McAfee Enterprise Security Manager:
Security information and event management (SIEM) solution brings event, threat, and risk data together to provide strong security intelligence, rapid incident response, seamless log management, and compliance reporting—delivering the context required for adaptive security risk management.At the core of our SIEM offering, McAfee Enterprise Security Manager delivers the performance, actionable intelligence, and real-time situational awareness required to identify, understand, and respond to stealthy threats, while the embedded compliance framework simplifies compliance.
Some useful commands of McAfee SIEM: CLI Reference
Change IP address |
# /etc/NitroGuard/network.conf # /etc/NitroGuard/globals.conf |
Restart ESM |
# service cpservice stop |
# service cpservice start |
Restart APM |
# /etc/init.d/apm stop |
# /etc/init.d/apm start |
# NitroStop –nod (no daemon) |
# NitroStart –nod (no daemon) |
View ESM DB Errors |
tailf /usr/local/ess/data/NitroError.Log |
less /usr/local/ess/data/NitroError.Log (Use ‘q’ to exit the text editor) |
View Rebuild Status of DB Partitions (in addition to ESM System Properties page) |
# /data_hd/usr/local/ess/data/watch –d ‘ls –lia *X*’ |
Viewing Sort Files created by ESM (too large can create slow downs) |
# /data_hd/usr/local/ess/data/du –ch *SRT* |
Retrieve APM Crash Logs Location |
# /var/log/ice/crash.log |
Retrieve Health Status on SIEM device |
# cat /var/lib/HealthStatus.data (tac for newest first, cat for oldest first) |
Gather appliance resource information |
# grep Resource /var/log/messages |
Check Event Receiver for Restart Events |
cat /var/log/messages* | grep -i “starting ERC” (tac for newest first, cat for oldest first) |
less /var/log/messages (type ‘q’ to exit the editor, “Shift + g” to get to the end of the file) |
Check upgrade history |
# cat /etc/upgrade.history (tac for newest first, cat for oldest first) |
Zip Messages Log |
# cd /var/log |
# tar –czvf messages.tgz messages* |
Checking RAID drives (from /opt/MegaRAID/MegaCli/) |
#./MegaCli64 -ldinfo -l0 -a0 |
#./MegaCli64 -ldinfo –l1 -a0 |
#./MegaCli64 -pdlist -a0 |
Most helping CPU processes view |
# ps -ejH (shows processes and threads) |
# ps -C commandname (search like “ps | grep”)# ps -auxf (most details) |
# ps -ax (all processes) |
View the Build Version of the McAfee Software on the appliance |
# cat /etc/buildstamp |
View the build version of the Linux OS |
# cat /proc/version |
Check Disk Space – General |
# df –h (to show space by drive) or du –h (to show space by folder) |
Check if logs are being sent to a receiver |
# tcpdump –nni eth1 host 10.x.x.x |
Check multiple hosts |
# tcpdump –nni eth1 ‘(host 10.x.x.x or host 10.y.y.y)’ |
Finding the largest file on a system |
Use the du command to find out how much data is in each directory. |
# du -hc –max-depth=1 |
This will return the base level directories with the size. |
NOTE: is best to start in the “/” directory. |
The following command will limit the results to only the Gigabyte size directories: |
# du -hc –max-depth=1 | grep G |
You can continue to use these commands as you drill down in the directories to find the directory that contains the largest amount of data. |
Check the disk utilization |
Sar –d 1 10 |
Checks disk utilization every second over 10 seconds |
TCP dump commands when you do not see the expected DBM data |
# ifconfig -a (determines which eth port DB traffic is being sent to) |
# tcpdump -s0 -ieth3 -wfile1.pcap host 1.2.3.4 and port 1433 (dump file will be called file1.pcap in the current directory) |
Run the dump for 30, and then press CTRL+C to escape out. Check the file size and repeat. Generally a few hundred MBs worth of files should be good if you see the expected DB traffic in the tcpdump. |
To check for vlan tagging |
# tcpdump -s0 -ieth3 -wfile1.pcap vlan # host 10.x.x.x and port 1433 (optional to leave the tag number, for example 130, |
# tcpdump -s0 -nnvXi eth1 vlan # and host 172.x.x.x and port 1433 (with vlan tag and shows packet contents in list form) |
# tcpdump -s0 -nnvXi eth1 -wfile3.pcap vlan # and host 172.x.x.x and port 1433 (with vlan tag and saves tcpdump to pcap file) |
Find all Receiver database index files |
# ls /var/log/data/inline/ |
Track Receiver database index progress |
# tailf /var/log/data/inline/NitroError.Log |
Restarting collectors / parsers on a Receiver |
# killall collectorsctl filterctl parsersctl |
# /etc/init.d/nitrodbserver restart |
# collectorsctl — +laux |
# filterctl — +laux |
# parsersctl — +laux |
Restarting WMI collector / parser only |
# killall -9 wmin |
# killall -9 wmip |
Run checksum on install file |
# sha1sum |
Check DAS Virtual Drive Information from ESM or ELM |
Watch –d megacli –ldinfo –l0 –a0 |
“Ctrl + C” to exit |
Check DAS Drive Status |
megacli -pdlist -a0 | grep Firmware |
Check the Controller, RAID, and Drive Status on ESM |
Show the Controller: |
# tw_cli show |
Show the Status of the RAID/Drives |
