To configure the Trellix Linux Operating System (formerly MLOS) Manager to integrate with SIEM:
- Log on to the Manager.
- Switch from the restricted shell to the root shell:
  - Type 5n3ak1n and press Enter.
  - Enter the root shell password.
  IMPORTANT: If you don't have the password to log on to the root shell, contact Technical Support for assistance.
- Enable listening on port 3306.
  - For Manager 9.1.x:
    - Type iptables -A INPUT -p tcp --dport 3306 -j ACCEPT and press Enter.
    - Type iptables-save > /etc/sysconfig/iptables.rules and press Enter.
  - For Manager 10.1.x and later (including 11.x):
    - Type sudo firewall-cmd --zone=public --permanent --add-port=3306/tcp and press Enter.
    - Type sudo firewall-cmd --reload and press Enter.
- Open /etc/my.cnf in a text editor of your choice.
- Locate the bind-address and the skip-networking entries.
- Comment out both entries by prefixing them with #. For example:
  #bind-address=127.0.0.1
  #skip-networking
- Restart the MySQL service. Type systemctl restart mysqld and press Enter.
- Log on to MariaDB as the root user:
  - Type <Manager installation path>/MariaDB/bin/mysql -uroot -p and press Enter.
  - Enter the root password of the database.
  - After you log on, you see the MariaDB prompt. Type use mysql; and press Enter.
- Create the needed database user. Type create user '<new user name of the database>'@'<IP address of the system from which the user will connect to the database>' identified by '<password>'; and press Enter. Quote both the user name and the host part; MariaDB requires the quotes when the host is an IP address, because the dots are not valid in an unquoted identifier.
  For example: create user 'nsmtst'@'192.168.1.20' identified by 'nsmtp';
- Provide read-only access to the newly created database user. Type grant select on lf.* to 'nsmtst'@'<SIEM IP ADDRESS>'; and press Enter.
  For example: grant select on lf.* to 'nsmtst'@'192.168.1.20';
- Verify that the database user creation is successful:
  - On a Windows client, open a command-line session.
  - Type C:\MariaDB\bin\mysql -u nsmtst -h <IP address of the Manager instance> -P 3306 -p and press Enter.
    For example: C:\MariaDB\bin\mysql -u nsmtst -h 192.168.1.30 -P 3306 -p
  - You're prompted for the password. On successful authentication, you can access the database server running on the Manager instance.
- Integrate your SIEM servers with Trellix IPS. See the SIEM administration guide for steps.
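The following shell helpers are an added example, not part of the Trellix KB article or the product, covering the Manager-side steps above: commenting out the network entries in my.cnf, generating the correctly quoted CREATE USER and GRANT statements (with a SHOW GRANTS to confirm the account is SELECT-only on lf.*), opening port 3306, and the client-side verification. It assumes POSIX sh, a single IPv4 SIEM address (no wildcard hosts, which keeps both the grant and the firewall rule scoped to that one system), and reuses the KB's own example values (nsmtst, 192.168.1.20, nsmtp). The firewall and verification functions need root and a reachable Manager, so they are defined but not executed; the demonstration at the end runs offline on a constructed my.cnf fragment.

```shell
#!/bin/sh
# Added example, not part of the Trellix KB article. Shell helpers for the
# Manager-side steps of the procedure above. Assumptions: POSIX sh; a single
# IPv4 SIEM address (no wildcards), which is what keeps the grant and the
# firewall rule narrowly scoped; the 'lf' schema and the example account
# name/host/password are the KB's own values.

# Step "Comment out the bind-address and skip-networking entries": prefix '#'
# to those directives only where they are not already commented, leaving the
# rest of my.cnf untouched. Writes through a temp file so a failed sed does
# not truncate the config.
comment_out_mysql_network_entries() {
    cnf="$1"
    tmp="$cnf.tmp"
    sed -e 's/^[[:space:]]*\(bind-address[[:space:]]*=.*\)$/#\1/' \
        -e 's/^[[:space:]]*\(skip-networking.*\)$/#\1/' "$cnf" > "$tmp" \
        && mv "$tmp" "$cnf"
}

# Steps "Create the needed database user" and "Provide read-only access":
# emit the statements with the user and host parts quoted (MariaDB requires
# quotes when the host part contains dots), followed by SHOW GRANTS so the
# operator can confirm the account holds nothing beyond SELECT on lf.*.
# Refuses wildcard hosts and passwords that would break the SQL quoting.
build_siem_user_sql() {
    user="$1"; host="$2"; pass="$3"
    case "$host" in
        *[!0-9.]*|'') echo "host must be a plain IPv4 address, not '$host'" >&2; return 1 ;;
    esac
    case "$pass" in
        *\'*|*\\*) echo "password must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT ON lf.* TO '%s'@'%s';\n" "$user" "$host"
    printf "SHOW GRANTS FOR '%s'@'%s';\n" "$user" "$host"
}

# Step "Enable listening on port 3306": choose the firewall tool present on
# the Manager (firewalld on 10.1.x and later, iptables on 9.1.x). Unlike the
# KB's --add-port, the rule admits only the SIEM address. Requires root and
# a real Manager, so it is defined here but not run.
open_mysql_port_for_siem() {
    siem_ip="$1"
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone=public --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$siem_ip\" port port=\"3306\" protocol=\"tcp\" accept" \
            && firewall-cmd --reload
    else
        iptables -A INPUT -p tcp -s "$siem_ip" --dport 3306 -j ACCEPT \
            && iptables-save > /etc/sysconfig/iptables.rules
    fi
}

# Step "Verify that the database user creation is successful", run from the
# SIEM host (or any host with a mysql client): a successful login plus the
# grant list in one call. Needs a reachable Manager, so it is not run here.
verify_siem_user() {
    user="$1"; manager_ip="$2"
    mysql -u "$user" -h "$manager_ip" -P 3306 -p -e "SHOW GRANTS FOR CURRENT_USER();"
}

# Offline demonstration on a constructed my.cnf fragment with the KB's example
# values; nothing below touches the firewall or a database.
demo_dir=$(mktemp -d)
printf '[mysqld]\nbind-address=127.0.0.1\nskip-networking\nport=3306\n' > "$demo_dir/my.cnf"
comment_out_mysql_network_entries "$demo_dir/my.cnf"
cat "$demo_dir/my.cnf"
build_siem_user_sql nsmtst 192.168.1.20 nsmtp
rm -rf "$demo_dir"
```

To apply the generated statements on the Manager, pipe the output into the root session from the procedure (for example build_siem_user_sql nsmtst 192.168.1.20 'nsmtp' | <Manager installation path>/MariaDB/bin/mysql -uroot -p) and read the SHOW GRANTS result: it should list only USAGE and SELECT ON lf.*. Commenting out bind-address makes MariaDB listen on all interfaces, so the firewall rule is the only thing limiting which hosts can reach port 3306; scoping it to the SIEM address rather than opening the port to every host is the difference between the rich rule above and the KB's --add-port.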