Configure inputs using TCP or UDP
Note the following:
- The source type for this add-on is mcafee:epo:syslog. See Source types for the Splunk Add-on for McAfee.
- The ports for the add-on must match the ports you specified when you configured the McAfee ePO system for logging.
- You must enable these inputs either by using Splunk Web on your heavy forwarder or by manually editing inputs.conf. See How to edit a configuration file.
To configure inputs using Splunk Connect for Syslog, see Configure Syslog Input.
Manually enable UDP and TCP inputs
To manually enable the UDP or TCP inputs in inputs.conf:
- Create an inputs.conf file in the add-on local folder:
  - On *nix: $SPLUNK_HOME/etc/apps/Splunk_TA_mcafee_epo_syslog/local
  - On Windows: %SPLUNK_HOME%\etc\apps\Splunk_TA_mcafee_epo_syslog\local
- Open the local inputs.conf file:
  - On *nix: $SPLUNK_HOME/etc/apps/Splunk_TA_mcafee_epo_syslog/local/inputs.conf
  - On Windows: %SPLUNK_HOME%\etc\apps\Splunk_TA_mcafee_epo_syslog\local\inputs.conf
- To create a TCP input, copy the following stanza into your local inputs.conf file. Change the port number if you used a different port on your McAfee server.

    [tcp://9515]
    disabled = false
    connection_host = ip
    sourcetype = mcafee:epo:syslog

- To create a UDP input, copy the following stanza into your local inputs.conf file. Change the port number if you used a different port on your McAfee server.

    [udp://9514]
    disabled = false
    connection_host = ip
    sourcetype = mcafee:epo:syslog

- Restart the Splunk software.
Enable UDP and TCP inputs using Splunk Web
- Log into Splunk Web on your data collection node.
- Navigate to Settings > Data inputs.
- To collect data using TCP, click TCP then click Enable next to "TCP port 9515".
- To collect data using UDP, click UDP then click Enable next to "UDP port 9514".
- If you configured different port numbers on the McAfee ePO server, click New to add a custom port number.
You do not need to restart the Splunk software.
Enable decryption of encrypted syslog streams
If you get events in Splunk in an unreadable format (encrypted logs), the certificate used for communication between the McAfee ePO server and the syslog server is either not valid, not present, or not trusted.
If you are not sending syslog directly to Splunk, refer to the documentation for your syslog server to generate a self-signed certificate and add its path on the Splunk side.
Generate a self-signed certificate for Windows by following the steps at https://support.jetglobal.com/hc/en-us/articles/235636308-How-To-Create-a-SHA-256-Self-Signed-Certificate
To incorporate the certificate:
- After pasting the certificate in "Trusted Root Certification Authorities", double-click the certificate and navigate to "Details".
- Click the "Copy to file" option, then click "Next".
- Select the "Yes, export the private key" option and click "Next".
- Check the "Include all certificates in the certification path if possible" option under the Personal Information Exchange section and click "Next".
- Check the "Password" option and click "Next".
- Select where you want to save the exported certificate by clicking "Browse", provide the filename, and click "Save".
- Click "Next", then click "Finish". A success message dialog box should appear when the certificate has been exported.
- The downloaded certificate is in ".pfx" file format; you need to convert it to ".pem" file format using an online editor.
- Provide this certificate path in $SPLUNK_HOME/etc/apps/search/local/inputs.conf.
- Restart Splunk. Your new events should appear in a readable format.
Below is the sample stanza for Windows:

    [SSL]
    rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
    serverCert = $SPLUNK_HOME\etc\newcert.pem
    sslPassword = <certificate password>

Below is the sample stanza for *nix:

    [SSL]
    rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
    serverCert = $SPLUNK_HOME/etc/newcert.pem
    sslPassword = <certificate password>
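Both procedures on this page, the tcp:// and udp:// stanzas under "Manually enable UDP and TCP inputs" and the [SSL] stanza above, fail quietly when a detail is wrong: a port that does not match what the ePO server sends to, a stanza left disabled, a certificate path that still points at the .pfx export, or a sslPassword placeholder that was never replaced all show up only as missing or unreadable events. The following Python script is an added example, not part of this page or of the add-on. It reads an inputs.conf with the standard library's configparser and reports those mistakes before you restart Splunk. The embedded configuration is constructed, the default $SPLUNK_HOME of /opt/splunk is an assumption, and the exists() hook lets the path check run against a fake file set instead of the real disk.

```python
"""Validate a Splunk inputs.conf for the McAfee ePO syslog add-on (added example).
Flags a tcp:// or udp:// stanza that is disabled, has the wrong sourcetype or misses
the port ePO sends to, and an [SSL] stanza with bad paths or a placeholder password."""
import configparser
import os
import re
from typing import Callable, Dict, List

EXPECTED_SOURCETYPE = "mcafee:epo:syslog"
# Ports from the add-on's sample stanzas; pass the ports you set on ePO instead.
DEFAULT_PORTS: Dict[str, int] = {"tcp": 9515, "udp": 9514}
PASSWORD_PLACEHOLDER = "<certificate password>"
# Matches [tcp://9515] and [udp://9514]; Splunk also accepts a host prefix.
NETWORK_STANZA_RE = re.compile(r"^(tcp|udp)://(?:[^:]+:)?(\d+)$")


def load_inputs_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like. Interpolation is off so $SPLUNK_HOME
    survives, and key case is preserved because rootCA and rootca differ."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_network_inputs(parser, expected_ports: Dict[str, int]) -> List[str]:
    """Findings for the tcp:// and udp:// stanzas; empty means they match ePO."""
    findings, enabled = [], {"tcp": [], "udp": []}
    for section in parser.sections():
        match = NETWORK_STANZA_RE.match(section)
        if not match:
            continue
        proto, port, stanza = match.group(1), int(match.group(2)), parser[section]
        if stanza.get("disabled", "false").strip().lower() in ("0", "false"):
            enabled[proto].append(port)
        else:
            findings.append(f"[{section}] is disabled")
        if stanza.get("sourcetype", "").strip() != EXPECTED_SOURCETYPE:
            findings.append(f"[{section}] sourcetype must be {EXPECTED_SOURCETYPE}")
    for proto, port in expected_ports.items():
        if port not in enabled[proto]:
            findings.append(f"no enabled {proto} input on port {port}, but ePO logs to {port}")
    return findings


def check_ssl_stanza(parser, splunk_home: str, exists: Callable[[str], bool]) -> List[str]:
    """Findings for the [SSL] stanza used to read an encrypted stream. exists()
    is injectable so the path check can run against constructed paths."""
    if not parser.has_section("SSL"):
        return []  # plain syslog: nothing to check
    ssl, findings = parser["SSL"], []
    for key in ("rootCA", "serverCert"):
        raw = ssl.get(key, "").strip()
        if not raw:
            findings.append(f"[SSL] {key} is missing")
            continue
        if raw.lower().endswith(".pfx"):
            findings.append(f"[SSL] {key} is a .pfx file; convert it to .pem first")
        # Accept both the $SPLUNK_HOME/... and $SPLUNK_HOME\... spellings on this page.
        path = raw.replace("$SPLUNK_HOME", splunk_home).replace("\\", "/")
        if not exists(path):
            findings.append(f"[SSL] {key} path does not exist: {path}")
    password = ssl.get("sslPassword", "").strip()
    if not password or password == PASSWORD_PLACEHOLDER:
        findings.append("[SSL] sslPassword is empty or still the placeholder")
    return findings


def validate(text: str, expected_ports: Dict[str, int] = DEFAULT_PORTS,
             splunk_home: str = "/opt/splunk",  # assumed default install path
             exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    parser = load_inputs_conf(text)
    return check_network_inputs(parser, expected_ports) + check_ssl_stanza(parser, splunk_home, exists)


# Constructed sample, not a captured file: the UDP stanza was left disabled and
# the [SSL] stanza still points at the .pfx export with the placeholder password.
SAMPLE_INPUTS_CONF = """
[tcp://9515]
disabled = false
connection_host = ip
sourcetype = mcafee:epo:syslog
[udp://9514]
disabled = true
connection_host = ip
sourcetype = mcafee:epo:syslog
[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/newcert.pfx
sslPassword = <certificate password>
"""

if __name__ == "__main__":
    fake_fs = {"/opt/splunk/etc/auth/cacert.pem"}  # pretend only the CA is on disk
    for finding in validate(SAMPLE_INPUTS_CONF, exists=fake_fs.__contains__):
        print(finding)
```

Run it with no arguments to see the five findings for the embedded sample, or call validate() on the contents of your own local inputs.conf with the ports you configured on the ePO server. The .pfx produced by the export above contains the private key, so converting it to .pem locally (openssl's pkcs12 command does this) rather than on a third-party site keeps the key off systems you do not control; the script flags a stanza that still points at a .pfx in either case.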
Reference and troubleshooting links: https://community.splunk.com/t5/Getting-Data-In/how-to-configure-Mcafee-Epo-to-send-data-to-Splunk/m-p/532241
This documentation applies to the following versions of Splunk® Supported Add-ons: released