Trellix ePO (formerly McAfee ePO) Logs
Updated Sep 19, 2023
Configure the Trellix ePO platform to send logs to Arctic Wolf
Note: Before starting this procedure, discuss this log forwarding option with your Concierge Security® Team.
You can configure the Trellix® ePolicy Orchestrator platform to send the necessary logs to Arctic Wolf for monitoring security information.
Requirements
- Activated Arctic Wolf Sensor
Steps
1. Log into the Trellix ePO platform as an administrator.
2. Click Menu, and then select Configuration > Registered Servers.
3. Click New Server.
4. On the Description page, complete these actions:
   - Server type — Select Syslog Server from the list.
   - Name — Enter a unique name for your Arctic Wolf physical or virtual sensor.
5. Click Next.
6. On the next Registered Server Builder page, complete these actions:
   - Server name — Enter the IP address of your Arctic Wolf physical or virtual sensor.
   - TCP port number — Enter 6541.
   - Enable event forwarding — Select the checkbox.
7. Click Test connection.
8. Click Save.
9. Click Menu, and then select Configuration > Server Settings.
10. In the Setting Categories list, click Event Filtering.
11. Click Edit.
12. On the Server Settings screen, complete these actions:
    - The agent forwards — Select the Only selected events to the server option, and then select any events you want to send.
    - Where to store events — Select the Store selected in both option.
    - Event source — Select the Events from any source option.
13. Click Save.
14. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:
    - Confirmation that you have completed the steps in this configuration guide.
    - The IP address you used during the configuration.
    - Any other questions or comments that you have.