
Sending McAfee Epo 5.3.2 Logs via Syslog to Splunk...is there an AddOn?

jbrocks
Communicator

As I understood, there are 2 McAfee AddOns for Splunk. One for Epo etc. and one for the Webgateway. The first one needs to be connected via databases and SplunkDB AddOn, the second one (McAfee Webgateway) sends data via syslog. As for Epo 5.3.2, it is also possible to send data via syslog and not directly with databases. Is there a Splunk app for this case, or is it possible to use one of these two apps?

0 Karma

rpille_splunk
Splunk Employee

The Splunk Add-on for McAfee collects some data via syslog:

https://splunkbase.splunk.com/app/1819/#/overview

Docs for the source types this add-on collects: http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/DataTypes

Docs for configuring the syslog input: http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureSyslogInput

0 Karma

dfronck
Communicator

Your answer is just for Intrushield.

What jbrocks is talking about is sending ALL logs from ePO using syslog.
KB87927 - How to set up an example syslog server for use with ePolicy Orchestrator

That post has guidance using ELK.
We are just getting started with this but we used RHEL w/TLS rsyslog and it works fine.
We, like jbrocks, just need to read and parse the text file now.
I think this is what we need Splunk to add support for. I know, I know, open an enhancement ticket. See you in a couple of years.
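A minimal receive-and-monitor setup of the kind dfronck describes (TLS rsyslog on RHEL writing the events to a file, then Splunk monitoring that file), added here as an example; it is not code from the thread, from McAfee, or from the Splunk add-on. The certificate paths, the ePO hostname, the listening port, and the Splunk index and sourcetype names are assumptions. The listener uses certificate-based peer checking rather than the weaker anonymous mode, so only the ePO server can deliver events.

```conf
# /etc/rsyslog.d/10-epo-tls.conf  (rsyslog 8.x on RHEL; all paths are assumed)
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/syslog-server.crt"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/syslog-server.key"
)

# TLS-only TCP listener. StreamDriver.Mode="1" requires TLS on every session.
# AuthMode "anon" would encrypt but accept any client; "x509/name" together
# with PermittedPeer restricts delivery to the ePO server's certificate name.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["epo.example.internal"])

# Port the ePO server was registered against (6514 is an assumption here).
input(type="imtcp" port="6514" ruleset="epo")

# Write the message exactly as received so Splunk gets the full event text.
template(name="epoRaw" type="string" string="%rawmsg%\n")

ruleset(name="epo") {
  # File is group-readable by the account running the Splunk forwarder.
  action(type="omfile" file="/var/log/epo/events.log" template="epoRaw"
         fileCreateMode="0640" fileOwner="root" fileGroup="splunk")
  stop
}

# $SPLUNK_HOME/etc/apps/<local_app>/local/inputs.conf on the forwarder
# (sourcetype and index are placeholders; map the sourcetype to the
# add-on's own name if a later add-on version supports this format)
[monitor:///var/log/epo/events.log]
sourcetype = epo_syslog
index = mcafee
disabled = false
```

After restarting rsyslog, `ss -ltnp | grep 6514` confirms the listener is up, and a test event from ePO should appear in `/var/log/epo/events.log` before Splunk indexes it.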
