when i click  on test connection after adding the registered server the connection failed, so im not able to connect syslog server with ePO ( i think is because tls required) . I also see that the Splunk Add on required syslog to work. Is there another way to get data from ePo to Splunk ?

Hi,

We had the same problem with rsyslog yesterday and found out that *.key file had no read access.

So from:

-rw-------

To:

-rw-r--r--

/Tomas

Did changing the permission for .key solved the issue ?

Hi,

Yes it did! We are up and running. At least Test connection and Eicar test event.

/Tomas

I have been fighting this battle for a while now off and on.

ePO has different places to configure logging depending on the product and it's still not totally clear to me.  But from what I have found standard McAfee syslog (registered syslog server) and App Control (registered SolidCore syslog appear) to be CEF TLS Syslog.  The "default" port is 6514 as you mention.  That means that you need to have a certificate on your syslog server on 6514TCP.  For further information check out some light reading of standards IETF 5424 + 5425.  DLP is different, but looks like it may work with the same setup.  That's because it can be UDP (which can be without TLS) or TCP.

Then you need to have some form to monitor the syslog collection to get it to your Splunk server.  The easiest way to do that is to have the forwarder monitor on the system and send it over.  If that's the case you probably want to add the Splunk Add-on for McAfee ePO Syslog on to your forwarder along with the sourcetype to ease the burden on your indexer.

We use a product called NXLog for now, and with the app McAfee ePO Syslog app, we are able to collect and parse with the sourcetype mcafee:epo:syslog.  It looks kind of ugly in the raw event, but the fields seem to be parsed perfectly, which is the important thing.

For DLP we are going to see what's best DBConnect or syslog.  If you use DBConnect you have to basically reverse engineer the fields using querys provided by ePO as the fields change from version to version.  Hopefully they will standardize that in the coming releases because seems to be awfully tedious.

-Tony

Can you share you conf file statement that you used ?  Im using the below statement with the the cert, but syslog is not listening to the port.

source source_6514_tls {
tcp(port(6514)
tls(
key-file("/etc/syslog-ng/cert.d/server.key")
cert-file("/etc/syslog-ng/cert.d/server.crt")
peer-verify(optional-untrusted)
)
flags(no-multi-line)
);
};

destination dest_6514_local { file("/var/log/syslog/logs"); };

log {source(source_6514_tls); destination(dest_6514_local); };

Did you ever get the config correct?  I need the same thing and am not having any success with the right configuration.

no i never did. I used DBconnect to ingest the events

I've been successful using Splunk DB Connect to pull information from the EPO database, but that was a while ago and things could have changed since then.

But let's back up a little.  Where are you when you click on "test connection"?  Have you checked your firewalls to make sure none are blocking the connections?  Which Splunk add-on are you talking about?