McAfee ePO integration with Splunk
Hi,
We have to integrate a McAfee ePO (full-fledged) instance with Splunk, i.e. we want the logs of ePO in Splunk. What is the best way to do it? Should I install a Universal Forwarder on the ePO machine, or should I use the ePO extended configuration and register my Splunk as a syslog server there (do not know how to do this)? Also, we do not want to use ESS for this. Please help!!
Reply from jcoates_splunk (Splunk Employee):
FYI, there's now a DB Connect based way to do EPO logs too: http://apps.splunk.com/app/1819/
Reply from MuS:
Hi lohit,
Both will work fine, if you can configure and/or set it up in ePO.
Syslog has some downsides, like data can get lost if the indexer is down, for example. Personally I would configure ePO to create a text log file and install a Splunk Universal Forwarder to monitor the log.
Hope this helps a bit to get you started.
Cheers, MuS
Reply from MuS:
Hi Aaron, according to http://kc.mcafee.com/corporate/index?page=answerlink&url=spD2Ro8-7xeSDi5pMVrcP4NU4ttaDgfvDk2wLTCzMyu... you can configure the logs in a manner such that it will write a txt log file. This can be monitored by Splunk; read more here: http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
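Added example, not code from MuS, Splunk or McAfee: the forwarder-side configuration for the text-log approach MuS recommends in these two replies, with indexer acknowledgement enabled so that the data-loss case he raises for syslog turns into a backlog on the forwarder instead. The log directory, indexer address, index name and sourcetype name are placeholders, and the props.conf stanza assumes one event per line in the exported file.

```ini
# --- inputs.conf on the ePO host (Universal Forwarder) ---
# PLACEHOLDER: replace with the directory ePO is configured to write its text log into.
[monitor://C:\EPO_TEXT_LOG_DIR\*.log]
disabled = false
# ASSUMED names; use whatever your indexers and searches expect.
sourcetype = mcafee:epo
index = epo
# Adds the file path to the CRC so export files that start with an identical
# header are not mistaken for one another. Omit it if ePO rotates by renaming,
# since the renamed file would then be read a second time.
crcSalt = <SOURCE>

# --- outputs.conf on the ePO host (Universal Forwarder) ---
[tcpout]
defaultGroup = epo_indexers

[tcpout:epo_indexers]
# PLACEHOLDER indexer address; 9997 is the conventional receiving port.
server = indexer.example.internal:9997
# Indexer acknowledgement: the forwarder holds data until the indexer confirms
# it was written, so an indexer outage queues events on the ePO host rather
# than dropping them the way plain syslog over UDP would.
useACK = true

# --- props.conf on the indexer (or heavy forwarder) for the assumed sourcetype ---
[mcafee:epo]
# ASSUMPTION: one event per line in the exported text log.
SHOULD_LINEMERGE = false
# TIME_PREFIX / TIME_FORMAT depend on the export format chosen in ePO and are
# deliberately left unset here; set them once you have a sample line.
```

Restart the forwarder after placing the files and check `splunkd.log` on the ePO host for the monitor input picking up the directory before looking for events on the search head.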
Reply from AaronMoorcroft:
Can anyone provide any further info on how to get ePO to export to a .txt file and then monitor it with Splunk?
Interested in a procedure to have ePO write logs to a text file. Also any props/transforms for the ePO data.
Which part are you having trouble with?
Were you able to do this? If so please share a little how to.
Thanks a lot, MuS.
Totally agree with the syslog downside. The only positive point of the ePO setup is that we can actually log only a specific type of event to a syslog server from the ePO console, for example based on severity, instead of collecting all logs and then extracting them in Splunk.