Sending McAfee ePO Threat based SNMP traps to ELK SIEM

The ELK stack receives SNMP traps that the device sends (in Logstash, through the snmptrap input) and turns each trap into an event that the pipeline can filter and index.

Configuring a Registered SNMP Server in McAfee ePO so that it sends threat-based SNMP traps to ELK.

1. Log in to the McAfee ePO web console.
2. Go to Main Menu > Configuration > Registered Servers, and click New Server.
The Registered Server Builder opens.

3. For Server type, select SNMP Server.
4. For Name, enter a descriptive name for the SNMP server (for example, the IP address of the Logstash host).
5. Enter any Notes, and click Next to go to the Details page.
6. For Address, select IPv4 from the drop-down and enter the IP address or DNS name of the Logstash host (the server running the snmptrap input) that will receive the SNMP traps.
7. For SNMP Version, select SNMPv1 or SNMPv2c, matching what the receiving snmptrap input expects.
8. For Community, enter a community string.

Note: The community string entered here must match the community setting of the Logstash snmptrap input (the plugin's default is public); the input only accepts traps whose community string matches, so use the same value on both ends.

9. Click Send Test Trap to confirm that the trap reaches Logstash, and then click Save.

Within McAfee ePO you cannot change the destination port for SNMP traps; ePO always sends to the default UDP 162.
The Logstash snmptrap input, on the other hand, defaults to UDP 1062 because binding a port below 1024 normally requires root. Either set the input's port to 162 and run Logstash with the privilege to bind it, or keep the input on its default port and redirect incoming UDP 162 to that port on the receiving host (for example with a port-forwarding/NAT rule in the host firewall).

Input : input.conf

Filter : filter.conf

Output : output.conf
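The three pipeline files listed above are not reproduced on this page. The following single pipeline file is an added example (not the page's own input.conf, filter.conf or output.conf) that covers the same input, filter and output stages for ePO traps. The listen address, port, community string, Elasticsearch URL and index name are assumptions chosen for illustration; adjust them to your environment.

```logstash
# Added example: one Logstash pipeline covering input, filter and output for
# McAfee ePO SNMP traps. Not the page's own configuration; the host, port,
# community string, Elasticsearch URL and index name are assumptions.

input {
  snmptrap {
    # ePO always sends to UDP 162. Binding 162 normally needs root, so the
    # plugin defaults to 1062; redirect 162 -> 1062 on the Logstash host, e.g.
    #   iptables -t nat -A PREROUTING -p udp --dport 162 -j REDIRECT --to-ports 1062
    host      => "0.0.0.0"
    port      => 1062
    # Must equal the Community set on the ePO Registered Server entry; the
    # plugin only accepts traps whose community string matches.
    community => ["public"]
    type      => "snmptrap"
  }
}

filter {
  if [type] == "snmptrap" {
    mutate {
      add_tag   => ["mcafee_epo"]
      add_field => { "[event][module]" => "mcafee_epo" }
    }
    # The plugin stores each trap varbind in a field named after its OID
    # (numeric unless the ePO MIB has been loaded). Vendor-specific renaming
    # of those fields goes here once you have confirmed which OIDs ePO sends.
  }
}

output {
  if "mcafee_epo" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]   # assumption: local single node
      index => "mcafee-epo-%{+YYYY.MM.dd}"
    }
  }
}
```

Start Logstash with this pipeline, then use Send Test Trap on the ePO Registered Server page; the test trap should appear in the mcafee-epo index tagged mcafee_epo. If it does not, check the community string first, then confirm that UDP 162 is actually being redirected to the port the input listens on.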