Getting Data In
Highlighted

McAfee epo integration with Splunk

Path Finder

Hi

We have to integrate McAfee epo(full fledged) instance with splunk i.e we want logs of EPO in splunk. What is the best way to do it. Should i install Universal forwarder on the epo machine or should i use EPO extended configuration and register my splunk as a syslog server there(donot know how to do this).Also we donot want to use ESS for this. Please help !!

Tags (3)
0 Karma
Highlighted

Re: McAfee epo integration with Splunk

SplunkTrust
SplunkTrust

Hi lohit,

both will work fine, if you can configure and/or setup it up in EPO.
Syslog has some down sides, like data can get lost if the indexer is down for example. Personally I would configure EPO to create text Log file and install a Splunk Universalforwarder to monitor the log.

Hope this helps a bit to get you started.

Cheers, MuS

Highlighted

Re: McAfee epo integration with Splunk

Path Finder

Thanks a lot MuS.

Totally agree with syslog downside. Only positive points from EPO setup is that we can actually log only a specific type of events to a syslog server from EPO console like for example based on severity instead of collecting all logs and then extracting it in splunk.

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

Communicator

Were you able to do this? If so please share a little how to.

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

Super Champion

Which part are you having trouble with?

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

Communicator

Interested in a procedure to have epo write logs to text file. Also any props/transforms for the epo data.

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

Communicator

Can anyone provide any further info on how to get EPO to export to a .txt file and then monitor with Splunk ?

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

SplunkTrust
SplunkTrust

Hi Aaron, according to http://kc.mcafee.com/corporate/index?page=answerlink&url=spD2Ro8-7xeSDi5pMVrcP4NU4ttaDgfvDk2wLTCzMyu... you can configure the logs in a matter so it will write a txt log file. This can be monitored by Splunk, read more here http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor

0 Karma
Highlighted

Re: McAfee epo integration with Splunk

Splunk Employee
Splunk Employee

FYI, there's now a DB Connect based way to do EPO logs too: http://apps.splunk.com/app/1819/