Splunk® Supported Add-ons

Splunk Add-on for McAfee ePO Syslog

Configure inputs using TCP or UDP

Note: To configure inputs using Splunk Connect for Syslog, see Configure Syslog Input.

Manually enable UDP and TCP inputs

To manually enable the UDP or TCP inputs in inputs.conf:

  1. Create an inputs.conf file in the add-on local folder:
    • On *nix:
    $SPLUNK_HOME/etc/apps/Splunk_TA_mcafee_epo_syslog/local
    • On Windows:
    %SPLUNK_HOME%\etc\apps\Splunk_TA_mcafee_epo_syslog\local
  2. Open the local inputs.conf file:
    • On *nix:
    $SPLUNK_HOME/etc/apps/Splunk_TA_mcafee_epo_syslog/local/inputs.conf
    • On Windows:
    %SPLUNK_HOME%\etc\apps\Splunk_TA_mcafee_epo_syslog\local\inputs.conf
  3. To create a TCP input, copy the following stanza into your local inputs.conf file. Change the port number if you used a different port on your McAfee ePO server:
    [tcp://9515]
    disabled = false
    connection_host = ip
    sourcetype = mcafee:epo:syslog
    
  4. To create a UDP input, copy the following stanza into your local inputs.conf file. Change the port number if you used a different port on your McAfee ePO server:
    [udp://9514]
    disabled = false
    connection_host = ip
    sourcetype = mcafee:epo:syslog
    
  5. Restart the Splunk software.
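The steps above written as a POSIX shell script, as an added example that is not part of the Splunk documentation or the add-on itself: it writes the TCP and UDP stanzas into the add-on's local inputs.conf, rejects port numbers outside the valid range, and includes a check that a given stanza is present and enabled. SPLUNK_HOME, the default of /opt/splunk, and the function names are assumptions for this example; the ports default to the add-on's 9515 and 9514.

```shell
#!/bin/sh
# Added example (not from the Splunk docs or the add-on): writes the TCP/UDP
# stanzas from steps 3-4 into local/inputs.conf and sanity-checks the result.
# Assumes SPLUNK_HOME points at the Splunk install (default /opt/splunk is an
# assumption); ports default to the add-on's 9515 (TCP) and 9514 (UDP).
set -eu

# Reject anything that is not a number in the valid TCP/UDP port range.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit one input stanza. connection_host = ip records the sender's IP address
# as the host field, matching the add-on's documented stanzas.
epo_stanza() {
    # $1 = tcp|udp, $2 = port
    printf '[%s://%s]\ndisabled = false\nconnection_host = ip\nsourcetype = mcafee:epo:syslog\n\n' "$1" "$2"
}

# Write (overwrite) the add-on's local/inputs.conf with both stanzas.
write_epo_inputs() {
    tcp_port="${1:-9515}"
    udp_port="${2:-9514}"
    valid_port "$tcp_port" || { echo "bad TCP port: $tcp_port" >&2; return 1; }
    valid_port "$udp_port" || { echo "bad UDP port: $udp_port" >&2; return 1; }
    splunk_home="${SPLUNK_HOME:-/opt/splunk}"
    ta_local="$splunk_home/etc/apps/Splunk_TA_mcafee_epo_syslog/local"
    mkdir -p "$ta_local"
    {
        epo_stanza tcp "$tcp_port"
        epo_stanza udp "$udp_port"
    } > "$ta_local/inputs.conf"
}

# Check that the stanza [tcp://PORT] or [udp://PORT] exists in the file and
# carries disabled = false; exits non-zero otherwise.
input_enabled() {
    # $1 = tcp|udp, $2 = port, $3 = path to inputs.conf
    awk -v want="[$1://$2]" '
        $0 == want { in_stanza = 1; next }
        /^\[/      { in_stanza = 0 }
        in_stanza && $0 ~ /^disabled[ \t]*=[ \t]*false/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$3"
}
```

Usage: `write_epo_inputs 9515 9514 && input_enabled tcp 9515 "$SPLUNK_HOME/etc/apps/Splunk_TA_mcafee_epo_syslog/local/inputs.conf"`, then restart Splunk as in step 5. Note that a plain UDP or TCP syslog input accepts events from any sender that can reach the port and carries them unencrypted; restrict reachability to the ePO server at the network layer, and use the [SSL] configuration described later on this page if the ePO server sends TLS-encrypted syslog.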

Enable UDP and TCP inputs using Splunk Web

  1. Log into Splunk Web on your data collection node.
  2. Navigate to Settings > Data inputs.
  3. To collect data using TCP, click TCP then click Enable next to "TCP port 9515".
  4. To collect data using UDP, click UDP then click Enable next to "UDP port 9514".
  5. If you configured different port numbers on the McAfee ePO server, click New to add a custom port number.

You do not need to restart the Splunk software.

Enable decryption of encrypted syslog streams

If events arrive in Splunk in an unreadable format (encrypted logs), the certificate used for communication between the McAfee ePO server and the syslog server is not valid, not present, or not trusted.

If you are not sending syslog directly to Splunk, refer to your syslog server's documentation for generating a self-signed certificate and adding its path on the Splunk side.

To generate a self-signed certificate on Windows, follow the steps at https://support.jetglobal.com/hc/en-us/articles/235636308-How-To-Create-a-SHA-256-Self-Signed-Certificate

To incorporate the certificate:

  1. After pasting the certificate in "Trusted Root Certification Authorities", double-click on the certificate, and navigate to "Details".
  2. Click on the "Copy to file" option, and click "Next".
  3. Select the "Yes, export the private key" option, and click "Next".
  4. Check the "Include all certificates in the certification path if possible" option under the Personal Information Exchange section and click "Next".
  5. Check the "Password" option and click "Next".
  6. Select where you want to save the exported certificate by clicking on "Browse", provide the filename, and click on "Save".
  7. Click "Next" and then click on Finish. A success message dialogue box should appear on the successful export of the certificate.
  8. The exported certificate is in ".pfx" file format; convert it to ".pem" file format using an online editor.
  9. Provide this certificate path in $SPLUNK_HOME/etc/apps/search/local/inputs.conf.
  10. Below is the sample stanza for Windows:
    [SSL]
    rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
    serverCert = $SPLUNK_HOME\etc\newcert.pem
    sslPassword = <certificate password>
    
    Below is the sample stanza for *nix:
    [SSL]
    rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
    serverCert = $SPLUNK_HOME/etc/newcert.pem
    sslPassword = <certificate password>
    
  11. Restart Splunk. Your new events should appear in a readable format.
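Steps 8 to 10 as a POSIX shell script, added here as an example and not part of the Splunk documentation or the add-on: it converts the exported .pfx to PEM with openssl on the local host (an offline alternative to the online editor mentioned in step 8, which keeps the private key from leaving the machine), checks that the resulting PEM carries both a certificate and a private key, and writes the *nix [SSL] stanza from step 10. The function names, the /opt/splunk default and the use of openssl are assumptions for this example; the file paths are the ones from the documented stanza.

```shell
#!/bin/sh
# Added example (not from the Splunk docs or the add-on): converts the
# exported .pfx to PEM locally with openssl and writes the [SSL] stanza.
# Assumes openssl is installed and SPLUNK_HOME points at the Splunk install
# (default /opt/splunk is an assumption).
set -eu

# Convert a PKCS#12 export (certificate chain + private key) into one PEM file.
# openssl prompts for the .pfx import password and then for a new PEM pass
# phrase; that pass phrase is the value to put in sslPassword.
pfx_to_pem() {
    # $1 = exported .pfx, $2 = output .pem
    openssl pkcs12 -in "$1" -out "$2"
    chmod 600 "$2"   # the PEM now holds a private key; keep it owner-readable
}

# Check that a PEM file contains both a certificate and a private key block,
# which the serverCert setting needs; exits non-zero otherwise.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- 'PRIVATE KEY-----' "$1"
}

# Emit the [SSL] stanza in the *nix form shown in the docs.
ssl_stanza() {
    # $1 = root CA path, $2 = server cert path, $3 = PEM pass phrase
    printf '[SSL]\nrootCA = %s\nserverCert = %s\nsslPassword = %s\n' "$1" "$2" "$3"
}

# Append the stanza to the inputs.conf named in step 9 (search app's local dir).
write_ssl_stanza() {
    # $1 = root CA path (empty = docs default), $2 = server cert path
    # (empty = docs default), $3 = PEM pass phrase
    splunk_home="${SPLUNK_HOME:-/opt/splunk}"
    conf="$splunk_home/etc/apps/search/local/inputs.conf"
    mkdir -p "$(dirname "$conf")"
    ssl_stanza "${1:-$splunk_home/etc/auth/cacert.pem}" \
               "${2:-$splunk_home/etc/newcert.pem}" "$3" >> "$conf"
    chmod 600 "$conf"   # the stanza contains the pass phrase in clear text
}
```

Usage: `pfx_to_pem exported.pfx "$SPLUNK_HOME/etc/newcert.pem" && pem_has_key_and_cert "$SPLUNK_HOME/etc/newcert.pem" && write_ssl_stanza "" "" "<pass phrase chosen at conversion>"`, then restart Splunk as in step 11. The rootCA file must contain the CA that issued the certificate the ePO server presents, otherwise the TLS handshake fails and no events arrive; because the stanza stores the pass phrase in clear text, keep the file permissions tight.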


Reference and troubleshooting links: https://community.splunk.com/t5/Getting-Data-In/how-to-configure-Mcafee-Epo-to-send-data-to-Splunk/m-p/532241

Last modified on 06 September, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

