Splunk® Supported Add-ons

Splunk Add-on for McAfee NSP

Configure Network Security Manager to send syslog data to the Splunk Add-on for McAfee

To enable the Splunk Add-on for McAfee NSP to collect data from McAfee Network Security Manager, you need to configure McAfee Network Security Manager to send the events using syslog in custom format to the data collection node of your Splunk platform installation. Splunk best practice is to use SC4S.

Enable Syslog for Firewall Access Events

  1. Navigate to Manager -> <Admin Domain> -> Setup -> Notification -> Firewall Access Events
  2. Select "Yes" for the "Enable Syslog Notification" option
  3. Provide all the necessary and relevant information and click Save
  4. After saving the changes, "System Default" and "Customized" message body options are available. Select the "Customized" option and click on "Edit".
  5. Enter the customized event format for Firewall Events and click on Save.
  6. Click on "Save" again on the Firewall Access Events page for saving all the changes.

Enable Syslog for Alert Events

  1. Navigate to Manager -> <Admin Domain> -> Setup -> Notification -> IPS Events -> Syslog
  2. Select "Yes" for the "Enable Syslog Notification" option and click on Save
  3. Create a Syslog Notification Profile by clicking on "+" and provide all the necessary and relevant information.
  4. Enter the customized event format for Alert Events and click on Save

Enable Syslog for Fault Events

  1. Navigate to Manager -> <Admin Domain> -> Setup -> Notification -> Faults -> Syslog
  2. Select "Yes" for the "Enable Syslog Notification" option
  3. Provide all the necessary and relevant information and click Save
  4. After that, you are provided an option for System Default or Customized Message Preference. Select the "Customized" option and click on Edit.
  5. Enter the customized event format for Fault Events and click on Save.
  6. Click on "Save" on the Fault Syslog page for saving all the changes.

Enable Syslog for Audit Events

  1. Navigate to Manager -> <Admin Domain> -> Setup -> Notification -> User Activity -> Syslog
  2. Select "Yes" for the "Enable Syslog Notification" option
  3. Provide all the necessary and relevant information
  4. Click on Apply. After that, you are provided an option for System Default or Customized Message Preference. Select the "Customized" option and click on Edit.
  5. Enter the customized event format for Audit Events and click on Save.
  6. Click on "Save" on the Audit Syslog page for saving all the changes.

See Format specification for different types of events for a customized event format.

Last modified on 11 May, 2023
Install the Splunk Add-on for McAfee NSP   Configure inputs for the the Splunk Add-on for McAfee NSP

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters