Device Integration: McAfee (now Trellix) ePO

Modified on Thu, 16 Apr at 4:30 PM

Overview

This guide explains how to integrate McAfee ePolicy Orchestrator (ePO, now Trellix ePO) with ADR (aiSIEM/aiXDR) for centralized monitoring and threat visibility. ePO forwards its events to the CCE (Collection and Control Engine) over syslog on TCP port 514. If the log stream must be encrypted in transit, enable TCP over TLS on the CCE first and then select the matching transport when registering the syslog server in ePO.


Prerequisites

  • Administrative access to the McAfee ePO Console.

  • Administrative access to the ADR CCE Server.

  • Firewall rules allowing outbound traffic from the ePO server to the CCE on TCP port 514.

  • If using TLS, SSL/TLS must be enabled on the CCE.


Configuration on ADR CCE (Enable TCP over TLS)

If LTS is disabled

  1. Log in to the CCE server as user seceon.
  2. Enter the log processor container:

    otmdoc -s cce-log-processor
  3. Navigate to the config directory:

    cd /docker/config
  4. Open the file logstash_bas_var.yml:

    vi logstash_bas_var.yml
  5. Press i to insert and change:

    tcp_over_tls: True
  6. Save and exit:

    • Press Esc → type :wq! → press Enter.

  7. Restart the log processor container:

    otmdoc -r log-processor

If LTS is enabled

  1. Log in to the CCE server as user seceon.
  2. Enter the logs manager container:

    otmdoc -s cce-logs-manager
  3. Navigate to the config directory:

    cd /docker/config
  4. Open the file syslog_bas_var.yml:

    vi syslog_bas_var.yml
  5. Press i to insert and change:

    tcp_over_tls: True
  6. Save and exit:

    • Press Esc → type :wq! → press Enter.

  7. Restart the logs manager container:

    otmdoc -r log-manager


Configuration on McAfee ePO Console

  1. Log in to the McAfee ePO Console.

  2. Navigate: Menu → Configuration → Registered Servers.

  3. Click New Server to open the Registered Server Builder.

  4. From Server Type, select Solidcore Syslog Server.

  5. Specify:

    • Server Name (descriptive, e.g., ADR-Syslog).

    • Notes (optional).

  6. Set Syslog Port to 514 and choose the transport the CCE is configured for (TCP, or TCP over TLS if you enabled it on the CCE).

  7. Enter the CCE IP address in Server Address.

  8. Select the type of logs to forward (choose from Syslog Facility list).

  9. Click Test Syslog Send and confirm that it reports success before saving.

  10. Click Save.

You can either:

  • Send specific responses to the Syslog server, or

  • Use the seeded response option to forward all Solidcore events to ADR.


Verification (MSSP Only)

On CCE (CLI)

Run:

    sudo tcpdump -ni any 'tcp port 514'

  • Confirms that syslog packets from the ePO server are reaching the CCE. With TCP over TLS enabled the payload is encrypted, so tcpdump only proves delivery, not that the CCE accepted or parsed the events; use the ADR UI check below for that.
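As an added example (not part of this article or of the Seceon or Trellix products), the following bash pre-flight script ties the CCE-side steps above to the CLI verification: it reports whether tcp_over_tls is set in the *_bas_var.yml the article has you edit, checks that something is bound to the syslog port on the CCE, and sends one correctly formed syslog line over plain TCP or TCP over TLS, so a CCE-side problem can be separated from an ePO-side one before you run Test Syslog Send. The file path, the tcp_over_tls key and port 514 come from the article; the function names, sample file contents and message text are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not part of the Seceon/Trellix documentation.
# Pre-flight checks for the CCE syslog listener before pointing ePO at it.
# Taken from the article: the *_bas_var.yml key `tcp_over_tls: True` and TCP
# port 514. Function names, sample inputs and message text are assumptions.

# Report the tcp_over_tls setting in logstash_bas_var.yml / syslog_bas_var.yml.
# Prints "enabled", "disabled", or "missing" (unreadable file, exit status 2).
cce_tls_flag() {
    local file="$1"
    if [ ! -r "$file" ]; then
        echo "missing"
        return 2
    fi
    # Key at line start, any spacing, value True/true/TRUE, nothing else on the line.
    if grep -Eiq '^[[:space:]]*tcp_over_tls:[[:space:]]*true[[:space:]]*$' "$file"; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# PRI = facility * 8 + severity (RFC 3164/5424); local4 (20) + notice (5) = 165.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build one RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# $1 facility, $2 severity, $3 timestamp ("Apr 16 16:30:00"), $4 host, $5 tag, $6 message
syslog_line() {
    local pri
    pri=$(syslog_pri "$1" "$2")
    printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Is anything bound to the syslog port on this host? Run on the CCE; needs iproute2 ss.
cce_listener_up() {
    local port="${1:-514}"
    ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Send one test line the way ePO will: plain TCP (bash /dev/tcp) or TCP over TLS
# (openssl s_client). $1 CCE host/IP, $2 port (default 514), $3 "yes" for TLS.
# Needs a reachable listener, so it is not exercised offline.
send_test_syslog() {
    local host="$1" port="${2:-514}" tls="${3:-no}" line
    line=$(syslog_line 20 5 "$(date '+%b %e %H:%M:%S')" "${HOSTNAME:-$(hostname)}" \
                       "cce-test" "syslog path check from $(id -un)")
    if [ "$tls" = "yes" ]; then
        # -quiet implies -ign_eof; -no_ign_eof closes the session once stdin is drained.
        # Add "-CAfile <ca.pem> -verify_return_error" to fail on an untrusted CCE certificate.
        printf '%s\n' "$line" | openssl s_client -quiet -no_ign_eof -connect "$host:$port" 2>/dev/null
    else
        printf '%s\n' "$line" > "/dev/tcp/$host/$port"
    fi
}

# Usage: bash cce_preflight.sh <var_file> <cce_host> [port] [yes|no]
#   e.g. bash cce_preflight.sh /docker/config/logstash_bas_var.yml 10.0.0.5 514 yes
if [ "$#" -ge 2 ]; then
    flag=$(cce_tls_flag "$1")
    echo "tcp_over_tls in $1: $flag"
    if [ "$flag" = "enabled" ] && [ "${4:-no}" != "yes" ]; then
        echo "warning: CCE expects TLS but you are about to send plaintext"
    fi
    if cce_listener_up "${3:-514}"; then
        echo "listener on ${3:-514}: up"
    else
        echo "listener on ${3:-514}: not found (expected when run off the CCE)"
    fi
    send_test_syslog "$2" "${3:-514}" "${4:-no}" && echo "sent"
fi
```

Run it on the CCE to check the flag and the listener together, or from the ePO host (with only the send step meaningful) to confirm the firewall path in the prerequisites. A plaintext send that connects but never shows up in the ADR UI while the flag reports "enabled" is the usual sign that ePO was registered with TCP instead of TCP over TLS.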

On ADR UI

  1. Log in with administrative rights.

  2. Navigate: System → Logs and Flows Collection Status.

  3. Verify that the McAfee ePO server's IP address appears under Source Device IP.

  4. Confirm that the log count is increasing and that the events are parsed.

