Hi
We have to integrate a McAfee EPO (full-fledged) instance with Splunk, i.e. we want the logs of EPO in Splunk. What is the best way to do it? Should I install a Universal Forwarder on the EPO machine, or should I use the EPO extended configuration and register my Splunk as a syslog server there (I do not know how to do this)? Also, we do not want to use ESS for this. Please help!!
FYI, there's now a DB Connect based way to do EPO logs too: http://apps.splunk.com/app/1819/
Hi lohit,
Both will work fine, if you can configure and/or set it up in EPO.
Syslog has some downsides, like data can get lost if the indexer is down, for example. Personally I would configure EPO to create a text log file and install a Splunk Universal Forwarder to monitor the log.
Hope this helps a bit to get you started.
Cheers, MuS
Hi Aaron, according to http://kc.mcafee.com/corporate/index?page=answerlink&url=spD2Ro8-7xeSDi5pMVrcP4NU4ttaDgfvDk2wLTCzMyu... you can configure the logs in a manner so that it will write a txt log file. This can be monitored by Splunk; read more here: http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
Can anyone provide any further info on how to get EPO to export to a .txt file and then monitor it with Splunk?
Interested in a procedure to have EPO write logs to a text file. Also any props/transforms for the EPO data.
Which part are you having trouble with?
Were you able to do this? If so please share a little how to.
Thanks a lot MuS.
Totally agree with the syslog downside. The only positive point of the EPO setup is that we can actually log only a specific type of event to a syslog server from the EPO console, for example based on severity, instead of collecting all logs and then extracting it in Splunk.
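To make the file-monitor approach from MuS's answer concrete, and to show the Splunk-side counterpart of the severity filtering mentioned in the reply above, here is an added example configuration. It is not from the original thread and is not McAfee's or Splunk's own documentation. The log path, sourcetype name, index name, indexer hostname, and the severity field and values are all assumptions; the real ePO log location and line format must be taken from the McAfee KB article linked earlier in the thread.

```ini
# --- inputs.conf on the ePO host (Splunk Universal Forwarder) ---
# The path below is a placeholder (assumed); use the file ePO actually
# writes when text logging is enabled per the McAfee KB article.
[monitor://C:\ProgramData\McAfee\ePO\Logs\epo_events.log]
# Assumed sourcetype and index names; the index must exist on the indexer.
sourcetype = mcafee:epo:events
index = epo
disabled = 0
# The forwarder records its read position per file, so events written while
# the indexer is unreachable are picked up once it is back, which is the gap
# MuS describes for plain syslog.

# --- outputs.conf on the ePO host (Splunk Universal Forwarder) ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hostname is a placeholder.
server = splunk-indexer.example.com:9997
# Ask the indexer to acknowledge data before the forwarder discards it,
# so a connection drop mid-transfer does not lose events.
useACK = true

# --- props.conf on the indexer (or heavy forwarder) ---
[mcafee:epo:events]
SHOULD_LINEMERGE = false
# Apply the severity filter below before indexing.
TRANSFORMS-epo_severity = epo_drop_low_severity

# --- transforms.conf on the indexer ---
# Splunk-side alternative to filtering by severity in the ePO console:
# events matching the REGEX are routed to nullQueue and never indexed.
# The field name "severity" and the values are assumed; adjust the REGEX
# to whatever the real text log contains.
[epo_drop_low_severity]
REGEX = (?i)severity=(?:informational|notice)
DEST_KEY = queue
FORMAT = nullQueue
```

The trade-off is the one the reply describes: filtering in the ePO console avoids sending the events at all, while the nullQueue transform still costs forwarder bandwidth but keeps the filter under the Splunk admin's control and adjustable without touching ePO. Filtering on the forwarder itself is only possible with a heavy forwarder; a Universal Forwarder does not run props/transforms filtering.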