MCAFEE EPOLICY ORCHESTRATOR (ePO)

Instructions for forwarding McAfee ePolicy Orchestrator (ePO) logs to your Log Management device

PREREQUISITES

McAfee ePolicy Orchestrator (ePO) 5.9.x, 5.3.x to Clone LOGM/SIEM
  • Make sure your ePO installation is version 5.9 or 5.3.2 (with Hotfix 1185471 applied).
Note: Without Hotfix 1185471 applied to ePO 5.3.2, you can complete the installation of the syslog server, but ePO will not be able to communicate with the syslog server.

Note: If you use ePO 5.3.2 with Hotfix 1185471 applied and you have additional agent handlers, an extra step is required to replace two files on the agent handler with the Hotfix versions taken from the ePO server. See KB87469 for details.

Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1. Launch McAfee ePolicy Orchestrator (ePO), enter your Username and Password, and then click the Log On button.

2. Add a new Registered Server and select Syslog for the type.

3. Enter the FQDN of the syslog server. Note: you will need to create a DNS record on your DNS server that points this FQDN to the Clone Systems LOGM/SIEM IP address.

4. Enter ‘6514’ for the port (or whatever port was communicated by Clone Systems’ Support Team).

5. Select Enable event forwarding.

6. Click Test Connection.

Note: You should see a syslog connection success message when done.

7. Click Save to save the syslog Registered Server.

Note: All threat events received by ePO should now be automatically forwarded to the syslog server.
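The two steps that most often fail in practice are the DNS record from step 3 and the Test Connection in step 6. The script below is an added example (not part of the Clone Systems or McAfee documentation) that reproduces those two checks from any host that can reach the LOGM/SIEM: it resolves the FQDN and then attempts a TLS handshake on port 6514, which is what a listener on that port is expected to speak. The FQDN and port are command-line arguments; the function names and the certificate-verification default are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight check for ePO syslog forwarding (added example, not vendor code).

Assumes the Clone Systems LOGM/SIEM accepts TLS syslog on TCP 6514 (the port
from step 4) and that the FQDN from step 3 has a DNS record pointing at it.
"""
import socket
import ssl
import sys

DEFAULT_PORT = 6514  # port given in step 4 of the instructions


def parse_target(target: str, default_port: int = DEFAULT_PORT):
    """Split 'host[:port]' into (host, port); the port must be 1..65535."""
    host, sep, port_text = target.rpartition(":")
    if not sep:
        return target, default_port
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def resolve(fqdn: str) -> dict:
    """Step 3 check: does the FQDN resolve to at least one address?"""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
        return {"ok": True, "addresses": addrs}
    except socket.gaierror as exc:
        return {"ok": False, "error": f"DNS lookup failed: {exc}"}


def tls_probe(host: str, port: int, timeout: float = 5.0, verify: bool = True) -> dict:
    """Step 6 check: TCP connect, then a TLS handshake, as a syslog client would.

    With verify=True the listener's certificate must chain to a trusted CA and
    match the FQDN; set verify=False only to diagnose a certificate problem.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert() or {}
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"ok": True, "tls_version": tls.version(),
                        "peer_cn": subject.get("commonName")}
    except ssl.SSLError as exc:
        return {"ok": False, "error": f"TLS handshake failed: {exc}"}
    except OSError as exc:
        return {"ok": False, "error": f"TCP connect failed: {exc}"}


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <logm-fqdn>[:port]", file=sys.stderr)
        return 2
    host, port = parse_target(argv[1])
    dns = resolve(host)
    print("DNS:", dns)
    if not dns["ok"]:
        return 1
    tls = tls_probe(host, port)
    print("TLS:", tls)
    return 0 if tls["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 epo_syslog_check.py logm.example.com` (a constructed hostname) from the ePO server itself, since that is the host whose DNS view and network path matter. A "TCP connect failed" result points at the DNS record, routing or a firewall between ePO and the LOGM/SIEM; a "TLS handshake failed" result means the port is open but the listener's certificate is not trusted or does not match the FQDN, which is worth fixing rather than bypassing because ePO will otherwise be sending threat events to an unauthenticated endpoint.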