Update from the future... DB Connect is now free, and there's an add-on that uses it to get McAfee EPO data. http://apps.splunk.com/app/1819/
Hi,
Thanks for your interest and for contacting me.
Our DBX App is a commercial App we typically sell to our customers.
What we have not implemented into the App yet is a mechanism for licence management.
So we are not able to give you or your customer a full version of our App at this time for testing.
But what I would like to offer you is a web session where we can talk about the requirements of your customer and where we can show all functions of our DBX App directly to your customer.
In addition to that I would like to give you a Data Sheet that gives you a first impression.
I hope that this meets your expectations, and if you don't mind I would like to ask you to bring us in direct touch with your customer.
Best Regards and greetings from Vienna / Mike
We can help you with that. We have developed an extension for Splunk, called DBX, that serves as a universal SQL database connector. It allows you to simply configure database inputs.
Please let me know which Splunk environment you're using at the moment (Splunk Version, Operating System, approx. Data volume, Physical/Virtual server).
/Mike
Mike,
Can you share that DBX extension please?
Splunk Enterprise Security 2.0 (formerly called ESS - Enterprise Security Suite) is a pay-to-play add-on to Splunk. It includes McAfee EPO Anti-virus as an out-of-the-box datasource. For a list of supported datasources see http://docs.splunk.com/Documentation/ES/latest/CreateTA/Out-of-the-boxsourcetypes
There are many advantages to ESS, including really cool correlation technology, which would allow for better APT (Advanced Persistent Threat) detection, for example, by building rules that correlate infections and AV service halts with firewall and IDS/IPS activity.
The other anti-virus add-ins provided with ES 2.0 are TA-sep, which supports Symantec AntiVirus version 10 and earlier, and Symantec AntiVirus 11 and later; and TA-trendmicro for Trend Micro.
I would hope that Splunk would see good sense in making the TA-McAfee more generally available, since their licensing is built on data volumes and not on features. But for the moment this is a niche requirement, with some really innovative technology that goes beyond "normal Splunk". I understand why early adopters have to pay for this.
You can also create custom add-ons to ES for other anti-virus datasources. For information about creating technology add-ons for ES 2.0 see http://docs.splunk.com/Documentation/ES/latest/CreateTA/CreatingaTechnologyAdd-on
ride76,
The easiest solution would be to (as kristian says) configure EPO to create a text file.
However, there is some documentation (I have not followed it myself as I have not had the need for DB input) here. The example used polls a DB and reproduces its results in a format easily recognisable by Splunk.
Hope this helps answer your question.
If it does answer your question, please mark the answer as accepted to help the community.
Regards,
MHibbin
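As an added example (not from this thread, the DBX app, or the documentation linked above), a minimal scripted-input style poller in Python that reads only the rows newer than a saved checkpoint from a database and writes them as timestamped key=value lines that Splunk indexes without extra field extraction. The in-memory SQLite table and its column names are constructed placeholders standing in for the ePO database, not McAfee ePO's actual schema.

```python
import sqlite3

# Constructed sample rows standing in for ePO threat events; the table and
# column names below are illustrative placeholders, not ePO's real schema.
SAMPLE_EVENTS = [
    (1, "2012-03-01 10:15:02", "host-a", "Trojan.Generic", "Cleaned"),
    (2, "2012-03-01 10:16:40", "host-b", "EICAR-Test-File", "Deleted"),
    (3, "2012-03-01 10:20:11", "host-a", "Trojan.Generic", "Quarantined"),
]


def build_sample_db():
    """In-memory SQLite database standing in for the AV server's SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE av_events (event_id INTEGER PRIMARY KEY, "
                 "event_time TEXT, hostname TEXT, threat_name TEXT, action TEXT)")
    conn.executemany("INSERT INTO av_events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def kv_escape(value):
    """Quote a field value so Splunk's default key=value extraction reads it whole."""
    return '"' + str(value).replace('"', '\\"') + '"'


def poll_events(conn, last_id):
    """Return (lines, new_last_id) for rows with event_id greater than last_id.
    The checkpoint is what stops a scheduled poller from re-emitting old rows."""
    cur = conn.execute(
        "SELECT event_id, event_time, hostname, threat_name, action "
        "FROM av_events WHERE event_id > ? ORDER BY event_id", (last_id,))
    lines = []
    for event_id, event_time, hostname, threat_name, action in cur:
        fields = {"event_id": event_id, "host": hostname,
                  "threat": threat_name, "action": action}
        # A leading timestamp lets Splunk set _time without a custom props.conf.
        lines.append(event_time + " " + " ".join(
            f"{k}={kv_escape(v)}" for k, v in fields.items()))
        last_id = event_id
    return lines, last_id


if __name__ == "__main__":
    db = build_sample_db()
    lines, checkpoint = poll_events(db, 0)
    print("\n".join(lines))
    # Persist `checkpoint` (e.g. to a small file) so the next scheduled run resumes there.
```

Run on a schedule (cron or a Splunk scripted input), the saved checkpoint makes each run emit only the rows added since the previous one.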
I think it's easier if you configure EPO to create text files and have a Splunk Forwarder installed to monitor the log, if possible.
/kristian