As I understood, there are 2 McAfee AddOns for Splunk. One for Epo etc. and one for the Webgateway. The first one needs to be connected via databases and SplunkDB AddOn, the second one (Mac Afee Webgateway) sends data via syslog. As for Epo 5.3.2 it is also possible to send data via syslog and not directly with databases. Is there a Splunk app for this case or is it possible to use one of these two apps?
The Splunk Add-on for McAfee collects some data via syslog:
https://splunkbase.splunk.com/app/1819/#/overview
Docs for the source types this add-on collects: http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/DataTypes
Docs for configuring the syslog input: http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureSyslogInput
Your answer is just for Intrushield.
What jbrocks is talking about sending ALL logs from ePO using syslog.
KB87927 - How to set up an example syslog server for use with ePolicy Orchestrator
That post has guidance using ELK.
We are just getting started with this but we used RHEL w/TLS rsyslog and it works fine.
We, like jbrocks, just need to read and parse the text file now.
I think this is what we need Splunk to add support for. I know, I know, open an enhancement ticket. See you in a couple of years.