All Apps and Add-ons

How to integrate Mcafee ePO in a distributed environment with Splunk DB Connect and the Splunk Add-on for McAfee?

Path Finder


I'm planning to install McAfee + Splunk DB Connect on several heavy forwarders (4) using the Deployment Server.
The fact is, I don't know what will happen if all the TAs start collecting at the same time. Will it end up with duplicate or more entries for the same event!? not cool...

Can I really use this TA in a distributed environment or must I choose a specific forwarder and do a "manual" fail over in case of failure (eg: enable/disable DB Connect ePO config)? (same behavior with opsec-lea add on)

0 Karma


Having more than one TA reading from the same database using the same query will result in duplicate data. Use a single HF for that and have the input disabled on a second HF as a cold standby.

If this reply helps you, an upvote would be appreciated.