
McAfee Enterprise Security Manager 11.0.0 Installation Guide

Uploaded by doankhanh, 07-Sep-2018


COPYRIGHT

Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Enterprise Security Manager 11.0.0 Installation Guide

Contents

1 Installation overview 7Which type of installation do you need? . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Hardware installation workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8VM installation workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Software update workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Planning your installation 11Available system components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14How FIPS mode works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3 System requirements 19VM system requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4 Install software for the first time 21Deploy the VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Deploy a VMware ESXi VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Deploy a Linux KVM ESM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Deploy an AWS VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Install the software on an AWS VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Download the VM image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Mount the software on an AWS VM . . . . . . . . . . . . . . . . . . . . . . . . . 25

Install the software on an AWS HVM . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

5 Update to a new software version 31Prepare to update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Download the update files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Back up the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Check ERC high availability status . . . . . . . . . . . . . . . . . . . . . . . . . 32Identify and address special update scenarios . . . . . . . . . . . . . . . . . . . . . 33

Update ESM software - single ESM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Update ESM software - multiple ESMs . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Update connected devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Update peripheral SIEM devices . . . . . . . . . . . . . . . . . . . . . . . . . . 37Update peripheral SIEM devices (FIPS mode) . . . . . . . . . . . . . . . . . . . . . 38Check ERC high availability status . . . . . . . . . . . . . . . . . . . . . . . . . 40Update high availability receivers . . . . . . . . . . . . . . . . . . . . . . . . . 41

6 Complete your installation 43Log in to ESM for the first time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Add and configure devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Add devices to the device tree . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Add devices in FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Change device names, links, and descriptions . . . . . . . . . . . . . . . . . . . . . 47

McAfee Enterprise Security Manager 11.0.0 Installation Guide 3

Set up device communication . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Configure receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Configure ELS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Configure ELM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Configure ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Configure McAfee Risk Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . 53Configure McAfee Vulnerability Manager . . . . . . . . . . . . . . . . . . . . . . 54Configure a DAS to store data from an all-in-one ESM . . . . . . . . . . . . . . . . . . 54

Key devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Manage SSH keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Set up data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56How data sources work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Configure receivers to create data sources automatically . . . . . . . . . . . . . . . . . 56

Manage data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Set date formats for data sources . . . . . . . . . . . . . . . . . . . . . . . . . 60Add child data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Add ASP data sources with different encoding . . . . . . . . . . . . . . . . . . . . . 61Add client data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61How client data sources work . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Select Tail File data source collection method . . . . . . . . . . . . . . . . . . . . . 62How correlation data sources work . . . . . . . . . . . . . . . . . . . . . . . . . 63

Set up data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63How data storage works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Set up data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Set up VM data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Increase accumulator indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Set up data retention limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Define data allocation limits . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Manage accumulator indexing . . . . . . . . . . . . . . . . . . . . . . . . . . 67View database memory use . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

McAfee Enterprise Log Manager (ELM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Set up McAfee ESM logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Manage storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Move storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Reduce storage allocation size . . . . . . . . . . . . . . . . . . . . . . . . . . 70Mirroring ELM data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Add mirrored ELM data storage . . . . . . . . . . . . . . . . . . . . . . . . . . 70Rebuild mirrored storage pools . . . . . . . . . . . . . . . . . . . . . . . . . . 71Disable mirroring devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Replace an ELM mirrored management database . . . . . . . . . . . . . . . . . . . 71ELM redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Managing ELM compression . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Restore ELM data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Define an alternate storage location . . . . . . . . . . . . . . . . . . . . . . . . 73View ELM storage usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Migrating ELM database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Configure ELM Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Disable HomeGroup file sharing . . . . . . . . . . . . . . . . . . . . . . . . . . 74Set up external data storage . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Add iSCSI devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Link storage devices to storage pools . . . . . . . . . . . . . . . . . . . . . . . . 76Format SAN storage devices . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Configure a DAS to store data from an all-in-one ESM . . . . . . . . . . . . . . . . . . 77Set up virtual local drive to store data . . . . . . . . . . . . . . . . . . . . . . . . 77

Work in FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Check FIPS integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Contents

4 McAfee Enterprise Security Manager 11.0.0 Installation Guide

Troubleshoot FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

7 Troubleshooting 81Grant McAfee access to your system . . . . . . . . . . . . . . . . . . . . . . . . . . . 81


1 Installation overview

Contents

• Which type of installation do you need?
• Hardware installation workflow
• VM installation workflow
• Software update workflow

Which type of installation do you need?

Use this decision tree to determine which instructions apply to your installation.


Hardware installation workflow

This flowchart provides an overview of the steps required to install the ESM solution on an ESM appliance.


VM installation workflow

This flowchart provides an overview of the steps required to install the ESM solution on a virtual machine.

See also: Configuration scenarios on page 14; Available system components on page 11


Software update workflow

Install a new version of ESM software.


2 Planning your installation

Contents

• Available system components
• Clustering
• Configuration scenarios
• How FIPS mode works

Available system components

McAfee ESM and its components are installed on your network and configured to identify vulnerabilities and threats. The ESM, receiver, and McAfee® Enterprise Log Manager are required. Other devices are optional according to business needs.

McAfee ESM components include:

• McAfee® Enterprise Security Manager (McAfee ESM) — Available as a hardware component or virtual machine (VM) software installation, the McAfee ESM provides log analysis, SIEM, and network analysis functions.

• McAfee Event Receiver (ERC) — Available as a hardware component or VM software installation, it collects third-party logs, events, and flow data for correlation and analysis by ESM.

• McAfee Enterprise Log Manager (ELM) — Available as a hardware component or VM software installation, it provides compliant log management functions. Requires an ESM and ERC.

ELM can be thought of as "cool" storage. It hashes for forensic integrity and compresses for storage efficiency (in a small 2U package). It can be searched, but generally only in rare instances. It should be the storage of record, which allows for full log retention requirements.

• McAfee Enterprise Log Search (ELS) — A hardware component that collects, indexes, and stores all events to provide a proven audit trail of activity. The ELS searches events faster than the McAfee® Enterprise Log Manager because it uses indexes.

ELS can be thought of as a fast raw log search. It allows users to search for events in any part of the log, especially the parts that are not parsed. Because that data can be retrieved quickly from the ELS, the McAfee ESM can offload more of the less important data to it, which increases McAfee ESM efficiency, performance, and storage time. ELS typically stores less than the full retention requirement (3-6 months depending on EPS) because its data isn't compressed, so high-EPS environments quickly reach the high terabyte range.

• McAfee Receiver/ELM (ELMERC) — Available as a hardware component or VM software installation that includes both ELM and ERC.

• McAfee® Advanced Correlation Engine (McAfee® ACE) — Available as a hardware component or VM software installation that provides McAfee RSC and Enterprise correlation: identify and score threat events in real time or historical mode, using both rule- and risk-based logic.


• McAfee Application Data Monitor — A hardware component that monitors more than 500 known applications through the entire layer stack and captures full session detail of all violations.

• McAfee Database Event Monitor (DEM) — A hardware component that automates the collection, management, analysis, visualization, and reporting of database access for most database platforms.

• McAfee Direct Attached Storage (DAS) — A hardware component connected to the ESM, ELM, or ELS to expand storage space.

In redundant solutions, one DAS device is required in each system. For example, two redundant ELMs require two DAS devices.

• ESM Console — A computer with a browser used by security administrators to configure and manage the ESM.

You might use just one combination ESM, or many of these components, depending on your environment.

See also: Configuration scenarios on page 14; VM installation workflow on page 9


Clustering

Clusters of McAfee ESM devices can be set up to maximize throughput (sharding), to maximize how many copies of event data are maintained in the devices (replication), or to take advantage of both of these capabilities in a hybrid installation (both sharding and replication).

In a clustered environment one node acts as the active node and others act as standby nodes. The active nodeperforms management functions for the cluster.

Scaling

Clustering allows you to scale your system through data sharding: event data is spread across the McAfee ESM devices in a cluster, and each device can query event data across all McAfee ESM devices in that cluster.

Sharding enhances system throughput by using the power of multiple devices to process event data.

Replication

When you use replication, each device acts as an individual node of the database, allowing you to replicate your data. In a clustered environment, you specify which one you want as the "active" device. This device is the primary point of interaction with the McAfee ESM software. The other devices act as "standby" devices, which help balance queries and collect data but do not perform management tasks. You can manually configure any McAfee ESM in the cluster to be the "active" device. Each device stores configuration and other settings.

New event data is load balanced to each device depending on the configured replication factor. The replication factor determines how many copies of your data exist in the cluster. Replication mitigates the consequences of a device failure.

Scaling and replication together

By leveraging both scaling and replication, you can build a robust system that provides fast processing of eventsand ensures data retention.


Configuration scenarios

You can configure McAfee ESM with one combination ESM, or you can add components to identify threats in a large enterprise network.

Adding components to your network environment allows you to increase performance, add functionality, and increase event storage capability. For example, adding the following components or more advanced models of an existing component can scale your network protection.

VM installed ESM combination devices have limits to the number of components that you can add.

Small-scale ESM solution

This figure shows that one ESM device gives you visibility to network events.

Large-scale ESM solution

This figure shows how multiple ESMs give you visibility into events on a large enterprise network. Add ESMs as the network grows and the number of events increases.


See also: VM installation workflow on page 9; Available system components on page 11

How FIPS mode works

The United States Federal Information Processing Standards (FIPS) define procedures, architecture, algorithms, and other techniques used for encryption and cryptographic modules, where each individual encryption component in the overall solution requires an independent certification.

FIPS basics

Federal Information Processing Standard 140-2 (FIPS 140-2) specifies requirements for hardware and software products that implement cryptographic functionality. FIPS 140-2 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive [but unclassified] information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104–106. The -2 in FIPS 140-2 denotes the revision of the standard.

See the National Institute of Standards and Technology (NIST) for current information. McAfee uses RSA cryptographic modules to meet the requirements for FIPS compliance.


FIPS mode

A McAfee ESM running in FIPS mode is FIPS-compliant. The decision to run McAfee ESM in FIPS mode is made at installation and can't be changed.

In FIPS mode, McAfee ESM:

• Places extra constraints on the types of security methods allowed

• Performs extra tests on startup

• Allows connections only from FIPS-compliant devices.

Reasons to use McAfee ESM in FIPS mode

Your organization might need to use McAfee ESM in FIPS mode if you fall into one of these categories:

• You are a US Government organization required to operate FIPS 140-2 compliant cryptographic modules per FISMA or other Federal, State, or local regulations.

• Your organization requires the use of standardized and independently evaluated cryptographic modules.

The cryptographic boundary

FIPS compliance requires a physical or logical separation between the interfaces by which critical security parameters enter and leave the cryptographic module and all other interfaces. McAfee ESM creates this separation by creating a boundary around the cryptographic module. An approved set of interfaces is used to access the modules inside the boundary. No other mechanism to access these modules is allowed or provided when in FIPS mode.

Modules in the boundary perform these processes:

• FIPS-validated security methods performing cryptography, hashing, and related services running in McAfee ESM

• Startup and verification testing required by FIPS

• Extension and executable signature verification

• TLS connection management

• Cryptographic API wrapping utilities


Features not available in FIPS mode:

• High availability Receivers.

• Ability to communicate with the device using SSH protocol.

• On the device console, a device management menu replaces the root shell.

Features available only in FIPS mode:

• Four user roles that do not overlap: User, Power User, Audit Admin, and Key & Certificate Admin.

• All Properties pages have a Self-Test option that allows you to verify that the system is operating successfully in FIPS mode.

• If a FIPS failure occurs, a status flag is added to the system navigation tree to reflect this failure.

• All Properties pages have a View option that, when clicked, opens the FIPS Identity Token page. It displays a value that must be compared to the value shown in those sections of the document to ensure that FIPS hasn't been compromised.

• On System Properties | Users and Groups | Privileges | Edit Group, the page includes the FIPS Encryption Self Test privilege, which gives the group members the authorization to run FIPS self-tests.

• On the Add Device Wizard, TCP protocol is always set to Port 22. The SSH port can be changed.


3 System requirements

VM system requirements

The virtual machine (VM) you use for the McAfee ESM VM must meet these minimum requirements.

• Processor — 8-core 64-bit, Dual Core2/Nehalem or higher, or AMD Dual Athlon64/Dual Opteron64 or higher

• RAM — Depends on the model (4 GB or more)

• Disk space — Depends on the model (250 GB or more)

• VMware ESXi 5.0 or later

• Thick versus thin provisioning — You must decide the hard disk requirements for your server. The minimum requirement is 250 GB. See the specifications for your VM product.

See also: Download the VM image on page 25


4 Install software for the first time

Contents

• Deploy the VM
• Install the software on an AWS VM
• Install the software on an AWS HVM

Deploy the VM

Contents

• Deploy a VMware ESXi VM
• Deploy a Linux KVM ESM
• Deploy an AWS VM

Deploy a VMware ESXi VM

Once you mount and key a VMware ESXi VM, it mimics a physical ESM device.

Task

1 Access the root of the CD drive (for CD installation) or download the ESXi .ova files from the McAfee download site.

2 In vSphere Client, click the server IP address in the device tree.

3 Click File and select Deploy OVF Template.

4 Designate the name, the folder in which to mount the VM, the disk provisioning setting, and the VM Networking option.

5 Deploy the files to the ESXi server, select the VM, and set the Edit Virtual Machine setting.

6 Select the correct networking settings for your VMware ESXi network switches/adapters, then click Play to start the VM.

7 When the VM console appears, press Esc to activate the VM menu, then set the MGT1 IP address, netmask, gateway, and DNS addresses.

8 Configure the network interface on the VM, save the changes before exiting the Menu window, then key the device.


Deploy a Linux KVM ESM

To run McAfee ESM in a Linux KVM environment, you must import the hard drive image from the tarball (.tgz) file. The tarball file contains sample config files.

Task

1 Obtain the current tarball (.tgz) file from the McAfee download page.

2 Move the tarball file to the directory where you want the virtual hard drive to reside.

3 Extract the tarball by running this command: tar -xf McAfee_ETM_VM4_250.tgz

To deploy multiple VMs of the same type in the same location, rename the virtual hard drive files, for example from ERC-VM4-disk-1.raw and ERC-VM4-disk-2.raw to my_first_erc.raw and my_second_erc.raw.

4 Create a VM on your KVM hypervisor using your management tooling (libvirt, qemu-kvm, Proxmox, virt-manager, oVirt).

5 Point the VM image to the existing virtual hard drive (Virtio disk .raw file) where you extracted the tarball.
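The five steps above collected into one script, as an added example that is not McAfee's code: it unpacks the tarball, gives every .raw disk a unique name so several VMs of the same type can share one directory, and prints the virt-install command that attaches those disks as virtio devices. The virt-install options are assumptions (libvirt's virt-install on the KVM host, a br0 bridge, the generic OS variant, 8 vCPUs and 16 GB RAM); adjust them to your hypervisor and ESM model.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: deploy an ESM/ERC KVM image from the tarball.
# Assumptions: libvirt's virt-install is installed on the KVM host, the host bridge is br0,
# the OS variant is "generic"; 8 vCPUs / 16 GB are placeholders, use the figures for your model.
# The tarball is assumed to unpack its .raw disks directly into the target directory.
set -eu

# prepare_esm_disks TARBALL NAME DESTDIR
# Extracts the tarball into DESTDIR and renames each *.raw disk to NAME-disk-N.raw,
# so several VMs of the same type can share one directory (step 3 of the guide).
prepare_esm_disks() {
    tarball=$1; name=$2; dest=$3
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest"
    n=1
    for raw in "$dest"/*.raw; do
        [ -e "$raw" ] || { echo "no .raw disk in $tarball" >&2; return 1; }
        target="$dest/$name-disk-$n.raw"
        [ "$raw" = "$target" ] || mv "$raw" "$target"
        n=$((n + 1))
    done
    ls "$dest"/"$name"-disk-*.raw
}

# virt_install_cmd NAME DESTDIR VCPUS RAM_MB
# Prints the virt-install command: the first disk boots, all are attached as virtio (step 5).
virt_install_cmd() {
    name=$1; dest=$2; vcpus=$3; ram=$4
    disks=""
    for raw in "$dest"/"$name"-disk-*.raw; do
        [ -e "$raw" ] || { echo "no disks prepared for $name in $dest" >&2; return 1; }
        disks="$disks --disk path=$raw,format=raw,bus=virtio"
    done
    printf 'virt-install --name %s --vcpus %s --memory %s --import --os-variant generic --network bridge=br0,model=virtio --graphics none --noautoconsole%s\n' \
        "$name" "$vcpus" "$ram" "$disks"
}

# Usage: sh deploy_kvm_esm.sh McAfee_ETM_VM4_250.tgz my_first_erc /var/lib/libvirt/images/esm
# Review the printed command, then run it on the KVM host.
if [ "$#" -eq 3 ]; then
    prepare_esm_disks "$1" "$2" "$3"
    virt_install_cmd "$2" "$3" 8 16384
fi
```

The command is printed rather than executed so that the disk paths, sizing and network can be checked against the model you downloaded before the VM is created.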

Deploy an AWS VM

Create the AWS server with the proper settings and create a connection to your enterprise network.

Before you begin

You must have an Amazon Web Services account.

This example, and the selected values, describe creating a simple ESM server. The values you select might be different.

Task

1 Log on to the AWS console to display the AWS Console page.

2 Set the AWS data center region to the location closest to most of your networks.

3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an Amazon Machine Image (AMI), and select the server instance Amazon Linux AMI.

This type has the AWS/EC2 tools pre-installed. If you choose other Linux types, you have to install the AWS/EC2 tools.

4 Open Step 2: Choose an Instance Type, select m3.2xlarge or larger, then click Next: Configure Instance Details.

When choosing the Instance Type, select the correct CPU count and the correct instance type. If you're unsure, contact Support.

5 Click Next: Configure Instance Details to select the network to use while running your instance.

Make sure you are able to connect to your instance using:

• Public address

• Private address

You can create your own Virtual Private Cloud in AWS. For more information, see VPC in Services from the drop-down list.


6 Click Next: Add Storage to open the Step 4: Add Storage page. Leave the defaults selected for the Amazon "build" instance.

The default for McAfee devices is 250 GB. You can add more volumes if you need them.

7 Click Next: Tag Instance to open the Step 5: Tag Instance page. Type a name so you can find the instance under the "Value" column.

8 Click Next: Configure Security Group to open Step 6: Configure Security Group page, then select one:

• Create a new security group — A new security group limits who can reach the instance.

Add only your external-facing IP address range. Do not allow 0.0.0.0/0, which would expose the SSH and ESM logon ports to the whole Internet.

• Select existing security group.

9 Click Review and Launch to open Step 7: Review Launch Instance, then click Launch.

Disregard this warning that appears: Your instance configuration is not eligible for the free usage tier.

10 Select an existing key pair or create a new key pair, which you need to log on to your new instance.

11 Click Launch Instance and View Instances to confirm the status of the AWS server.

It might take 20–30 minutes before your instance is ready to access. When the Status Checks column next to your new instance displays 2/2 checks, you are ready to start the installation process.

12 Make a note of the public IP address. Shown in this example as: cc.dd.ee.ff.

This IP address is needed to transfer the installer to the instance and to log on.

You have created your AWS server. Continue with the AWS image creation and installation process.
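A least-privilege security group for step 8, as an added example in AWS CLI shell that is not McAfee's code. The guide says to add only your external-facing range; this script refuses a world-open CIDR and allows in just SSH (TCP 22, used while you copy and run the installer) and the ESM web console, which is assumed here to be HTTPS on TCP 443. Without the APPLY argument it prints the commands for review instead of running them. The VPC id and CIDR in the usage line are placeholders, and the CIDR check is a shape check, not a full address validator.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: a security group that admits only your admin range.
# Assumptions: AWS CLI v2 is configured for the target account; the ESM web console listens on
# TCP 443 (assumption); TCP 22 is needed only while you copy and run the installer.
set -eu

# Sanity-check the admin range: refuse anything that opens the SIEM to the whole Internet.
# (A loose CIDR shape check, not a full address validator.)
check_admin_cidr() {
    case "$1" in
        */0) echo "refusing world-open range $1" >&2; return 1 ;;
        */[0-9]|*/[1-2][0-9]|*/3[0-2]) return 0 ;;
        *) echo "not a CIDR: $1" >&2; return 1 ;;
    esac
}

# esm_security_group VPC_ID ADMIN_CIDR [APPLY]
# Creates the group and two ingress rules. Without APPLY=1 the commands are printed for review.
esm_security_group() {
    vpc_id=$1; admin_cidr=$2; apply=${3:-0}
    check_admin_cidr "$admin_cidr" || return 1
    if [ "$apply" = 1 ]; then
        gid=$(aws ec2 create-security-group --group-name esm-admin-only \
                --description "McAfee ESM admin access" --vpc-id "$vpc_id" \
                --query GroupId --output text)
    else
        gid='<group-id>'
        echo "aws ec2 create-security-group --group-name esm-admin-only --description 'McAfee ESM admin access' --vpc-id $vpc_id"
    fi
    # No outbound rule is added: the default egress rule stays, which the installer needs to reach AWS.
    for port in 22 443; do
        cmd="aws ec2 authorize-security-group-ingress --group-id $gid --protocol tcp --port $port --cidr $admin_cidr"
        if [ "$apply" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# Usage: sh esm_sg.sh vpc-0123456789abcdef0 203.0.113.0/24      (print only)
#        sh esm_sg.sh vpc-0123456789abcdef0 203.0.113.0/24 1    (apply)
if [ "$#" -ge 2 ]; then
    esm_security_group "$@"
fi
```

Once the installer has been run and the image exists, remove the port 22 rule again; the guide notes that SSH to the device is not available in FIPS mode at all, and outside FIPS mode it is only needed for the initial copy.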

Tasks

• Configure the VM network interface on page 23

• Key the VM device on page 24 — You must key the device to establish a link between the device and the ESM.

See also: Using the software with AWS on page 25; Configure AWS connections on page 28; Create an AWS image on page 26

Configure the VM network interface

Task

1 Connect a monitor and keyboard to the device and power it on.

The boot process completes in about two minutes, and a virtual LCD display appears.


2 Press Esc twice, then scroll down to MGT IP Conf and press Enter.

3 Set the ESM VM IP address.

a Scroll to Mgt1 and press Enter.

b Scroll to IP Address and press Enter.

c Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

4 Set the IP netmask address.

a Scroll to Netmask and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

5 Set the network gateway IP address.

a Scroll to Gateway IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

6 Set the DNS IP address.

a Scroll to DNS1 IP and press Enter.

b Use the arrows to change the value of the current digit and to switch between digits, then when done, press Enter.

7 Configure DHCP.

a Scroll to DHCP and press Enter.

b Toggle the setting between Y(es) and N(o), then press Enter to select the correct setting.

8 Quit and save your changes.

a Scroll to Done and press Enter to return to MGT IP Conf.

b Scroll to Save Changes and press Enter.

9 (Optional) If you are using FIPS mode, change the communication port.

a Press the down arrow twice, then press Enter.

b Scroll to Comm Port and press Enter.

c Change the port number, then press Enter.

Make note of the new port number; you'll need it when you key the device.

Key the VM device

You must key the device to establish a link between the device and the ESM.

Before you begin

Physically connect the device to your network.


Task

1 On the system navigation tree, click the system or a group, then click the Add Device icon in the actions pane.

2 Enter the information requested on each page of the Add Device Wizard.

Install the software on an AWS VM

Contents

• Download the VM image
• Mount the software on an AWS VM

Download the VM image

Before you begin

You must have your McAfee Grant Number to download the ESM software.

Task

1 Use your browser to access the McAfee download site.

2 Click Downloads, type your McAfee Grant Number and the CAPTCHA code, then click Submit.

3 On the My Products page, scroll down the list and select a McAfee Enterprise Security Manager VM** download file.

The number in the download file name indicates the number of cores the ESM image allocates to the VM. For example, file "VM32" allocates 32 cores to the VM.

4 Select the Current Version tab and select the McAfee Enterprise Security Manager VM image.

5 Select an image file and save it to your local system. Make note of the file name and location; you will need that information to mount the image.

See also: VM system requirements on page 19

Mount the software on an AWS VM

Contents

• Using the software with AWS
• Create an AWS image
• Configure AWS connections

Using the software with AWS

An Amazon Web Services (AWS) virtual server provides the same features and performance as a locally configured McAfee ESM VM.

The basic steps to create an AWS server in your network with McAfee ESM include:


1 Get an AWS account from http://aws.amazon.com/.

2 Log on to the AWS Management Console and configure your AWS instance.

3 Install the ESM, ERC, ELM, ELS, or ACE software.

4 Configure the ESM device.

See also: Configure AWS connections on page 28; Create an AWS image on page 26; Deploy an AWS VM on page 22

Create an AWS image

Installing ESM on an AWS server is different from installing the software on a physical server. These steps describe the process.

Before you begin

You must have created the AWS server and connected to the server.

You must know the configured IP address of the AWS server.

Task

1 Use scp or pscp (PuTTY Secure Copy Client) to convert the .pem file to .ppk.

For example, using Secure Copy Client, use this command to convert the key file and transfer it to the new AWS instance:

scp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

Using PuTTY Secure Copy Client, use this command to convert the file:

pscp -i mykeypair.pem siem_install.sh ec2-user@cc.dd.ee.ff:

These are the variables in the previous examples:

• siem_install.sh — Conversion file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

For Windows, use WinSCP to copy the file to your instance by converting the .pem file to .ppk for PuTTY or WinSCP.

2 Log on to the new AWS instance using SSH or PuTTY with this command:

ssh -i mykeypair.pem ec2-user@cc.dd.ee.ff

These are the variables in the example:

• mykeypair.pem — Convert SSH file name

• ec2-user — User name

• cc.dd.ee.ff — IP address

3 Type this command to change to root, then press Enter:

sudo su


4 Run aws configure as root and provide the Access Key ID and Secret Access Key that you were given, using these commands:

[root@<IP address> <ec2-user name>]# aws configure

AWS Access Key ID [None]: <Access Key ID>

AWS Secret Access Key [None]: <Secret Access Key>

Default region name [None]: (Leave blank, and press Enter)

Default output format [None]: (Leave blank, and press Enter)

5 Confirm that the installation script is executable. If needed, use chmod. For example:

chmod u+x siem_install.sh

6 Create an AMI image and an instance with this command:

./siem_install.sh

If you see an error that says the keys were not defined, you can add the keys on the command line. For example:

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ETM_VM8.sh

The AWS access key or the AWS Secret key were not defined

[root@ip-172-31-41-167 ec2-user]# ./install_McAfee_ERU_VM8.sh -O <Access Key ID> -W <Secret Access Key>

To access Help for the output options:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh -h

install_McAfee_ETM_VM8.sh - install SIEM to Amazon EC2

install_McAfee_ETM_VM8.sh [options]

options:

-h, --help show brief help

-O AWS key

-W AWS Secret Key

Creating the AMI image takes about 20 minutes and is non-interactive. This is an example of the output:

[root@ip-172-31-6-172 ec2-user]# ./install_McAfee_ETM_VM8.sh
Decompressing files
Running installer
Creating volume
Attaching volume
formatting volume
1+0 records in
1+0 records out
4194304 bytes (4.2 MB) copied, 0.0467013 s, 89.8 MB/s
mke2fs 1.42.9 (28-Dec-2013)
mke2fs 1.42.9 (28-Dec-2013)
mounting main partition
copying main files
mounting boot partition
copying boot files
Updating fstab
Updating grub
unmounting boot partition
unmounting main partition
detaching volume
Creating snapshot (this will take a while)
Creating AMI
Created AMI "ami-bb8afc81". To run, launch an instance of this AMI
Deleting (temporary) volume
Client.InvalidVolume.NotFound: The volume 'vol-9eb2ae81' does not exist.
Done

7 Once the image is created, exit from the root shell, exit the instance, go to the EC2 Dashboard, and terminate the running instance.

Terminating the instance destroys the instance.

Now you can log on to the AWS ESM successfully and configure, key, and start using your AWS device.


See also: Using the software with AWS on page 25; Deploy an AWS VM on page 22; Configure AWS connections on page 28

Configure AWS connections

After you configured the hash for the AWS ESM, you must connect and add the devices.

Before you begin

You must have created the AWS and installed ESM on the AWS.

Task

1 After you have completed the hash verification with McAfee, you can use your configured IP address to initially log on to the ESM. See Log on to the McAfee ESM console for details.

2 Connect both physical and virtual devices to the ESM.

3 Confirm that all various ESM devices appear in ESM before configuring the devices.

4 Key the devices to complete the device configuration.

See also: Using the software with AWS on page 25; Deploy an AWS VM on page 22; Create an AWS image on page 26

Install the software on an AWS HVM

McAfee ESM is installed on AWS HVM using scripts. The SIEM Amazon EC2 installer scripts create Amazon Machine Images (AMIs) from which you can launch VM instances of devices. There is a separate installer for each device (ETM, ERC, McAfee ACE, etc.) and each installer produces an AMI for that specific device.

Before you begin

Make sure you have the installer scripts.

Task

1 On the Amazon EC2 dashboard, select Instances in the left menu bar and then click Launch Instance.

2 Select Amazon Linux AMI.

3 On the Choose Instance Type screen, choose m3.medium or m4.large and click Next.

4 On the Configure Instance Details screen, click Next.

5 On the Add Storage screen, click Next.

6 On the Add Tags screen, click Next.

7 On the Configure Security Group screen, select Create or select a security group that allows you to have SSH access to the instance.

8 Click Review And Launch.

9 Click Launch.


10 Select a key pair that you have access to and click Launch Instances.

11 At the command prompt, type scp -i ~/my_key.pem install_hvm_etm_16.sh ec2-user@instance_ip_address:

The installer script is copied to the VM.

12 Log in by typing ssh -i ~/my_key.pem ec2-user@instance_ip_address.

13 Become root by typing sudo su.

14 Type aws configure.

a Enter the AWS Access Key.

b Enter the AWS Secret Key.

c Leave the other fields blank.

15 At the command prompt, type # ./install_hvm_ace_16.sh.

When the installer script has completed (15–20 minutes) a new AMI is registered in your AWS account. You can use this AMI to launch a VM.

The Amazon Linux instance that was used to run the installer is no longer needed and can be terminated.


5 Update to a new software version

Contents

• Prepare to update
• Update ESM software - single ESM
• Update ESM software - multiple ESMs
• Update connected devices

Prepare to update

Contents

• Download the update files
• Back up the database
• Check ERC high availability status
• Identify and address special update scenarios

Download the update files

When the system is ready to update, download the update files to your local system.

Before you begin

You must have a grant number.

Task

1 Go to the McAfee product download site.

2 Click Download, enter your grant number, type the letters as displayed, then submit.

3 Select McAfee Enterprise Security Manager and click the All Versions tab.

4 Download the release file to your local system.

Device type — File

• Standalone McAfee Enterprise Security Manager (ESM) — ESS_Update_11.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver (ESMREC) — ESSREC_Update_11.0.signed.tgz

• McAfee Enterprise Security Manager with a built-in Receiver and McAfee Enterprise Log Manager (ENMELM), also known as a Combination Box — ESSREC_Update_11.0.signed.tgz


Back up the database

Back up system data so you can recover if the update process does not complete correctly.

Before you begin

Make sure that the ESM database rebuild from a previous build (9.6.x or later) is complete, and that you can schedule the outage window for this update.

Task

1 In System Properties, click Alarms, highlight each alarm, then click Export and save the file.

2 In System Properties, click Watchlists, highlight each watchlist, then click Export and save the file.

3 In Default Policy on the Policy Editor, follow this process for each rule type except Data Source, Windows Events, ESM, Normalization, Variable, and Preprocessor.

a In the Rule Types pane, click a rule type.

b In the Filters/Tagging pane, click the Advanced tab, select user defined in the Origin field, then click Refresh.

c Highlight the rules, click File | Export | Rules, then save them in XML format.

4 In Default Policy on the Policy Editor, click File | Export | Policy, then select All custom rules and custom variables.

Check ERC high availability status

If your system includes high-availability receivers, check to ensure IP addresses will not be duplicated.

Before you begin

You must have Administrator privileges to complete this task.

Task

1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.

2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.

3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:

OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no

4 Verify the following in the status:

• The first line of the response is OK.

• Host name is the same as the host name on the command line minus the ERC model number.

• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.

• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.

• corosync= shows the running status of corosync, which should be running.

• hi_bit is no on one ERC and yes on the other ERC.

Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before updating to correct this mis-configured setting.

5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.

6 Verify the following in the data that is generated:

• The MAC addresses on eth0 and eth1 are unique on both ERCs.

• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.

If both HA ERCs are set to the same value, call Technical support before updating to correct this mis-configured setting.

This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be updated.

Identify and address special update scenarios

In special situations, you must take additional steps before or after updating.

Task

1 If you are installing a new McAfee ESM:

a Register your hardware within 30 days to ensure that you receive policy, parser, and rule updates as part of your maintenance contract. If you don't register, you can't receive updates.

b To get your permanent user name and password, email [email protected] with the following information:

• McAfee grant number

• Account name

• Address

• Contact name

• Contact email address

2 If you need offline rule updates:

a Open a web browser and go to http://www.mcafee.com/us/downloads/downloads.aspx.

b Click Download, enter your grant number, type the letters as displayed, then submit.

c Select McAfee Enterprise Security Manager and click the All Versions tab.

d Download the rules for your version of McAfee ESM.

3 If you experience device communication issues during the update process:

If you updated a McAfee device before updating McAfee ESM or the ESM is in the middle of updating, this message might appear: The device must be upgraded before the operation can be performed. Verify that McAfee ESM has the correct version.

a On the McAfee ESM console, select the device in the system navigation tree, then click the Properties icon.

b Click Connection, then click Status.

c Retry the operation that resulted in the message.

4 If your system includes a McAfee ePO with Policy Auditor, refresh it.

a If you are not on an all-in-one device, update the McAfee Event Receiver where the McAfee ePO device is connected.

b On the McAfee ESM console, click ePO Properties | Device Management, then click Refresh.

You can set up auto-retrieval on the Device Management tab.

c Click Receiver Properties, and then select the Vulnerability Assessment tab.

d Click Write.

e Repeat step b to get VA data on the McAfee ESM.

f Log off the McAfee ESM console, then log on.

5 Check the status of the ELM database rebuild process.

Indexing your ELM management database can require additional time, depending on your ELM model. For example, the number of storage pools you have, the amount of data sent from logging devices, and your network bandwidth can increase the time it takes to complete indexing. But, this background task minimally impacts your performance and, when complete, provides improved querying on your historical data.

a Go to ELM Properties | ELM Information.

b If the message Database is rebuilding appears in the Active Status field, do not stop or start the ELM database. The system indexes all new ELM data on the sending device before sending that data to the ELM.

c If you have event receiver logging to the ELM and they are near maximum capacity, contact Support.

6 If you are updating a redundant ELM:

Data loss may result if you turn off a device during an update.

a Update the standby ELM.

b Update the active ELM.

c On the system navigation tree, select the standby ELM and go to ELM Properties | ELM Redundancy | Return to Service.

d Go to ELM Properties | ELM Information and click Refresh. Both the active and standby ELMs display an OK status.

e If the standby ELM displays a Not OK status, click Refresh again. After a few minutes, the standby ELM status changes to OK, redundant ELM resync is 100% complete. You might need to click Refresh several times.

Update ESM software - single ESM

Update your McAfee ESM software to a newer version.

Before you begin

Make sure your system settings and data are backed up.

If your system cannot access the internet, download the update file from the McAfee download site.

When updating, all active collectors stop collecting data until you rewrite the device settings and roll out the policy.

Task

1 From the dashboard, click the drill-down menu and select Configuration.

2 Select the ESM then click the Properties icon.

3 Click ESM Management.

4 Select the Maintenance tab, then click Update ESM.

5 Do one of the following:

• Select the update file from the list, then click OK.

• Browse to a software update file obtained from the ESM rules and updates server. Click Upload, then click Yes on the warning page.

The ESM restarts and all current sessions are disconnected while the update is installed. If you encounter issues during an update, you can:

• Revert to the previous software version.

• Restore the backup files.

• Retry the update.

6 Log in and configure clustering settings.

a From ESM Properties, select Clustering.

b Select the primary ESM and click Write.

Update ESM software - multiple ESMs

Update your system to a newer software version.

Before you begin

Make sure your system settings and data are backed up.

If your system cannot access the internet, download the update file from the McAfee download site.

If you are adding ESMs for performance (not replication), make sure they are not configured as redundant during the update process. They will be added after the update is complete and the replication factor will not be changed. For example, you might have 4 ESMs in your 10.x deployment. One is primary and three are redundant. In 10.x, each one is a copy of the primary so there are 4 copies of data. In 11.0, you could have all 4 in the cluster with a replication factor of 2. This would give you two copies of your data on 2 nodes for performance and high availability. To update to this configuration, you would remove two redundant ESMs from the existing installation, update to the new version (which creates a cluster of 2 ESMs), and then manually add two ESMs.

The replication factor must be a multiple of the number of nodes (ESMs). To add nodes for performance, they must be added in even numbers.

When updating to 11.0 from version 9.6.1 (skipping the 10.x release), you must visit the properties page for each device from the ESM after the update is complete to re-establish communication.

If you are re-purposing an existing ESM, get a model-specific ISO for version 11.0 from Support and deploy that first to "clean" the device. You must complete the first-time log in process after deploying the ISO and before adding the ESM to a cluster.

When updating, all active collectors stop collecting data until you rewrite the device settings and roll out the policy.

Task

1 From the dashboard, click the drill-down menu and select Configuration.

2 Select the primary ESM then click the Properties icon.

3 Click ESM Management.

4 Select the Maintenance tab, then click Update ESM.

5 Do one of the following:

• Select the update file from the list, then click OK.

• Browse to a software update file obtained from the ESM rules and updates server. Click Upload, then click Yes on the warning page.

ESM restarts and all current sessions are disconnected while the update is installed. If you encounter issues during an update, you can:

• Revert to the previous software version.

• Restore the backup files.

• Retry the update.

6 Log in and configure clustering settings.

a From ESM Properties, select Clustering.

b Select the primary ESM and click Write.

7 Update the redundant ESM(s).

The redundant ESM configures itself as part of a cluster.

8 When all ESMs are updated, log in to the primary ESM and configure the clustering settings again: System Properties | Clustering | Write.

Update connected devices

Contents

• Update peripheral SIEM devices
• Update peripheral SIEM devices (FIPS mode)
• Check ERC high availability status
• Update high availability receivers

Update peripheral SIEM devices

Update peripheral devices, rewrite the device settings, and roll out policy.

Before you begin

• Read the release notes.

• If you recently updated your ESM software, make sure the database rebuild is complete.

• Make sure that you have communication with each device in the system.

Task

1 Update the ELM.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update ELM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

2 Update Receiver, ACE, DEM, and ADM devices.

If your system includes high availability receivers, use the Update high availability receivers process.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update <device>.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

The update process starts and can take several hours.

3 Apply updated rules.

a On the system navigation tree, select the ESM, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.

4 Rewrite McAfee Event Receiver or ESM/Event Receiver combo settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Data Sources | Write.

c Click Vulnerability Assessment | Write.


5 Rewrite ACE settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Risk Correlation Management | Write.

c Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

d Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.

6 Rewrite DEM or ADM settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Virtual Devices | Write.

c For database servers: Click Database Servers | Write.

7 Roll out the policy to all updated devices.

8 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

9 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Update peripheral SIEM devices (FIPS mode)

Before you begin

• Read the release notes.

• Make sure that your system is running version 9.6 or later.

• If you recently updated your ESM software, make sure the database rebuild is complete.

• Get the manual rules update file from the McAfee download site.

When updating, all active collectors (such as Windows, eStreamer, and Checkpoint) stop collecting data until you rewrite the device settings and roll out the policy.

Failure to update the devices before updating the ESM when in FIPS mode can affect ELM log collection.

Task

1 Update standalone ELM devices.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click ELM Management, then select the Maintenance tab.

c Click Update ELM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.


2 Update the McAfee Event Receiver, ACE, DEM, and ADM.

If your system includes high availability receivers, use the Update high availability receivers process.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click <device> Management, then select the Maintenance tab.

c Click Update <device>.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

3 Update ESMs and combo devices. If you are updating a system with redundant ESM devices, update the primary ESM first.

a From the dashboard, select the device on the system navigation tree, then click the Properties icon.

b Click ESM Management, then select the Maintenance tab.

c Click Update ESM.

d Select an update from the table or click Browse to locate the update software on your local system.

e Click OK.

The update process starts and can take several hours.

4 Verify that you have communication with the devices.

5 Apply the updated rules.

a On the system navigation tree, select the system, then click the Properties icon.

b On the System Information page, click Rules Update, then click Manual Update.

c Browse to the update file, click Upload, then click OK.

6 Rewrite McAfee Event Receiver or ESM/Event Receiver combo settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Data Sources | Write.

c Click Vulnerability Assessment | Write.

7 Rewrite ACE settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Risk Correlation Management | Write.

c Click Historical | Enable Historical Correlation | Apply. If it's already selected, deselect it, select it again, then click Apply.

d Click Rule Correlation, select Enable Rule Correlation, and click Apply. If it's already selected, deselect it, select it again, then click Apply.

8 Rewrite DEM or ADM settings.

a On the dashboard, select the device in the system navigation tree, then click the Properties icon.

b Click Virtual Devices | Write.

c For database servers: Click Database Servers | Write.

9 Roll out the policy to all updated devices.

10 To take the selected device out of bypass mode, click Device Configuration | Interfaces.

11 If you have an ELM or ELMERC collecting logs from a device, sync the ELM (Device Properties | Device Configuration | Sync ELM).

Check ERC high availability status

If your system includes high-availability receivers, check to ensure IP addresses will not be duplicated.

Before you begin

You must have Administrator privileges to complete this task.

Task

1 On the system navigation tree, select the primary ERC-HA device, then click the Properties icon.

2 In the Status and Secondary Status fields, verify that the status is OK; HA Status: online.

3 Secure shell, or SSH, to each of the HA ERCs and run the ha_status command from the command line interface on both ERCs. The resulting information shows the status of this ERC and what this ERC thinks the status of the other ERC is. It looks similar to this:

OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no

4 Verify the following in the status:

• The first line of the response is OK.

• Host name is the same as the host name on the command line minus the ERC model number.

• Mode is primary if the value of sharedIP is this ERC's host name; otherwise the mode is secondary.

• The next two lines show the host names of the ERCs in the HA pair and list the running status of each ERC. The status for both is online.

• corosync= shows the running status of corosync, which should be running.

• hi_bit is no on one ERC and yes on the other ERC.

Make sure that only one of the HA ERCs is set with the hi_bit value. If both HA ERCs are set to the same value, call McAfee Support before updating to correct this mis-configured setting.

5 Secure shell, or SSH, to each of the HA ERCs and run the ifconfig command from both ERCs.

6 Verify the following in the data that is generated:

• The MAC addresses on eth0 and eth1 are unique on both ERCs.

• The primary ERC has the shared IP address on eth1 and the secondary ERC has no IP address on eth1.

If both HA ERCs are set to the same value, call Technical support before updating to correct this mis-configured setting.

This spot check ensures the system is functional and that no duplication of IP addresses exists, which means that the devices can be updated.
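The spot check above (and the identical one under Prepare to update) is easy to get wrong by eye when the two ha_status and ifconfig outputs are read side by side. The following added example, not part of this guide or of McAfee's software, encodes the step 4 and step 6 checks as code: paste in the output captured from each ERC and it reports every condition that would require a call to Support. The sample outputs are constructed to match the shape shown above; the ifconfig parser assumes the legacy net-tools layout ("HWaddr" and "inet addr:" lines), which is an assumption about the ERC shell.

```python
import re

# Constructed ha_status output for a healthy pair (not captured from a real ERC).
HA_STATUS_PRIMARY = """OK
hostname=McAfee1
mode=primary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee2
corosync=running
hi_bit=no
"""
HA_STATUS_SECONDARY = """OK
hostname=McAfee2
mode=secondary
McAfee1=online
McAfee2=online
sharedIP=McAfee1
stonith=McAfee1
corosync=running
hi_bit=yes
"""
# Constructed ifconfig excerpts in net-tools layout (assumption about the ERC).
# The secondary deliberately has no address on eth1, as the guide requires.
IFCONFIG_PRIMARY = """eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:00:01
          inet addr:10.1.1.11  Bcast:10.1.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:00:02
          inet addr:10.1.2.100  Bcast:10.1.2.255  Mask:255.255.255.0
"""
IFCONFIG_SECONDARY = """eth0      Link encap:Ethernet  HWaddr 00:0C:29:BB:00:01
          inet addr:10.1.1.12  Bcast:10.1.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:0C:29:BB:00:02
"""

# Keys that are not host-name entries in the ha_status output.
FIXED_KEYS = {"hostname", "mode", "sharedIP", "stonith", "corosync", "hi_bit"}


def parse_ha_status(text):
    """Return (first_line, fields). Works whether key=value pairs are one
    per line (as on the ERC) or run together on one line (as when pasted)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {}
    for token in " ".join(lines[1:]).split():
        key, _, value = token.partition("=")
        fields[key] = value
    return lines[0], fields


def parse_ifconfig(text):
    """Return {iface: {"mac": ..., "ip": ... or None}} from net-tools output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9A-Fa-f:]{17})", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"mac": m.group(2).lower(), "ip": None}
            continue
        m = re.search(r"inet addr:(\S+)", line)
        if m and current:
            ifaces[current]["ip"] = m.group(1)
    return ifaces


def check_one(status_text):
    """Step 4 checks that apply to a single ERC; returns a list of problems."""
    first, f = parse_ha_status(status_text)
    host, problems = f.get("hostname", "?"), []
    if first != "OK":
        problems.append(f"{host}: first line is {first!r}, expected OK")
    # Mode is primary exactly when sharedIP names this ERC.
    expected = "primary" if f.get("sharedIP") == host else "secondary"
    if f.get("mode") != expected:
        problems.append(f"{host}: mode={f.get('mode')} but sharedIP implies {expected}")
    nodes = [k for k in f if k not in FIXED_KEYS]
    if len(nodes) != 2 or host not in nodes:
        problems.append(f"{host}: expected two HA node entries, got {nodes}")
    problems += [f"{host}: {n} is {f[n]}, expected online" for n in nodes if f[n] != "online"]
    if f.get("corosync") != "running":
        problems.append(f"{host}: corosync={f.get('corosync')}, expected running")
    return problems


def check_pair(status_a, status_b, ifconfig_a, ifconfig_b):
    """Steps 4 and 6 across both ERCs; an empty list means the pair is safe to update."""
    problems = check_one(status_a) + check_one(status_b)
    fa, fb = parse_ha_status(status_a)[1], parse_ha_status(status_b)[1]
    if {fa.get("mode"), fb.get("mode")} != {"primary", "secondary"}:
        problems.append("pair must have exactly one primary and one secondary")
    if {fa.get("hi_bit"), fb.get("hi_bit")} != {"yes", "no"}:
        problems.append("hi_bit must be yes on one ERC and no on the other (call Support)")
    ia, ib = parse_ifconfig(ifconfig_a), parse_ifconfig(ifconfig_b)
    macs = [ifs[i]["mac"] for ifs in (ia, ib) for i in ("eth0", "eth1") if i in ifs]
    if len(macs) != len(set(macs)):
        problems.append("duplicate MAC address on eth0/eth1 across the pair")
    for f, ifs in ((fa, ia), (fb, ib)):
        eth1_ip = ifs.get("eth1", {}).get("ip")
        if f.get("mode") == "primary" and eth1_ip is None:
            problems.append(f"{f.get('hostname')}: primary has no shared IP on eth1")
        if f.get("mode") == "secondary" and eth1_ip is not None:
            problems.append(f"{f.get('hostname')}: secondary still holds {eth1_ip} on eth1")
    return problems


if __name__ == "__main__":
    for p in check_pair(HA_STATUS_PRIMARY, HA_STATUS_SECONDARY,
                        IFCONFIG_PRIMARY, IFCONFIG_SECONDARY) or ["pair OK"]:
        print(p)
```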

Update high availability receivers

Update primary and secondary receivers, starting with the secondary receiver.

Task

1 On the system navigation tree, select the receiver, then click the Properties icon.

2 Set the primary receiver to No Preference, which allows you to use the Fail-Over option.

3 Update the secondary receiver.

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary receiver, then click OK.

4 Change the secondary receiver to primary by clicking High Availability | Fail-Over.

5 Update the other receiver.

a Click Receiver Management, then select Secondary.

b Click Update Device, then select or browse to the file you want to use and click OK.

The receiver restarts and the version of software is updated.

c On Receiver Properties, click High Availability | Return to Service.

d Select the secondary receiver, then click OK.


6 Complete your installation

Contents

• Log in to ESM for the first time
• Add and configure devices
• Key devices
• Set up data sources
• Manage data sources
• Set up data storage
• McAfee Enterprise Log Manager (ELM)
• Configure ELM Storage
• Work in FIPS mode

Log in to ESM for the first time

Log on the console to begin configuring the ESM and device settings.

Before you begin

Verify whether you are required to operate the system in FIPS mode. FIPS consists of publicly announced standards developed by the United States Federal government. If you are required to meet these standards, you must operate this system in FIPS mode.

Task

1 Open a web browser and go to the IP address you set when you configured the ESM network interface. For

example, if the ESM IP address is 172.016.001.140, type the following in your browser:

https://172.016.001.140/

2 Click Continue to site, if a self-signed certificate error appears for your browser.

3 Click Login, select the language for the console, then type the default user name and password.

• Default user name: NGCP

• Default password: security.4u

4 Click Login, read the End User License Agreement, then click Accept.

5 When prompted, change your user name and password, then click OK.

6 Select whether to enable FIPS mode and if you click Yes, click the additional confirmation.

If you must work in FIPS mode, enable it the first time you log on so that all future communication with McAfee devices is in FIPS mode. Do not enable FIPS mode if you are not required to.

7 For Rules Update Access, click OK and follow the instructions that appear to obtain your user name and password, which are needed for access to rule updates.

8 Perform initial ESM configuration:

a Select the language to be used for system logs.

b Select the time zone where this ESM is and the date format used with this account, then click Next.

9 Enter the server information for the ESM.

a Type the primary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

b (Optional) Type the secondary IPv4 and netmask addresses, or IPv6 address. If needed, click Advanced.

c Under General Settings, type the gateway, DNS servers, and any additional information needed to connect your ESM to your network.

d Click Next.

10 (Optional) If needed to connect through a proxy server, type its IP address, port number, credentials, and set the local network setting, then click Next.

11 (Optional) If needed, enter any static routes that the ESM needs to communicate with the network. When completed, click Next.

12 Add your network time protocol (NTP) servers to synchronize the ESM system time. Type these settings as needed:

• NTP Server IP address

• Authentication Key

• Key ID

To achieve best results in the ESM, it's important to have a common time reference across the enterprise. By default, the ESM uses a set of Internet-based NTP servers. Enter your own enterprise NTP server, then click Next.

13 To automatically check the ESM server for rule updates:

• Type your customer ID and password to verify your identity.

• Configure your Auto check interval in hours and minutes.

• Click Check Now or Manual Update.

14 Click Finish.

15 In the Network settings change dialog box, click Yes to restart the ESM service.

The restart takes about 90 seconds to complete. Then you might be required to log back on to the ESM.

See also Add devices to the device tree on page 45

Add and configure devices

Contents
• Add devices to the device tree
• Add devices in FIPS mode
• Change device names, links, and descriptions
• Set up device communication
• Configure receivers
• Configure ELS
• Configure ELM
• Configure ACE
• Configure McAfee Risk Advisor
• Configure McAfee Vulnerability Manager
• Configure a DAS to store data from an all-in-one ESM

Add devices to the device tree

After you set up and install the physical and virtual devices, add them to the McAfee ESM console.

Before you begin
Make sure the devices are installed according to the hardware guide (for hardware) or the installation guide (for virtual devices).

Complete the following steps only for a complex McAfee ESM installation with multiple devices. Do not complete this task for a simple McAfee ESM installation that uses an all-in-one combination device.

Task
1 On the system navigation tree, click Local ESM or a group.

2 On the actions toolbar, click the add device icon.

3 Select the type of device you are adding, then click Next.

4 In the Device Name field, enter a name that is unique within this group. The following characters are invalid in device names: ! @ # $ % ^ & * ( ) [ ] { } : ; " ' < > , / ? ` ~ + = \ and |.

5 Click Next.

6 Provide the information requested:

• For McAfee ePO devices: select a receiver, type the credentials required to log on to the McAfee ePO web interface, then click Next. Then type the settings used to communicate with the McAfee ePO database.

Select Require user authentication to limit access to those users who have the user name and password for the device.

• For all other devices: type the target IP address or URL for the device.

7 Select whether to use Network Time Protocol (NTP) settings on the device, then click Next.

8 Enter a password for this device, then click Next.

McAfee ESM tests device communication and reports on the status of the connection.
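The device-name rule in step 4 is easy to get wrong when devices are created from a script rather than from the console. The following check is an added example, not McAfee code: it reports the disallowed characters listed above and duplicate names within a group. Treating uniqueness as an exact, case-sensitive match within the group is an assumption made here.

```python
# Added example (not McAfee's code): the device-name rules from step 4 as a check
# to run before creating devices from a script. The invalid character set is the
# one listed above; treating uniqueness as an exact, case-sensitive match within
# the group is an assumption made here.
INVALID_DEVICE_NAME_CHARS = set('!@#$%^&*)(][}{:;"\'<>,/?`~+=\\|')


def invalid_chars_in(name: str) -> list:
    """Return the disallowed characters present in a candidate name, sorted."""
    return sorted({c for c in name if c in INVALID_DEVICE_NAME_CHARS})


def validate_device_name(name: str, names_in_group) -> list:
    """Return a list of problems; an empty list means the name can be used."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    bad = invalid_chars_in(name)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if name in set(names_in_group):   # assumption: exact match counts as a duplicate
        problems.append("name already used in this group")
    return problems
```

Run the check against the names already present in the target group before calling the console; hyphens, underscores, periods and spaces are not in the invalid set and pass.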

See also Log in to ESM for the first time on page 43


Add devices in FIPS mode

Two methods in FIPS mode enable you to add a device that has already been keyed to an ESM. The terms and file extensions listed here may be useful as you follow these processes.

Terminology

• Device key — Contains the management rights that an ESM has for a device, and is not used for crypto.

• Public key — The ESM public SSH communication key, which is stored in the authorized keys table of a device.

• Private key — The ESM private SSH communication key, which is used by the SSH executable on an ESM toestablish the SSH connection with a device.

• Primary ESM — The ESM that was originally used to register the device.

• Secondary ESM — The additional ESM that communicates with the device.

File extensions for the different export files

• .exk — Contains the device key.

• .puk — Contains the public key.

• .prk — Contains the private key and the device key.

Enable communication with multiple devices in FIPS mode

You can allow multiple ESMs to communicate with the same device by exporting and importing .puk files.

The primary ESM imports the .puk file exported from the secondary ESM and sends the secondary ESM public key it contains to the device, which stores it in its authorized keys table; both ESMs can then communicate with the device. Because a .puk file carries only a public key, exporting it does not expose the secondary ESM's private SSH key. A .prk file, by contrast, contains the private key and must be handled as a secret.

Task
1 Export the .puk file from the secondary ESM.

a On the System Properties page of the secondary ESM, select ESM Management.

b Click Export SSH, then select the location to save the .puk file.

c Click Save, then log off.

2 Import the .puk file to the primary ESM.

a In the system navigation tree of the primary ESM, select the device you want to configure.

b Click the Properties icon, then select Key Management.

c Click Manage SSH Keys.

d Click Import, select the .puk file, then click Upload.

e Click OK, then log off of the primary ESM.


Change device names, links, and descriptions

When you add a device to the System Tree, give it a name that displays on the tree. You can change the device name, system name, URL, and description.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 On the system navigation tree, select the device, then click the Properties icon.

3 Click Name and Description to change the name, system name, URL, and description, or to view the Device ID number.

Set up device communication

When you add devices to McAfee ESM, you must then establish communication between the device and McAfee ESM.

Before you begin
If you are keying a distributed McAfee ESM after changing the IP address of the secondary device, ensure that port 443 is open to reconnect with McAfee ESM.

Changing connection settings only affects the way McAfee ESM communicates with the devices; it does not change the device itself.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 On the system navigation tree, select the device, then click the Properties icon.

3 Click Connection.

• Target IP Address/Name: IP address or host name that McAfee ESM uses to communicate with the device.

• Target Port: Port used to attempt SSH communication (default port is 22).

• Mark this device as disabled: Stops SSH communication between McAfee ESM and the device. The icon for this device on the system navigation tree indicates that it is disabled.

• Status: Checks the connection between McAfee ESM and the device.

Configure receivers

The McAfee Event Receiver collects security events and network flow data from multi-vendor sources including firewalls, virtual private networks (VPNs), routers, NetFlow, sFlow, and others.

Receivers collect and normalize event and flow data into a single manageable solution, providing a single view across multiple vendors.

High availability receivers (Receiver-HA) can be used in primary and secondary mode, acting as backups for each other. The secondary receiver (B) monitors the primary receiver (A) continuously, and new configuration or policy information is sent to both devices. When receiver B determines that receiver A has failed, it disconnects receiver A's data source NIC from the network and takes over as the primary. It remains the primary until you intervene manually to restore receiver A as primary.


Set up receiver data archiving

Configure the receiver to forward a backup of the raw data to your storage device for long-term storage.

Before you begin
Port 445 must be open on the system with the CIFS share to enable a CIFS share connection.

Port 135 must be open on the system with the SMB share to enable an SMB connection.

McAfee ESM supports the following types of storage: Server Message Block/Common Internet File System (SMB/CIFS), Network File System (NFS), and Syslog Forwarding.

SMB/CIFS and NFS store, as data files, a backup of all raw data sent to the receiver by data sources that use the email, estream, http, SNMP, SQL, syslog, and remote agent protocols. The system sends these data files to the archive every 5 minutes. Syslog Forwarding sends the raw data of syslog protocols as a continuous stream of combined syslogs to the destination device. The receiver can forward to only one type of storage at a time; you can configure all three types, but only one can be enabled to archive data.

This feature doesn't support the NetFlow, sFlow, and IPFIX data source types.

The archive is a copy of the raw, unnormalized data the receiver collected. Restrict who can read the share or the syslog destination accordingly.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 On the system navigation tree, select the device, then click the Properties icon.

3 Click Receiver Configuration | Data Archival.

4 Select a share type and enter the connection configuration information.

SMB/CIFS
• Share type: Sets the share type to SMB or CIFS.
• IP address: The IP address of the share.
• Share Name: The label applied to the share.
• Path: The subdirectory on the share where the archived data is stored (for example, TMP/Storage). If the data is stored in the root directory of the share, no path is required.
• User Name and Password: The credentials required to connect to the share. Do not use commas in the password when connecting to an SMB/CIFS share.

NFS
• IP Address: The IP address of the share.
• Mount Point: Name of the mount point on the share.
• Path: The location on the share where archived data is stored (for example, TMP/Storage). If the data is stored in the root directory of the share, no path is required.

Syslog Forwarding
• Address: The IP address of the syslog destination.
• Port: The port used to archive data.


Set up high availability receivers

Define the settings for high availability receivers. Add the receiver that serves as the primary device. It must have three or more NICs.

If you are required to comply with FIPS regulations, do not use this feature. High availability receivers are not FIPS-compliant.

Task
1 On the system navigation tree, select the receiver that is the primary high availability device, then click the Properties icon.

2 Click Receiver Configuration, then click Interface.

3 Click the HA Receiver tab, then select Setup High Availability.

4 Fill in the information requested, then click OK.

This starts the process that keys the second receiver, updates the database, applies globals.conf, and syncs the two receivers.

Set up high availability receivers with IPv6

Use this procedure to set up high availability over IPv6, because the IPv6 address can't be set manually using the LCD.

Before you begin
• Ensure that McAfee ESM uses IPv6, either manual or auto (System Properties | Network Settings).

• Know the shared IP address, which the network administrator creates.

Task
1 On both receivers in the high availability pair:

a Turn on the receiver, then enable IPv6 using the LCD.

b Navigate to Mgt IP Configr | Mgt1 | IPv6, and write down the management IP address. This might take some time due to network latency.

2 Add one of these receivers to McAfee ESM.

• Name — Name of the high availability pair.

• Target IP Address or URL: The management IPv6 address for this high availability receiver, which you wrote down.

3 Select the newly added device on the system navigation tree, then click Receiver Properties | Receiver Configuration | Interface.

4 In the IPv6 Mode field, select Manual (the only supported mode for high availability).

5 Click Setup next to the number 1 interface, type the shared IP address in the IPv6 field, then click OK.

This address is assigned to the shared interface during high availability setup. If this isn't done, high availability doesn't fail over properly.

6 On Receiver Properties, click Connection, enter the shared IPv6 address in Target IP Address/Name, then click OK.

7 Continue with the HA setup process.


Add receiver assets

Assets are any devices on the network with an IP address. The Asset Manager allows you to create assets, change their tags, create asset groups, add asset sources, and assign assets to groups. An ESM can have only one asset source.

Receivers can have multiple asset sources. If two asset discovery sources find the same asset, the discovery source with the highest priority adds the asset it discovered to the table. If two discovery sources have the same priority, the last one that discovers the asset takes precedence over the first.

Task
1 On the system navigation tree, select Receiver Properties, then click Asset Sources.

2 Click Add, then fill in the information requested.

• Enabled: Select to enable automatic retrieval. If the checkbox is not selected, you can still retrieve data from the asset source manually by clicking Retrieve. If it is selected, the system retrieves the data at the interval specified in the Retrieve Data field.

• Type: Select the type of asset source. The remaining fields vary based on the type you select.

• Name: Type a name for this asset source.

• Zone: Select a zone if you want to assign this asset source to one.

• Priority: Select the priority this asset source has if it discovers an asset at the same time as vulnerability assessment or network discovery. The options are 1–5, 1 being the highest.

• IP Address, Port: Type the IP address and port of your asset source.

• Use TLS, Use SSL: Select to use the TLS encryption protocol (for Active Directory) or SSL (for Altiris). Without it, the user name and password below cross the network in clear text when the source is queried.

• User Name, Password: Type the user name and password required to access the asset source. Use a read-only account with no more rights than the directory or Altiris server requires.

• Search Base: Type the LDAP distinguished name from which to search (for example, dc=McAfee,dc=com).

• Enable Proxy: For Altiris, select whether to use a proxy server. If you enable it, enter the proxy information: the proxy server IP address, the port the proxy is listening on, the name of the proxy user, and the password for the proxy server.

• Retrieve Data: If you want to retrieve data automatically, select how often to retrieve it.

• Connect: Test the connection.

3 Click OK, then click Write on Asset Sources.

Configure ELS

To search McAfee Enterprise Log Search (ELS) data, add ELS devices to the console, set up ELS storage and retention policies, and associate data sources with specific retention policies.

Before you begin
Set up and install the virtual or physical devices.


Task
1 From the dashboard, click the menu icon, then click Configuration.

2 Add ELS devices to the console.

a On the actions toolbar, click the add device icon, then select McAfee Enterprise Log Search. Click Next.

b Enter a unique Device Name, then click Next.

c Enter the target IP address or URL, the target SSH port number, and the Network Time Protocol (NTP) settings for the device. Click Next.

d Enter a password for this device, then click Next.

3 Set up storage.

Retaining uncompressed data speeds ELS searches, but it requires additional storage space, such as hard drives or network storage.

a Select ELS, click the Properties icon, then click Data Storage.

b If using iSCSI, DAS, SAN, or virtual local drives, fill in the information in the top grid.

c If using SAN, virtual local, NFS, iSCSI, or CIFS, click Add in the lower grid.

d Enter the correct parameters and click OK.

4 Add retention policies (no more than six).

To search ELS log data, you must have at least one retention policy. The system sets the first retention policy created as the default. If only one policy exists, you can change it but you cannot delete it. The ELS does not accept data with timestamps more than six months earlier than the creation of the first retention policy.

a Select ELS, click the Properties icon, then click Retention Policies.

b Click Add.

c Specify the name and duration of the retention policy and click OK.

The system stores the duration in days. You can set up a duration in years (365 days), quarters (90 days), or months (30 days).

5 Associate data sources with retention policies.

You can associate a data source with either an ELS or an ELM, but not with both.

a Select the data source device (such as a Receiver) and click the Properties icon.

b Click Data Sources.

c In the Logging column, choose the relevant checkbox to display the Log Data Options screen.

d Select the retention policy you want to associate with this data source and click OK.
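The retention-policy constraints in step 4 (at most six policies, durations stored in days, the first policy becomes the default and a sole policy cannot be deleted, no data older than six months before the first policy) are easier to reason about in code. The following is an added example, not McAfee code; it models those rules so a planned policy set can be checked before it is created in the console. The 180-day cutoff derived from a 30-day month, and the way the default falls back when it is deleted, are assumptions made here.

```python
# Added example (not McAfee's code): a model of the ELS retention-policy rules
# stated in step 4, so a planned policy set can be checked before creating it.
# Dates are ISO strings. The 180-day back-fill limit (six 30-day months) and the
# default falling back to the oldest remaining policy are assumptions made here.
from datetime import date, timedelta

MAX_POLICIES = 6                                                     # no more than six policies
UNIT_DAYS = {"days": 1, "months": 30, "quarters": 90, "years": 365}  # durations are stored in days
BACKFILL_LIMIT_DAYS = 6 * 30                                         # "six months" (assumption)


class ElsRetention:
    """Retention policies of one ELS, with the constraints from the text above."""

    def __init__(self):
        self.policies = {}          # name -> duration in days, in creation order
        self.default = None         # the first policy created becomes the default
        self.first_created = None   # ISO date on which the first policy was created

    def add_policy(self, name, amount, unit, created_on):
        if unit not in UNIT_DAYS:
            raise ValueError(f"unit must be one of {sorted(UNIT_DAYS)}")
        if amount <= 0:
            raise ValueError("duration must be positive")
        if name in self.policies:
            raise ValueError(f"policy {name!r} already exists")
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("an ELS allows no more than six retention policies")
        self.policies[name] = amount * UNIT_DAYS[unit]
        if self.default is None:
            self.default = name
            self.first_created = created_on
        return self.policies[name]

    def remove_policy(self, name):
        """The only remaining policy may be changed but never deleted."""
        if name not in self.policies:
            raise KeyError(name)
        if len(self.policies) == 1:
            raise ValueError("cannot delete the only retention policy")
        del self.policies[name]
        if self.default == name:                    # assumption: fall back to the oldest policy
            self.default = next(iter(self.policies))

    def accepts(self, event_date):
        """ELS rejects data older than six months before the first policy was created."""
        if self.first_created is None:
            return False                            # no policy yet: nothing can be searched
        cutoff = date.fromisoformat(self.first_created) - timedelta(days=BACKFILL_LIMIT_DAYS)
        return date.fromisoformat(event_date) >= cutoff

    def expires_on(self, policy, ingested_on):
        """Date on which data ingested under a policy reaches the end of its retention."""
        return (date.fromisoformat(ingested_on) + timedelta(days=self.policies[policy])).isoformat()


def can_add_more(els):
    return len(els.policies) < MAX_POLICIES


def plan_example():
    """Build the policy set used by the assertions below (constructed values)."""
    els = ElsRetention()
    els.add_policy("hot", 1, "quarters", "2018-03-01")       # 90 days, becomes the default
    els.add_policy("regulatory", 1, "years", "2018-03-01")   # 365 days
    els.add_policy("debug", 2, "months", "2018-03-01")       # 60 days
    return els
```

Because the system converts every unit to a fixed number of days, a "year" policy expires after exactly 365 days regardless of leap years; plan regulatory retention periods on that basis rather than on calendar years.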

Configure ELM

Contents
• Set up ELM redundancy
• Set ELM compression

Set up ELM redundancy

If you have a standalone ELM device on your system, you can provide redundancy for logging by adding a standby ELM.

Before you begin
• Install a standalone ELM and add it to McAfee ESM.

• Install a standby ELM, but do not add it to the console.

• Ensure that there is no data on the standby ELM. Contact Support if you need to perform a factory reset.

Task
1 On the system navigation tree, click the ELM, then click the Properties icon.

2 On the ELM Properties page, click ELM Redundancy, then click Enable.

3 Type the IP address and password for the standby ELM, then click OK.

4 On the ELM Properties page, click Storage Pools, and verify that the Active tab is selected.

5 Add storage devices to the active ELM.

6 Click the Standby tab, then add storage devices with enough combined space to match the storage on the active ELM.

7 Add one or more storage pools to each ELM.

The configuration on both ELMs is now synchronized, and the standby ELM maintains the synchronization of data between both devices.

Available only when ELM redundancy is not enabled:

• Enable: Click, then add the standby ELM details to activate ELM redundancy.

Available only when ELM redundancy is enabled:

• Remove: Click to disable redundancy on the ELM.

• Switch ELMs: Click to switch the ELMs so that the standby ELM becomes the primary ELM. The system associates all logging devices with it. Logging and configuration actions are locked during the switch-over process.

• Suspend: Click to suspend communication with the standby ELM if it is experiencing problems. All communication stops and error notifications for redundancy are masked. When you bring the standby ELM back up, click Return to Service.

• Status: Click to view details about the state of data synchronization between the active and standby ELM.

• Return to Service: Click to return a repaired or replaced standby ELM to service. If the system brings the ELM back up and detects no changes to the configuration files, redundancy continues as before. If the system does detect differences, the redundancy process continues for the storage pools without problems, and you are informed that one or more pools are out of configuration; fix these pools manually. If you replace or reconfigure the standby ELM, the system detects it and prompts you to rekey it. The active ELM then syncs all configuration files to the standby ELM and the redundancy process continues as before.


Set ELM compression

Select the compression level for the data coming into the ELM to save disk space or to process more logs.

Task
1 On the system navigation tree, select ELM Properties, then click ELM Configuration | Compression.

2 Select the ELM compression level, then click OK.

Configure ACE

Select the data type for correlation

McAfee ESM collects both event and flow data. Select which data to send to the McAfee Advanced Correlation Engine (ACE). The default is event data only.

Task
1 On the system navigation tree, select ACE Properties, then click ACE Configuration.

2 Click Data, then select Event Data, Flow Data, or both.

3 Click OK.

Configure McAfee Risk Advisor

When you enable McAfee Risk Advisor data acquisition on McAfee ePO, the system generates a score list and sends it to any McAfee Advanced Correlation Engine (ACE) used for scoring the SrcIP and DstIP fields.

Task
1 On the system navigation tree, select ePO Properties | Device Management, then click Enable.

2 Complete the configuration fields.

• Manage ELM Logging: Configure the default logging pool for the selected device. This option is available only if you have a McAfee Enterprise Log Manager (ELM) on McAfee ESM.

• Zone: Assign the McAfee ePO to a zone or change the current setting.

• Manual refresh device: Refresh the list of applications from your McAfee ePO device and build a client data source for each application.

• Last Refresh Time: View the last time the applications were refreshed.

• Enable MRA: Enable McAfee Risk Advisor data acquisition.

• Priority: You might have multiple McAfee ePO, asset source, or vulnerability assessment devices set up to receive the same assets or threats. If so, select the priority for the data from this McAfee ePO device in case other devices receive the same information. For example, both ePO-1 and VA-1 monitor your system. ePO-1 collects software and hardware information from your system, and VA-1 collects the fact that you have Windows installed. Set ePO-1 to a higher priority than VA-1, so the information it collects can't be overwritten by the information VA-1 collects.

• Schedule application refresh: To refresh the list of applications from your McAfee ePO device automatically, select the frequency from the drop-down list.

3 Click OK.
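The precedence rule stated for receiver asset sources (priority 1 is highest; on a tie the last source to discover the asset wins) is the same one the Priority option for a McAfee ePO device above relies on. The following is an added example, not McAfee code, that replays a set of discoveries and reports which source's record survives for each IP address. Source names, IP addresses and attributes are constructed; the sequence number used to order discoveries is an assumption made here.

```python
# Added example (not McAfee's code): the precedence rule this chapter states for
# asset and threat data arriving from several sources (asset sources, ePO devices,
# vulnerability assessment): priority 1 is highest, and when two sources have the
# same priority the one that discovered the asset last wins. Source names, IPs
# and attributes are constructed; the sequence number is an assumption.
from dataclasses import dataclass


@dataclass
class Discovery:
    source: str        # for example "ePO-1" or "VA-1"
    priority: int      # 1..5, 1 = highest
    ip: str            # an asset is any device with an IP address
    attributes: dict   # what this source learned about the asset
    seq: int           # discovery order; larger = discovered later (assumption)


def merge_discoveries(discoveries):
    """Return {ip: winning Discovery}: highest priority wins, ties go to the latest."""
    table = {}
    for d in sorted(discoveries, key=lambda x: x.seq):   # replay in discovery order
        if not 1 <= d.priority <= 5:
            raise ValueError(f"{d.source}: priority must be 1..5")
        current = table.get(d.ip)
        # Lower number = higher priority. An equal priority replaces the current
        # record because, replaying in order, it is the later discovery.
        if current is None or d.priority <= current.priority:
            table[d.ip] = d
    return table


def winners(discoveries):
    """Convenience view: {ip: name of the source whose record was kept}."""
    return {ip: d.source for ip, d in merge_discoveries(discoveries).items()}


# Constructed scenario from the text: ePO-1 (priority 1) and VA-1 (priority 3)
# both report 10.0.0.5; VA-1 reports it later but must not overwrite ePO-1.
EXAMPLE = [
    Discovery("ePO-1", 1, "10.0.0.5", {"os": "Windows", "apps": ["Endpoint Security"]}, seq=1),
    Discovery("VA-1", 3, "10.0.0.5", {"os": "Windows"}, seq=2),
    Discovery("AD-1", 2, "10.0.0.6", {"hostname": "fileserver"}, seq=3),
    Discovery("NetDisc-1", 2, "10.0.0.6", {"hostname": "fs01"}, seq=4),   # same priority, later: wins
    Discovery("VA-1", 3, "10.0.0.7", {"os": "Linux"}, seq=5),
]
```

The replay is order-independent because discoveries are sorted by sequence first; that is what makes the tie rule deterministic. When you assign priorities in the console, give the source whose data you trust most the lowest number, and avoid ties between sources that describe the same hosts.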


Configure McAfee Vulnerability Manager

To pull vulnerability assessment data from McAfee Vulnerability Manager, you must connect it to McAfee ESM as a device. Then associate it with a Receiver so that McAfee ESM can pull McAfee Vulnerability Manager events from the Receiver.

Before you begin
Obtain McAfee Vulnerability Manager logon credentials.

Changing these settings doesn't affect the device itself. It only affects the way the device communicates with McAfee ESM.

Task
1 On the system navigation tree, select MVM Properties, then click Connection.

2 Fill in the information requested, then click OK.

• Associated Receiver: Select the Receiver associated with this McAfee Vulnerability Manager. To view the details about this Receiver, click the link.

• Enter the database login parameters below: Type the parameters as requested. Domain is optional.

• Connect: Click to test the connection to the database.

• Enter the website UI credentials below: Type the web credentials. The firewall on the database and web application must allow the ports McAfee ESM uses to connect.

• Upload MVM server certificate and enter passphrase: Enter the McAfee Vulnerability Manager credentials and passphrase, then click Upload to browse to the .zip file.

• Connect: Test the connection to the website.

Configure a DAS to store data from an all-in-one ESM

Before you begin
Set up the DAS devices.

Task
1 On the system navigation tree, select McAfee ESM, then click the Properties icon.

2 Click Database and then click Data Storage.

3 On the table, click one of the devices that has not been assigned to store McAfee ESM data.

4 Click Assign and then click Yes.

Once you assign a device, you can't change it.


Key devices

After you add a device to the ESM, key the device to enable communication. Keying the device enhances security by ensuring that the device communicates only with the ESM.

Before you begin
If you are keying a distributed ESM after changing the IP address of the child, ensure that port 443 is open to reconnect with the ESM.

To communicate with a device, the ESM encrypts communications using the key created when the device is keyed.

All settings are stored on the ESM, which means that the ESM console is aware of the keys maintained on the ESM.

Device administrators can overwrite settings on a device from another ESM, so use a single ESM to manage the devices attached to it. A Distributed ESM (DESM) can handle data collection from devices attached to another ESM.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 In the Physical Display panel, verify that each device you added appears in the device tree.

3 Select a device and click the Properties icon.

4 Click ESM Management and then select the Key Management tab.

If the device has an established connection and can communicate with the ESM, the Key Device Wizard opens.

5 Type a new password for the device, then click Next.

6 Click Finish.

Tasks
• Manage SSH keys on page 55: Devices can have SSH communication keys for systems they need to communicate with securely. You can stop communication with these systems by deleting the key.

Manage SSH keys

Devices can have SSH communication keys for systems they need to communicate with securely. You can stop communication with these systems by deleting the key.

Task
1 On the system navigation tree, select a device, then click the Properties icon.

2 Click Key Management, then click Manage SSH Keys.

The Manage SSH Keys page lists the IDs for the ESM that the device communicates with.


3 Highlight the ID and click Delete to stop communication with one of the systems listed.

4 Confirm the deletion, then click OK.

• Authorized Keys table: View the machines this device has SSH communication keys for. If SSH is enabled, the machines on this list can communicate with the device.

• Known Hosts: For devices, manage the keys of any SSH-capable devices that this device has talked to (for example, receiver to SCP data source). For the ESM, view the keys of all the devices in the system tree that the ESM talks to.

• Known Hosts table: View the IP address, device name, and fingerprint populated from the host data in the known_hosts file (root/.ssh/known_hosts).

• Device's Fingerprint: View the fingerprint for this device, which is generated from the device's public SSH key. Compare it with the fingerprint shown on the peer before trusting a new entry; a mismatch means the peer is not the device you keyed.
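The Export SSH / Import procedure under Add devices in FIPS mode and the Manage SSH Keys page described here both manipulate the same two artifacts: the device's authorized keys table and its known_hosts file. The following is an added example, not McAfee code, showing what that bookkeeping amounts to: a .puk line is parsed, its SHA256 fingerprint is computed the way OpenSSH does, the key is added to or deleted from an authorized-keys table, and a peer's presented key is compared with its known_hosts entry. The ed25519 key blobs are built from fixed bytes and are not real keys; the file layouts assumed are those of OpenSSH.

```python
# Added example (not McAfee's code): the SSH-key bookkeeping behind the ESM's
# Export SSH (.puk) / Import and Manage SSH Keys screens, modelled on the
# OpenSSH-style authorized_keys and known_hosts files of a managed device. The
# key material below is constructed from fixed bytes and is not a real key.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob of an ssh-ed25519 key: string "ssh-ed25519" || string key (RFC 8709)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64(SHA-256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str):
    """Parse 'keytype base64blob [comment]' as in a .puk export or an authorized_keys entry."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    # The type string inside the blob must agree with the declared type;
    # a mismatch means the line was edited or corrupted in transit.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type mismatch")
    return ktype, blob, comment


def pubkey_line(blob: bytes, comment: str = "") -> str:
    """Render a public key as the single-line form a .puk file carries."""
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()


class AuthorizedKeys:
    """The device's authorized keys table: the ESMs allowed to open SSH sessions to it."""

    def __init__(self, lines):
        self.entries = [parse_pubkey_line(l) for l in lines if l.strip()]

    def fingerprints(self):
        return [fingerprint(blob) for _, blob, _ in self.entries]

    def import_puk(self, puk_text: str) -> bool:
        """Import a secondary ESM's .puk; returns False if that key is already authorized."""
        ktype, blob, comment = parse_pubkey_line(puk_text.strip())
        if fingerprint(blob) in self.fingerprints():
            return False
        self.entries.append((ktype, blob, comment))
        return True

    def delete(self, fp: str) -> bool:
        """Manage SSH Keys > Delete: removing the key stops that ESM's access."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if fingerprint(e[1]) != fp]
        return len(self.entries) != before


def known_hosts_fingerprints(text: str) -> dict:
    """known_hosts lines 'host keytype base64' -> {host: fingerprint}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, rest = line.split(None, 1)
        _, blob, _ = parse_pubkey_line(rest)
        table[host] = fingerprint(blob)
    return table


def host_key_matches(known: dict, host: str, presented_blob: bytes) -> bool:
    """Compare the fingerprint a peer presents with the one recorded for it."""
    return known.get(host) == fingerprint(presented_blob)


# Constructed key material (assumption: deterministic bytes stand in for real keys).
PRIMARY_ESM_KEY = ed25519_blob(bytes(range(0, 32)))
SECONDARY_ESM_KEY = ed25519_blob(bytes(range(32, 64)))
RECEIVER_KEY = ed25519_blob(bytes(range(64, 96)))
```

The fingerprint is a hash of the public key blob alone, which is why the console can show it for a device before any session is opened and why it is safe to read it out over the phone or paste it into a ticket. Deleting an entry from the authorized keys table is the revocation step: an ESM whose public key is no longer there can no longer authenticate to the device, whatever it still holds in its own .prk file.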

Set up data sources

Contents
• How data sources work
• Configure receivers to create data sources automatically

How data sources work

The McAfee Event Receiver collects security events and network flow data from multi-vendor sources including firewalls, virtual private networks (VPNs), routers, NetFlow, sFlow, and others. Data sources control how the Receiver gathers log and event data. You must add data sources and define their settings so they collect the data you need.

The Data Sources page is the starting point for managing the data sources for your Receiver device. It provides a way for you to add, edit, and delete data sources, as well as import, export, and migrate them. You can also add child and client data sources.

Configure receivers to create data sources automatically

Set up receivers to create data sources automatically, using the standard rules that come with the receiver or rules that you create.

Task
1 Click the Get Events and Flows icon on the actions toolbar to pull events or flows.

2 From the McAfee ESM dashboard, click the menu icon and select Configuration.

3 On the system navigation tree, select the receiver, then click the Properties icon.

4 On the Receiver Properties page, click Data Sources | Auto Learn.

5 On the Auto Learn page, click Configure.

6 On the Auto Add Rule Editor page, ensure that Enable auto creation of data sources is selected.


7 Click Add, then select the auto add rules you want the receiver to use to create data sources automatically.

8 To apply selected rules to the existing auto learned data, click Run Now.

Tasks
• Manage auto create rules on page 57: Create, edit, and arrange custom rules that the Receiver uses to create data sources automatically.

• Set up data source auto-learning on page 58: Set up McAfee ESM Receivers to learn data source IP addresses automatically.

Manage auto create rules

Create, edit, and arrange custom rules that the Receiver uses to create data sources automatically.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 On the system navigation tree, select the Receiver, then click the Properties icon.

3 On the Receiver Properties page, click Data Sources | Auto Learn | Configure.

4 Select Enable to turn on auto creation of data sources.

5 If you want to create or change a rule, click Add or select a rule and click Edit.

a On the Configure auto add rule page, configure the settings.

Top pane
• Description: A text label that helps users identify what the rule accomplishes.
• Type: The type of rule you want to create.
• Enabled: Toggles the rule on or off.

Auto Learn Matching Criteria
• IP/CIDR and Host Name: The network location and host name from which traffic must originate to trigger the rule.
• Port: The port that traffic must come through to trigger the rule.
• Vendor and Model: The rule triggers only when traffic originates from this vendor and model of device.

Data Source/Client Creation Parameters
• Name: The name for the data source. This field supports variables that represent the IP address, model, and host name. For example, you can type Data source - {MODEL}_{HOST}_{IP}.
• Data source type: Sets the new data source as a Data Source or a Client.
• Parent: Assigns a device to act as the parent of the new data source.
• Client Type: Assigns a client type to the new data source.
• Vendor and Model: The new data source appears in the system with this vendor and model.
• Time Zone: The time zone to assign to the data source.
• Zone: (Optional) The zone where the new data source appears.
• Storage Pool: If you want the data generated by the data source (not clients) to be stored on the ELM, click Storage Pool and select the storage pool.

b Click OK.


6 On the Auto Add Rule Editor page, use the arrows to arrange the rules in the order you want.

7 Click Run Now to apply the rules to the current auto learn results.

Auto creation happens when alerts are pulled from the Receiver, either manually or automatically by McAfee ESM.
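The Auto Add Rule Editor evaluates the rules in the order you arrange them and expands the {MODEL}, {HOST} and {IP} variables in the Name field. The following is an added example, not McAfee code, that applies a constructed ordered rule set to constructed auto-learn results and shows why rule order matters. The fallback of {HOST} to the IP address when no host name was learned, and case-insensitive matching of host name, vendor and model, are assumptions made here.

```python
# Added example (not McAfee's code): ordered evaluation of auto add rules as the
# Auto Add Rule Editor describes. Rules are tried in the order you arrange them;
# the first enabled rule whose matching criteria (IP/CIDR, host name, port,
# vendor and model) fit an auto-learned source creates the data source, and the
# Name field's {MODEL}, {HOST} and {IP} variables are expanded. Rules and learned
# sources are constructed; the {HOST} fallback to the IP and the case-insensitive
# comparisons are assumptions made here.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AutoAddRule:
    description: str
    enabled: bool = True
    ip_cidr: Optional[str] = None        # None means "any source address"
    host_name: Optional[str] = None      # None means "any host name"
    port: Optional[int] = None           # None means "any port"
    vendor: Optional[str] = None
    model: Optional[str] = None
    name_template: str = "{MODEL}_{HOST}_{IP}"
    parent: Optional[str] = None         # device that becomes the data source's parent
    time_zone: str = "UTC"
    storage_pool: Optional[str] = None   # ELM storage pool, if the data is to be logged


@dataclass
class LearnedSource:
    ip: str
    port: int
    vendor: str
    model: str
    host_name: str = ""


def rule_matches(rule: AutoAddRule, src: LearnedSource) -> bool:
    """Every criterion a rule sets must hold; unset criteria match anything."""
    if not rule.enabled:
        return False
    if rule.ip_cidr and ipaddress.ip_address(src.ip) not in ipaddress.ip_network(rule.ip_cidr, strict=False):
        return False
    if rule.host_name and rule.host_name.lower() != src.host_name.lower():
        return False
    if rule.port is not None and rule.port != src.port:
        return False
    if rule.vendor and rule.vendor.lower() != src.vendor.lower():
        return False
    if rule.model and rule.model.lower() != src.model.lower():
        return False
    return True


def expand_name(template: str, src: LearnedSource) -> str:
    host = src.host_name or src.ip   # assumption: fall back to the IP when no host name was learned
    return template.replace("{MODEL}", src.model).replace("{HOST}", host).replace("{IP}", src.ip)


def run_now(rules, learned):
    """Apply the ordered rules to auto-learn results; returns (created data sources, unmatched IPs)."""
    created, unmatched = [], []
    for src in learned:
        rule = next((r for r in rules if rule_matches(r, src)), None)
        if rule is None:
            unmatched.append(src.ip)
            continue
        created.append({
            "name": expand_name(rule.name_template, src),
            "rule": rule.description,
            "parent": rule.parent,
            "time_zone": rule.time_zone,
            "storage_pool": rule.storage_pool,
        })
    return created, unmatched


# Constructed rules, in the order they would be arranged in the editor.
RULES = [
    AutoAddRule("DMZ firewalls", ip_cidr="192.0.2.0/24", port=514, vendor="Cisco", model="ASA",
                name_template="FW-{HOST}-{IP}", parent="Receiver-1", storage_pool="firewalls"),
    AutoAddRule("Any syslog on 514", port=514, parent="Receiver-1"),
    AutoAddRule("Disabled catch-all", enabled=False),
]

# Constructed auto-learn results.
LEARNED = [
    LearnedSource("192.0.2.10", 514, "Cisco", "ASA", "fw-dmz-1"),
    LearnedSource("10.1.1.20", 514, "Linux", "Linux"),
    LearnedSource("10.1.1.30", 6514, "Palo Alto", "PAN-OS"),
]
```

Put the most specific rules first: a broad rule such as "any syslog on 514" placed above the firewall rule would claim the ASA and name it with the generic template, and the storage pool and parent intended for firewalls would never be applied.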

Set up data source auto-learning

Set up McAfee ESM Receivers to learn data source IP addresses automatically.

Before you begin
Define ports for Syslog, MEF, and flows.

Receiver ports must match the sources that are sending data or auto-learning does not happen.

The firewall on the Receiver opens for the time you designate so that the system can learn a set of unknown IP addresses, which you can then add to the system as data sources. Because the Receiver accepts traffic from any sender during this window, keep it as short as practical and review the learned addresses before adding them; an auto-learned address is not a trusted one.

Updating McAfee ESM deletes auto-learning results. Run auto-learning again after updating to collect the results again.

Task
1 From the McAfee ESM dashboard, click the menu icon and select Configuration.

2 On the system navigation tree, select the Receiver, then click the Properties icon.

3 On the Receiver Properties page, click Data Sources | Auto Learn.

4 Configure the auto-learning settings.

a Select the length of time you want auto-learning to run in the appropriate hours field, then click Enable.

When using auto-learning for MEF, you can't add data sources that are auto-learned using a host ID.

When the time expires, the system disables auto-learning and populates the table with the IP addresses found.

b Click Disable to stop auto learning.

5 Add auto-learned IP addresses as data sources.

a Select IP addresses of the same type as those you want to add, then click Add.

b On the Auto-Learned Sources page, select one of the options.

• If the selected IP addresses do not have an associated name, the system asks whether to add a prefix to the selected addresses.

• If you click No, the IP addresses are used as the names for these data sources.

• If you click Yes, enter a prefix name and click OK. The names of these data sources include both the prefix you added and the IP address.

• If the selected IP addresses have names, the system adds the data sources to the list.


Option Definition

Client match ontype

If an existing data source matches the selected IP address, the system adds items tothe data source as match-by-type client data sources. If a data source matching theselected IP address doesn't exist, one is created. The remaining items are added to it asmatch-by-type client data sources.

Client match onIP

This option allows you to select the data source to which you want to add this IPaddress as a client. Matching data sources are listed. If there aren't any, the only optionavailable is None - create new data source. Select the data source you want to add this IPaddress to as a client, then click OK.

6 To change the name of a data source, click Edit Name. Use a maximum of 50 characters and make sure the name has not already been assigned to a data source on the list.

7 To change the type of the selected IP address, click Change Type. Change the type if the type suggested by the system is wrong. Viewing the packet can help you determine the correct type.

Manage data sources
Data sources control how the Receiver gathers log and event data from multiple sources including firewalls, virtual private networks (VPNs), routers, NetFlow, sFlow, and others. Add data sources and define their settings so they collect the data you need.

Before you begin
• Make sure that the receiver for this data source is listed on the system navigation tree.

• Make sure that the data source was configured as described in the Data Source Configuration Reference.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the Receiver, then click the Properties icon.

3 On the Receiver Properties page, click Data Sources.

A table lists existing data sources (including child and client data sources) and identifies how the data source processes data.

If SNMP Trap is selected, the data source accepts standard SNMP traps from any manageable network device with the capability of sending SNMP traps. Standard traps include: Authentication Failure, Cold Start, EGP Neighbor Loss, Link Down, Link Up and Warm Start. When ESM receives these traps, it generates an event for the data source. To send or receive SNMP traps via IPv6, formulate the IPv6 address as an IPv4 conversion address.

4 Do one of the following:

• To add a new data source, click Add.

• To add a child data source to an existing data source, click Add Child.

• To edit an existing data source, select the data source then click Edit.

5 Configure the data source.


Option                Definition

Use System Profiles   Profiles pre-populate SNMP and syslog protocol-based devices only.

Data Source Vendor, Data Source Model   The vendor and model selected determine what information you enter for the data source. For Advanced Syslog Parser (ASP) data sources that generate data without UTF-8 encoding, select Generic as the vendor and Advanced Syslog Parser as the model.

Data Format           Parsing method.

Data Retrieval        Data collection method.
                      • For SCP, set the LANG environment variable to lang=C.
                      • SCP File Source does not support relative paths. Define the full location.
                      • For CIFS File Source or NFS File Source, select a collection method.

Enabled               How the Receiver processes data.

Remaining fields      Vary based on vendor, device model, data retrieval method, or protocol of the selected device model.

The data sources appear under the receiver on the navigation tree.

Tasks
• Set date formats for data sources on page 60
Select the format for dates included in data sources.

• Add child data sources on page 61
Add child data sources to organize your data sources.

• Add ASP data sources with different encoding on page 61
McAfee ESM reads UTF-8 encoded data. Format ASP data sources that generate data with different encoding to ensure the Receiver can read that data.

• Add client data sources on page 61
To increase the number of data sources allowed on the Receiver, add a client to an existing data source.

• Select Tail File data source collection method on page 62
When adding data sources, you must choose a collection method if you select NFS File Source or CIFS File Source for data retrieval.

Set date formats for data sources
Select the format for dates included in data sources.

Task
1 On the system navigation tree, select a Receiver, then click the Add data source icon.

2 Click Advanced, then make a selection in the Date Order field:

• Default - Uses the default date order (month before day). When using client data sources, clients using this setting will inherit the date order of the parent data source.

• Month before day - The month goes before the day (04/23/2014).

• Day before month - The day goes before the month (23/04/2014).

3 Click OK.


Add child data sources
Add child data sources to organize your data sources.

Task
1 On the system navigation tree, select Receiver Properties, then click Data Sources.

2 On the data sources table, select the primary data source to which you want to add a data source.

3 Click Add Child, then fill out the fields as you would for a parent data source.

4 Click OK.

Add ASP data sources with different encoding
McAfee ESM reads UTF-8 encoded data. Format ASP data sources that generate data with different encoding to ensure the Receiver can read that data.

Task
1 On the system navigation tree, click a Receiver, then click the Add Data Source icon.

2 Select Generic in the Data Source Vendor field, then Advanced Syslog Parser in the Data Source Model field.

3 Enter the information requested, and select the correct encoding in the Encoding field.

Add client data sources
To increase the number of data sources allowed on the Receiver, add a client to an existing data source.

Before you begin
Add data sources to the Receiver.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the Receiver, then click the Properties icon.

3 Click Data Sources.

4 Select the data source that you want to add the client to, then click Clients.

5 Click Add, fill in the information requested, then click OK.

Option                  Definition

Name                    Client name

Time Zone               Client time zone

Date Order              Date format: month before day or day before month

IP Address, Host Name   Client IP address or host name. You can have more than one client data source with the same IP address; the port differentiates them.

Require syslog TLS      Select Transport Layer Security (TLS) encryption protocol for syslog.

Port                    Select whether to use the same port as its parent or another listed port for the client.

Match by type           Select to match clients by type, then select the vendor and model of this client.


Events go to the data source (parent or client) that is more specific. For example, you have two client data sources, one with an IP address of 1.1.1.1 and the second with an IP address of 1.1.1.0/24, which covers a range. Both are the same type. If an event matches 1.1.1.1, it goes to the first client because it is more specific.

How client data sources work
Client data sources enable you to extend the number of data sources allowed on your Receivers. For data sources with a syslog, ASP, CEF, MEF, NPP, and WMI collector, you can add up to 32,766 data source clients.

If the data source is already a parent or child, or if it is a WMI data source and Use RPC is selected, this option is unavailable.

You can add more than one client data source with the same IP address and use the port number to differentiate them. This allows you to segregate your data using a different port for each data type, then forward the data using the same port it came into.

When you add a client data source, select whether to use the parent data source port or another port.

Client data sources have these characteristics:

• They don't have VIPS, Policy, or Agent rights.

• They appear on the system navigation tree but not on the Data Sources table.

• They share policy and rights as the parent data source.

• They must be in the same time zone because they use the parent's configuration.

Client WMI data sources can have independent time zones because the query sent to the WMI server determines the time zone.
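The routing rule described above (the most specific client wins, the port separates clients that share an address, and the type must match) as an added Python example. This is not McAfee code; the ClientDataSource model, the client names and the sample events are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientDataSource:
    """Hypothetical model of one row in a parent data source's Clients table."""
    name: str
    network: str        # "1.1.1.1" (a single host) or "1.1.1.0/24" (a range)
    port: int           # the parent's port or another listed port
    source_type: str    # vendor/model pairing the client is matched by

    def covers(self, addr) -> bool:
        # strict=False tolerates host bits in entries such as "1.1.1.1/32"
        return addr in ipaddress.ip_network(self.network, strict=False)

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.network, strict=False).prefixlen


def select_client(clients: List[ClientDataSource], src_ip: str, port: int,
                  source_type: str) -> Optional[ClientDataSource]:
    """Pick the client an event is delivered to, following the guide's rules:
    the port separates clients that share an address, the type must match,
    and among the remaining candidates the most specific prefix wins
    (1.1.1.1 beats 1.1.1.0/24). None means the event stays with the parent."""
    addr = ipaddress.ip_address(src_ip)
    candidates = [c for c in clients
                  if c.port == port and c.source_type == source_type and c.covers(addr)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.prefixlen)


# Constructed clients: the guide's 1.1.1.1 / 1.1.1.0/24 pair plus a TLS syslog
# client that reuses the /24 range on a different port.
CLIENTS = [
    ClientDataSource("host-1.1.1.1", "1.1.1.1", 514, "syslog"),
    ClientDataSource("subnet-1.1.1.0", "1.1.1.0/24", 514, "syslog"),
    ClientDataSource("subnet-1.1.1.0-tls", "1.1.1.0/24", 6514, "syslog"),
]

# Constructed events: (source IP, port the Receiver got it on, data source type).
EVENTS: List[Tuple[str, int, str]] = [
    ("1.1.1.1", 514, "syslog"),    # both clients cover it; the /32 is more specific
    ("1.1.1.7", 514, "syslog"),    # only the /24 covers it
    ("1.1.1.7", 6514, "syslog"),   # same range, other port -> the TLS client
    ("10.0.0.5", 514, "syslog"),   # no client matches -> parent data source
]


def route_events(clients: List[ClientDataSource],
                 events: List[Tuple[str, int, str]]) -> List[str]:
    """Return, per event, the name of the client it lands on, or 'parent'."""
    out = []
    for src_ip, port, source_type in events:
        chosen = select_client(clients, src_ip, port, source_type)
        out.append(chosen.name if chosen else "parent")
    return out


if __name__ == "__main__":
    for event, target in zip(EVENTS, route_events(CLIENTS, EVENTS)):
        print(f"{event[0]}:{event[1]} -> {target}")
```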

Select Tail File data source collection method
When adding data sources, you must choose a collection method if you select NFS File Source or CIFS File Source for data retrieval.

Collection methods are:

• Copy files — The system copies whole logs from the remote share to the Receiver to be processed. If log files are large and updated with new information infrequently, copying the whole log file can be inefficient and time consuming.

• Tail files — Logs are read remotely and only new events are read. Each time the log is read, it reads from the position where it stopped previously. If the file changes significantly, this is detected and the whole file is reread from the beginning.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the Receiver, then click the Properties icon.

3 Click the Add data source icon on the actions toolbar.

4 Provide the information requested, selecting CIFS File Source or NFS File Source in the Data Retrieval field.


5 In the Collection Method field, select Tail File(s), then fill in these fields:

• Delimited Multiline Events — Select to specify if the events have dynamic length.

• Event Delimiter — Enter a string of characters that signal the end of an event and the beginning of another. These delimiters vary greatly and depend on the type of log file.

• Delimiter is regex — Select if the value in the Event Delimiter field is to be parsed as a regular expression rather than a static value.

• Tail Mode — Select Beginning to parse files completely that are encountered on the first run, or End to note the file size and collect only new events.

• Recurse subdirectories — Select to read collection from child directories (subdirectories), looking for matches with the wildcard expression field. If not selected, it searches only the parent directory files.

6 Fill in remaining fields, then click OK.
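An added example of the Tail File behaviour this task configures: the read position is kept between reads, the file is reread from the beginning when it shrinks or is rewritten, and multiline events are split on a static or regex Event Delimiter, with Tail Mode deciding how a file is treated on first sight. It is a hypothetical implementation for illustration, not the Receiver's own collector; the log content and the 256-byte fingerprint size are constructed choices.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

HEAD_BYTES = 256  # constructed choice: how much of the file start is fingerprinted


@dataclass
class TailState:
    position: int = 0        # byte offset the previous read stopped at
    head_len: int = 0        # how many leading bytes head_digest covers
    head_digest: str = ""    # fingerprint of those bytes; changes if the file is rewritten
    pending: str = ""        # trailing partial event carried to the next read


def _digest(path: str, n: int) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(n)).hexdigest()


class TailFileCollector:
    """Tail-file style collection as the guide describes it (hypothetical code).

    delimiter / delimiter_is_regex mirror the Event Delimiter and "Delimiter is regex"
    fields; tail_mode mirrors Tail Mode ("Beginning" parses a file fully on first
    sight, "End" notes its size and only collects what arrives afterwards).
    """

    def __init__(self, delimiter: str = "\n", delimiter_is_regex: bool = False,
                 tail_mode: str = "Beginning") -> None:
        pattern = delimiter if delimiter_is_regex else re.escape(delimiter)
        self.delimiter = re.compile(pattern, re.MULTILINE)
        self.tail_mode = tail_mode
        self.states: Dict[str, TailState] = {}

    def _fresh_state(self, path: str, size: int, position: int) -> TailState:
        n = min(HEAD_BYTES, size)
        return TailState(position=position, head_len=n, head_digest=_digest(path, n))

    def collect(self, path: str) -> List[str]:
        """Return the complete events added since the last call on this file."""
        size = os.path.getsize(path)
        state = self.states.get(path)
        if state is None:
            start = size if self.tail_mode == "End" else 0
            state = self._fresh_state(path, size, start)
        elif size < state.position or _digest(path, state.head_len) != state.head_digest:
            # Shrunk or rewritten in place (rotation, truncation): the whole file is
            # read again from the beginning, as the guide says happens when the
            # file changes significantly.
            state = self._fresh_state(path, size, 0)
        self.states[path] = state

        with open(path, "rb") as f:
            f.seek(state.position)
            chunk = f.read()
        state.position += len(chunk)
        if state.head_len < HEAD_BYTES and size > state.head_len:
            # The file grew past the bytes we fingerprinted; extend the fingerprint.
            state.head_len = min(HEAD_BYTES, size)
            state.head_digest = _digest(path, state.head_len)

        data = state.pending + chunk.decode("utf-8", errors="replace")
        parts = self.delimiter.split(data)
        state.pending = parts[-1]   # text after the last delimiter is not yet a whole event
        return [p.strip() for p in parts[:-1] if p.strip()]


def demo() -> Dict[str, List[str]]:
    """Run the collector over a constructed multiline log (temp file, not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        with open(path, "w", newline="\n") as f:
            f.write("ts=1 user=alice\naction=login\n--END--\n"
                    "ts=2 user=bob\naction=logout\n--END--\n"
                    "ts=3 user=carol\n")                         # third event incomplete
        c = TailFileCollector(delimiter=r"^--END--$", delimiter_is_regex=True)
        first = c.collect(path)
        with open(path, "a", newline="\n") as f:
            f.write("action=login\n--END--\n")                  # completes the third event
        second = c.collect(path)
        with open(path, "w", newline="\n") as f:
            f.write("ts=9 user=dave\naction=login\n--END--\n")  # rewritten: reread from start
        third = c.collect(path)
        return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    for step, events in demo().items():
        print(step, events)
```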

How correlation data sources work
A correlation data source analyzes McAfee ESM data, detects suspicious patterns, and generates correlation alerts, which are inserted into the receiver alert database. Only one correlation data source can be configured per receiver, similar to configuring syslog or OPSEC.

Data interpreted by correlation policy rules, which you can create and change, represents a suspicious pattern.

After configuring a correlation data source, you can:

• Roll out the correlation’s default policy

• Edit the base rules in this correlation's default policy

• Add custom rules and components

• Roll out the policy

• Enable or disable each rule

• Set the value of each rule's user-definable parameters

When adding a correlation data source, select McAfee as the vendor and Correlation Engine as the model.

Enabling the correlation data source allows McAfee ESM to send alerts to the receiver correlation engine.

Set up data storage

Contents
How data storage works
Set up data storage
Set up VM data storage
Increase accumulator indexes
Set up data retention limits
Define data allocation limits
Manage accumulator indexing
View database memory use


How data storage works
Store and retain large amounts of long-term data using McAfee® Enterprise Log Manager and search stored log data quickly using McAfee Enterprise Log Search.

Long-term data retention

McAfee® Enterprise Log Manager enables you to store, manage, access, and report on large amounts of log data over long periods of time.

Organize McAfee® Enterprise Log Manager data into storage pools, each composed of storage devices. Associate retention times with each storage pool to retain the pool's data for a specific time. Government, industry, and corporate regulations require that logs be stored for different time periods.

You can set up search and integrity-check jobs on the McAfee® Enterprise Log Manager. Each job accesses stored logs and retrieves or checks data defined in the job. You can then view the results and export the information.

To configure McAfee® Enterprise Log Manager, you must know:

• Data sources to associate with each McAfee® Enterprise Log Manager device.

You can associate one data source with either an Enterprise Log Search or a McAfee® Enterprise Log Manager but not with both.

• Required storage pools and their data retention times

• Storage devices that are required to store the data

Storage pools require 10 percent of the allocated space for mirroring overhead.

Quick data search

McAfee Enterprise Log Search retains uncompressed log data for specific durations, speeding your ability to search the stored data quickly from the McAfee ESM dashboard.

To configure McAfee Enterprise Log Search, you must know:

• Additional storage devices - Work with your team to determine the appropriate storage requirements for your environment, such as additional hard drives or network storage.

• Retention policies to determine how long you want to retain specific uncompressed data. You can add up to six retention policies with durations in years (365 days), quarters (90 days), or months (30 days).

• Data sources to associate with each Enterprise Log Search device.

You can associate one data source with either an Enterprise Log Search or a McAfee® Enterprise Log Manager but not with both.

Configuring data storage

The diagram below shows the steps for configuring the data storage devices.


1 To allow secure, encrypted communication with McAfee ESM, key the storage devices.

2 To connect both physical and virtual devices to McAfee ESM, configure the storage devices.

3 a Set up data retention policies that identify how long to store log data on the McAfee Enterprise Log Search device.

b Set up storage pools on the McAfee® Enterprise Log Manager device.

4 a Assign receivers to specific retention policies.

b Assign receivers to specific storage pools.

5 a Quickly search stored log data using the McAfee Enterprise Log Search device.

b Store large amounts of log data to the McAfee® Enterprise Log Manager device.

Storage device types

Device type     Details

NFS             To edit the remote mount point of the storage device with the ELM Management Database, use the Migrate DB option to move the database to a different storage device. You can then safely change the remote mount point field and move the database back to the updated storage device.

CIFS            • Using the CIFS share type with Samba server versions later than 3.2 can result in data loss.
                • When connecting to a CIFS share, don't use commas in your password.

iSCSI           • When connecting to an iSCSI share, don't use commas in your password.
                • Trying to attach multiple devices to one IQN can cause data loss and other configuration problems.

SAN             The SAN option is available only if there is a SAN card installed on McAfee® Enterprise Log Manager and there are SAN volumes available.

Virtual Local   This option is available only if a virtual local device has been added to the virtual McAfee® Enterprise Log Manager. You must format the device before using it for storage.


Set up data storage
If you have an Internet Small Computer System Interface (iSCSI), Storage Area Network (SAN), or Direct-attached storage (DAS) device connected to McAfee ESM, you can set them up for data storage.

Task
1 On the system navigation tree, select System Properties, then click Database | Archival.

2 Click the data storage device tabs, select an action, then fill in the device IP address, name, and port.

The available tabs depend on the storage types connected to McAfee ESM.

3 Click Cancel to close the page.

Set up VM data storage
If your McAfee ESM VM has more than 4 CPUs, you can use additional storage for the VM's system storage, data storage, and high-performance storage.

Task
1 On the system navigation tree, select System Properties, then click Database | VM Data.

2 In each field, select the drive you want the data stored on. You can select each drive only once.

3 Click OK.

Increase accumulator indexes
Due to the number of enabled standard indexes on McAfee ESM, you can add only 5 indexes to an accumulator field. If you need more than 5, you can disable up to 42 unused standard indexes (such as sessionid, src/dst mac, src/dst port, src/dst zone, src/dst geolocation).

Task

McAfee ESM uses standard indexes to generate queries, reports, alarms, and views. If you disable an index, McAfee ESM notifies you when it can't generate a query, report, alarm, or view due to a disabled index, but it does not identify which index is disabled. Due to this limitation, do not disable standard indexes unless needed.

1 From the McAfee ESM dashboard, click and select Configuration.

2 Click Database.

3 Click Settings, then click the Accumulator Indexing tab.

4 From the Available list, click Standard Indexes, then select Show standard indexes.

5 Click the standard indexes to be disabled, then click the arrow to move them to the Available area.

The number in the remaining statement in the top right corner of the page increases with each standard index that you disable.

You can now enable more than 5 accumulator indexes for the accumulator field that you select.


Set up data retention limits
If your configuration sends historical data to the system, select how long to retain events and flows and whether to restrict historical data.

Task
1 On the system navigation tree, select System Properties, then click Database | Data Retention.

2 Select the maximum number of events and flows to retain and whether to restrict historical data.

3 Click OK.

Define data allocation limits
The maximum number of event and flow records the system maintains is a fixed value. Data allocation allows you to set how much space to allocate for each, and how many records are searched to optimize querying.

Task
1 On the system navigation tree, select System Properties, then click Database | Data Allocation.

2 Click the markers on the number lines and drag them to the wanted numbers, or click the arrows in the Events and Flows fields.

3 Click OK.

Manage accumulator indexing
If custom fields exist that pull numeric data from a source, you can accumulate several events together and average their value or generate a trending value.

Before you begin
Verify that custom types exist.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select McAfee ESM, then click the Properties icon.

3 Click Database, then click Settings.

4 Select an accumulator field from the Available drop-down list.

5 Select fields and move them to Enabled.

6 Select whether to accumulate from the present time or to rebuild past data from a date you specify.

View database memory use
View and print tables that detail how the system uses database memory.

Task
1 On the system navigation tree, select System Properties, then click Database | Memory Use.

The Events and Flows tables list the memory use of the database.

2 To print the reports, click the Print icon.


McAfee Enterprise Log Manager (ELM)
McAfee Enterprise Log Manager (ELM) supports storing, managing, accessing, and reporting on log data.

Data received by ELM is organized into storage pools, each composed of storage devices. A retention time is associated with each storage pool and the data is retained in the pool for the period specified. Government, industry, and corporate regulations require that logs be stored for different time periods.

You can set up search and integrity-check jobs on the ELM. Each job accesses stored logs and retrieves or checks data defined in the job. You can then view the results and export the information.

To configure an ELM, you must know:

• Sources that are storing logs on the ELM

• Required storage pools and their data retention times

• Storage devices that are required to store the data

Generally, you know the sources that store logs on the ELM and the storage pools that are required. What is unknown is the needed storage devices that store the data. The best approach to addressing this uncertainty is:

1 Make a conservative estimate of the storage requirements.

ELM storage pools require 10 percent of the allocated space for mirroring overhead. When calculating required space, take the 10 percent into account.

2 Configure ELM storage devices to meet the estimated requirements.

3 Review logs on the ELM for a short period.

4 Use ELM storage statistics information to change the storage device configurations to accommodate the actual data storage requirements.

Set up McAfee ESM logging
If you have an Enterprise Log Manager (ELM) device on your system, configure the default logging pool to send internal event data McAfee ESM generates to the ELM device.

Before you begin
Add an ELM device to your system.

Task
1 On the system navigation tree, select System Properties, then click ESM Management.

2 On the Configuration tab, click Logging.

3 Select the default logging options and storage pool to store internal event data, then click OK.

• If you have more than one ELM device on the system, select the ELM you want to store the data on. This McAfee ESM device always logs on to the ELM you select.

• Select the IP address that you want McAfee ESM to use to communicate with the ELM. The system notifies you when the selected ELM is successfully associated with the device.

• If storage pools have not been configured on the ELM, the system notifies you to add storage pools to the ELM before you can enable logging.


Manage storage pools
Storage pools include one or more storage allocations and a data retention time. To define where the Enterprise Log Manager (ELM) logs are stored and how long they must be retained, add them to the ELM.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the ELM, then click the Properties icon.

3 Click Storage Pools.

4 In the bottom table, click Add, or select a storage pool and click Edit, then configure the storage pool.

5 Click OK.

Mirrored allocations that use network protocols (CIFS, NFS, and iSCSI) require specific configurations to work reliably, such as being on the same switch and having a low latency. Recommended network specifications are:

• Total latency (server plus network) - 10 ms

• Total throughput (server plus network) - 20 Mb/sec

• Mirroring assumes 100% availability of the share

• Storage pool device allocations are limited to 1 terabyte per allocation. To create a pool with more than 1 terabyte, you must add multiple 1-terabyte devices.

• You can delete a storage pool as long as it, and the devices allocated to it, don't store data.

Move storage pools
You can move storage pools from one device to another.

Before you begin
Set up the storage devices you want to move the storage pool to as a mirror of the device currently holding the pool.

Task
1 On the system navigation tree, select the ELM device holding the storage pool, then click the Properties icon.

2 Click Storage Pools.

3 Click the mirrored devices listed under the pool to be moved.

4 Click Edit, and from the Data Storage Devices drop-down list, select the device that mirrors the storage pool to be moved.

It is now the main data storage device.

5 To mirror the new data storage device, select a device from the Mirrored Data Storage Device drop-down list, then click OK.


Reduce storage allocation size
If a storage device is full due to space allocated for storage pools, you can reduce the amount of space defined for each allocation, which allocates space on this device for more storage pools.

If the allocation size reduction affects data, the system moves data to other allocations in the pool (if space is available). If space is unavailable, the system deletes the oldest data.

Task
1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the ELM, then click the Properties icon.

3 Click Storage Pools.

4 On the bottom table, select the pool to reduce, then click Reduce Size.

5 Enter the amount that you want to reduce the storage, then click OK.

Mirroring ELM data storage
Set up a second ELM storage device to mirror the data collected on the main device.

If the main device goes down, the backup device continues storing the data as it comes in. When the main device comes back on line, it automatically syncs with the backup, then resumes storing the data as it arrives. If the main device goes down permanently, you can reassign the backup to become the main on McAfee ESM, then designate a different device to mirror it.

When either device goes down, a health status flag appears next to the ELM device on the system navigation tree.

A mirrored storage pool might lose connection with its storage device. The loss can be due to:

• The file server or the network between the ELM and the file server has failed.

• The file server or network is shut down for maintenance.

• An allocation file is accidentally deleted.

When there is a problem with the mirror, the storage devices show a warning icon in the Storage Pools table. Use the Rebuild function to repair it.

Add mirrored ELM data storage
You can use any storage device to mirror data saved on an Enterprise Log Manager (ELM) storage device.

Before you begin
Add the two devices you want to use to mirror each other to McAfee ESM.

Task
1 On the system navigation tree, select ELM Properties, then click Storage Pools.

2 Click Add.


3 Enter the information requested, then click Add to select the storage device and mirroring device.

You can assign a device to more than one pool at a time.

4 Click OK twice.

Rebuild mirrored storage pools
If a mirrored storage pool loses connection with its storage devices, use the Rebuild function to repair it.

Task
1 On the system navigation tree, select ELM Properties, then click Storage Pool.

2 Hover over the mirrored devices with a warning icon.

A tooltip informs you that the ELM allocation is rebuilding or that the mirrored device needs to be rebuilt.

3 Click the devices, then click Rebuild.

Disable mirroring devices
To stop using a device as a storage pool mirroring device, select a different device to replace it or select None.

Task
1 On the system navigation tree, select the Enterprise Log Manager (ELM) currently holding the mirroring storage pool, then click the Properties icon.

2 Click Storage Pools, then select the mirrored devices in the Storage Pool table and click Edit.

3 Do one of the following:

• If the device selected in Mirrored Data Storage Device is the one you want to disable, click the drop-down arrow in that field and select a different device to mirror the data storage device or select None.

• If the device selected in Data Storage Device is the one you want to disable, click the drop-down arrow in that field and select a different device to act as the data storage device.

4 Click OK.

If the device is no longer a mirroring device, it still appears in the Storage Device table.

Replace an ELM mirrored management database
If a mirrored management database storage ELM device is having a problem, you might need to replace it.

Task
1 On the system navigation tree, select the ELM device with the management database storage device that's experiencing the problem, then click the Properties icon.

2 Click ELM Configuration, then select Migrate DB.

3 In Data Storage Devices, select the device listed in the Mirrored Data Storage Device drop-down.

4 Select a new device in Mirrored Data Storage Device or select None to stop mirroring.

If the device doesn't appear in the drop-down list, add the device to the Storage Device table first.


ELM redundancy
You can provide redundancy for your logging by adding a standby ELM to the current standalone ELM on your system.

To enable redundancy, define the IP addresses and other network information on two ELMs. The standby ELM must have storage devices with enough combined space to match the storage on the active ELM. Once they are set up, the configuration on both ELMs is synchronized, and the standby ELM maintains the synchronization of data between both devices.

There are several actions you perform when working with ELM redundancy: switch over, return to service, suspend, remove, and view status. All actions are available on ELM Properties | ELM Redundancy.

Switch over

If the primary ELM goes down or needs to be replaced, select Switch ELM. The standby ELM becomes active and the system associates all logging devices to it. Logging and configuration actions are locked during the switch-over process.

Return to service

If the standby ELM goes down, you must return it to service when it is brought back up. If no changes to configuration files are detected, redundancy continues as before. If differences are detected in the files, redundancy continues for the storage pools that do not have problems, but an error status is returned stating that one or more pools are out of configuration. You must fix these pools manually.

If the standby ELM has been replaced or reconfigured, the system detects it and prompts you to rekey the standby ELM. The active ELM then syncs all configuration files to the standby, and redundancy continues as before.

Suspend

You can suspend communication with the standby ELM if it is down or is going to be down for any reason. All communication stops and error notifications for redundancy are masked. When the standby ELM is brought back up, follow the return to service process.

Disable redundancy on the ELM

You can disable ELM redundancy by selecting Remove. The active ELM saves a copy of the redundancy configuration files. If this backup file is found when enabling ELM redundancy, you are asked if you want to restore the saved configuration files.

View status

You can view details about the state of data synchronization between the active and standby ELM by selecting Status.

Managing ELM compression
To save disk space or process more logs per second, compress the data coming into the Enterprise Log Manager (ELM).

The three options are Low (default), Medium, and High. This table shows details about each level.


Level    Compression rate    Percentage of maximum compression    Percentage of maximum logs processed per second

Low      14:1                72%                                  100%

Medium   17:1                87%                                  75%

High     20:1                100%                                 50%

Actual compression rates vary depending on the content of the logs.

• To save disk space, choose high compression.

• To process more logs per second, choose low compression.
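A worked sizing calculation as an added Python example, combining the compression table above with the 10 percent mirroring overhead and the 1-terabyte allocation limit given under Manage storage pools. It is not a McAfee tool; reading 1 TB as 1000 GB, counting a mirror as a second device, and the sample volumes are assumptions made for the illustration.

```python
import math
from typing import Dict, Optional

# Figures taken from the guide: the compression table, the 10% mirroring overhead,
# the 1 TB allocation limit and the retention-policy units.
COMPRESSION_RATIO = {"Low": 14, "Medium": 17, "High": 20}       # N:1
THROUGHPUT_SHARE = {"Low": 1.00, "Medium": 0.75, "High": 0.50}  # of maximum logs/second
MIRROR_OVERHEAD = 0.10
MAX_ALLOCATION_GB = 1000   # assumption: 1 TB read as 1000 GB
RETENTION_UNIT_DAYS = {"years": 365, "quarters": 90, "months": 30}


def retention_days(count: int, unit: str) -> int:
    """Length of a retention policy in days, using the guide's unit sizes."""
    return count * RETENTION_UNIT_DAYS[unit]


def pool_estimate(raw_gb_per_day: float, count: int, unit: str,
                  level: str = "Low", mirrored: bool = True) -> Dict[str, float]:
    """Conservative first-pass sizing for one ELM storage pool.

    compressed_gb: what the retained logs occupy after ELM compression
    pool_gb:       that plus the 10% the pool reserves for mirroring
    allocations:   how many 1 TB allocations the pool needs
    devices:       allocations doubled when a mirror device holds a copy (assumption)
    """
    days = retention_days(count, unit)
    compressed_gb = raw_gb_per_day * days / COMPRESSION_RATIO[level]
    pool_gb = compressed_gb * (1 + MIRROR_OVERHEAD)
    allocations = math.ceil(pool_gb / MAX_ALLOCATION_GB)
    devices = allocations * (2 if mirrored else 1)
    return {"days": days, "compressed_gb": compressed_gb, "pool_gb": pool_gb,
            "allocations": allocations, "devices": devices}


def max_logs_per_second(level: str, max_lps_at_low: float) -> float:
    """Ingest ceiling at a compression level, relative to the Low-level maximum."""
    return max_lps_at_low * THROUGHPUT_SHARE[level]


def recommend_level(raw_gb_per_day: float, count: int, unit: str,
                    budget_gb: float, ingest_lps: float,
                    max_lps_at_low: float) -> Optional[str]:
    """Lowest compression level whose pool fits the disk budget while still
    keeping up with the ingest rate; None if no level satisfies both."""
    for level in ("Low", "Medium", "High"):
        est = pool_estimate(raw_gb_per_day, count, unit, level)
        if est["pool_gb"] <= budget_gb and ingest_lps <= max_logs_per_second(level, max_lps_at_low):
            return level
    return None


if __name__ == "__main__":
    # constructed figures: 50 GB/day of raw logs kept for one year
    est = pool_estimate(50, 1, "years", "Low")
    print(f"{est['compressed_gb']:.0f} GB compressed, {est['pool_gb']:.0f} GB with overhead,"
          f" {est['allocations']} allocations on {est['devices']} devices")
    print("recommended:", recommend_level(50, 1, "years", budget_gb=1200,
                                          ingest_lps=6000, max_lps_at_low=10000))
```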

Restore ELM data
To replace an Enterprise Log Manager (ELM), restore the management database and log data to the new ELM.

Before you begin
The ELM database and log data must be mirrored.

To restore the data from an old ELM to a new ELM, don't create an ELM using the Add Device wizard.

Task
1 On the system navigation tree, select ELM Properties for the ELM that must be replaced.

A warning page lets you know that the system can't locate the ELM.

2 Close the warning page, then click Connection.

3 Enter the IP address for the new ELM, then click Key Management | Key Device.

4 Enter the password to associate with this device, then click Next.

5 Click ELM Information | Backup & Restore | Restore ELM.

6 Resync each device logging to the ELM by clicking Sync ELM on Properties | Configuration for each device.

Restoring the ELM management database and data storage to a new ELM can take several hours.

Define an alternate storage location

To store Enterprise Log Manager (ELM) management database records in a location not on the ELM, define the alternate storage location. You can also select a second device to mirror what is stored.

Task

1 On the system navigation tree, select ELM Properties, then click ELM Configuration | Migrate DB.

2 Select the location to store the management database and a second storage location to mirror the data storage device.

The first time you select to mirror any of the existing devices, the process can take an extended amount of time.

3 Click OK.


View ELM storage usage

View the Enterprise Log Manager (ELM) storage usage to help determine space allocation on the device.

Task

1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select the ELM, then click the Properties icon.

3 Click ELM Management.

4 Click View Statistics, then select the ELM Usage tab.

Migrating ELM database

The Enterprise Log Manager (ELM) management database stores the records that track logs sent to the ELM. The amount of disk space available on your ELM device to store the management database depends on the model.

When you first add the device, the system verifies that it has enough disk space to store the records. The system might prompt you to define an alternate location for management database storage. If the device does have enough disk space but you prefer to save the database in an alternative location, you can use Migrate DB on the ELM Properties page to set up that location.

Migrate DB can be used at any time. But, if you migrate the management database once it contains records, the ELM session is on hold for several hours until the migration is complete, based on the number of records it contains. We recommend that you define this alternative location when you first set up the ELM device.

Configure ELM Storage

Contents

Disable HomeGroup file sharing
Set up external data storage
Add iSCSI devices
Link storage devices to storage pools
Format SAN storage devices
Configure a DAS to store data from an all-in-one ESM
Set up virtual local drive to store data

Disable HomeGroup file sharing

Windows 7 requires you to use HomeGroup file sharing, which works with other Windows 7 computers but not with Samba. To use a Windows 7 computer as a CIFS share, you must disable HomeGroup file sharing.

Task

1 Open the Windows 7 Control Panel, then select Network and Sharing Center.

2 Click Change advanced sharing settings.

3 Click Home or Work profile and make sure it is labeled as your current profile.

4 Turn on network discovery, file and printer sharing, and public folder.

5 Go to the folder you want to share using CIFS (try the public folder first) and right-click it.


6 Select Properties, then click the Sharing tab.

7 Click Advanced sharing, then select Share this folder.

8 (Optional) Change the share name and click Permissions.

Make sure you have permissions set as you want (a checkmark in Change = writeable). If you enable password-protected shares, update settings to ensure that your Ubuntu user is included for permission.

Set up external data storage

You can set up external storage (iSCSI, SAN, DAS, and virtual local) to store ELM data. When you connect the external storage types to the Enterprise Log Manager (ELM), set them up to store data from the ELM.

Task

1 On the system navigation tree, select ELM Properties, then click Data Storage.

The system returns all available storage devices on the appropriate tabs.

2 Click the iSCSI, SAN, DAS, or Virtual Local tab, then follow the required steps.

3 Click Apply or OK.

Add iSCSI devices

To add an iSCSI device for ELM storage, you must configure connections to the device.

Task

1 On the system navigation tree, select the ELM, then click the Properties icon.

2 Click Data Storage.

3 On the iSCSI tab, click Add.

4 Enter the information requested, then click OK.

If the connection is successful, the system adds the device and its IQNs to the iSCSI Configuration list and Device Type list on Add Storage Device.

Once an IQN begins storing ELM logs, you cannot delete the iSCSI target. Due to this limitation, set up your iSCSI target with sufficient space for ELM storage.

5 Before using an IQN for ELM storage, select it on the list, then click Format.

6 To check its status as it is formatting, click Check Status.

7 To discover or rediscover the IQNs, click the iSCSI device, then click Discover.

Attempts to assign more than one device to an IQN can result in data loss.


Link storage devices to storage pools

Add storage devices, which you can then link to storage pools.

Before you begin

Set up storage devices.

When editing storage devices, you can increase the size, but you can't reduce it. You cannot delete a device if it's storing data.

Task

1 On the system navigation tree, select ELM Properties, then click Storage Pools.

2 Click Add.

3 On Add Storage Device, fill in the requested information then click OK.

Option                   Definition

Device Type              Select the type of storage device. Migrating the ELM database requires a minimum of 506 GB of free disk space.

Name                     Type a name for the storage device.

Max size                 Select the maximum amount of storage space that you want to allocate on this device.
                         • When adding a remote storage device to the ELM, Max size defaults to 4 GB. One percent of the storage space is reserved for management of the remote storage.
                         • When adding a virtual local storage device, Max size defaults to the total storage capacity of the device. Six GB of the storage space is reserved for management of the virtual storage. You can't adjust this field.

IP Address, Remote Mount Point, Remote Path
                         Type this information for the NFS device.

IP Address, Remote Share Name, Path, Username, Password
                         Type this information for the CIFS device.

iSCSI Device             Select the device that you added.

iSCSI IQN                Select the IQN.

SAN                      Select the SAN volume that you added.

Virtual Local Volume     Select the virtual local storage device. This option is only available when the device type is Virtual Local.

4 Define connection parameters of a storage device, which is used in a storage pool for data retention.

Option                        Definition

Data Storage Devices          Select the device you want to add.
                              You can assign a device to more than one pool at a time.

Storage space                 Select the maximum amount of space on this device for storing data.
                              The system uses 10 percent of the storage space for overhead. For example, if you select 4 GB in the storage space field, 3.6 GB is available to store data.

Mirrored Data Storage Device  To mirror data on this storage device with another device, select the second storage device.
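The sizing rules this guide states for compression levels (the earlier Managing ELM compression table) and for storage pools (the 10 percent pool overhead, the 1 percent remote-device reservation, the 6 GB virtual local reservation) can be chained into a small capacity planner. The following Python is an added example, not McAfee's code; the ELM model's maximum logs per second, the daily raw log volume, and the grouping of NFS, CIFS and iSCSI devices under the guide's "remote storage device" rule are assumptions.

```python
from dataclasses import dataclass

# Compression levels from the guide: (compression ratio, share of maximum logs/second).
COMPRESSION = {"low": (14.0, 1.00), "medium": (17.0, 0.75), "high": (20.0, 0.50)}

POOL_OVERHEAD = 0.10             # 10 percent of a pool's storage space is overhead
REMOTE_RESERVE = 0.01            # 1 percent of a remote device is reserved for management
VIRTUAL_LOCAL_RESERVE_GB = 6.0   # 6 GB of a virtual local device is reserved for management


def device_capacity_gb(device_type: str, max_size_gb: float) -> float:
    """Space a device can offer to storage pools after the guide's reservation.

    "remote" covers NFS, CIFS and iSCSI devices (an assumption about which
    devices the guide's "remote storage device" rule applies to).
    """
    if device_type == "virtual_local":
        return max(0.0, max_size_gb - VIRTUAL_LOCAL_RESERVE_GB)
    if device_type == "remote":
        return max_size_gb * (1.0 - REMOTE_RESERVE)
    raise ValueError(f"unknown device type: {device_type!r}")


def pool_data_gb(storage_space_gb: float) -> float:
    """Data a pool can actually hold: 10 percent is overhead (4 GB -> 3.6 GB)."""
    return storage_space_gb * (1.0 - POOL_OVERHEAD)


@dataclass
class Plan:
    data_gb: float          # usable space for log data
    retention_days: float   # days of raw logs that fit at the chosen compression level
    eps_capacity: float     # logs/second the ELM can process at that level
    eps_ok: bool            # whether the expected ingest rate fits under that capacity


def plan(device_type: str, max_size_gb: float, level: str,
         daily_raw_gb: float, model_max_eps: float, ingest_eps: float) -> Plan:
    """Give the whole device to one pool and estimate retention and throughput.

    model_max_eps is the ELM model's maximum logs/second (an assumed input; the
    guide only gives each level as a percentage of it). daily_raw_gb is the
    uncompressed daily log volume, also supplied by the caller.
    """
    ratio, eps_share = COMPRESSION[level]
    data_gb = pool_data_gb(device_capacity_gb(device_type, max_size_gb))
    retention_days = data_gb * ratio / daily_raw_gb
    eps_capacity = model_max_eps * eps_share
    return Plan(data_gb, retention_days, eps_capacity, ingest_eps <= eps_capacity)
```

For a constructed 1000 GB iSCSI target receiving 50 GB of raw logs a day on a model assumed to process 10,000 logs per second, `plan("remote", 1000, "high", 50, 10_000, 6_000)` reports about 356 days of retention but only 5,000 logs per second of capacity, so High compression would not keep up with a 6,000 logs per second ingest rate.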


Format SAN storage devices

If you have a SAN card in your system, you can use it to store ELM data.

Before you begin

Verify that a SAN card exists in your system.

Task

1 On the system navigation tree, select ELM Properties, then click Data Storage.

2 Click the SAN tab, then check the status of the SAN volumes that were detected.

• Format required: the volume must be formatted and doesn't appear on the list of available volumes on the Add Storage Device page.

• Formatting: the volume is in the process of being formatted and doesn't appear on the list of available volumes.

• Ready: the volume is formatted and has a recognizable file system. These volumes can be used to store ELM data.

3 If a volume is not formatted and you want it to store data, click it, then click Format.

Formatting a volume deletes all stored data.

4 To check if formatting is complete, click Refresh.

When formatting completes, the system changes the status to Ready.

5 To view the details of a volume at the bottom of the page, click the volume.

Configure a DAS to store data from an all-in-one ESM

Before you beginSet up DAS devices.

Task

1 On the system navigation tree, select McAfee ESM and then click the Properties icon.

2 Click Database and then click Data Storage.

3 On the table, click one of the devices that has not been assigned to store McAfee ESM data.

4 Click Assign and then click Yes.

Once you assign a device, you can't change it.

Set up virtual local drive to store data

Detect and format virtual storage devices on the virtual Enterprise Log Manager (ELM). It can then be used for database migration and storage pools.

Before you begin

Add virtual local storage devices to the virtual ELM from its virtual environment. To add the storage, see the documentation for the virtual machine environment.

Supported virtual environments


• VMware

• KVM

• Amazon Web Service

Supported drive formats

• SCSI

• SATA

IDE is not supported.

Task

1 On the system navigation tree, select the virtual ELM, click the Properties icon, then click Data Storage.

Root and boot partitions are unavailable as viable storage options.

2 Click the Virtual Local tab, then select a device from the list of available virtual devices.

The Virtual Local tab is only available if the system detects virtual storage.

3 If the Status column says Format required, click Format to format the device with ext4 file format.

The status changes to Ready.

Work in FIPS mode

Contents

Check FIPS integrity
Troubleshoot FIPS mode


Check FIPS integrity

If operating in FIPS mode, FIPS 140-2 requires software integrity testing regularly. You must test the system and each device.

Task

1 On the system navigation tree, select System Properties, and make sure that System Information is selected.

2 Do any of the following.

In this field...            Do this...

FIPS Status                 View the results of the most recent FIPS self-test performed on the McAfee ESM.

Test or FIPS Self-Test      Run the FIPS self-tests, which test the integrity of the algorithms used in the crypto-executable. The results can be viewed on the Message Log.
                            If the FIPS self-test fails, FIPS is compromised or device failure is occurring. Contact McAfee Support.

View or FIPS Identity       Open the FIPS Identity Token page to perform power-up software integrity testing. Compare this value to the public key that appears on this page:
                            If this value and the public key don't match, FIPS is compromised. Contact McAfee Support.


Troubleshoot FIPS mode

Issues might arise when operating McAfee ESM in FIPS mode.

Issue                                          Description and resolution

Can't talk to the McAfee ESM                   • Check the LCD on the front of the device. If it says FIPS Failure, contact McAfee Support.
                                               • Check for an error condition through the HTTP interface by viewing the McAfee ESM FIPS Self-test webpage in a browser.
                                                 - If a single digit 0 is displayed, indicating that the device has failed a FIPS self-test, reboot the McAfee ESM device and attempt to correct the problem. If the failure condition persists, contact Support for further instructions.
                                                 - If a single digit 1 is displayed, the communication problem is not due to FIPS failure. Contact Support for further troubleshooting steps.

Can't talk to the device                       • If there is a status flag next to the device on the system navigation tree, place the cursor over it. If it says FIPS Failure, contact McAfee Support by going to the support portal.
                                               • Follow the description under the Can't talk to the ESM issue.

The file is invalid error when adding a device
                                               You cannot export a key from a non-FIPS device and then import it to a device operating in FIPS mode. Also, you cannot export a key from a FIPS device and then import it to a non-FIPS device. This error appears when you attempt either scenario.


7 Troubleshooting

Grant McAfee access to your system

When you place a support call to McAfee, you might need to grant access so the technical support engineer can see your system.

Task

1 From the McAfee ESM dashboard, click and select Configuration.

2 On the system navigation tree, select McAfee ESM, then click the Properties icon.

3 Click ESM Management, then select the Maintenance tab.

4 Click Connect.

The button changes to Disconnect and the system displays your IP address.

5 Give your IP address to the technical support engineer.

Support might request additional information, such as the password.

6 Click Disconnect to end the connection.
