https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639528#M109198 <P>As far as I remember (but I haven't touched ePO for several years), you just configure it to send syslog to some receiver, right?</P><P>Receiving raw network stream by UF of HF is not recommended. You can do that in lab environment but generally the recommended solution is to either use a syslog daemon which will write the events to files and have a forwarder read those files or - recently - use an intermediate "syslog gateway" like SC4S.</P> Tue, 11 Apr 2023 17:07:59 GMT PickleRick 2023-04-11T17:07:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639430#M109178 <P>As stated by the Title</P> <P>We have a test env for learning but at some point it will be a larger production deployment</P> <P>with that said we have a Clustered Env on a vsphere server and one of the boxes is a win2019 server with EPO/Trellix on it.</P> <P>So I would really like to know what best practice step by step on sending that data over rom the EPO server to Splunk whether that be to a indexer or to a heavy forwarder?</P> <P>Do I need to put up some kind of syslog server somewhere or since its a Windows server should I just put a forwarder on it and use that to send data?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 12 Apr 2023 16:37:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639430#M109178 domino30 2023-04-12T16:37:00Z https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639434#M109179 <P><A href="https://splunkbase.splunk.com/app/5085" target="_blank">https://splunkbase.splunk.com/app/5085</A> this is an addon for ePO. See the docs for installation instructions.</P> Mon, 10 Apr 2023 22:40:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639434#M109179 PickleRick 2023-04-10T22:40:55Z https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639514#M109195 <P>Thanks Pickle Rick</P><P>&nbsp;I am aware of the Apps, and I think I know the answer but I want to make sure because there is a lot of documentation about splunk for syslog and what not but I figured since McAfee was on a Windows box I would ask if it would be easier to&nbsp; just put a forwarder on that box and send data to an indexer.</P> Tue, 11 Apr 2023 14:34:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639514#M109195 domino30 2023-04-11T14:34:42Z https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639528#M109198 <P>As far as I remember (but I haven't touched ePO for several years), you just configure it to send syslog to some receiver, right?</P><P>Receiving raw network stream by UF of HF is not recommended. You can do that in lab environment but generally the recommended solution is to either use a syslog daemon which will write the events to files and have a forwarder read those files or - recently - use an intermediate "syslog gateway" like SC4S.</P> Tue, 11 Apr 2023 17:07:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639528#M109198 PickleRick 2023-04-11T17:07:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639565#M109205 <P>Good day -&nbsp;</P><P>The Splunk Engineer recommended ePO as the HF&nbsp;</P> Tue, 11 Apr 2023 21:37:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Trellix-Epo-on-a-windows-server-send-data-to-indexers-or/m-p/639565#M109205 Doreluss 2023-04-11T21:37:55Z