# tw_cli show c# (# shown using show command – c2 for ESM’s, c0 on 2250 Receivers and APM) |
Show individual drive status |
# tw_cli info c2 p# (# drive number) |
Show individual drive serial number |
# tw_cli info c2 p# serial (# drive number) |
Check HA or Cluster Status on Receiver or ESM |
# ha_status |
# crm status |
Check agent logs status on Receiver |
# tailf /var/log/NPP_c.log |
# tailf /var/log/NPP_p.log |
Finding and viewing raw logs in stored text file on Receiver (example) |
# tail –n 1000 /var/log/NPP_c.log | grep 10.198.12.73 |
Results: NPP_c[18094]: Got a connection from client IP addr: 10.198.12.73, id = 105 |
Find the ID of the host and use on the next command to find files to search |
# ls /var/log/data/inline/thirdparty.logs/105/in/ |
# cat /var/log/data/inline/thirdparty.logs/105/in/data.20121115161524000 |
View ESM DB partitions |
# !nsq (shortcut command which will launch the nsql command below – if in the correct directory) |
# nsql /usr/local/ess/data/connect_esm.sql (To exit the nsql editor type ‘x’ or ‘exit’ and ) |
(Attached = Good, Detached = Call Support, Bad = Awaiting Rebuild) |
To view Event data |
show partitions from alert |
To view Flow data |
show partitions from connection |
To view Appliance Packet data |
Show partitions from packet |
View record counts in DB |
# nsql /usr/local/ess/data/connect_esm.sql (To exit the nsql editor type ‘x’ or ‘exit’ and ) |
To view event data |
select count(*) from alert |
To view flow data |
select count(*) from connection |
To view Appliance Packet data |
select count(*) from packet |
View Event data on a receiver |
# nsql /var/log/data/inline/connect.sql (Launch this command when ssh in to a receiver) |
To view Event data |
show partitions from event |
To get the clutter off of the SSH session and your prompt back to the top of the screen (does not remove scroll back data on screen) |
clear |
Article for rekeying a SIEM Appliance |
# cd /root/.ssh |
# cat /etc/NitroGuard/factory-id_rsa.pub >authorized_keys2 |
Wiping Receiver Data Sources and log files |
# rm /etc/NitroGuard/thirdparty.*.* |
# rm /var/log/data/inline/thirdparty.logs/(1* thru 9*) |
# rm /var/log/data/inline/thirdparty.logs/elm.logs/(1* thru 9*) |
# rm /var/log/data/inline/thirdparty.logs/elm.logs/tmp/(1* thru 9*) |
ESM Related |
Quickest running filters – Very Important!!!! |
There are combinations of filters that are specifically tuned to run more quickly. These combinations have been defined by users who frequently use the filters for quickly drilling down to specific events. |
Signature ID + Event Subtype + Protocol |
Signature ID + Source IP |
Signature ID + Destination IP |
Source IP + Destination IP |
Additional Enhancements since 8.x: |
Normalization ID + Source IP |
Normalization ID + Destination IP |
Normalization ID + Event Subtype |
Normalization ID + Protocol |
Normalization ID + Signature ID |
Source Zone + Destination Zone |
Directory Related |
ESM & Receiver Software File Location (for upgrades) |
/usr/local/ess/SoftwareUpdates/ |
/usr/local/NitroGuard |
ESM Software File Locations Archives |
/usr/local/ess/update/archive/ |
ESM Default Backup Location |
/db1/usr/local/ess/dbbackup/ |
ESM DB Blob & Index Location |
/data_hd/usr/local/ess/data/ |
ESM Index HD Location (Most recent data) |
/index_hd/usr/local/ess/data/ |
|
ESM Redundant File Copy Location (For Alert, Connection, and Log files) |
|
|
/usr/local/ess/dbredund |
Commands: McAfee-ETM-6000 ~ # less /usr/local/ess/data/NitroError.Log McAfee-ETM-6000 ~ # service cpservice stop tailf /var/log/messages – Watch what’s happening Tcpdump -nni eth0 host -vvv -w NitroTID – get database troubleshooting information Indications that database needs to be rebuilt: 2016/05/24 11:43:01.429 Error 132 opening table with field Alert.ALERTTIM(partition 2406)(data count = 77427336, index count =77427320) Index count does not match record count Rebuild Database index: McAfee-ETM-6000 ~ # cd /usr/local/ess/data McAfee-ETM-6000 /usr/local/ess/data # mkdir copy_ngcp McAfee-ETM-6000 /usr/local/ess/data # McAfee-ETM-6000 /usr/local/ess/data # McAfee-ETM-6000 /usr/local/ess/data # cd copy_ngcp/ McAfee-ETM-6000 /usr/local/ess/data/copy_ngcp # ls ngcp.cfd ngcp.cfg McAfee-ETM-6000 /usr/local/ess/data/copy_ngcp # cd ../ McAfee-ETM-6000 /usr/local/ess/data # rm ngcp.cfg McAfee-ETM-6000 /usr/local/ess/data # rm ngcp.cfd McAfee-ETM-6000 /usr/local/ess/data # ls Check Database: McAfee-ETM-6000 ~ # service cpservice stop Stopping ESS McAfee-ETM-6000 ~ # DBCheck -d ‘/usr/local/ess/data/ngcp.dfl’ McAfee-ETM-6000 ~ # DBCheck -d Option at position 5 needs an argument : t McAfee-ETM-6000 ~ # DBCheck -d DBCheck -d ‘/usr/local/ess/data/ngcp.dfl’ -p |
Check database health: 1. # cd /usr/local/ess/data 2. # DBCheck |
Check Syslog for Raid errors: 1. # cd /usr/local/ess/data 2. # Dmesg | grep RAID |
Display Raid Status 1. # cd /usr/local/ess/data 2. # MegaCli64 -CfgDsply -aAll | grep fail or grep down |
Use grep for “downgraded, or fail”which will indicate raid issues |