Configuring The McAfee Windows Event Collector Management Utility - GenericLog

The document provides instructions for configuring the McAfee Windows Event Collector Management Utility to transmit non-Windows log files from a client to a McAfee Event Receiver Collector (ERC). It involves downloading the Windows agent, defining the ERC destination, creating an event collection group in the utility, adding a host to the group, and configuring the host for generic log file transmission by specifying the log file source details. Once configured, the agent service is started to begin log file collection and transmission.

Uploaded by JC AM

Configuring the McAfee Windows Event Collector Management Utility *Also can provide client transmission of other non-Windows log files*

Utility Install
1. Download the MFE Nitro Windows Agent (choose the latest version) from
https://secure.mcafee.com/apps/downloads/my-products/component-product-list.aspx?region=us
(you must have an active Grant # with access to SIEM software).
2. Run the Setup_x86_[version #].exe file on your Windows client, or use the
WindowsEventCollectorInstaller_x86_[version #].msi to deploy via 3rd-party tools.

3. Click “I Agree” for licensing Terms

4. Define any custom install path or choose default, and click Next
5. Enter the IP address of the McAfee ERC (receiver) that you want to receive the logs,
adjust the MEF port if necessary (default 8081; note that you need to know this value, as you
must define it as a listening interface on your collector), choose the SSL option if you require
event logs to be encrypted in transmission, and click Next.

6. Choose whether you want the utility to open after install, and click Finish.

Configure Generic Log File Transmission


1. Click on Start>Programs>McAfee>Event Collector Management Utility
2. Click to highlight EventCollector, then click the “+” in the top bar to add a new Event
Collection Group (groups are used to group together multiple log types).

3. Provide the following for your group:

o Name of Group - use a semi-descriptive name for the purpose of this event collection
group.
o Account Used to Access Host Logs - this can be a general account that you define at the
default event collector level, or one specific to this log file location. When complete,
you can click Validate Against Agent to test that the credentials have access.
o Debug Log Level - if this is just a flat file, this option doesn’t matter, as the agent will
transfer the entire file (it is relevant if you are pulling actual logs from a Windows event
viewer).
o Click Apply.

4. If you get a “Correct Errors” dialog box, you will either need to modify the configuration
so that you can connect, or click No until you resolve the issue and then re-enable the group
later.

5. Once your new group is created, highlight the group and click the “+” option to add a host
to your group.

6. Configure the Host Information:

o Enter the hostname/IP address of the host you are configuring.
o Check the Host Enabled box (if the host is not live yet, you will need to come back and
enable it once it is).
o Choose the account with access to the host (if different from the group settings above).
o Choose the log configuration (for a flat log file, choose “Generic Log Tail” as seen
below).
o Give the configuration a name (this is just a descriptive name that you choose).
o Enter the Data Source IP of where the logs are located.
o Enter the full directory path to the logs (either a local directory or a full UNC path if
the directory is remote).
o Enter the log file name (a wildcard can be used, e.g. *.log for all files ending in .log).
o Choose whether you want the agent to tail from the beginning of the file or from the end
(you can go back in time if the file is only appended to; be careful if log files are not
overwritten often, as going back in time puts a larger indexing load on the McAfee ESM
database).
o If the log contains multi-line events, select the Multi-Line Events check box.
o If the log contains multi-line events, you must choose the delimiter used for the file read.
o If the delimiter you have defined is a regex value, then you must check the Regex box.
o If the events are multi-line, specify how many lines are included in a single event, if
known.

7. Once everything is defined, click the Service option from the top menu bar and choose to
start the agent service.
8. Ensure that all groups, and all hosts within the groups, that you want collection on are
set to “Enabled”; you should then see “Service Started” in the bottom left corner of the
screen.
9. You have now completed the configuration of a Generic Log.
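The Generic Log Tail options in step 6 (tail from beginning or end, multi-line events, delimiter, regex flag, lines per event) decide which events the agent forwards. The following Python model is added here as an illustration and is not code from the McAfee agent; the field names, the constructed sample log, and the assumption that the delimiter marks the first line of each event are mine, not the agent's.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class GenericLogTailConfig:
    # Illustrative field names mirroring the step 6 options; not the agent's real schema.
    tail_from_beginning: bool = True   # False = only forward lines appended after the agent starts
    multi_line: bool = False
    delimiter: str = ""                # assumed to mark the first line of each event
    delimiter_is_regex: bool = False
    lines_per_event: int = 0           # 0 = unknown; fall back to the delimiter


def split_events(lines: List[str], cfg: GenericLogTailConfig) -> List[str]:
    """Group raw lines into discrete events according to the multi-line settings."""
    if not cfg.multi_line:
        return [ln for ln in lines if ln.strip()]          # one non-empty line = one event
    if not cfg.delimiter and cfg.lines_per_event > 0:      # fixed-size events, no delimiter
        n = cfg.lines_per_event
        return ["\n".join(lines[i:i + n]) for i in range(0, len(lines), n)]
    pat = re.compile(cfg.delimiter if cfg.delimiter_is_regex else re.escape(cfg.delimiter))
    events, current = [], []
    for ln in lines:
        if pat.match(ln) and current:                      # delimiter line starts a new event
            events.append("\n".join(current))
            current = []
        current.append(ln)
    if current:
        events.append("\n".join(current))
    return events


def collect(existing: str, appended: str, cfg: GenericLogTailConfig) -> List[str]:
    """Events the agent would forward: history is included only when tailing from the beginning."""
    lines = appended.splitlines()
    if cfg.tail_from_beginning:
        lines = existing.splitlines() + lines
    return split_events(lines, cfg)


# Constructed sample: a Java-style log where each event begins with a timestamp line.
EXISTING = ("2024-01-01 10:00:00 INFO service started\n"
            "2024-01-01 10:00:05 ERROR request failed\n"
            "    at com.example.Handler.run(Handler.java:42)\n")
APPENDED = "2024-01-01 10:00:09 WARN disk 91% full\n"
CFG = GenericLogTailConfig(multi_line=True, delimiter=r"^\d{4}-\d{2}-\d{2} ", delimiter_is_regex=True)

if __name__ == "__main__":
    for ev in collect(EXISTING, APPENDED, CFG):
        print(repr(ev))
```

With tail_from_beginning set to False the same run yields only the appended WARN event, which is the trade-off step 6 describes between history and ESM indexing load.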
