Instructions for forwarding McAfee ePolicy Orchestrator (ePO) logs to your Log Management device


McAfee ePolicy Orchestrator (ePO) 5.9.x, 5.3.x to Clone LOGM/SIEM
  • Make sure your ePO installation is version 5.9 or 5.3.2 (with Hotfix 1185471 applied).
Note: Without Hotfix 1185471 applied to ePO 5.3.2, you can complete the installation of the syslog server, but ePO will not be able to communicate with the syslog server.

Note: If you use ePO 5.3.2 with Hotfix 1185471 applied and you have additional agent handlers, an extra step is required to replace two files on the agent handler with the Hotfix versions taken from the ePO server. See KB87469 for details.

Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device

1. Launch McAfee ePolicy Orchestrator (ePO), enter your Username and Password, and then click the Log On button.TTY.

2. Add a new Registered Server and select Syslog for the

3. Enter the FQDN of the syslog server. Note: you will need to create an DNS record on your DNS server to the Clone Systems LOGM/SIEM IP addresses.

4. Enter ‘6514‘ for the port (or whatever port was communicated by Clone Systems’ Support Team).

5. Select Enable event forwarding.

6. Click Test Connection.

Note: You should see a syslog connection success message when done.

7. Click Save to save the syslog Registered Server.

Note: All threat events received by ePO should now be automatically forwarded to the syslog server.