Documentation Center
AlienVault® USM Anywhere™

McAfee Database Security

When you configure McAfee Database Security integration to send log data to USM Anywhere, you can use the McAfee Database Security plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor McAfee
Device type Database
Connection type syslog
Vendor link For details, see the vendor documentation in PDF format McAfee Database Security ArcSight Integration via Syslog.

McAfee Database Security Integration

To configure McAfee Database Security to send log data to USM Anywhere

  1. Log into the Database Security console.

  2. Go to System > Interfaces > Syslog.

  3. Activate the Use syslog checkbox.

  4. Configure the syslog Host and Port

    • Host — USM Anywhere Sensor IP address
    • Port — 514 for UDP, or 601 for TCP
  5. Select either UDP or TCP transport protocol.

  6. Set the syslog format to CEF.

  7. Click Save.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0
  • customfield_1
  • customfield_2
  • customheader_0
  • customheader_1
  • customheader_2
  • destination_address
  • destination_process
  • destination_username
  • event_action
  • event_name
  • event_receipt_time
  • event_severity
  • external_id
  • highlight_fields
  • plugin_device
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • source_hostname

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://kc.mcafee.com/corporate/index?page=content&id=KB81849