Getting Data In

how to configure Mcafee Epo to send data to Splunk

junier16
Explorer

How can i get data from Mcafee ePo directly to splunk ? i see that there is an Add on for MacAfee but that required syslog configuration over tls, which im having issue configuring 

0 Karma

hazelbrooks
Observer

Can you tell me whether it's possible to learn more about this issue with the help of a dissertation abstract example?

0 Karma

abpe
Path Finder

I have managed to connect McAfee ePO with Splunk using syslog-tls. The key setting is the cipherSuite in inputs.conf, where I have added AES256-GCM-SHA384 cipher so that ePO and Splunk can talk together. See below an example extract:

[tcp-ssl://6514]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384

 

Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:

./splunk btool inputs list --debug | grep cipher

ejahnke
Explorer

Did you do anything else? Your example does not work for me unfortunatly.

I keep getting this error:

 

 

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.

 

 

 Also I've added all the suits mentioned on here, without any luck.

My config looks like this:

 

# mcafee epo
[tcp-ssl:1506]
index = epo
sourcetype= mcafee:epo:syslog
disbled=false
queue = indexQueue

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
sslPassword = <<password>>
requireClientCert = 0
rootCA = /opt/splunk/etc/path/to/root.pem
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA:AES256-SHA:AES128-SHA

 

0 Karma

abpe
Path Finder

You can test with openssl if a particular cipher works. In your case, the following command can be run on the Splunk server to test if your input can negotiate cipher "AES256-GCM-SHA384" :

 

openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506

 

0 Karma

Adevill
Loves-to-Learn Lots

Hi @ejahnke . Where you able to get a successful connection? I'm having the same problem here...

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...