Trellix ePO (formerly McAfee ePO) Logs

Updated Jan 31, 2024

Configure the Trellix ePO platform to send logs to Arctic Wolf

You can configure the Trellix ePolicy Orchestrator (Trellix ePO)® platform to send the necessary logs to Arctic Wolf®.

Requirements

Before you begin

Steps

  1. Configure a new server.
  2. Provide your Trellix ePO information to Arctic Wolf.

Step 1: Configure a new server

  1. Sign in to the Trellix ePO platform with administrator permissions.

  2. Click Menu, and then click Configuration > Registered Servers.

  3. Click New Server.

  4. On the Description page, configure these settings:

    • Server type — Select Syslog Server.
    • Name — Enter a unique name for your Arctic Wolf physical or virtual sensor.

  5. Click Next.

  6. On the next Registered Server Builder page, configure these settings:

    • Server name — Enter the IP address of your Arctic Wolf physical or virtual sensor.
    • TCP port number — Enter 6514.
    • Enable event forwarding — Select the checkbox.

  7. Click Test connection.

  8. Click Save.

  9. Click Menu, and then click Configuration > Server Settings.

  10. In the Setting Categories list, select Event Filtering.

  11. Click Edit.

  12. On the Server Settings page, configure these settings:

    • The agent forwards — Select Only selected events to the server, and then select any events you want to send.
    • Where to store events — Select Store selected in both.
    • Event source — Select Events from any source.

  13. Click Save.
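
As an added connectivity check that is not part of this Arctic Wolf guide: the PowerShell script below, run on the Trellix ePO server after Step 1, confirms that the sensor address you entered as Server name in step 6 accepts a TCP connection on port 6514 and completes a TLS handshake. Port 6514 is the IANA-registered port for syslog over TLS (RFC 5425), so a reachable socket alone does not prove forwarding will work. The `$SensorAddress` value is a placeholder and the `Test-SyslogTlsEndpoint` function name is an assumption of this example, not something from the ePO or Arctic Wolf products.

```powershell
# Added example, not part of the Arctic Wolf guide. Run on the Trellix ePO server
# after completing Step 1 to confirm the sensor is reachable the way ePO needs it.
# $SensorAddress is a placeholder (TEST-NET-1 documentation range); replace it with
# the IP address you entered as "Server name" in step 6.
param(
    [string]$SensorAddress = '192.0.2.10',
    [int]$Port = 6514
)

function Test-SyslogTlsEndpoint {
    param([string]$Address, [int]$Port)

    $result = [ordered]@{
        Address = $Address; Port = $Port
        TcpOpen = $false;   TlsOk = $false
        Detail  = ''
    }

    # 1. Plain TCP reachability. If this fails, the problem is routing or a firewall
    #    between the ePO server and the sensor, not the syslog configuration.
    $tcp = Test-NetConnection -ComputerName $Address -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpOpen) {
        $result.Detail = 'TCP connect failed; allow TCP/6514 from the ePO server to the sensor'
        return [pscustomobject]$result
    }

    # 2. TLS handshake. Port 6514 is the RFC 5425 syslog-over-TLS port, so an open
    #    socket alone does not prove forwarding will work; the handshake must succeed.
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
        # Diagnostic callback: surface certificate problems as warnings so they are
        # visible, but still finish the handshake so protocol and cipher are reported.
        $onCert = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $policyErrors)
            if ($policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
                Write-Warning "Sensor certificate validation: $policyErrors"
            }
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $onCert)
        $ssl.AuthenticateAsClient($Address)
        $result.TlsOk  = $ssl.IsAuthenticated
        $result.Detail = "TLS handshake ok: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
    }
    catch {
        $result.Detail = "TLS handshake failed: $($_.Exception.Message)"
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    return [pscustomobject]$result
}

Test-SyslogTlsEndpoint -Address $SensorAddress -Port $Port | Format-List
```

If TcpOpen is False, the Test connection button in step 7 fails for the same reason and the fix is on the network path, not in ePO. If TcpOpen is True but TlsOk is False, the sensor answers on the port but the TLS handshake did not complete; include that result in the ticket you open in Step 2 so your CST can check the sensor side. The script only reports certificate validation problems; it makes no trust decision for ePO.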

Step 2: Provide your Trellix ePO information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Questions or comments that you have.

  4. Click Send Message.

    Your CST will review the details and make sure that Arctic Wolf is successfully processing the logs.

See also