Getting Data In

How to configure McAfee ePO to send data to Splunk


How can I get data from McAfee ePO directly into Splunk? I see that there is an add-on for McAfee, but that requires syslog configuration over TLS, which I'm having issues configuring.

0 Karma



Path Finder

I have managed to connect McAfee ePO with Splunk using syslog-tls. The key setting is the cipherSuite in inputs.conf, where I have added AES256-GCM-SHA384 cipher so that ePO and Splunk can talk together. See below an example extract:

# Stanza headers were not shown in the extract; port 1506 is the one probed with openssl later in this thread
[tcp-ssl:1506]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
# (prepend your version's default cipherSuite value, see the btool command below)
cipherSuite = <default cipherSuite from btool>:AES256-GCM-SHA384


Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:

./splunk btool inputs list --debug | grep cipher


Did you do anything else? Your example does not work for me unfortunately.

I keep getting this error:

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.

Also I've added all the suites mentioned on here, without any luck.

My config looks like this:


# mcafee epo
# stanza headers were not shown in the extract; port 1506 is the one probed with openssl below
[tcp-ssl:1506]
index = epo
sourcetype = mcafee:epo:syslog
queue = indexQueue

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
sslPassword = <<password>>
requireClientCert = 0
rootCA = /opt/splunk/etc/path/to/root.pem
# note: no cipherSuite line appears in this extract


0 Karma

Path Finder

You can test with openssl if a particular cipher works. In your case, the following command can be run on the Splunk server to test if your input can negotiate the cipher "AES256-GCM-SHA384":


openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506


0 Karma
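The two steps discussed in this thread, reading the current cipherSuite from btool and appending AES256-GCM-SHA384 without duplicating it, plus the openssl probe, as added helper functions (not from the original posts or from Splunk). The btool line format and the use of -tls1_2 for the probe are assumptions; AES256-GCM-SHA384 is a TLS 1.2 RSA key-exchange suite with no forward secrecy, so the probe pins TLS 1.2 to make the result meaningful.

```sh
#!/bin/sh
# Extract the cipherSuite value from one line of
# `splunk btool inputs list --debug | grep cipher` output.
# Assumed (constructed) line shape:
#   /opt/splunk/etc/system/default/inputs.conf   cipherSuite = SUITE1:SUITE2
btool_cipher_value() {
    printf '%s\n' "$1" | sed -n 's/.*cipherSuite[[:space:]]*=[[:space:]]*//p'
}

# Return the cipherSuite list with $2 appended, unless it is already present,
# so re-running the change is idempotent.
with_cipher() {
    current=$1
    cipher=$2
    if [ -z "$current" ]; then
        printf '%s\n' "$cipher"
        return 0
    fi
    case ":$current:" in
        *":$cipher:"*) printf '%s\n' "$current" ;;
        *)             printf '%s\n' "$current:$cipher" ;;
    esac
}

# Probe a Splunk tcp-ssl input: exit 0 only if the server actually negotiated
# the requested suite (not just connected). TLS 1.2 is pinned because the
# cipherSuite setting does not cover TLS 1.3 suite names.
probe_cipher() {
    host=$1
    port=$2
    cipher=$3
    out=$(openssl s_client -tls1_2 -cipher "$cipher" -connect "$host:$port" </dev/null 2>&1)
    printf '%s\n' "$out" | grep -q "Cipher is $cipher"
}

# Example usage (not run here):
#   line=$(./splunk btool inputs list --debug | grep cipherSuite | head -n 1)
#   with_cipher "$(btool_cipher_value "$line")" AES256-GCM-SHA384
#   probe_cipher localhost 1506 AES256-GCM-SHA384 && echo negotiated
```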

Loves-to-Learn Lots

Hi @ejahnke. Were you able to get a successful connection? I'm having the same problem here...

0 Karma