All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Having trouble establishing connection with Splunk server for McAfee ePO integration.

raphaalmeida
New Member
‎04-16-2020 10:25 AM

I'm the ePO administrator at my company and we are trying to integrate McAfee with Splunk.
McAfee told me that on the ePO side I just need to set the Splunk server as a Registered Server (as I've set on this image below), but I'm not able to establish a connection with Splunk and forward Syslogs.
What can I do to establish a connection with Splunk and send syslogs?
Do we need to install the McAfee add-on and/or install DB Connect?

alt text

Preview file
57 KB
0 Karma
Reply

elf337
Loves-to-Learn
‎11-10-2023 05:03 AM

hi all, i still failed to decrypt the epo logs. this is my config.

[tcp://6514]
connection_host = ip
host = DCHQ-SIMSL-01
source = 10.220.34.23:6514
sourcetype = mcafee:epo:syslog
index = mcafee


[SSL]
serverCert=/splunk/cert/splunk-epo-remote.pem

requireClientCert=false

cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

 

any ideas? huhh

0 Karma
Reply

raphaalmeida
New Member
‎05-01-2020 07:00 AM

Hello,

We've tried to do this method but without success.

We're trying to use DB Connect to directly connect to ePO DB.

On DB connect screen, we have put server address, port number, but I have one doubt about put our instance/db.

Can I put on DB field PR02DS\EPODB (instance\Database) ?

Or do I need to put this on server address like "serverepo.dom.com\pr02ds" ?

Thanks in advance.

0 Karma
Reply

PavelP
Motivator
‎04-16-2020 11:55 PM

try this configuration :

[tcp-ssl:6514]
sourcetype = mcafee:epo

[SSL]
password =
requireClientCert = false
rootCA = /opt/splunk/certs/root-ca.pem
serverCert = /opt/splunk/certs/cert.pem

check this link for a configuration example: https://virtuallyhyper.com/2013/06/install-splunk-and-send-logs-to-splunk-with-rsyslog-over-tcp-with...

Reply

raphaalmeida
New Member
‎04-17-2020 06:29 AM

@PavelP

Thanks for the tip.

I'll try this with our team and let you know if that worked.

Thank you

0 Karma
Reply

efika
Communicator
‎12-20-2021 05:24 AM

Adding my 2c to this thread since I've found it be so very useful:

1. The ePO to splunk TLS connection requires only a splunk-side cert. I've used a self-signed cert by doing the following:

1.a.  sudo openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout splunk-epo-remote.key -out splunk-epo-remote.crt

1.b. cat  splunk-epo-remote.crt  splunk-epo-remote.key >  splunk-epo-remote.pem

2. the [SSL] stanza in input.conf is:

serverCert=/opt/splunk/certs/ splunk-epo-remote.pem

requireClientCert=false

 

I've also updated the ciperSuite based on this link https://community.splunk.com/t5/Getting-Data-In/how-to-configure-Mcafee-Epo-to-send-data-to-Splunk/m... to add the AES256-GCM-SHA384 cipher

 

 

0 Karma
Reply

PavelP
Motivator
‎04-16-2020 02:59 PM

Hello @raphaalmeida ,

there are two types of data you can get from ePO - mcafee:epo using DB Connect and mcafee:ids using syslog:
https://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/DataTypes

ePO outputs TLS encrypted syslog, you need to set up TLS on the syslog side, here are a few examples:

https://kc.mcafee.com/corporate/index?page=content&id=KB91194

https://kc.mcafee.com/corporate/index?page=content&id=KB87927

https://docs.mcafee.com/bundle/web-gateway-7.7.1-product-guide-unmanaged/page/GUID-A4BA3C74-963A-448...

What kind of receiver (rsyslog or syslog-ng, Windows or Linux) do you have?

Reply

raphaalmeida
New Member
‎04-16-2020 05:51 PM

Hello @PavelP

Thanks for your response.

I'm trying to forward syslogs directly to Splunk server.

Is this possible? Or do I need to setup a middle server to receive those syslogs and after send it to Splunk?

Thanks for your help.

0 Karma
Reply

krvamsireddy
Explorer
‎06-05-2021 12:09 AM

@raphaalmeida I am planning to forward logs from McAfee ePO to Splunk Syslog-ng server. but while testing the connection i see like Syslog connection failed.

Please let us know how you configured the log forwarding.

Preview file
12 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...