
Integrate ePO with Splunk

Hello everyone,

I need to send events from McAfee ePO to a Splunk server.

I've already registered the server, checked Enable event forwarding and tested the connection.

When I tested, three dots appeared. Is that a sign that ePO connected with Splunk?

On the Splunk side, we weren't able to see any traffic on the Splunk port. Do I need to do more configuration on the ePO side?

 

Thanks in advance.

12 Replies
cdinet McAfee Employee
Message 2 of 13

Re: Integrate ePO with Splunk

3 dots indicate the Splunk SIEM is not using TLS. We require a TLS 1.2-enabled syslog server type.

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
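For the Splunk side of that requirement, here is an added example of a TLS-enabled syslog listener in inputs.conf. It is not from this thread or from McAfee documentation; the port, certificate path, index and sourcetype name are assumptions, and the ePO registered syslog server must point at the same host and port.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/inputs.conf)
# Added example, not from the thread. Port, cert path, index and sourcetype
# are placeholders chosen for illustration.

# Weak setting: a plain TCP syslog listener. ePO's "Test Connection" against
# this shows only the three dots, because ePO forwards events solely to a
# TLS 1.2 syslog server.
# [tcp://514]
# sourcetype = syslog

# Corrected setting: TLS listener on a dedicated port. Register the same
# port in ePO under the syslog server type with TLS enabled.
[tcp-ssl://6514]
sourcetype = mcafee:epo:syslog
connection_host = ip
index = epo

[SSL]
# PEM file holding the server certificate, its private key and the chain
serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunk-syslog.pem
sslPassword = <private-key-passphrase-placeholder>
# Restrict the listener to TLS 1.2, which is what ePO event forwarding needs
sslVersions = tls1.2
# No client certificate is demanded from ePO in this example
requireClientCert = false
```

Restart Splunk after the change, then rerun Test Connection in ePO; a successful handshake replaces the three dots, and the first forwarded events appear under the chosen sourcetype once event filtering has been enabled in ePO server settings.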

Re: Integrate ePO with Splunk

So basically, enabling TLS 1.2 will allow syslog event receiving?

cdinet McAfee Employee
Message 4 of 13

Re: Integrate ePO with Splunk

On the syslog server, yes, it should. Keep in mind you also have to go to server settings, event filtering, and enable which events you want to go to the SIEM.


Re: Integrate ePO with Splunk

Right!

I'll provide TLS 1.2 between Splunk and ePO.

Another question is, after enabling TLS, will McAfee ePO send logs automatically and directly to Splunk? Or will I need a server between them?

Re: Integrate ePO with Splunk

I've read about a DB Connector that connects Splunk with ePO database.

Is this necessary to integrate those tools?

Thanks in advance!

cdinet McAfee Employee
Message 7 of 13

Re: Integrate ePO with Splunk

If you go that route, keep in mind that pulling directly from the database can introduce performance issues and deadlocks. You can, however, mirror the database and pull from the mirror to avoid that. Also, the settings in ePO event filtering are only applicable to a registered syslog server, not to something that pulls directly from the database like that.


Re: Integrate ePO with Splunk

Hello,

Understood.

Let me ask you another thing. What if I set Splunk to collect logs directly from the DB about hourly?

Will this impact too much?

Thanks in advance.

cdinet McAfee Employee
Message 9 of 13

Re: Integrate ePO with Splunk

It is all going to depend on the amount of events, the products you are using, resources on the SQL server, and extension versions (remote possibility there). You would really have to test it. Your environment may be able to handle it fine even pulling in real time. I would suggest testing it out to see what kind of impact it has. It may or may not be anything noticeable.


Re: Integrate ePO with Splunk

Hello cdinet,

Thanks for your response,

Ok, I'll test DBConnect configuration here.

Do you know where I can get a query to bring logs from the ePO DB? Or is this information that Splunk needs to provide?

Thanks in advance
