Getting Data In

How can Trellix/ePO on a Windows server send data to indexers or an HF?

domino30
Path Finder

As stated by the title.

We have a test environment for learning, but at some point it will be a larger production deployment.

With that said, we have a clustered environment on a vSphere server, and one of the boxes is a Win2019 server with ePO/Trellix on it.

So I would really like to know the best-practice, step-by-step way of sending that data over from the ePO server to Splunk, whether that be to an indexer or to a heavy forwarder.

Do I need to put up some kind of syslog server somewhere, or, since it's a Windows server, should I just put a forwarder on it and use that to send data?


Doreluss
Loves-to-Learn Lots

Good day -

The Splunk engineer recommended ePO as the HF.


PickleRick
SplunkTrust

https://splunkbase.splunk.com/app/5085 is an add-on for ePO. See its docs for installation instructions.


domino30
Path Finder

Thanks, PickleRick.

I am aware of the apps, and I think I know the answer, but I want to make sure, because there is a lot of documentation about Splunk for syslog and whatnot. I figured that since McAfee was on a Windows box, I would ask whether it would be easier to just put a forwarder on that box and send data to an indexer.


PickleRick
SplunkTrust

As far as I remember (but I haven't touched ePO for several years), you just configure it to send syslog to some receiver, right?

Receiving a raw network stream with a UF or HF is not recommended. You can do that in a lab environment, but generally the recommended solution is to either use a syslog daemon that writes the events to files and have a forwarder read those files, or - more recently - use an intermediate "syslog gateway" like SC4S.

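One way to set up the file-based path described in the reply above (syslog daemon writes events to files, a forwarder monitors those files), as an added example that is not from this thread or from any Splunk or Trellix documentation. rsyslog is assumed as the daemon; the listening port, file paths, the `splunk` group, the `epo` index and the `mcafee:epo:syslog` sourcetype are assumptions to confirm against the add-on's docs.

```conf
# --- /etc/rsyslog.d/10-epo.conf (on the syslog host; rsyslog assumed) ---
# Dedicated TCP listener for ePO only (port is an assumption). Current ePO
# releases forward syslog as TLS over TCP, which would additionally need the
# gtls stream driver configured here; plain TCP is shown to keep this short.
module(load="imtcp")
input(type="imtcp" port="1514" ruleset="epo")

# One file per sending host and day, so the forwarder can derive host from the path
template(name="epoFile" type="string"
         string="/var/log/epo/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="epo") {
    # Keep ePO events out of /var/log/messages and make them readable by the
    # forwarder's service account (group "splunk" is an assumption)
    action(type="omfile" dynaFile="epoFile" template="RSYSLOG_FileFormat"
           dirCreateMode="0750" fileCreateMode="0640"
           dirGroup="splunk" fileGroup="splunk")
    stop
}

# --- $SPLUNK_HOME/etc/apps/epo_inputs/local/inputs.conf (on the UF or HF) ---
# Monitor the files instead of opening a network listener on the forwarder
[monitor:///var/log/epo/*/*.log]
# Sourcetype the ePO syslog add-on expects (confirm in its docs); index is an assumption
sourcetype = mcafee:epo:syslog
index = epo
# /var/log/epo/<host>/<date>.log: path segment 4 is the sending host
host_segment = 4
disabled = false
```

Restart rsyslog and the forwarder after dropping in both files, then confirm with `splunk list monitor` on the forwarder that the path is picked up.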