Integration of splunk with Mcafee ESM

ramkidurai
Explorer

Hi,

I would need to integrate Splunk (version 6.0) with McAfee ESM (version 9.2.1).

What are the requirements to be met in order to forward the Splunk logs into ESM? I have enabled the forwarder with the IP and port number to forward logs.

Also, at the ESM end, the properties are set to receive logs.

I am new to Splunk as well as new to ESM, and I believe I have missed some configuration/settings that need to be made. Please let me know if anyone has tried this and succeeded. Awaiting suggestions/help.

Thanks,
Ramesh

araitz
Splunk Employee

Check out this documentation on forwarding to a third-party system:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Forwarddatatothird-partysystemsd

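As an added example (not part of araitz's reply or the linked documentation), the three stanzas that documentation describes for routing events to a syslog receiver, with the target group name, sourcetype, receiver address, port and protocol all assumed placeholders:

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Defines the syslog target group. Address, port and protocol are
# placeholders: match them to the receiver configured on the ESM side.
# type defaults to udp; set tcp if the ESM receiver listens on TCP.
[syslog:mcafee_esm]
server = 192.0.2.10:514
type = tcp
# PRI 13 = facility user (1) * 8 + severity notice (5)
priority = <13>
timestampformat = %b %e %H:%M:%S

# $SPLUNK_HOME/etc/system/local/props.conf
# Attach the routing transform to every event of the chosen sourcetype
# (here the built-in "syslog" sourcetype; change it to match your data).
[syslog]
TRANSFORMS-routing_to_esm = send_to_mcafee_esm

# $SPLUNK_HOME/etc/system/local/transforms.conf
# REGEX = . matches every event; FORMAT names the target group above.
[send_to_mcafee_esm]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = mcafee_esm
```

Restart splunkd after editing. These stanzas only take effect on an indexer or heavy forwarder, because a universal forwarder does not run the parsing pipeline that applies props.conf and transforms.conf.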

ramkidurai
Explorer

Hi,

I have this document already and have configured/made changes to outputs.conf, props.conf and transforms.conf as per it. Still, I could not forward logs from Splunk to McAfee ESM. I need all syslog data to be forwarded from Splunk.

Irrespective of data/port, when I enable forwarding or receiving in Splunk, I get an error message:
"Tcp output pipeline blocked. Attempt '100' to insert data failed." Any idea on this error would be helpful.

Also, let me know what the target group should be in outputs.conf under "Forward syslog data" ([syslog:]).
