Configure McAfee DXL Event Forwarding

The communication between BeyondInsight and the McAfee Data Exchange Layer (DXL) is managed by the BeyondTrust DXL Broker Service. This service is installed as an additional component to the main BeyondInsight installation and facilitates the brokering of events from BeyondInsight to the DXL fabric. Along with this service, the BeyondInsight instance must have a McAfee Agent and DXL Client installed to communicate with your McAfee DXL Broker instance. Within your McAfee ePO instance, you will need to ensure that the McAfee Agent and DXL Client installed on the BeyondInsight instance are configured for proper communication between BeyondInsight and ePO via the DXL fabric.

Installation and Configuration Overview

  1. Install the McAfee Agent 5.5 on the BeyondInsight instance.
  2. On the McAfee ePO instance:
    • Deploy the DXL Client to the BeyondInsight instance.
    • Configure the BeyondInsight event topics.
  3. On the BeyondInsight instance:
    • Verify the McAfee Agent and DXL Client connectivity.
    • Install the BeyondInsight DXL Broker service.
    • Configure a McAfee Event Forwarder connector within the BeyondInsight management console.
    • Verify the installation and configuration.

Install the McAfee Agent

On the BeyondInsight instance, follow the steps below to install the McAfee Agent.

If you cannot push the McAfee Agent from the ePO admin console due to firewall or other restrictions, you can install the agent manually by copying the installer to the BeyondInsight instance and then manually running the installer.

  1. Locate and run the McAfee Agent installer on the BeyondInsight instance. You must use the installer specific to your McAfee ePO instance. For example, it may be located at:
    C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409\FramePkg.exe
  2. Copy the FramePkg.exe file to the BeyondInsight instance and run the installer.
  3. Verify the installation by looking at the system tray for the McAfee icon.

Deploy the DXL Client to the BeyondInsight Instance

  1. On the McAfee ePO instance, deploy a DXL Client to the BeyondInsight instance using a Client Task from within the ePO administration console.
  2. Create a DXL Client Task.
  3. Select Menu > Client Task Catalog.
  4. Under McAfee Agent > Product Deployment, click New Task and then select the following:
    • Task Name: Deploy DXL Client
    • Target Platforms: Check Windows
    • Products and components: Data Exchange Layer Client 4.0+, action=Install, ...
  5. Click Save.
  6. Deploy the DXL Client to the BeyondInsight instance.
  7. Select Menu > Systems > Locate.
  8. Find the BeyondInsight instance to view the server's detail page.
  9. From the Actions list, select Agent > Run Client Task Now.
  10. Locate the Deploy DXL Client task created above.
  11. Select McAfee Agent > Product Deployment > Deploy DXL Client.
  12. Click Run Task Now.

Configure the BeyondInsight Event Topics

On the McAfee ePO instance, create topic subscriptions for the BeyondInsight categories you wish to receive.

Open the ePO administration console, and then navigate to the SIA DXL Task and to the BeyondInsight topics of interest:

  • Appliance Health: /beyondtrust/event/beyondinsight/genapphlth
  • Clarity: /beyondtrust/event/beyondinsight/clarity_mlwr
  • File Integrity Monitoring: /beyondtrust/event/beyondinsight/fim
  • PBMac: /beyondtrust/event/beyondinsight/pbmac
  • PBPS: /beyondtrust/event/beyondinsight/pbps
  • PBW - Events: /beyondtrust/event/beyondinsight/pbw
  • PBW - Vulnerabilities: /beyondtrust/event/beyondinsight/pbw_vulnerability
  • Retina: /beyondtrust/event/beyondinsight/retina
  • Uncategorized Events: /beyondtrust/event/beyondinsight/uncategorized
  • Test Events: /beyondtrust/event/beyondinsight/test

Verify the McAfee Agent and DXL Client Connectivity

After the McAfee Agent and DXL Client are successfully installed, verify the connectivity on the BeyondInsight server by opening the About section from the McAfee icon in the system tray. It should list the McAfee Agent as running and connected and the DXL Client as running and connected.

The DXL Client might not be in a connected state until the BeyondInsight DXL Broker service is installed and running.

Run the BeyondInsight DXL Broker Service Installer

  1. Run the BeyondInsightDXLMessageBroker.msi installer from an elevated command prompt and go through the installation steps. Admin privileges are required to enable the MSMQ Windows feature.
  2. An MSMQ Windows feature is enabled with a default DXL events (outbound) queue. This can be managed in the following location: Computer > Manage > Services and Applications > Message Queue.

By default this queue is not accessible by the admin. In order to manage this queue, refer to the steps below.

  3. The installer deploys the BeyondInsight DXL Broker service, along with the service configuration, logs, and utilities to the following location: C:\Program Files\BeyondInsight\DXL Broker Service.

  4. To view and manage the private queues, an admin user might need to do the following:
    • Take ownership of the queue through Properties > Security > Advanced button > Owner.
    • Change the owner to an admin user.
    • Add the admin user to Users and Groups for the queue and assign full control access.
    • Ensure that the McAfee system tray indicates that the DXL Client is connected.
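
The installer steps above can be checked from PowerShell on the BeyondInsight instance. The script below is an added example, not BeyondTrust or McAfee code; it assumes the MSMQ PowerShell module is available, takes the broker service name from the sc delete command later on this page, and lists every private queue because the page does not name the DXL events queue.

```powershell
# Added example (not vendor code): post-install checks on the BeyondInsight instance.
# Run from an elevated PowerShell session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

function Test-ServiceRunning {
    param([string]$Name)
    # A missing service is reported as "not running" rather than as an error.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

[pscustomobject]@{
    ElevatedSession      = $elevated
    MsmqServiceRunning   = Test-ServiceRunning -Name 'MSMQ'
    # Service name as used by the "sc delete" command in the troubleshooting section.
    BrokerServiceRunning = Test-ServiceRunning -Name 'BeyondInsightDXLMessageBroker'
    # Install location as stated in the installer steps.
    BrokerFolderPresent  = Test-Path 'C:\Program Files\BeyondInsight\DXL Broker Service'
} | Format-List

# Assumption: the MSMQ module (Get-MsmqQueue, Get-MsmqQueueACL) is installed.
# The page does not name the DXL events queue, so all private queues are listed.
try {
    $queues = @(Get-MsmqQueue -QueueType Private -ErrorAction Stop)
    foreach ($q in $queues) {
        "Queue: $($q.QueueName)  Messages: $($q.MessageCount)"
        # Review who holds rights on the queue after ownership has been changed.
        $q | Get-MsmqQueueACL | Format-Table -AutoSize | Out-String
    }
} catch {
    # Typical causes: MSMQ module missing, or the session lacks rights on the queue.
    Write-Warning "Could not enumerate private queues: $($_.Exception.Message)"
}
```

After an admin account has been given full control of the queue, the ACL output shows every account that holds rights on it, so an unexpected entry stands out.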

Create the BeyondInsight DXL Event Forwarder Connector

  1. In the BeyondInsight console, go to Configuration > General > Connectors.
  2. In the Connectors pane, click Create New Connector.
  3. Enter a name for the connector.
  4. Select McAfee DXL Event Forwarder from the Connector Type list.
  5. Click Create Connector.
  6. Leave Active (yes) enabled.
  7. Expand Event Filters, and then select event types to forward.
  8. Click Test Connector to send a test event message. Within ePO, verify that the Test topic has received the test event message.
  9. Click Create Connector.

For more information, please see Configure the BeyondInsight Event Topics.

Troubleshoot Issues with McAfee DXL Connector

The McAfee Agent or DXL Client Not Showing as Connected

After installing the McAfee Agent and DXL Client, a machine reboot might be required to register the new software.

The McAfee Agent Icon Not Appearing in the System Tray

  1. Open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  3. Delete the McAfeeUpdaterUI entry.

  4. Create a new value named McAfeeUpdaterUI with a value of
    C:\Program Files\McAfee\Agent\x86\UpdaterUI.exe /StartedFromRunKey.
  5. Restart the machine. The McAfee icon is displayed in the system tray.

The BeyondTrustDXLMessageBroker Installer Fails

To debug installer issues, you can execute the installer with the following command:

msiexec /i "<path to your installer>\BeyondInsightDXLMessageBroker.msi" /l*v MyLogFile.txt

A 1603 Error Code often indicates that the installer is not being executed with sufficient privileges to enable the MSMQ Windows feature.
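
To find which action produced the failure, search the verbose log for the first action that ended with "Return value 3", the Windows Installer marker for a fatal error. The function below is an added example, not BeyondTrust code; the sample log lines and the action name EnableMsmqFeature are constructed for illustration and are used only when MyLogFile.txt is not present in the current directory.

```powershell
# Added example (not vendor code): locate the failing action in an msiexec /l*v log.
function Get-MsiFailedAction {
    param([string[]]$Line)
    for ($i = 0; $i -lt $Line.Count; $i++) {
        # "Return value 3" means the action ended with a fatal error.
        if ($Line[$i] -match '^Action ended \S+ (?<action>.+?)\. Return value 3\.') {
            $start = [Math]::Max(0, $i - 5)
            [pscustomobject]@{
                Action  = $Matches['action']
                LineNo  = $i + 1
                # The lines just before the failure usually carry the real error text.
                Context = $Line[$start..$i] -join [Environment]::NewLine
            }
        }
    }
}

# Constructed sample; the action name is hypothetical, not taken from the real installer.
$sample = @'
MSI (s) (2C:48) [10:15:02:101]: Doing action: EnableMsmqFeature
Action start 10:15:02: EnableMsmqFeature.
CustomAction EnableMsmqFeature returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 10:15:03: EnableMsmqFeature. Return value 3.
Action ended 10:15:03: INSTALL. Return value 3.
MainEngineThread is returning 1603
'@ -split '\r?\n'

$log   = 'MyLogFile.txt'
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }

# The first failing action is the root cause; later ones (such as INSTALL) are roll-ups.
Get-MsiFailedAction -Line $lines | Select-Object -First 1 | Format-List
```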

The BeyondTrust DXL Message Broker Service Cannot be Restarted or Removed

If necessary, to forcibly remove a stuck service (and subsequently re-install the service), use the following command:

sc delete BeyondInsightDXLMessageBroker

Location of Log Files

  • BeyondInsight Message Broker logs are located here by default:

    C:\Program Files\BeyondTrust\DXL Message Broker\Logs

  • McAfee Agent and DXL Client logs are located here by default:

    C:\ProgramData\McAfee\Agent\logs

    C:\ProgramData\McAfee\Data_Exchange_Layer