I'm the ePO administrator at my company and we are trying to integrate McAfee with Splunk.
McAfee told me that on the ePO side I just need to set the Splunk server as a Registered Server (as I've set on this image below), but I'm not able to establish a connection with Splunk and forward Syslogs.
What can I do to establish a connection with Splunk and send syslogs?
Do we need to install the McAfee add-on and/or install DB Connect?
Hello @raphaalmeida ,
there are two types of data you can get from ePO - mcafee:epo using DB Connect and mcafee:ids using syslog:
ePO outputs TLS encrypted syslog, you need to set up TLS on the syslog side, here are a few examples:
What kind of receiver (rsyslog or syslog-ng, Windows or Linux) do you have?
Thanks for your response.
I'm trying to forward syslogs directly to Splunk server.
Is this possible? Or do I need to setup a middle server to receive those syslogs and after send it to Splunk?
Thanks for your help.
try this configuration :
[tcp-ssl:6514] sourcetype = mcafee:epo [SSL] password = requireClientCert = false rootCA = /opt/splunk/certs/root-ca.pem serverCert = /opt/splunk/certs/cert.pem
check this link for a configuration example: https://virtuallyhyper.com/2013/06/install-splunk-and-send-logs-to-splunk-with-rsyslog-over-tcp-with...
Thanks for the tip.
I'll try this with our team and let you know if that worked.
We've tried to do this method but without success.
We're trying to use DB Connect to directly connect to ePO DB.
On DB connect screen, we have put server address, port number, but I have one doubt about put our instance/db.
Can I put on DB field PR02DS\EPODB (instance\Database) ?
Or do I need to put this on server address like "serverepo.dom.com\pr02ds" ?
Thanks in advance.