cluce
Level 8
Message 1 of 2

Splunk and ePO: Best Practices to prevent wasted log data?

Good afternoon all!

My organization just got licensing for on-prem Splunk installations; one of my networks that has ePO running with McAfee Agent 5.7.1 and VSE 8.8.15 for On-Access scanning is absolutely destroying my daily data license for Splunk.

The issue seems to be the elevated rights to security logs; every hit on the security logs is causing Splunk to trigger and run its queries. Does anyone have a link to a best practices guide or general suggestions to avoid wasted limited-use data? Do any of you set up whitelists within Splunk to not trigger on McAfee events, and if so, how do you prevent false negatives?

1 Reply
cdinet
McAfee Employee
Message 2 of 2

Re: Splunk and ePO: Best Practices to prevent wasted log data?

Do you mean that VSE is triggering too many events that are consuming Splunk logs? That can be controlled by VSE policies. What you need to look at is what those events are - malware detections, access protection events, etc. For access protection, look at the access protection policy to see what rules are enabled to report and which rules are triggering the most and whether you want to see those or not. I will also move this over to the VSE team so they can get a little more info from you for what you are seeing. They can better assist with fine tuning the policies.
