One answer might be to utilize ePO's Web API that they enabled with 4.6 and script the output into Splunk. It works with python, so you should be able to create a script within Splunk to go out and pull the logs down for you.
core.executeQuery?target=EPOMasterCatalog&select=(select EPOMasterCatalog.ProductVersion)&where=(where (eq EPOMasterCatalog.ProductName "DAT"))
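A scripted-input poller for the approach in the answer above (calling core.executeQuery from Python and handing the rows to Splunk), written here as an added example and not code from the thread: it asks EPOEvents only for rows newer than the last AutoID already indexed, refuses to index an error body as if it were events, and emits key=value lines Splunk can field-extract. The remote-API path, ':output=json', the "OK:" status line, the `gt` operator and the host name are assumptions to verify against your own ePO server.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Assumed ePO Web API conventions (verify on your server): https://<epo>:8443/remote/,
# HTTP basic auth, ':output=json', body starting "OK:" on success or "Error" on failure.
EPO_BASE = "https://epo.example.internal:8443/remote/"  # hypothetical host
# Constructed sample response in that shape, to exercise the parser offline.
SAMPLE_RESPONSE = "OK:\n" + json.dumps([
    {"EPOEvents.AutoID": 101, "EPOEvents.ReceivedUTC": "2024-01-10T08:15:00",
     "EPOEvents.ThreatName": "EICAR test file", "EPOEvents.TargetHostName": "WS01"},
    {"EPOEvents.AutoID": 102, "EPOEvents.ReceivedUTC": "2024-01-10T08:16:00",
     "EPOEvents.ThreatName": "Generic.dx", "EPOEvents.TargetHostName": "WS02"}])

def build_query_url(since_id, base=EPO_BASE):
    """Ask only for EPOEvents rows newer than the last AutoID Splunk has indexed."""
    params = {"target": "EPOEvents",
              "select": "(select EPOEvents.AutoID EPOEvents.ReceivedUTC "
                        "EPOEvents.ThreatName EPOEvents.TargetHostName)",
              "where": "(where (gt EPOEvents.AutoID %d))" % int(since_id),
              "order": "(order (asc EPOEvents.AutoID))", ":output": "json"}
    return base + "core.executeQuery?" + urllib.parse.urlencode(params)

def parse_epo_response(body):
    """Strip the status line; never index an error message as if it were events."""
    status, _, payload = body.partition("\n")
    if status.strip() != "OK:":
        raise RuntimeError("ePO API error: " + body[:200])
    rows = json.loads(payload)
    return rows if isinstance(rows, list) else [rows]

def to_kv_lines(rows):
    """One key="value" line per row so Splunk extracts fields without a custom regex."""
    return [" ".join('%s="%s"' % (k.split(".")[-1], str(v).replace('"', "'"))
                     for k, v in sorted(row.items())) for row in rows]

def high_water_mark(rows, previous):
    """Largest AutoID seen; persist it so the next poll skips rows already indexed."""
    return max([int(previous)] + [int(r["EPOEvents.AutoID"]) for r in rows])

def fetch(since_id, user, password):
    req = urllib.request.Request(build_query_url(since_id))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()  # verifies the ePO cert; load your own CA if private
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_epo_response(resp.read().decode("utf-8"))
```

Run it from Splunk as a scripted input that prints `to_kv_lines(fetch(last, user, password))` and writes the value of `high_water_mark` to a small state file between runs, so the same rows are not indexed twice.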
Thanks for your interest and for contacting me.
Our App for McAfee ePO is a commercial App we typically sell to our McAfee customers.
What we do not have implemented into the App yet is a mechanism for licence management.
So we are not able to give you a full version from our App at this time for testing.
But what I would like to offer you is a web session where we can talk about the requirements and where we can show all functions of our ePO App directly to you.
In addition to that I would like to give you a Data Sheet that gives you a first impression.
I hope that this meets your expectation.
Best Regards and greetings from Vienna /Mike
We can help you with that. We have developed an extension for Splunk, called ePO App.
How it works:
A Splunk forwarder is a dedicated Splunk package installed on an ePolicy Orchestrator Server that collects data directly from the ePolicy Orchestrator database.
The Splunk instance forwards the dumped data to another Splunk server (Indexer).
The Splunk instance that indexes the data transforms raw data into events, placing the results into an index, which is then searchable.
Forwarders are lean and secure. They can be deployed to provide real-time data collection from tens of thousands of sources.
Please let me know which Splunk environment you're using at the moment and if that meets your expectation.
McAfee used to have a table in the database called EPOEvents, or something very similar.
You can either create a scripted input to have Splunk poll that table for new events, or you can use a third-party product (Adiscon makes one) to forward new records out via syslog.
Take a look at this thread: