Is there any news concerning the integration of McAfee ePO logs into Splunk? The last post on here I found is more than a year old and not very helpful. Has anyone already figured out a suitable way to get ePO info into Splunk? Splunk with the ES app should be able to handle ePO logs accordingly, at least that's what the list of pretrained sourcetypes of the ES app suggests.
I'd be very grateful for inputs!
I just installed the add-on app and I have DB Connect set up ... but the app has an error: missing an index.xml file? And it looks like a clone of the Symantec app? Can I call support about this and for help?
We use the ES app to grab the logs; it's currently running a Python script to query the database to put the data into a text file for Splunk to index.
I just set up a DB Connect host as the ePO audit events were not being taken in. Connected to the database, pointed at the audit table and in the data came. I can provide a print screen with more details if required.
If you don't plan on getting the ES app, then I would look into the DB Connect app to connect to the McAfee ePO database and pull the required data. The audit events are easy and in a single table, so start with that; looking at the SQL the ES app uses to pull event/threat data, it's a very complicated query with many tables. With the next upgrade I plan on moving all database extractions for ePO to my DB Connect box, as that seems easier to manage.
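The two approaches described in this thread (a script that queries the ePO database and writes a text file for Splunk to index, or DB Connect pointed at the single audit table) both come down to the same pattern: pull only rows newer than the last one already sent, and emit them in a form Splunk parses without extra configuration. The script below is an added example written for this thread; it is not code from Splunk, McAfee, the ES app, or any poster. It uses an in-memory SQLite table with constructed rows as a stand-in for the real ePO SQL Server audit table, and the table and column names (`audit_log`, `id`, `event_time`, `user_name`, `action`, `result`, `src_ip`) are hypothetical placeholders. The "rising column" checkpoint on `id` is the same idea DB Connect uses for incremental inputs, and it is what keeps a periodic pull from re-indexing events it has already forwarded.

```python
"""Incremental export of an audit table to key=value lines for Splunk.

Added example for the ePO-to-Splunk discussion; not the ES app's or DB
Connect's own code. Table and column names are hypothetical placeholders,
and SQLite stands in for the real SQL Server database so it runs offline.
"""
import sqlite3

# Constructed sample audit rows (hypothetical schema, not real ePO data).
SAMPLE_ROWS = [
    (1, "2024-01-01T10:00:00Z", "admin", "Logon", "Success", "10.0.0.5"),
    (2, "2024-01-01T10:05:12Z", "admin", "Policy Assign", "Success", "10.0.0.5"),
    (3, "2024-01-01T10:07:45Z", "jdoe", "Logon", 'Failure "bad password"', "10.0.0.9"),
]


def build_sample_db():
    """Create an in-memory stand-in for the ePO audit table and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log ("
        "id INTEGER PRIMARY KEY, event_time TEXT, user_name TEXT, "
        "action TEXT, result TEXT, src_ip TEXT)"
    )
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_new_events(conn, last_id):
    """Return rows with id greater than the checkpoint, oldest first.

    Selecting on a monotonically increasing column (a 'rising column') is
    what makes repeated runs idempotent: a row is returned exactly once.
    """
    cur = conn.execute(
        "SELECT id, event_time, user_name, action, result, src_ip "
        "FROM audit_log WHERE id > ? ORDER BY id",
        (last_id,),
    )
    return cur.fetchall()


def _kv(key, value):
    """Render one key=value pair; quote strings and escape embedded quotes."""
    if isinstance(value, int):
        return f"{key}={value}"
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{key}="{escaped}"'


def to_kv_line(row):
    """Format a row as one event line that Splunk auto-extracts fields from.

    Putting the timestamp first lets Splunk pick it up as _time without a
    custom props.conf stanza.
    """
    row_id, event_time, user_name, action, result, src_ip = row
    return " ".join([
        _kv("event_time", event_time),
        _kv("id", row_id),
        _kv("user", user_name),
        _kv("action", action),
        _kv("result", result),
        _kv("src_ip", src_ip),
    ])


def export_since(conn, last_id):
    """Pull everything after the checkpoint and return (lines, new_checkpoint).

    The checkpoint only advances to the highest id actually exported, so a
    run that fails midway can safely be repeated.
    """
    rows = fetch_new_events(conn, last_id)
    lines = [to_kv_line(r) for r in rows]
    new_last_id = rows[-1][0] if rows else last_id
    return lines, new_last_id


def write_lines(lines, path):
    """Append event lines to the text file the Splunk forwarder monitors."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")


if __name__ == "__main__":
    db = build_sample_db()
    # First run: nothing exported yet, so checkpoint starts at 0.
    out, checkpoint = export_since(db, 0)
    for line in out:
        print(line)
    # Second run with the saved checkpoint: no duplicates are produced.
    again, checkpoint = export_since(db, checkpoint)
    print(f"second run exported {len(again)} rows; checkpoint={checkpoint}")
```

In a real deployment the checkpoint would be persisted (a small file next to the script, or DB Connect's own rising-column state) and the output file would sit under a directory a universal forwarder monitors; the quoting in `_kv` matters because audit messages can contain quotes, as the third constructed row shows.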