Getting Data In

how to configure Mcafee Epo to send data to Splunk

junier16
Explorer

How can i get data from Mcafee ePo directly to splunk ? i see that there is an Add on for MacAfee but that required syslog configuration over tls, which im having issue configuring 

0 Karma

hazelbrooks
Observer

Can you tell me whether it's possible to learn more about this issue with the help of a dissertation abstract example?

0 Karma

abpe
Path Finder

I have managed to connect McAfee ePO with Splunk using syslog-tls. The key setting is the cipherSuite in inputs.conf, where I have added AES256-GCM-SHA384 cipher so that ePO and Splunk can talk together. See below an example extract:

[tcp-ssl://6514]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384

 

Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:

./splunk btool inputs list --debug | grep cipher

ejahnke
Explorer

Did you do anything else? Your example does not work for me unfortunatly.

I keep getting this error:

 

 

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.

 

 

 Also I've added all the suits mentioned on here, without any luck.

My config looks like this:

 

# mcafee epo
[tcp-ssl:1506]
index = epo
sourcetype= mcafee:epo:syslog
disbled=false
queue = indexQueue

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
sslPassword = <<password>>
requireClientCert = 0
rootCA = /opt/splunk/etc/path/to/root.pem
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA:AES256-SHA:AES128-SHA

 

0 Karma

abpe
Path Finder

You can test with openssl if a particular cipher works. In your case, the following command can be run on the Splunk server to test if your input can negotiate cipher "AES256-GCM-SHA384" :

 

openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506

 

0 Karma

Adevill
Loves-to-Learn Lots

Hi @ejahnke . Where you able to get a successful connection? I'm having the same problem here...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...