How to configure the Trellix Linux Operating System (formerly MLOS) Manager system for SIEM integration

Technical Articles ID: KB92684
Last Modified: 2023-04-17 05:25:08 Etc/GMT

Environment

Trellix Intrusion Prevention System (Trellix IPS)

Summary

To configure the Trellix Linux Operating System (formerly MLOS) Manager to integrate with SIEM:

Log on to the Manager.
Switch to the restricted shell:
1. Type 5n3ak1n and press Enter.
2. Enter the root shell password.
  
  IMPORTANT: If you don't have the password to log on to the root shell, contact Technical Support for assistance.
Enable listening on port 3306.
- For Manager 9.1.x:
  1. Type iptables -A INPUT -p tcp --dport 3306 -j ACCEPT and press Enter.
  2. Type iptables-save > /etc/sysconfig/iptables.rules and press Enter.
- For Manager 10.1.x and later and 11.x:
  1. Type sudo firewall-cmd --zone=public --permanent --add-port=3306/tcp and press Enter.
  2. Type sudo firewall-cmd –reload and press Enter.
Open /etc/my.cnf in a text editor of your choice.
Locate the bind-address and the skip-networking entries.
Comment out these entries, using the #.

For example:
#bind-address=127.0.0.1
#skip-networking
Restart the MySQL* service. Type systemctl restart mysqld and press Enter.
Log on to MariaDB as a root user:
1. Type <Manager installation path>/MariaDB/bin/mysql -uroot -p and press Enter.
2. Enter the root password of the database.
After you log on, you see the MariaDB prompt. Type use mysql; and press Enter.
Create the needed database user. Type create user <new user name of the database>@<IP address of the system from which the user will connect to the database> identified by '<password>'; and press Enter.

For example: create user nsmtst@192.168.1.20 identified by 'nsmtp';
Provide read-only access to the newly created database user. Type grant select on lf.* to nsmtst@<SIEM IP ADDRESS>; and press Enter.

For example: grant select on lf.* to nsmtst@192.168.1.20;
Verify that the database user creation is successful:
1. On a Windows client, open a command-line session.
2. Type C:\MariaDB\bin\mysql -u nsmtst -h <IP address of the Manager instance> -P 3306 -p and press Enter.
  
  For example: C:\MariaDB\bin\mysql -u nsmtst -h 192.168.1.30 -P 3306 -p
3. You're prompted for the password. On successful authentication, you can access the database server running on the Manager instance.
Integrate your SIEM servers with Trellix IPS. See the SIEM administration guide for steps.

For product documents, go to the Product Documentation portal.

Related Information

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to configure the Trellix Linux Operating System (formerly MLOS) Manager system for SIEM integration

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to configure the Trellix Linux Operating System (formerly MLOS) Manager system for SIEM integration

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title