McAfee Network Security Platform (formerly known as McAfee Intrushield)
A JSA McAfee Network Security Platform DSM collects syslog events from a McAfee Network Security Platform device. JSA records all relevant events.
To integrate McAfee Network Security Platform with JSA, complete the following steps:
If automatic updates are not enabled, RPMs are available for download from Juniper Downloads. Download and install the most recent version of the following RPMs on your JSA Console:
DSM Common RPM
McAfee Network Security Platform, DSM RPM
To configure your McAfee Network Security Platform device to send events to JSA, select your McAfee Network Security Platform device version.
Configuring Alert Events for McAfee Network Security Platform 2.x - 5.x.
Configuring Alert Events for McAfee Network Security Platform 6.x - 7.x.
Configuring alert events for McAfee Network Security Platform 8.x - 10.x.
Configuring Fault Notification Events for McAfee Network Security Platform 6.x - 7.x.
Configuring Fault Notification Events for McAfee Network Security Platform 8.x - 10.x.
If JSA does not automatically detect the log source, add a McAfee Network Security Platform log source on the JSA Console.
McAfee Network Security Platform DSM Specifications
Before you configure the McAfee Network Security Platform DSM, review its specifications. Knowing, for example, which McAfee Network Security Platform versions are supported before you begin helps ensure a successful integration.
The following table describes the specifications for the McAfee Network Security Platform DSM.
| Specification | Value |
|---|---|
| Manufacturer | McAfee |
| DSM name | McAfee Network Security Platform |
| RPM file name | DSM-McAfeeNetworkSecurityPlatform - QRadar_version-build_number.noarch.rpm |
| Supported version | 2.x - 10.x |
| Protocol | Syslog |
| Recorded event types | |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | |
Configuring Alert Events for McAfee Network Security Platform 2.x - 5.x
To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to JSA.
To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.
Log in to the McAfee Network Security Platform Manager user interface.
On the Network Security Manager dashboard, click Configure.
From the Resource Tree, click the root node (Admin-Domain-Name).
Click Alert Notification > Syslog Forwarder.
Configure the Syslog Server details parameters.
| Parameter | Value |
|---|---|
| Enable Syslog Forwarder | Yes |
| Port | 514 |
Click Edit.
Select one of the following versions:
Table 2: McAfee Network Security Platform 2.x - 5.x Custom Message Formats
Version: Unpatched McAfee Network Security Platform 2.x systems
Description (message string):
|$ALERT_ID$|$ALERT_TYPE$|$ATTACK_TIME$|"$ATTACK_NAME$"|$ATTACK_ID$|$ATTACK_SEVERITY$|$ATTACK_SIGNATURE$|$ATTACK_CONFIDENCE$|$ADMIN_DOMAIN$|$SENSOR_NAME$|$INTERFACE$|$SOURCE_IP$|$SOURCE_PORT$|$DESTINATION_IP$|$DESTINATION_PORT$|
Version: McAfee Network Security Platform that has patches applied to update to 3.x - 5.x
Description (message string):
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform appliances that do not have software patches applied use different message strings from patched systems. The format of the custom message must contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, the alert event might not be formatted properly.
If you are not sure which event message format to use, contact McAfee customer support.
Click Save.
When alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.
Administrators can log in to the JSA console and verify that the log source is created on the JSA console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.
Configuring Alert Events for McAfee Network Security Platform 6.x - 7.x
To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to JSA.
To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.
Log in to the McAfee Intrushield Manager user interface.
On the Network Security Manager dashboard, click Configure.
Expand the Resource Tree, and then click the IPS Settings node.
Click the Alert Notification tab.
On the Alert Notification menu, click the Syslog tab.
Configure the following parameters to forward alert notification events:
Table 3: McAfee Network Security Platform 6.x - 7.x Alert Notification Parameters
Enable Syslog Notification
Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to JSA.
Admin Domain
Select any of the following options:
Current - Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
Children - Select this check box to send syslog notifications for alerts in any child domains within the current domain.
Server Name or IP Address
The IP address of your JSA console or Event Collector. This field supports both IPv4 and IPv6 addresses.
UDP Port
Type 514 as the UDP port for syslog events.
Facility
Select a syslog facility value.
Severity Mappings
Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity.
The options include the following levels:
Emergency - The system is down or unusable.
Alert - The system requires immediate user input or intervention.
Critical - The system should be corrected for a critical condition.
Error - The system has non-urgent failures.
Warning - The system has a warning message that indicates an imminent error.
Notice - The system has notifications, no immediate action required.
Informational - Normal operating messages.
Send Notification If
Select the following check boxes:
The attack definition has this notification option explicitly enabled
The following notification filter is matched, and then, from the list, select Severity Informational and later.
Notify on IPS Quarantine Alert
Select No as the notify on IPS quarantine option.
Message Preference
Select the Customized option.
From the Message Preference field, click Edit to add a custom message filter.
To ensure that alert notifications are formatted correctly, type the following message string:
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly.
You might require a text editor to properly format the custom message string as a single line.
Click Save.
As alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.
Administrators can log in to the JSA console and verify that the log source is created on the JSA console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.
Configuring alert events for McAfee Network Security Platform 8.x - 10.x
To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to JSA.
To collect alert notification events from McAfee Network Security Platform, you need McAfee Network Security Platform Manager.
Log in to the McAfee Network Security Platform Manager user interface.
Click the Manager tab.
From the navigation menu, select Setup > Notification > IPS Events > Syslog.
In the Enable Syslog Notification pane, select Yes.
Click Save.
On the Syslog page, click New. If you are using version 10.x, click the + sign.
On the Add a Syslog Notification Profile page, configure the following parameters:
Table 4: McAfee Network Security Platform 8.x - 10.x Syslog Notification Profile Parameters
Admin Domain
Select any of the following options:
Current - Send syslog notifications for alerts in the current domain. This option is selected by default.
Children - Include alerts for all child domains within the current domain. (Not applicable to NTBA)
Notification Profile Name
The name of the notification profile that sends the notifications.
Target Server
Add a server profile:
Click Add.
Type the target server profile name.
Type the IP address of your JSA Console or Event Collector.
From the Protocol list, select UDP.
Type 514 in the Port field.
Click Save.
Facility
Select a syslog facility value from the list.
Severity Mapping
Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity.
Emergency - The system is down or unusable.
Alert - The system requires immediate user input or intervention.
Critical - The system should be corrected for a critical condition.
Error - The system has non-urgent failures.
Warning - The system has a warning message that indicates an imminent error.
Notice - The system has notifications, no immediate action required.
Informational - Normal operating messages.
Debug - Debug level messages.
Notify for All Alerts
Enable this option.
Notify on Quarantine Events
Disable this option.
Message
To ensure that alert notifications are formatted correctly, type the following message string:
|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$
Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly.
You might require a text editor to properly format the custom message string as a single line.
Click Save.
The new notification profile displays on the Syslog page. As alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified. The log source is automatically discovered in JSA after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.
Administrators can log in to the JSA Console and verify that the log source is created on the JSA Console and that the Log Activity tab displays events from the McAfee Network Security Platform appliance.
Configuring Fault Notification Events for McAfee Network Security Platform 6.x - 7.x
To integrate fault notifications with McAfee Network Security Platform, you must configure your McAfee Network Security Platform to forward fault notification events.
Log in to the McAfee Intrushield Manager user interface.
On the Network Security Manager dashboard, click Configure.
Expand the Resource Tree, and then click the IPS Settings node.
Click the Fault Notification tab.
From the Alert Notification menu, click the Syslog tab.
Configure the following parameters to forward fault notification events:
Table 5: McAfee Intrushield 6.x - 7.x Fault Notification Parameters
Enable Syslog Notification
Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to JSA.
Admin Domain
Select any of the following options:
Current - Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
Children - Select this check box to send syslog notifications for alerts in any child domains within the current domain.
Server Name or IP Address
Type the IP address of your JSA console or Event Collector. This field supports both IPv4 and IPv6 addresses.
Port
Type 514 as the port for syslog events.
Facilities
Select a syslog facility value.
Severity Mapping
Select a value to map the informational, low, medium, and high alert notification level to a syslog severity.
The options include the following levels:
Emergency - The system is down or unusable.
Alert - The system requires immediate user input or intervention.
Critical - The system should be corrected for a critical condition.
Error - The system has non-urgent failures.
Warning - The system has a warning message that indicates an imminent error.
Notice - The system has notifications, no immediate action required.
Informational - Normal operating messages.
Forward Faults with severity level
Select Informational and later.
From the Message Preference field, click Edit to add a custom message filter.
To ensure that fault notifications are formatted correctly, type the following message string:
|%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|
Note: The custom message string must be entered as a single line with no carriage returns. McAfee Network Security Platform expects the format of the custom message syslog information to contain a dollar sign ($) delimiter before and after each element. If you are missing a dollar sign for an element, the event might not parse properly.
Click Save.
As fault events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified.
You can log in to the JSA console and verify that the Log Activity tab contains fault events from the McAfee Network Security Platform appliance.
Configuring Fault Notification Events for McAfee Network Security Platform 8.x - 10.x
To integrate fault notifications with McAfee Network Security Platform, you must configure your McAfee Network Security Platform to forward fault notification events.
Log in to the McAfee Network Security Platform Manager user interface.
Click the Manager tab.
From the navigation menu, select Setup > Notification > Faults > Syslog.
On the Syslog page, configure the following parameters to forward fault notification events:
Table 6: McAfee Network Security Platform 8.x - 10.x Fault Notification Parameters
Enable Syslog Notification
Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to JSA.
Admin Domain
Select any of the following options:
Current - Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default.
Children - Select this check box to send syslog notifications for alerts in any child domains within the current domain.
Server Name or IP Address
Type the IP address of your JSA Console or Event Collector. This field supports both IPv4 and IPv6 addresses.
Port
Type 514 as the port for syslog events.
Facilities
Select a syslog facility value.
Severity Mapping
Select a value to map the informational, low, medium, and high alert notification level to a syslog severity.
The options include the following levels:
Emergency - The system is unusable.
Alert - The system requires immediate user input or intervention.
Critical - The system should be corrected for a critical condition.
Error - The system has non-urgent failures.
Warning - The system displays a warning message that indicates an imminent error.
Notice - The system has notifications, no immediate action required.
Informational - Normal operating messages.
Debug - Debug level messages.
Forward Faults
Select Informational and later.
From the Message Preference field, click Edit to add a custom message filter.
To ensure that fault notifications are formatted correctly, type the following message string:
|%INTRUSHIELD-FAULT|$IV_FAULT_NAME$|$IV_FAULT_TIME$|
Note: The custom message string must be entered as a single line with no carriage returns. McAfee Network Security Platform expects the format of the custom message syslog information to contain a dollar sign ($) delimiter before and after each element. If you are missing a dollar sign for an element, the event might not parse properly.
Click Save.
As fault events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination that you specified.
You can log in to the JSA Console and verify that the Log Activity tab contains fault events from the McAfee Network Security Platform appliance.
McAfee Network Security Platform Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
McAfee Network Security Platform sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows that an HTTP login brute force is detected.
<116>Feb 7 11:06:51 SyslogAlertForwarder: |5915530749831189905|Signature| 2014-02-07 11:06:49 EST |"HTTP: HTTP Login Bruteforce Detected"| 0x0040256b |Medium|Unknown|High|My Company|USILSS501| G3/2| 192.168.0.5 |0| 10.0.1.2 | 80 |Unknown|brute-force
| JSA field name | Highlighted payload data |
|---|---|
| Date | 2014-02-07 11:06:49 EST |
| Event ID | 0x0040256b |
| Source IP | 192.168.0.5 |
| Destination IP | 10.0.1.2 |
| Destination Port | 80 |
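As an added example (not code from the Juniper or McAfee documentation), the following Python checks a custom message string against the delimiter rule stated in the notes of the 6.x - 10.x alert procedures and then maps Sample 1 onto that message string, so you can confirm that a forwarded line carries the fields JSA expects before relying on auto-discovery. The syslog header pattern and the facility/severity split of the PRI value are assumptions based only on the samples shown on this page.

```python
import re

# Custom alert message string from the 6.x - 10.x procedures on this page,
# written as one line with no spaces, as the note requires.
ALERT_TEMPLATE = (
    '|$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"'
    '|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$'
    '|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$'
    '|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$'
    '|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$')

# Sample 1 and Sample 2 from this page, joined onto single lines.
SAMPLE_1 = (
    '<116>Feb 7 11:06:51 SyslogAlertForwarder: |5915530749831189905|Signature|'
    ' 2014-02-07 11:06:49 EST |"HTTP: HTTP Login Bruteforce Detected"| 0x0040256b '
    '|Medium|Unknown|High|My Company|USILSS501| G3/2| 192.168.0.5 |0| 10.0.1.2 | 80 '
    '|Unknown|brute-force')
SAMPLE_2 = ('<109>Mar 26 07:48:49 mcafee.test: User Account Creation succeeded '
            'at 2020-03-26 07:48:49 CET')

# Assumed header shape, based only on the samples: <PRI>MMM d HH:MM:SS host: payload
HEADER = re.compile(r'<(\d{1,3})>\S+ +\d+ [\d:]+ (\S+): (.*)$')


def template_fields(template):
    """Return the element names of a custom message string after checking the
    delimiter rule: every element must be wrapped in '$' and the string must be
    a single line with no whitespace. Raises ValueError otherwise."""
    if re.search(r'\s', template):
        raise ValueError('message string must be one line without spaces')
    fields = []
    for cell in template.strip('|').split('|'):
        name = cell.strip('"')
        if len(name) < 3 or name[0] != '$' or name[-1] != '$':
            raise ValueError('element missing a $ delimiter: %r' % cell)
        fields.append(name[1:-1])
    return fields


def parse_alert(line, template=ALERT_TEMPLATE):
    """Map one forwarded alert onto the template's elements.
    Returns None when the line is not a pipe-delimited alert or its field
    count differs from the configured message string (a mis-typed template or
    the wrong version's template is the usual cause)."""
    m = HEADER.match(line)
    if not m or not m.group(3).startswith('|'):
        return None
    fields = template_fields(template)
    cells = [c.strip().strip('"') for c in m.group(3).strip('|').split('|')]
    if len(cells) != len(fields):
        return None
    event = dict(zip(fields, cells))
    # RFC 3164 PRI value is facility * 8 + severity
    event['facility'], event['severity'] = divmod(int(m.group(1)), 8)
    event['syslog_host'] = m.group(2)
    return event
```

Feeding a line captured from the collector with the template you actually typed into the Manager gives a quick check that the field order and count match before you wait for the 25 events that auto-discovery needs.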
Sample 2: The following sample event message shows that a user account is created.
<109>Mar 26 07:48:49 mcafee.test: User Account Creation succeeded at 2020-03-26 07:48:49 CET
| JSA field name | Highlighted payload data |
|---|---|
| Date | 2020-03-26 07:48:49 CET |
| Event ID | User Account Creation succeeded |