Splunk and ePO: Best Practices to prevent wasted log data?
Good afternoon all!
My organization just got licensing for on-prem Splunk installations; one of my networks that has ePO running with McAfee Agent 5.7.1 and VSE 8.8.15 for On-Access scanning is absolutely destroying my daily data license for Splunk.
The issue seems to be the elevated rights to security logs: every hit on the security logs is causing Splunk to trigger and run its queries. Does anyone have a link to a best practices guide or general suggestions to avoid wasting limited-use data? Do any of you set up whitelists within Splunk to not trigger on McAfee events, and if so, how do you prevent false negatives?
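One way to handle the "whitelists within Splunk" part of the question, as an added example that is not from this thread and not from either vendor's documentation: drop the noisy VSE events on the universal forwarder with inputs.conf blacklists, so they are never sent and never count against the indexing license. The Windows event source name McLogEvent (where VSE writes to the Application log), the stanza names and the EventCode values are assumptions; replace the codes with the ones that dominate your own license usage report.

```ini
# inputs.conf on the universal forwarder (assumed path:
# $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf).
# Example only, not Splunk's or McAfee's own configuration.

[WinEventLog://Application]
disabled = 0
# Blacklist keys are regexes matched against the event fields.
# Assumed: VSE logs under SourceName "McLogEvent". We drop only
# specific noisy EventCodes rather than the whole source, so real
# detections and Access Protection violations still reach Splunk.
# The codes below are placeholders; fill in the ones you measured.
blacklist1 = SourceName="^McLogEvent$" EventCode="^(PLACEHOLDER_CODE_1|PLACEHOLDER_CODE_2)$"
# Informational scan-complete style messages are usually safe to drop;
# match on the message text if the codes are not stable across versions.
blacklist2 = SourceName="^McLogEvent$" Message="(?i)scan\s+completed"

[WinEventLog://Security]
disabled = 0
# Security log is left unfiltered here: dropping events from it is
# what produces the false negatives the question worries about.
# Measure first (see usage note) before adding any blacklist.
```

Before adding a blacklist, find out what is actually consuming the license with a search such as `index=<your_index> SourceName=McLogEvent | stats count by EventCode` and blacklist only the top entries you have decided you never need. The same filtering can be done on the indexer or a heavy forwarder with a props.conf `TRANSFORMS-` entry pointing at a transforms.conf stanza with `DEST_KEY = queue` and `FORMAT = nullQueue`, which is useful when you cannot touch the forwarders, but those events still cross the network first. Filtering by whole SourceName trades noise for missed detections, which is why the narrow per-EventCode approach above, combined with tuning the VSE reporting policy as the reply suggests, is the safer path.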
Re: Splunk and ePO: Best Practices to prevent wasted log data?
Do you mean that VSE is triggering too many events that are consuming Splunk logs? That can be controlled by VSE policies. What you need to look at is what those events are - malware detections, access protection events, etc. For access protection, look at the access protection policy to see which rules are enabled to report and which rules are triggering the most, and whether you want to see those or not. I will also move this over to the VSE team so they can get a little more info from you on what you are seeing. They can better assist with fine-tuning the policies.