Integration of Splunk with McAfee ESM

ramkidurai
Explorer

Hi,

I would need to integrate Splunk (version 6.0) with McAfee ESM (version 9.2.1).

What are the requirements to be met in order to forward the Splunk logs into ESM? I have enabled the forwarder with the IP and port number to forward logs.

Also at the ESM end, the properties are set to receive logs.

I am new to Splunk as well as new to ESM, and I believe I have missed some configuration/settings that need to be made. Please let me know if anyone has tried this and succeeded. Awaiting suggestions/help.

Thanks,
Ramesh


araitz
Splunk Employee

Check out this documentation on forwarding to a third-party system:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Forwarddatatothird-partysystemsd


ramkidurai
Explorer

Hi,

I have this document already and have configured/made changes to outputs.conf, props.conf and transforms.conf as per this. Still, I could not forward logs from Splunk to McAfee ESM. I would need all syslog data to be forwarded from Splunk.

Irrespective of data/port, when I enable forwarding or receiving in Splunk, I get an error message:
"Tcp output pipeline blocked. Attempt '100' to insert data failed." Any idea on this error would be helpful.

Also, let me know what the target group should be in outputs.conf under "Forward syslog data" ([syslog:])?

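As an added illustration (not posted in this thread and not taken from Splunk's or McAfee's documentation), this is how the three files fit together when routing every event of sourcetype syslog to a syslog target group; the group name mcafee_esm, the hostname and the port are placeholders that must be replaced with the real ESM receiver.

```ini
# outputs.conf (added example, not from the thread)
# The text after "syslog:" is the target group name. It is the value that
# transforms.conf must write into _SYSLOG_ROUTING, so it has to match exactly.
[syslog:mcafee_esm]
# Placeholder receiver: replace with the ESM collector host and the port
# that was opened on the ESM side to accept syslog.
server = esm.example.internal:514
# udp is the default; use tcp only if the ESM receiver was configured for it.
type = udp

# props.conf (added example)
# Stanza name is the sourcetype. Routing is applied at parse time, so this
# belongs on a heavy forwarder or indexer, not on a universal forwarder.
[syslog]
TRANSFORMS-route_to_esm = send_to_esm

# transforms.conf (added example)
# REGEX = . matches every event; DEST_KEY selects the syslog routing key and
# FORMAT names the [syslog:...] group from outputs.conf.
[send_to_esm]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = mcafee_esm
```

Each file is shown here in one fence only for readability; on disk the three stanzas live in their own files under the same app or in $SPLUNK_HOME/etc/system/local, and Splunk must be restarted after the change.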