All Apps and Add-ons

Integrating McAfee ePO with Splunk, do we install Splunk DB Connect on the search head or heavy forwarder?

himapate
Explorer

Hi ,

We are integrating McAfee ePO with Splunk where we require Splunk DB Connect to be installed. Went through the docs and found that DB Connect can be installed at the Search Head or Heavy forwarder:

Splunk DB Connect on a heavy forwarder to support continual data gathering or output.
Splunk DB Connect on a search head for more interactive use, including lookups,

Which is the best location to install the app?
We also have Splunk Enterprise Security and need these logs to be integrated.

0 Karma
1 Solution

adauria_splunk
Splunk Employee
Splunk Employee

The epo integration is all about data collection and does not involve dynamic lookups. If this is currently your primary or only need for db connect, a heavy forwarder probably makes more sense.

View solution in original post

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

The epo integration is all about data collection and does not involve dynamic lookups. If this is currently your primary or only need for db connect, a heavy forwarder probably makes more sense.

0 Karma

himapate
Explorer

Hi ,

In our scenario we have the Mcafee manager and the Database hosted on 2 different servers.
As per the document we need to open port 1433 for DB connect app to connect. Does this require the port to be open from Heavy forwarder and database or Heavy forwarder and manager, as the manager has the information form the DB
Also, for syslog in order to configure inputs we need to configure it at the Mcafee manager or Database server to connect to Splunk.

Thanks

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

The connectivity would be from the heavy forwarder (with Splunk DB Connect and Splunk TA for McAfee ePO) to the MS SQL DB Server. 1433 is the default MS SQL port (you may have it configured differently). DB Connect does not ever need to connect to the ePO management server at all.

Pulling McAfee ePO data does not require or use syslog inputs. Part of the TA for McAfee includes a component for collecting and parsing syslog events from McAfee Network IPS/Intrushield (last time I looked at it, at least), which is completely separate from ePO endpoint data collection. If you don't use McAfee Network IPS you won't use syslog. Host IPS, however, is a function of ePO. Those events are collected via the DB Connect pulls from the SQL database.

Another point - read the documentation for DB Connect - specifically adding the required JDBC driver to the DB connect app on the heavy forwarder. Due to licensing, DB Connect doesn't ship with the driver (jar file) needed to connect. You will need to manually follow the instructions to add it to the heavy forwarder, found here:
http://docs.splunk.com/Documentation/DBX/2.3.0/DeployDBX/Installdatabasedrivers

Good luck!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...