Getting Data In

how to configure Mcafee Epo to send data to Splunk

junier16
Explorer

How can I get data from McAfee ePO directly into Splunk? I see that there is an add-on for McAfee, but that requires syslog configuration over TLS, which I'm having issues configuring.

0 Karma

hazelbrooks
Observer

Can you tell me whether it's possible to learn more about this issue with the help of a dissertation abstract example?

0 Karma

abpe
Path Finder

I have managed to connect McAfee ePO with Splunk using syslog-tls. The key setting is the cipherSuite in inputs.conf, where I have added AES256-GCM-SHA384 cipher so that ePO and Splunk can talk together. See below an example extract:

[tcp-ssl://6514]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384

Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:

./splunk btool inputs list --debug | grep cipher

ejahnke
Explorer

Did you do anything else? Your example does not work for me unfortunately.

I keep getting this error:

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.

Also I've added all the suites mentioned on here, without any luck.

My config looks like this:

# mcafee epo
[tcp-ssl:1506]
index = epo
sourcetype = mcafee:epo:syslog
disabled = false
queue = indexQueue

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
sslPassword = <<password>>
requireClientCert = 0
rootCA = /opt/splunk/etc/path/to/root.pem
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA:AES256-SHA:AES128-SHA


0 Karma

abpe
Path Finder

You can test with openssl if a particular cipher works. In your case, the following command can be run on the Splunk server to test if your input can negotiate cipher "AES256-GCM-SHA384":

openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506

0 Karma
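As an added example (not code from the thread or from Splunk), a Python check for the mismatch behind the handshake failure discussed above: it reads the cipherSuite from an inputs.conf extract, flags duplicated suites, confirms which names the local OpenSSL build will enable, and intersects those with the suites the sending side offers. The inputs.conf text and the client offer list are constructed assumptions.

```python
import configparser
import ssl

# Constructed inputs.conf extract modelled on the one posted above (one suite duplicated on purpose).
INPUTS_CONF = """
[tcp-ssl:1506]
index = epo
sourcetype = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES256-SHA:AES128-SHA:AES256-SHA
"""

# Assumption (constructed): suites the sending appliance offers in its ClientHello.
CLIENT_OFFER = ["AES256-GCM-SHA384", "AES128-GCM-SHA256"]

def configured_suites(conf_text):
    """Return the [SSL] cipherSuite entries in configured order (Splunk conf uses '=' only)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return cp.get("SSL", "cipherSuite").split(":")

def duplicates(suites):
    """Suite names listed more than once (harmless, but a sign of copy-paste drift)."""
    return sorted({s for s in suites if suites.count(s) > 1})

def locally_available(suites):
    """Suites this OpenSSL build will enable for a TLS 1.2 server.
    ECDHE-ECDSA-* suites also need an ECDSA serverCert, which is not checked here."""
    available = []
    for suite in suites:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(suite)  # SSLError if OpenSSL rejects or disables the name
        except ssl.SSLError:
            continue
        if any(c["name"] == suite for c in ctx.get_ciphers()):
            available.append(suite)
    return available

def negotiable(server_suites, client_offer):
    """Suites both sides accept; an empty list is exactly the 'handshake failure' case."""
    offered = set(client_offer)
    return [s for s in server_suites if s in offered]

if __name__ == "__main__":
    suites = configured_suites(INPUTS_CONF)
    print("duplicates:", duplicates(suites))
    print("negotiable:", negotiable(locally_available(suites), CLIENT_OFFER))
```

The OpenSSL check reflects the interpreter's OpenSSL rather than the one bundled with Splunk, so treat it as indicative and confirm with the openssl s_client command above.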

Adevill
Loves-to-Learn Lots

Hi @ejahnke. Were you able to get a successful connection? I'm having the same problem here...

0 Karma