
McAfee ePO Splunk Integration

ESIMatNeforce
Path Finder

Hello splunkers,

Is there any news concerning the integration of McAfee ePO logs into Splunk? The last post I found on here is more than a year old and not very helpful. Has anyone already figured out a suitable way to get ePO info into Splunk? Splunk with the ES app should be able to handle ePO logs accordingly, at least that's what the list of pretrained sourcetypes of the ES app suggests.

I'd be very grateful for inputs!

Flo

peetchow
Loves-to-Learn Lots

I just installed the add-on app and I have DB Connect set up, but the app has an error: a missing index.xml file? And it looks like a clone of the Symantec app? Can I call support about this and for help?


jcoates_splunk
Splunk Employee

I am pleased to announce that we've just released an add-on that can help you with this: http://apps.splunk.com/app/1819/


clbutler71
New Member

Any update on when this TA will support the many modules contained within the ePO/HBSS product? DLP, HIPS, ABM/ACCM, etc. Currently it would seem that it only supports VSE.


sanhema
New Member

Hi,

Could you please post any update if you have got on this?

Thanks in Advance


Pierceyuk
Path Finder

We use the ES app to grab the logs; it's currently running a Python script that queries the database and writes the data to a text file for Splunk to index.

I just set up a DB Connect host as the ePO audit events were not being taken in. Connected to the database, pointed it at the audit table and in the data came. I can provide a screenshot or more details if required.

If you don't plan on getting the ES app then I would look into the DB Connect app to connect to the McAfee ePO database and pull the required data. The audit events are easy and in a single table, so start with that; looking at the SQL the ES app uses to pull event/threat data, it's a very complicated query with many tables. With the next upgrade I plan on moving all database extractions for ePO to my DB Connect box, as that seems easier to manage.

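As an added example (not code from the thread, from Splunk, or from McAfee), here is what the single-table audit pull that Pierceyuk describes looks like as a DB Connect "rising column" input. ePO stores its data in SQL Server, and DB Connect substitutes the last saved checkpoint for the `?` placeholder on each poll so only new rows are returned. The table and column names (`EPOAuditLog`, `AuditId`, `UserName`, `Priority`, `CmdName`, `Message`, `Success`, `StartTime`, `EndTime`) are assumptions based on a typical ePO schema; the first query is there so you can verify them against your own instance before saving the input.

```sql
-- Added example, not from the original thread or from McAfee/Splunk.
-- Table and column names below are ASSUMED; confirm them with step 1.

-- 1. Confirm the audit table and its columns on your ePO SQL Server
--    instance (run this once in your SQL client, not in DB Connect).
SELECT COLUMN_NAME, DATA_TYPE
FROM   INFORMATION_SCHEMA.COLUMNS
WHERE  TABLE_NAME = 'EPOAuditLog'
ORDER  BY ORDINAL_POSITION;

-- 2. Rising-column query for the DB Connect input.
--    AuditId is the rising column: DB Connect replaces "?" with the highest
--    AuditId it has already indexed, so each poll returns only new audit
--    events and nothing is pulled twice. The rising column must be
--    monotonically increasing, which an identity primary key is.
SELECT AuditId,
       StartTime,
       EndTime,
       UserName,
       Priority,
       CmdName,
       Message,
       Success
FROM   dbo.EPOAuditLog
WHERE  AuditId > ?
ORDER  BY AuditId ASC;
```

In the DB Connect input, set the rising column to `AuditId`, the timestamp column to `StartTime` (so event time in Splunk matches the console action, not the poll time), and give the first run a starting checkpoint of 0 to backfill history. The event/threat data the ES app pulls from `EPOEvents` needs joins to the machine and product tables, which is why that query is the more involved one; start with the audit table as suggested above.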