault notifications with McAfee Network Security Platform, you must configure your McAfee Network Security Platform to forward fault notification events.
- Log in to the McAfee Intrushield Manager user interface.
- On the Network Security Manager dashboard, click Configure.
- Expand the Resource Tree and click the IPS Settings node.
- Click the Fault Notification tab.
- In the Alert Notification menu, click the Syslog tab.
- Configure the following parameters to forward fault notification events:
Table 3: McAfee Intrushield V6.x - V7.x Fault Notification Parameters
Enable Syslog Notification: Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to JSA.
Admin Domain: Select any of the following options:
  - Current: Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
  - Children: Select this check box to send syslog notifications for alerts in any child domains within the current domain.
Server Name or IP Address: Type the IP address of your JSA console or Event Collector. This field supports both IPv4 and IPv6 addresses.
Port: Type 514 as the port for syslog events.
Facilities: Select a syslog facility value.
Severity Mappings: Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity. The options include the following levels:
  - Emergency: The system is down or unusable.
  - Alert: The system requires immediate user input or intervention.
  - Critical: The system should be corrected for a critical condition.
  - Error: The system has non-urgent failures.
  - Warning: The system has a warning message that indicates an imminent error.
  - Notice: The system has notifications; no immediate action is required.
  - Informational: Normal operating messages.
Forward Faults with severity level: Select Informational and later.
Message Preference: Select the Customized option.
- From the Message Preference field, click Edit to add a custom message filter.
- To ensure that fault notifications are formatted correctly, type the following message string:
|%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|
Note: The custom message string must be entered as a single line with no carriage returns. McAfee Network Security Platform expects the format of the custom message syslog information to contain a dollar sign ($) delimiter before and after each element. If you are missing a dollar sign for an element, the event might not parse properly.
- Click Save.
As fault events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified.
You can log in to the JSA console and verify that the Log Activity tab contains fault events from the McAfee Network Security Platform appliance.
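The three custom message strings in this guide (the V2.x - V5.x strings in Table 1, the V6.x/V7.x alert string, and the fault string) follow one convention: pipe-separated columns, each alert element wrapped in dollar signs, entered as a single line. The notes above say what goes wrong when that convention is broken, but give no way to check a string before saving it or to confirm what the appliance actually emits before JSA auto-discovers the log source. The following Python is an added example, not part of this guide and not code from McAfee or Juniper: it flags the template problems the notes describe (line breaks, spaces, an element missing a $ delimiter) and parses a received syslog line back into the named elements of a template. The two sample syslog lines, their field values, and the `<PRI>timestamp host` header in front of the message are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Custom message templates exactly as given in the guide
# (single line, '$' delimiters around each element, no spaces).
TEMPLATES = {
    "alert_v2": (
        "|$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|\"$ATTACK_NAME$\"|$ATTACK_ID$|"
        "$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|"
        "$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|"
        "$DESTINATION_PORT$|"
    ),
    "alert_v6_v7": (
        "|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|\"$IV_ATTACK_NAME$\"|"
        "$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|"
        "$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|"
        "$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|"
        "$IV_DIRECTION$|$IV_SUB_CATEGORY$"
    ),
    "fault_v6_v7": "|%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|",
}

# A well-formed element: '$', an upper-case name, '$'.
TOKEN_RE = re.compile(r"\$([A-Z_]+)\$")


def validate_template(template: str) -> List[str]:
    """Return the formatting problems the guide's notes warn about
    (empty list if none): line breaks, spaces, or an element missing a '$'."""
    problems = []
    if "\r" in template or "\n" in template:
        problems.append("contains a carriage return or line feed")
    if " " in template or "\t" in template:
        problems.append("contains whitespace")
    # Remove every well-formed $NAME$ element; any '$' left over belongs to a
    # broken element (for example '$IV_ALERT_ID|' with its closing '$' missing).
    leftover = TOKEN_RE.sub("", template)
    if "$" in leftover:
        problems.append("an element is missing a '$' delimiter: " + leftover)
    return problems


def compile_template(template: str) -> Tuple[re.Pattern, List[str]]:
    """Turn a template into an anchored regex with one named group per element.
    Literal text between elements (pipes, quotes, %INTRUSHIELD-FAULT) is escaped;
    each element captures a run of characters that contains no '|'."""
    pattern, pos, fields = "", 0, []
    for m in TOKEN_RE.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        fields.append(m.group(1))
        pattern += f"(?P<{m.group(1)}>[^|]*)"
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile("^" + pattern + "$"), fields


def parse_event(line: str, template: str) -> Optional[Dict[str, str]]:
    """Parse one received syslog line against a template. Anything before the
    template's literal prefix (assumed here to be the syslog PRI, timestamp and
    host) is discarded. Returns None when the line does not fit the template,
    e.g. because a field value itself contained a '|' and shifted the columns."""
    first_token = TOKEN_RE.search(template)
    prefix = template[: first_token.start()] if first_token else template
    start = line.find(prefix)
    if start < 0:
        return None
    regex, _ = compile_template(template)
    m = regex.match(line[start:].rstrip("\r\n"))
    return m.groupdict() if m else None


# Constructed sample lines (not captured from a real appliance).
SAMPLE_ALERT = (
    "<134>Jan 12 10:15:32 nsm01 |1234567890|Signature|2020-01-12 10:15:30|"
    "\"HTTP: Example Attack Name\"|0x40001234|High|Signature|Medium|Example Domain|"
    "sensor-01|1A-1B|10.0.0.5|51234|10.0.0.10|80|Inbound|Web Server"
)
SAMPLE_FAULT = (
    "<131>Jan 12 10:20:00 nsm01 |%INTRUSHIELD-FAULT|Sensor Disconnected|"
    "2020-01-12 10:19:58|"
)
# The first element is missing its closing '$', the mistake the notes describe.
BROKEN_TEMPLATE = "|$IV_ALERT_ID|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, "template problems:", validate_template(tpl) or "none")
    print("broken template problems:", validate_template(BROKEN_TEMPLATE))
    alert = parse_event(SAMPLE_ALERT, TEMPLATES["alert_v6_v7"])
    print("alert:", alert["IV_ATTACK_NAME"], alert["IV_SOURCE_IP"],
          "->", alert["IV_DESTINATION_IP"])
    print("fault:", parse_event(SAMPLE_FAULT, TEMPLATES["fault_v6_v7"]))
```

Run `validate_template` on the string you are about to paste into the Message Preference editor, then point `parse_event` at a few lines captured on the syslog destination. A field value that itself contains a `|` (an attack name, for example) shifts the columns and makes `parse_event` return None; those are the events to look for on the Log Activity tab once the log source has been discovered, since the DSM has the same column layout to work with.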