
Splunk DB Connect: How to collect data in EPO Database version 4.6.6 with Add-on for McAfee?

Communicator

Hi Splunkers,

I need help with the Add-on for McAfee, because I want to collect anti-virus information from the EPO database (EPO version 4.6.6). I am following the documentation on the Splunk site, but I am having a problem collecting information from the database. I believe the "stanza" in DB Connect is not recognizing the tables in my EPO database.

In my dbx.log:

2014-09-02 17:22:31.673 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://mcafeeepo4db/tamcafeeepo4input]: com.splunk.config.SplunkConfigurationException: Error validating dbmonTail for monitor=dbmon-tail://mcafeeepo4db/tamcafeeepo4input: Invalid object name 'EPOProdPropsViewANTISPYWARE'. with query = SELECT CAST([EPOEvents].[ReceivedUTC] as varchar) as [timestamp], [EPOEvents].[AutoID] as [eventid], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threat_type]
[.....]

/opt/splunk/etc/apps/SplunkTAmcafee/local/inputs.conf

[dbmon-tail://mcafeeepo4db/tamcafeeepo4input]
disabled = 0
host = ip_address
index = main
interval = * * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = timestamp
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = MMM dd yyyy HH:mmaa
query = SELECT CAST([EPOEvents].[ReceivedUTC] as varchar) as [timestamp], [EPOEvents].[AutoID] as [eventid], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threattype], [EPOEvents].[ThreatEventID] as [signatureid], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severityid], [EPOEventFilterDesc].[Name] as [eventdescription], [EPOEvents].[DetectedUTC] as [detectedtimestamp], [EPOEvents].[TargetFileName] as [filename], [EPOEvents].[AnalyzerDetectionMethod] as [detectionmethod], [EPOEvents].[ThreatActionTaken] as [action], [EPOEvents].[ThreatHandled] as [threathandled], [EPOEvents].[TargetUserName] as [logonuser], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [destntdomain], [EPOEvents].[TargetHostName] as [destdns], [EPOEvents].[TargetHostName] as [destnthost], [EPOComputerProperties].[IPHostName] as [fqdn], [destip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] as [destnetmask], [EPOComputerProperties].[NetAddress] as [destmac], [EPOComputerProperties].[OSType] as [os], [EPOComputerProperties].[OSServicePackVer] as [sp], [EPOComputerProperties].[OSVersion] as [osversion], [EPOComputerProperties].[OSBuildNum] as [osbuild], [EPOComputerProperties].[TimeZone] as [timezone], [EPOEvents].[SourceHostName] as [srcdns], [srcip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] as [srcmac], [EPOEvents].[SourceProcessName] as [process], [EPOEvents].[SourceURL] as [url], [EPOEvents].[SourceUserName] as [logonuser], [EPOComputerProperties].[IsPortable] as [islaptop], [EPOEvents].[AnalyzerName] as [product], [EPOEvents].[AnalyzerVersion] as [productversion], [EPOEvents].[AnalyzerEngineVersion] as [engineversion], [EPOEvents].[AnalyzerEngineVersion] as [datversion], [EPOProdPropsViewVIRUSCAN].[datver] as [vsedatversion], [EPOProdPropsViewVIRUSCAN].[enginever64] as [vseengine64version], [EPOProdPropsViewVIRUSCAN].[enginever] as [vseengineversion], [EPOProdPropsViewVIRUSCAN].[hotfix] as [vsehotfix], [EPOProdPropsViewVIRUSCAN].[productversion] as [vseproductversion], [EPOProdPropsViewVIRUSCAN].[servicepack] as [vsesp], [EPOProdPropsViewANTISPYWARE].[productversion] as [antispywareversion] FROM [EPOEvents] left join [EPOLeafNode] on [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID] left join [EPOProdPropsViewANTISPYWARE] on [EPOLeafNode].[AutoID] = [EPOProdPropsViewANTISPYWARE].[LeafNodeID] left join [EPOProdPropsViewVIRUSCAN] on [EPOLeafNode].[AutoID] = [EPOProdPropsViewVIRUSCAN].[LeafNodeID] left join [EPOComputerProperties] on [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID] left join [EPOEventFilterDesc] on [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId] and (EPOEventFilterDesc.Language='0409') WHERE [EPOEvents].[AutoID] > 0 {{ AND [EPOEvents].$rising_column$ > ? }} ORDER BY [EPOEvents].[AutoID]
sourcetype = mcafee:epo
tail.rising.column = AutoID

/opt/splunk/etc/apps/dbx/local/database.conf
[mcafeeepo4db]
database = ePO4_ADC1PEPO01
host = myipaddress
username = company\svceposervice
password = shdisids
port = 1433
isolation_level = DATABASE_SETTING
readonly = 1
type = mssql
disabled = 0

Cheers.
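As an added example (not part of this thread, and not code from the Add-on for McAfee or DB Connect), here is a check a practitioner can run before enabling a dbmon-tail stanza: it pulls the FROM/JOIN object names out of the stanza's query and compares them with the tables and views the ePO database actually contains. The inventory list below is constructed to mirror the server in the question (it lacks the antispyware view); in practice it would come from the INVENTORY_SQL query, run through DB Connect or any SQL Server client. The function names are my own.

```python
import re

# Inventory query to run against the ePO database (SQL Server) to list the
# tables and views a DB Connect stanza could reference. INFORMATION_SCHEMA.TABLES
# lists both tables and views. Added example, not part of the Add-on.
INVENTORY_SQL = (
    "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES "
    "WHERE TABLE_NAME LIKE 'EPO%' ORDER BY TABLE_NAME"
)

# The FROM/JOIN clause of the 4.x stanza query from the question; the column
# list is abridged to one column because only object names matter here.
STANZA_QUERY = (
    "SELECT [EPOEvents].[AutoID] as [eventid] "
    "FROM [EPOEvents] "
    "left join [EPOLeafNode] on [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID] "
    "left join [EPOProdPropsViewANTISPYWARE] on [EPOLeafNode].[AutoID] = [EPOProdPropsViewANTISPYWARE].[LeafNodeID] "
    "left join [EPOProdPropsViewVIRUSCAN] on [EPOLeafNode].[AutoID] = [EPOProdPropsViewVIRUSCAN].[LeafNodeID] "
    "left join [EPOComputerProperties] on [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID] "
    "left join [EPOEventFilterDesc] on [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId] "
    "and (EPOEventFilterDesc.Language='0409') "
    "WHERE [EPOEvents].[AutoID] > 0 {{ AND [EPOEvents].$rising_column$ > ? }} "
    "ORDER BY [EPOEvents].[AutoID]"
)

# Constructed result of INVENTORY_SQL on a server whose schema lacks the
# antispyware view, mirroring the "Invalid object name" error in dbx.log.
SAMPLE_INVENTORY = [
    "EPOComputerProperties",
    "EPOEventFilterDesc",
    "EPOEvents",
    "EPOLeafNode",
    "EPOProdPropsViewVIRUSCAN",
]

# Matches the object name that follows FROM or JOIN, with or without [brackets].
_OBJECT_REF = re.compile(r"\b(?:FROM|JOIN)\s+\[?([A-Za-z0-9_]+)\]?", re.IGNORECASE)


def referenced_objects(query):
    """Return the set of table/view names a query reads (FROM and JOIN targets)."""
    return {m.group(1) for m in _OBJECT_REF.finditer(query)}


def missing_objects(query, inventory):
    """Names the query depends on that the database inventory does not contain.

    SQL Server object names are case-insensitive under the default collation,
    so the comparison is done case-insensitively.
    """
    present = {name.lower() for name in inventory}
    return sorted(n for n in referenced_objects(query) if n.lower() not in present)


def stanza_is_safe_to_enable(query, inventory):
    """True when every object the stanza reads exists; enable the input only then."""
    return not missing_objects(query, inventory)


if __name__ == "__main__":
    gaps = missing_objects(STANZA_QUERY, SAMPLE_INVENTORY)
    if gaps:
        print("Stanza references objects missing from this ePO schema:")
        for name in gaps:
            print("  -", name)
        print("Use the stanza written for this ePO version instead.")
    else:
        print("All referenced objects exist; the stanza can be enabled.")
```

Running it against the constructed inventory reports EPOProdPropsViewANTISPYWARE as missing, which is exactly the object the scheduler complained about, so the input stays disabled until a stanza that matches the schema is chosen.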

Re: Splunk DB Connect: How to collect data in EPO Database version 4.6.6 with Add-on for McAfee?

SplunkTrust

Chances are you have version 5 of EPO (check with your EPO admin). Version 5 changed the DB schema, and as such the EPOProdPropsView_ANTISPYWARE object doesn't exist. There is another stanza included in the Add-on for McAfee which is designed for version 5.

Re: Splunk DB Connect: How to collect data in EPO Database version 4.6.6 with Add-on for McAfee?

Communicator

Hi Splunkers,

First of all, thanks dshpritz and nkpiquette. I used the other stanza included in the Add-on for McAfee, the one for version 5.

That's great!

Cheers!

Re: Splunk DB Connect: How to collect data in EPO Database version 4.6.6 with Add-on for McAfee?

Path Finder

It appears that the Antispyware object is what is throwing off the 4.x input. To solve this I used the 5.x query and was able to get it to accept the input. Give this a shot and let us know if it worked, please.