Getting Data In

How to import McAfee EPO 4.6 logs?


I am running McAfee EPO 4.6 and want to get the logs into splunk. I have an account on the EPO DB Server and just need to be pointed in the right direction to set up splunk to consume the logs.

Thanks Jock

Path Finder

One answer might be to utilize ePO's Web API that they enabled with 4.6 and script the output into Splunk. It works with python, so you should be able to create a script within Splunk to go out and pull the logs down for you.

core.executeQuery?target=EPOMasterCatalog&select=(select EPOMasterCatalog.ProductVersion)&where=(where (eq EPOMasterCatalog.ProductName "DAT"))


0 Karma



Thanks for your interests and contacting me.

Our App for McAfee ePO is a commertial App we typically sell to our McAfee customers.
What we do not have implemented into the App yet is a mechanism for licence management.
So we are not able to give you a full version from our App at this time for testing.

But what I would like to offer to you is a web-session were we can talk about the requirements and were we can show all functions from our ePO App direktly to you.
In addition to that I would like to give you a Data Sheet that gives you a first impression.
I hope that this meets your expectation

Best Regards and greetings from Vienna /Mike

New Member


Can you share your ePO App please?

0 Karma


We can help you with that. We have developed an extension for Splunk, called ePO App.

How it works:
A Splunk forwarder is a dedicated Splunk package installed on an ePolicy Orchestrator Server that collects data directly from the ePolicy Orchestrator database.
The Splunk instance forwards the dumped data to another Splunk server (Indexer).
The Splunk instance that indexes the data transforms raw data into events, placing the results into an index, which is then searchable.
Forwarders are lean and secure. They can be deployed to provide real-time data collection from tens of thousands of sources.

Please let me know which Splunk environment you're using at the moment and if that meets your expectation.


Maybe use this "registered executable" feature to call out a syslog command line logger.

Set up your data in key={value} format for easy analysis.

0 Karma


McAfee used to have table in the database called Events, or EPOEvents, or something very similar.

You can either create a scripted input to have Splunk poll that table for new events, or you can use a third-party product (Adiscon makes one) to forward new records out via syslog.

Take a look at this thread:

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...