Getting Data In

how to configure Mcafee Epo to send data to Splunk

junier16
Explorer

How can I get data from McAfee ePO directly into Splunk? I see that there is an add-on for McAfee, but that requires syslog configuration over TLS, which I'm having issues configuring.

0 Karma


abpe
Path Finder

I have managed to connect McAfee ePO with Splunk using syslog over TLS. The key setting is the cipherSuite in inputs.conf, where I have added the AES256-GCM-SHA384 cipher so that ePO and Splunk can talk to each other. See an example extract below:

[tcp-ssl://6514]
index = mcafee_epo
sourcetype = mcafee:epo:syslog
source = mcafee:epo:syslog

[SSL]
serverCert = /opt/splunk/etc/path/to/your/certificate_and_key.pem
sslPassword = your_private_key_password
# AES256-GCM-SHA384 suite has been added to support McAfee ePO
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384


Note: The default cipherSuite for inputs differs between Splunk versions. To obtain yours, you can run the command below:

./splunk btool inputs list --debug | grep cipher

ejahnke
Explorer

Did you do anything else? Your example does not work for me, unfortunately.

I keep getting this error:

WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.

Also, I've added all the suites mentioned here, without any luck.

My config looks like this:


# mcafee epo
[tcp-ssl:1506]
index = epo
sourcetype = mcafee:epo:syslog
disabled = false
queue = indexQueue

[SSL]
serverCert = /opt/splunk/etc/path/to/cert.pem
sslPassword = <<password>>
requireClientCert = 0
rootCA = /opt/splunk/etc/path/to/root.pem
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA:AES256-SHA:AES128-SHA


0 Karma

abpe
Path Finder

You can test with openssl whether a particular cipher works. In your case, the following command can be run on the Splunk server to test whether your input can negotiate the cipher "AES256-GCM-SHA384":


openssl s_client -cipher "AES256-GCM-SHA384" -connect localhost:1506


0 Karma
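An offline way to check the same cipher overlap without a live listener, added here as an example and not taken from the thread: it resolves the two cipherSuite strings quoted above with Python's ssl module and intersects them with what ePO offers. Treating ePO as offering only AES256-GCM-SHA384 is an assumption made for the demo.

```python
import ssl

# cipherSuite values quoted from the inputs.conf extracts in this thread.
ECDHE_ONLY = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
WITH_EPO_CIPHER = ECDHE_ONLY + ":AES256-GCM-SHA384"

# Assumption for the demo: ePO offers only the RSA-key-exchange suite the
# thread says it needs. Replace with whatever your ePO actually sends.
EPO_OFFER = "AES256-GCM-SHA384"


def resolve_suite(cipher_string, server_side=True):
    """Expand an OpenSSL cipher string (the format inputs.conf cipherSuite uses)
    into the concrete TLS 1.2-and-earlier cipher names that side would offer.
    Raises ssl.SSLError if the string matches nothing usable."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are always listed and are not governed by cipherSuite.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiable(server_suite, client_suite):
    """Ciphers both sides share, in the server's preference order. An empty
    list is exactly the 'handshake failure' alert seen in splunkd.log."""
    offered = set(resolve_suite(client_suite, server_side=False))
    return [c for c in resolve_suite(server_suite) if c in offered]


if __name__ == "__main__":
    for label, suite in (("ECDHE only", ECDHE_ONLY),
                         ("with AES256-GCM-SHA384", WITH_EPO_CIPHER)):
        shared = negotiable(suite, EPO_OFFER)
        print(f"{label}: {', '.join(shared) if shared else 'handshake failure'}")
```

Run it after editing your own cipherSuite into WITH_EPO_CIPHER to see whether the listener would still have a suite in common with ePO before restarting splunkd.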

Adevill
Loves-to-Learn Lots

Hi @ejahnke. Were you able to get a successful connection? I'm having the same problem here...

0 Karma