
Integrating McAfee ePO with Splunk, do we install Splunk DB Connect on the search head or heavy forwarder?

himapate
Explorer

Hi,

We are integrating McAfee ePO with Splunk, which requires Splunk DB Connect to be installed. I went through the docs and found that DB Connect can be installed on either the search head or a heavy forwarder:

Splunk DB Connect on a heavy forwarder to support continual data gathering or output.
Splunk DB Connect on a search head for more interactive use, including lookups.

Which is the best location to install the app?
We also have Splunk Enterprise Security and need these logs to be integrated.

1 Solution

adauria_splunk
Splunk Employee

The ePO integration is all about data collection and does not involve dynamic lookups. If this is currently your primary or only need for DB Connect, a heavy forwarder probably makes more sense.


himapate
Explorer

Hi,

In our scenario we have the McAfee manager and the database hosted on two different servers.
As per the document, we need to open port 1433 for the DB Connect app to connect. Does this require the port to be open between the heavy forwarder and the database, or between the heavy forwarder and the manager, as the manager has the information from the DB?
Also, for syslog, in order to configure inputs, do we need to configure it at the McAfee manager or at the database server to connect to Splunk?

Thanks


adauria_splunk
Splunk Employee

The connectivity would be from the heavy forwarder (with Splunk DB Connect and Splunk TA for McAfee ePO) to the MS SQL DB Server. 1433 is the default MS SQL port (you may have it configured differently). DB Connect does not ever need to connect to the ePO management server at all.

Pulling McAfee ePO data does not require or use syslog inputs. Part of the TA for McAfee includes a component for collecting and parsing syslog events from McAfee Network IPS/Intrushield (last time I looked at it, at least), which is completely separate from ePO endpoint data collection. If you don't use McAfee Network IPS you won't use syslog. Host IPS, however, is a function of ePO. Those events are collected via the DB Connect pulls from the SQL database.

Another point: read the documentation for DB Connect, specifically the section on adding the required JDBC driver to the DB Connect app on the heavy forwarder. Due to licensing, DB Connect doesn't ship with the driver (jar file) needed to connect. You will need to manually follow the instructions to add it to the heavy forwarder, found here:
http://docs.splunk.com/Documentation/DBX/2.3.0/DeployDBX/Installdatabasedrivers

Good luck!

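A pre-flight script for the heavy forwarder described in the answer above, added here as an example (it is not Splunk's, McAfee's or the poster's code): it verifies the one connection DB Connect actually needs, heavy forwarder to the MS SQL listener (1433 by default), and checks that an MS SQL JDBC jar has been placed in the DB Connect driver directory. The SPLUNK_HOME default, the driver directory path and the SQL host/port arguments are assumptions; override them for your deployment.

```bash
#!/bin/bash
# Added pre-flight check for the heavy forwarder that will run DB Connect
# (example code, not Splunk's or McAfee's). Assumptions: SPLUNK_HOME defaults
# to /opt/splunk and DB Connect keeps JDBC jars under
# etc/apps/splunk_app_db_connect/drivers (override both via the environment).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DBX_DRIVER_DIR="${DBX_DRIVER_DIR:-$SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers}"

# check_tcp HOST PORT: succeed only if a TCP connection to the SQL listener opens.
# This is the only path DB Connect uses; the ePO manager itself never needs to be reachable.
check_tcp() {
  host="$1"; port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
  else
    # bash-only fallback; fails (reported as unreachable) under plain sh
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
  fi
}

# find_jdbc_driver DIR: print MS SQL JDBC jars found in DIR (Microsoft
# mssql-jdbc-*/sqljdbc* or jTDS jtds-*); succeed only if at least one exists.
find_jdbc_driver() {
  dir="$1"; found=0
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue
    case "$(basename "$jar")" in
      mssql-jdbc*|sqljdbc*|jtds*) echo "$jar"; found=1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}

# preflight HOST PORT: run both checks; return the number of failed checks (0 = ready).
preflight() {
  fails=0
  if check_tcp "$1" "$2"; then echo "OK   TCP $1:$2 reachable"
  else echo "FAIL TCP $1:$2 not reachable from this host (firewall or port?)"; fails=$((fails+1)); fi
  if find_jdbc_driver "$DBX_DRIVER_DIR" >/dev/null; then echo "OK   JDBC driver present in $DBX_DRIVER_DIR"
  else echo "FAIL no MS SQL JDBC jar in $DBX_DRIVER_DIR (add it per the DB Connect docs)"; fails=$((fails+1)); fi
  return "$fails"
}

# Usage on the heavy forwarder (hostname is a placeholder): ./dbx_preflight.sh sqlhost.example 1433
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```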