Splunk add-on for Mcafee (2.1.0) with DB connect 2.0.1

leonrtx
Explorer

I’m trying to get the McAfee TA working with DB Connect 2. I installed DB Connect 2.0.1 and created a connection (mcafee_epo). The connection shows as valid. I can query the ePO database through the UI, and if I run the query below I get the results I’m looking for.

db_connections.conf

[mcafee_epo]
connection_type = generic_mssql
database = XXXXMCAFEE01
host = XXXXXXXX
identity = mcafeeAdmin
port = XXXX
disabled = 0

I created a ‘DB Inputs’ through the ui:

inputs.conf
[mi_input://Mcafee_epo_input]
connection = mcafee_epo
index = mcafee
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
interval = 600
max_rows = 10000
mode = tail
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = SELECT CONVERT(VARCHAR(19), [EPOEvents].[ReceivedUTC], 120) as [timestamp], [EPOEvents].[AutoID], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threat_type], [EPOEvents].[ThreatEventID] as [signature_id], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severity_id], [EPOEventFilterDesc].[Name] as [event_description], [EPOEvents].[DetectedUTC] as [detected_timestamp], [EPOEvents].[TargetFileName] as [file_name], [EPOEvents].[AnalyzerDetectionMethod] as [detection_method], [EPOEvents].[ThreatActionTaken] as [vendor_action], [EPOEvents].[ThreatHandled] as [threat_handled], [EPOEvents].[TargetUserName] as [logon_user], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [dest_nt_domain], [EPOEvents].[TargetHostName] as [dest_dns], [EPOEvents].[TargetHostName] as [dest_nt_host], [EPOComputerProperties].[IPHostName] as [fqdn], [dest_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] as [dest_netmask], [EPOComputerProperties].[NetAddress] as [dest_mac], [EPOComputerProperties].[OSType] as [os], [EPOComputerProperties].[OSServicePackVer] as [sp], [EPOComputerProperties].[OSVersion] as [os_version], [EPOComputerProperties].[OSBuildNum] as [os_build], [EPOComputerProperties].[TimeZone] as [timezone], [EPOEvents].[SourceHostName] as [src_dns], [src_ip] = ( 
convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] as [src_mac], [EPOEvents].[SourceProcessName] as [process], [EPOEvents].[SourceURL] as [url], [EPOEvents].[SourceUserName] as [logon_user], [EPOComputerProperties].[IsPortable] as [is_laptop], [EPOEvents].[AnalyzerName] as [product], [EPOEvents].[AnalyzerVersion] as [product_version], [EPOEvents].[AnalyzerEngineVersion] as [engine_version], [EPOEvents].[AnalyzerEngineVersion] as [dat_version], [EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version], [EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version], [EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version], [EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix], [EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version], [EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp] FROM [EPOEvents] left join [EPOLeafNode] on [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID] left join [EPOProdPropsView_VIRUSCAN] on [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID] left join [EPOComputerProperties] on [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID] left join [EPOEventFilterDesc] on [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId] and (EPOEventFilterDesc.Language='0409') WHERE [EPOEvents].[AutoID] > 44372543
source = ta_mcafee_epo_5_input
sourcetype = mcafee:epo
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_catalog = XXXXXXMCAFEE01
ui_query_mode = advanced
ui_query_schema = dbo
ui_query_table = EPOEvents
disabled = 0

index=mcafee has been created.

In the health dashboard of DB Connect I don’t get any errors and all transactions have a success status, but there is no data in index=mcafee.

[EPOEvents].[AutoID] > 44372543 returns events for the last 30 days. That’s where I want to start indexing. If I change ‘tail_rising_column_name = AutoID’ to ‘tail_rising_column_name = [EPOEvents].[AutoID]’ I get the following:

4/30/2015 16:41:48 [ERROR] [websocket.py] ERROR: A processing error "Invalid column name '[EPOEvents].[AutoID]'." occurred..

No ePO data is being indexed. I don’t see any errors. What am I doing wrong?

1 Solution

leonrtx
Explorer

OK, got McAfee ePO working with DB Connect 2. There was no need for me to convert the timestamp. Changed 'CONVERT(VARCHAR(19), [EPOEvents].[ReceivedUTC], 120) as [timestamp]' to '[EPOEvents].[ReceivedUTC] as [timestamp]'.
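The tail-mode input the thread configures, as an added example that is not part of the original posts and not DB Connect's own code: a small sqlite3 simulation of a rising-column poll over a constructed EPOEvents table. It assumes tail mode fetches rows above a stored checkpoint, caps them at max_rows, and advances the checkpoint to the highest AutoID returned; the column layout (timestamp first, AutoID second) and the 44372543 starting point come from the thread's inputs.conf.

```python
import sqlite3
from datetime import datetime

RISING_COLUMN = "AutoID"       # tail_rising_column_name in the thread
START_CHECKPOINT = 44372543    # WHERE [EPOEvents].[AutoID] > ... in the thread
MAX_ROWS = 3                   # small stand-in for max_rows = 10000

# Same shape as the thread's SELECT: timestamp in column 1, AutoID in column 2.
# Note the WHERE clause references the result column name, which is also what
# tail_rising_column_name must name (the qualified [EPOEvents].[AutoID] failed).
QUERY = """SELECT ReceivedUTC AS timestamp, AutoID, ThreatName AS signature
           FROM EPOEvents WHERE AutoID > ? ORDER BY AutoID"""

def make_db():
    """Constructed sample rows; AutoIDs and threat names are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EPOEvents (AutoID INTEGER, ReceivedUTC TEXT, ThreatName TEXT)")
    db.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)", [
        (44372540, "2015-04-01 10:00:00", "EICAR test file"),  # below checkpoint, skipped
        (44372544, "2015-04-30 16:00:00", "EICAR test file"),
        (44372545, "2015-04-30 16:05:00", "Generic.dx"),
        (44372546, "2015-04-30 16:10:00", "Generic.dx"),
        (44372547, "2015-04-30 16:15:00", "EICAR test file"),
    ])
    return db

def poll(db, checkpoint):
    """One tail-mode run: rows above the checkpoint, at most MAX_ROWS,
    returned as events together with the advanced checkpoint.
    DB Connect persists the checkpoint between runs; here it is a plain int."""
    rows = db.execute(QUERY, (checkpoint,)).fetchmany(MAX_ROWS)
    events = []
    for ts, auto_id, sig in rows:
        # sqlite has no datetime type, so parse the text with the Python
        # equivalent of the thread's output_timestamp_format 'YYYY-MM-dd HH:mm:ss'.
        event_time = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append({"_time": event_time, RISING_COLUMN: auto_id, "signature": sig})
        checkpoint = max(checkpoint, auto_id)   # rising column only moves forward
    return events, checkpoint

if __name__ == "__main__":
    db = make_db()
    cp = START_CHECKPOINT
    for run in range(3):
        events, cp = poll(db, cp)
        print(f"run {run}: {len(events)} events, checkpoint now {cp}")
```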

powerscap
New Member

I am in Brisbane and don't want this timestamp. How do I change the query to show ReceivedUTC +10?

rpille_splunk
Splunk Employee

Per the docs, the current release of the Splunk Add-on for McAfee does not work with DB Connect 2.X. You must install DB Connect 1.1.6 or 1.1.7 to use this TA. http://docs.splunk.com/Documentation/AddOns/latest/McAfeeEPO/Description

Hope that helps!

leonrtx
Explorer

Thanks for the answer. The only part I used from the Splunk Add-on for McAfee app was the SQL query. The SQL worked in the UI setup wizard. Looks like I won't be switching to DB Connect 2 any time soon.

dfronck
Communicator

Add-on for McAfee 2.1.1 now supports DB Connect 2.
McAfeeEPO Hardware and software requirements