One answer might be to utilize ePO's Web API that they enabled with 4.6 and script the output into Splunk. It works with python, so you should be able to create a script within Splunk to go out and pull the logs down for you.
https://community.mcafee.com/community/business/epo/epo_web_api
core.executeQuery?target=EPOMasterCatalog&select=(select EPOMasterCatalog.ProductVersion)&where=(where (eq EPOMasterCatalog.ProductName "DAT"))
Output:
<EPOMasterCatalog.ProductVersion>6823.0000</EPOMasterCatalog.ProductVersion>
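As an added illustration of the approach above (this is example code, not from the poster or from McAfee), a small Python client that builds a core.executeQuery URL, parses the reply and prints each row as key="value" text that Splunk extracts automatically. It assumes the remote API sits under /remote/ on the console port (8443 by default), uses HTTP Basic authentication, supports the `:output=json` option, and prefixes a successful reply with an `OK:` status line; the host name and the sample response body are constructed placeholders.

```python
"""Pull an ePO Web API query result and emit Splunk-friendly key="value" events.

Added example; not code from the thread. Assumes ePO's remote API is reachable under
/remote/ on the console port (8443 by default), authenticates with HTTP Basic, and
answers a successful call with an "OK:" status line followed by the payload.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

EPO_BASE_URL = "https://epo.example.internal:8443/remote/"  # placeholder, not a real host


def build_query_url(base_url, target, select, where=None):
    """Compose a core.executeQuery URL that asks ePO for JSON output."""
    params = {"target": target, "select": select, ":output": "json"}
    if where:
        params["where"] = where
    return base_url + "core.executeQuery?" + urllib.parse.urlencode(params)


def parse_epo_response(body):
    """Split off the status line and decode the JSON payload.

    A reply that does not start with OK is raised as an error so a scripted
    input fails loudly instead of indexing an error string as event data.
    """
    status, sep, payload = body.partition("\n")
    if not status.startswith("OK"):
        raise RuntimeError("ePO API error: " + body.strip())
    if not sep or not payload.strip():
        return []  # "OK:" with an empty result set
    return json.loads(payload)


def to_kv(record):
    """Render one result row as space-separated key="value" pairs.

    Keys are sorted so field order is stable; double quotes inside values are
    escaped so Splunk's automatic key=value extraction does not end the value early.
    """
    parts = []
    for key in sorted(record):
        value = record[key]
        text = "" if value is None else str(value)
        parts.append('%s="%s"' % (key, text.replace('"', '\\"')))
    return " ".join(parts)


def fetch_rows(url, username, password, cafile):
    """Perform the HTTPS call with certificate verification and return parsed rows."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the ePO console's CA
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_epo_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demo with a constructed reply shaped like the DAT-version query above.
    sample_body = 'OK:\n[{"EPOMasterCatalog.ProductVersion": "6823.0000"}]'
    for row in parse_epo_response(sample_body):
        print(to_kv(row))
    # Live use from a Splunk scripted input (credentials come from the environment,
    # never from the script itself):
    # url = build_query_url(EPO_BASE_URL, "EPOMasterCatalog",
    #                       "(select EPOMasterCatalog.ProductVersion)",
    #                       '(where (eq EPOMasterCatalog.ProductName "DAT"))')
    # for row in fetch_rows(url, os.environ["EPO_USER"], os.environ["EPO_PASS"],
    #                       "/path/to/epo-ca.pem"):
    #     print(to_kv(row))
```

Pointing the query at an events table instead of EPOMasterCatalog turns the same script into a log puller; the parsing and formatting do not change.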
Hi,
Thanks for your interest and for contacting me.
Our App for McAfee ePO is a commercial App we typically sell to our McAfee customers.
What we do not have implemented into the App yet is a mechanism for licence management.
So we are not able to give you a full version from our App at this time for testing.
But what I would like to offer to you is a web session where we can talk about the requirements and where we can show all functions from our ePO App directly to you.
In addition to that I would like to give you a Data Sheet that gives you a first impression.
I hope that this meets your expectations.
Best Regards and greetings from Vienna /Mike
Mike,
Can you share your ePO App please?
We can help you with that. We have developed an extension for Splunk, called ePO App.
How it works:
A Splunk forwarder is a dedicated Splunk package installed on an ePolicy Orchestrator Server that collects data directly from the ePolicy Orchestrator database.
The Splunk instance forwards the dumped data to another Splunk server (Indexer).
The Splunk instance that indexes the data transforms raw data into events, placing the results into an index, which is then searchable.
Forwarders are lean and secure. They can be deployed to provide real-time data collection from tens of thousands of sources.
Please let me know which Splunk environment you're using at the moment and if that meets your expectations.
/Mike
Maybe use this "registered executable" feature to call out a syslog command line logger.
http://www.youtube.com/watch?v=XykFT1_8N4k
Set up your data in key={value} format for easy analysis.
McAfee used to have a table in the database called Events, or EPOEvents, or something very similar.
You can either create a scripted input to have Splunk poll that table for new events, or you can use a third-party product (Adiscon makes one) to forward new records out via syslog.
Take a look at this thread:
http://answers.splunk.com/questions/2040/what-is-the-most-effective-ways-to-poll-databases-such-as-m...
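To show what the scripted-input option above involves in practice, here is an added example (not code from the thread or from McAfee) of a poller that emits only the rows newer than a saved checkpoint, so a script run every few minutes never indexes the same event twice. ePO's real database is Microsoft SQL Server; an in-memory SQLite table stands in for it here so the logic runs offline, and the column names (AutoID, ReceivedUTC, TargetHostName, ThreatName, ThreatSeverity) and sample rows are constructed for the demo rather than taken from ePO's schema.

```python
"""Scripted-input style poller: emit only events newer than the saved checkpoint.

Added example; not code from the thread. The real ePO database is Microsoft SQL Server;
an in-memory SQLite table with constructed columns stands in for it here so the
checkpoint logic can run offline. Column names are illustrative, not ePO's schema.
"""
import os
import sqlite3
import tempfile

TABLE = "EPOEvents"  # constant, not user input, so splicing it into the SQL text is safe


def read_checkpoint(path):
    """Return the last AutoID we forwarded, or 0 on the first run."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or 0)
    except FileNotFoundError:
        return 0


def write_checkpoint(path, value):
    """Write to a temp file then rename so a crash mid-write cannot corrupt the checkpoint."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(value))
    os.replace(tmp, path)


def to_kv(record):
    """Render a row as key="value" pairs in column order, escaping embedded quotes."""
    return " ".join('%s="%s"' % (k, str(v).replace('"', '\\"')) for k, v in record.items())


def poll_new_events(conn, checkpoint_path, batch=1000):
    """Fetch rows with AutoID above the checkpoint, oldest first, then advance the checkpoint."""
    last_id = read_checkpoint(checkpoint_path)
    cur = conn.execute(
        "SELECT AutoID, ReceivedUTC, TargetHostName, ThreatName, ThreatSeverity "
        "FROM %s WHERE AutoID > ? ORDER BY AutoID LIMIT ?" % TABLE,
        (last_id, batch),  # bound parameters, never string-formatted values
    )
    columns = [d[0] for d in cur.description]
    events = []
    for row in cur:
        record = dict(zip(columns, row))
        events.append(to_kv(record))
        last_id = record["AutoID"]
    if events:
        write_checkpoint(checkpoint_path, last_id)  # only after the batch was fully emitted
    return events


def constructed_database():
    """Build the stand-in table with three constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (AutoID INTEGER PRIMARY KEY, ReceivedUTC TEXT, "
                 "TargetHostName TEXT, ThreatName TEXT, ThreatSeverity INTEGER)" % TABLE)
    conn.executemany("INSERT INTO %s VALUES (?, ?, ?, ?, ?)" % TABLE, [
        (101, "2012-03-01T10:00:00", "ws-0123", "EICAR test file", 2),
        (102, "2012-03-01T10:05:00", "ws-0456", "Constructed.Threat.A", 3),
        (103, "2012-03-01T10:07:00", "srv-db01", "Constructed.Threat.B", 4),
    ])
    return conn


def run_demo():
    """Poll twice, insert a new event, poll again; return batch sizes, first event, checkpoint."""
    conn = constructed_database()
    checkpoint = os.path.join(tempfile.mkdtemp(), "epo_events.checkpoint")
    first = poll_new_events(conn, checkpoint)     # all three rows on the first run
    second = poll_new_events(conn, checkpoint)    # nothing new: no duplicates emitted
    conn.execute("INSERT INTO %s VALUES (104, '2012-03-01T10:09:00', 'ws-0789', "
                 "'EICAR test file', 2)" % TABLE)
    third = poll_new_events(conn, checkpoint)     # only the newly inserted row
    return len(first), len(second), len(third), first[0], read_checkpoint(checkpoint)


if __name__ == "__main__":
    n_first, n_second, n_third, first_event, cp = run_demo()
    print("first run: %d events, second: %d, after insert: %d" % (n_first, n_second, n_third))
    print(first_event)
    print("checkpoint now at AutoID", cp)
```

Against the real server the same function would run over a pyodbc or similar connection with an account granted SELECT on the events table only; keeping the checkpoint in a file under the Splunk app's local directory is what lets the input survive restarts without re-indexing history.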