How do we import McAfee EPO into Splunk?


We have a DB account on the MS SQL database. Is there an easy way to do this?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Update from the future.... DB Connect is now free, and there's an add-on that uses it to get McAFee EPO data.


Thanks for your interests and contacting me.

Our DBX App is a commertial App we typically sell to our customers.
What we do not have implemented into the App yet is a mechanism for licence management.
So we are not able to give you or to you customer a full version from our App at this time for testing.

But what I would like to offer to you is a web-session were we can talk about the requirements from your customer and were we can show all functions from our DBX App direktly to your customer.
In addition to that I would like to give you a Data Sheet that gives you a first impression.

I hope that this meets your expectation and if you don´t mind I would like to ask you to bring us in direct touch with your customer.

Best Regards and greetings from Vienna / Mike

0 Karma


We can help you with that. We have developed an extension for Splunk, called DBX, that serves as a universal SQL database connector. So it allows to simply configure database inputs.

Please let me know which Splunk environment you're using at the moment (Splunk Version, Operating System, approx. Data volume, Physical/Virtual server).


New Member


Can you share that DBX extension please?

0 Karma


Splunk Enterprise Security 2.0 (formally called ESS - Enterprise Security Suite) is a pay to play add-on to Splunk. It includes McAfee EPO Anti-virus as an out of the box datasource. For a list of supported datasources see

There are many advantages to ESS, including really cool correlation technology, which would allow for better APT (Advanced Persistent Threat) detection, for example, by building rules that look at infections, AV service halts with firewall and IDS/IPS activity.

The other anti-virus add-in's provided with ES 2.0 are TA-sep which supports Symantec AntiVirus version 10 and earlier, and Symantec AntiVirus 11 and later; and TA-trendmicro for Trend Micro.

I would hope that Splunk would see good sense in making the TA-McAfee more generally available, since their licensing is built on data volumes and not on features. But for the moment this is a niche requirement, with some really innovative technology that goes beyond "normal Splunk". I understand why early adopters have to pay for this.

You can also create custom add-ons to EA for other anti-virus datasources. For information about creating technology add-ons for ES 2.0 see

0 Karma



The easiest solution would be to (as kristian says) configure EPO to create a text file.

However, there is some documentation (I have not followed it myself as I have not got the need for DB input) here. The example used polls a DB and reproduces it's results in a format easily recognisable by Splunk.

Hope this helps answer your question.

If it does answer you question. Please mark the answer as accepted to help the community.



Ultra Champion

I think it's easier if you configure EPO to create text files and have a Splunk Forwarder installed to monitor the log, if possible.


0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!