We have to integrate a McAfee EPO (full-fledged) instance with Splunk, i.e., we want the logs of EPO in Splunk. What is the best way to do it? Should I install a Universal Forwarder on the EPO machine, or should I use the EPO extended configuration and register my Splunk as a syslog server there (I do not know how to do this)? Also, we do not want to use ESS for this. Please help!!
Both will work fine, if you can configure and/or set it up in EPO.
Syslog has some downsides, e.g. data can get lost if the indexer is down. Personally I would configure EPO to create a text log file and install a Splunk Universal Forwarder to monitor the log.
Hope this helps a bit to get you started.
Thanks a lot MuS.
Totally agree with the syslog downside. The only positive point of the EPO setup is that we can actually log only a specific type of events to a syslog server from the EPO console, for example based on severity, instead of collecting all logs and then extracting them in Splunk.
Hi Aaron, according to http://kc.mcafee.com/corporate/index?page=answerlink&url=spD2Ro8-7xeSDi5pMVrcP4NU4ttaDgfvDk2wLTCzMyu... you can configure the logs in a manner so that EPO writes a txt log file. This can be monitored by Splunk; read more here http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
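To make the two options concrete, here is an added example of what the Universal Forwarder's `inputs.conf` would look like for each of them. It is not from this thread or from McAfee/Splunk documentation; the log path, index name and syslog port are placeholders (the thread does not say where ePO writes its file or which port is registered in the ePO console), so replace them with your own values.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder
# running on the ePO server (added example, not from the thread).
# C:\PLACEHOLDER\epo-logs is an assumed path: use the directory ePO is
# configured to write its text log into. Index "epo" is assumed to exist.

# Option 1 (recommended in the thread): tail the text log file ePO writes.
# The forwarder records how far it has read each file, so if the indexer is
# unreachable the events stay on disk and are sent when it comes back;
# nothing is dropped.
[monitor://C:\PLACEHOLDER\epo-logs\*.log]
disabled = false
sourcetype = mcafee:epo
index = epo
# If rotated files start with the same header line, their first 256 bytes
# are identical and Splunk would treat them as the same file; salting the
# checksum with the path keeps each file tracked separately.
crcSalt = <SOURCE>

# Option 2 (the syslog route asked about): listen for whatever ePO's
# registered syslog server entry sends to this host. Protocol and port must
# match what is registered in the ePO console; 514 is a placeholder.
# A plain UDP listener has no acknowledgement or replay: anything ePO sends
# while Splunk is down is lost, which is the downside MuS points out.
# Its one advantage is the server-side filtering mentioned above, e.g. by
# severity, so less data reaches the indexer.
[udp://514]
disabled = true
sourcetype = mcafee:epo:syslog
index = epo
```

The same file monitor can be created from the forwarder's command line with `splunk add monitor "C:\PLACEHOLDER\epo-logs" -sourcetype mcafee:epo -index epo`; after a restart, `splunk list monitor` shows whether the path was picked up. Whichever option is used, check the Splunk side with a search such as `index=epo | stats count by sourcetype` to confirm events are arriving before relying on the feed.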