Some clients may use Splunk to monitor MEG appliances in the environment. It has been asked how to configure MEG 7.x to work with Splunk in the same way EWS 5.6 did.


The Splunk App has not yet been updated for MEG 7.x, but it still provides basic logging functionality as described in the KB article. This is especially helpful when managing multiple MEG appliances.


Please See:


To configure Splunk with MEG 7.x:


Open the Appliance Management Console

Browse to System, Logging, Alerting and SNMP, System Log Settings

Click to Enable System Log Events

Select Splunk from the Logging Format

Enable the Event Types to be sent to Splunk

Expand off-box system log

Enter the IP of the Splunk Server.

For redundancy, multiple Splunk IPs can also be configured.

Note! TCP 514 is automatically used.


Example Below:



In this example, if one of the configured Splunk servers happens to be off-line, the other receives the traffic until it comes back on-line, after which both Splunk servers receive traffic.


MEG normally caches 100 MB of events while the remote syslog server is off-line.


Download the McAfeeEWSReporter.ZIP from KB71152 as above.


Extract McAfeeEWSReporter.ZIP to a temporary directory; this yields McAfeeEWSReporter.tar.gz.


Install the App in Splunk by clicking Manage Apps after logging in.


Click Install app from the menu.


Click Choose file and browse to the McAfeeEWSReporter.tar.gz extracted to the temporary directory.


Click Upload, ensuring that Upgrade app is checked. Checking this will overwrite the app if it already exists.


Once the appliance has sent enough traffic to Splunk, we should be able to filter on the Dashboards.


From the Home Page for Splunk, click Dashboard for McAfee Email and Web Security, then select EWS Main Dashboard.


We can now see items in the Dashboard from MEG 7.6.


Each Bar Chart can be clicked on in Splunk to reveal more information. In our example we clicked on a few for Compliancy, which shows graymail tests that were blocked. Note! Some newer features added in MEG 7.x are not known to the EWS App for Splunk and will show up as NULL.


File Format Blocking:


Test Virus:


To verify traffic is being sent to Splunk:


Syslog traffic being sent from MEG to Splunk can be verified with a network capture taken on the MEG under Troubleshoot, Reports, Capture Network Traffic.


Ensure everything is selected.


Let the capture run for 3 minutes, then save it from the appliance.


Open the downloaded file (in our case traffic_17-03-2014_165910.tar.gz) using your favorite compression utility.


Open the eth0-000.cap file using Wireshark.


Filter for tcp.port == 514 to verify packets are being sent.
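As an added example (not part of the original article or the MEG/Splunk products), the Python script below performs the same check as the Wireshark filter on the saved eth0-000.cap: it walks a libpcap file with only the standard library and counts TCP segments to or from port 514 and how many payload bytes they carry. The embedded capture is constructed for the demonstration; point count_syslog_segments at the bytes of your own eth0-000.cap to check a real capture.

```python
import struct

SYSLOG_PORT = 514  # MEG sends off-box system log events to Splunk over TCP 514

def count_syslog_segments(pcap_bytes, port=SYSLOG_PORT):
    """Return (segments, payload_bytes) for TCP segments to or from `port`
    in a libpcap (.cap) file, i.e. what Wireshark's tcp.port == 514 shows."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture (pcapng is not handled here)")
    offset, segments, payload = 24, 0, 0          # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                        # IP protocol 6 = TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port not in (sport, dport):
            continue
        segments += 1
        payload += len(tcp) - (tcp[12] >> 4) * 4  # bytes after the TCP header
    return segments, payload

# --- constructed sample capture (not a real MEG capture) ---------------------
def _frame(proto, sport, dport, data):
    """Build an Ethernet/IPv4 frame with a 20-byte TCP-shaped transport header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + l4 + data

def _record(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_EVENT = b"<134>Mar 17 16:59:10 meg01 constructed sample event\n"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(_frame(6, 40000, SYSLOG_PORT, SAMPLE_EVENT))   # syslog to Splunk
               + _record(_frame(6, 40001, 443, b"not syslog"))          # unrelated TCP
               + _record(_frame(17, 5353, 53, b"udp")))                 # not TCP at all

if __name__ == "__main__":
    print(count_syslog_segments(SAMPLE_PCAP))  # (1, len(SAMPLE_EVENT))
```

A result of (0, 0) on a real capture while the appliance is generating events means the off-box syslog traffic never left eth0, so the destination IP or the enabled event types should be rechecked before looking at Splunk.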