Trellix ePO (formerly McAfee ePO) Logs

Updated Sep 19, 2023

Configure the Trellix ePO platform to send logs to Arctic Wolf

Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.

You can configure the Trellix® ePolicy Orchestrator platform to forward its event log to Arctic Wolf as syslog for security monitoring. ePO forwards syslog events only over TLS-encrypted TCP, so the Arctic Wolf sensor must accept a TLS connection on the port you register below; a plain-text or UDP syslog listener will fail the connection test.

Requirements

Steps

  1. Log into the Trellix ePO platform as an administrator.

  2. Click Menu, and then select Configuration > Registered Servers.

  3. Click New Server.

  4. On the Description page, complete these actions:

    • Server type — Select Syslog Server from the list.
    • Name — Enter a unique name for your Arctic Wolf physical or virtual sensor.
  5. Click Next.

  6. On the next Registered Server Builder page, complete these actions:

    • Server name — Enter the IP address of your Arctic Wolf physical or virtual sensor.
    • TCP port number — Enter 6541.
    • Enable event forwarding — Select the checkbox.
  7. Click Test connection, and confirm that ePO reports a successful connection before you continue. If the test fails, check that the sensor is reachable from the ePO server on the port you entered and that nothing on the path (host firewall, network ACL) blocks outbound TLS.

  8. Click Save.

  9. Click Menu, and then select Configuration > Server Settings.

  10. In the Setting Categories list, click Event Filtering.

  11. Click Edit.

  12. On the Server Settings screen, complete these actions:

    • The agent forwards — Select the Only selected events to the server option, and then select the events you want to send to Arctic Wolf.
    • Where to store events — Select the Store selected in both option, so that selected events are both kept in the ePO database and forwarded to the registered syslog server.
    • Event source — Select the Events from any source option.
  13. Click Save.

  14. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

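Before clicking Test connection in step 7, it is useful to confirm from the ePO server itself that the sensor accepts a TLS connection on the syslog port, since that is the transport ePO uses. The following PowerShell script is an added example and is not part of the Arctic Wolf procedure or the Trellix product; run it on the ePO server (a Windows host). The sensor address is a placeholder, and the port is the one from step 6.

```powershell
# Added example (not from the Arctic Wolf page): pre-flight check that the
# Arctic Wolf sensor accepts TLS on the registered syslog port.
# Run this on the ePO server before clicking "Test connection".
$Sensor = '203.0.113.10'   # placeholder: replace with your sensor's IP
$Port   = 6541             # TCP port entered in the Registered Server Builder

# 1. Plain TCP reachability: catches routing and firewall problems first.
$tcp = Test-NetConnection -ComputerName $Sensor -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP connection to ${Sensor}:${Port} failed; check firewall/ACLs between ePO and the sensor."
    return
}

# 2. TLS handshake: ePO only forwards syslog over TLS, so a listener that
#    accepts TCP but not TLS will still fail the ePO connection test.
$client = New-Object System.Net.Sockets.TcpClient($Sensor, $Port)
try {
    # Accept any certificate here; this is a reachability check only, not a
    # trust decision, and reports what the sensor presents so you can review it.
    $acceptAll = { param($s, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Sensor)
    [pscustomobject]@{
        Sensor      = "${Sensor}:${Port}"
        Protocol    = $ssl.SslProtocol          # expect Tls12 or newer
        Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        CertSubject = $ssl.RemoteCertificate.Subject
        CertExpires = $ssl.RemoteCertificate.GetExpirationDateString()
    }
} catch {
    Write-Warning "TLS handshake with ${Sensor}:${Port} failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

If the TCP test succeeds but the TLS handshake fails, the ePO Test connection button will fail too; resolve that with your Concierge Security® Team before saving the registered server. A negotiated protocol older than TLS 1.2 is worth flagging to them as well.
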
See also