Splunk® Enterprise

Add McAfee data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure syslog inputs for the Splunk Add-on for McAfee

Some McAfee product logs are not gathered from the McAfee ePO database.

Configure McAfee Network Security Platform, also known as IntruShield, to send syslog to a Splunk Enterprise receiving network port or to a syslog server that writes to a directory that Splunk Enterprise monitors.

Configure Splunk Enterprise to set the source type to mcafee:ids. Data sent to Splunk Enterprise that matches the source type rules in props.conf and transforms.conf is automatically recognized.

Get data from TCP and UDP ports

You can configure Splunk Enterprise to accept an input on any TCP or UDP port. Splunk Enterprise consumes any data that arrives on these ports. Use this method to capture data from network services such as syslog.

TCP is the network protocol that underlies the Splunk Enterprise data distribution scheme. Use it to send data from any remote host to your Splunk Enterprise server. Splunk Enterprise can index remote data from syslog-ng or any other application that transmits through TCP.

Use TCP rather than UDP to send network data whenever possible, because UDP does not guarantee delivery of network packets.

When you monitor TCP network ports, the user that Splunk Enterprise runs as must have access to the port you want to monitor. On many Unix operating systems, by default you must run Splunk Enterprise as the root user to listen directly on a port below 1024.

See Working with UDP connections on the Splunk Community Wiki for recommendations if you must send network data with UDP.

Confirm how your network device handles external monitoring before you use the network monitoring input

Before you begin monitoring the output of a network device with the Splunk Enterprise network monitor, confirm how the device interacts with external network monitors.

If you configure TCP logging on some network devices, such as a Cisco Adaptive Security Appliance (ASA), and the device cannot connect to the monitor, it might cause reduced performance or stop logging. By default, the Cisco ASA stops accepting incoming network connections when it encounters network congestion or connectivity problems.

Add a network input using Splunk Web

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor a network port on the local machine, or Forward to receive network data from another machine.
  3. If you select Forward, choose or create the group of forwarders you want this input to apply to.
  4. Click Next.

Specify the network input

  1. In the left pane, click TCP / UDP to add an input.
  2. Click the TCP or UDP button to choose between a TCP or UDP input.
  3. In the Port field, enter a port number.
  4. Consult Splunk Support before changing the Source name override value.
  5. For a TCP input, specify whether this port accepts connections from all hosts or only one host in the Only accept connections from field. If you only want the input to accept connections from one host, enter the host name or IP address. You can use wildcards to specify hosts.
  6. Click Next.

Specify input settings

The Input Settings page lets you specify source type, application context, default host value, and index. All of these parameters are optional.

  1. Set the Source type. This is a default field that Splunk Enterprise adds to events and uses to determine processing characteristics, such as timestamps and event boundaries.
  2. Set the Host name value. Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network. You have several choices:
    1. IP sets the input processor to rewrite the host with the IP address of the remote server.
    2. DNS sets the host to the DNS entry of the remote server.
    3. Custom sets the host to a user-defined label.
  3. Set the Index that Splunk Enterprise sends data to for this input. Leave the value as default unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this drop-down box.
  4. Click Review.

Review your choices

After specifying your input settings, review your selections. Splunk Enterprise lists the options you selected, including the type of monitor, source, source type, application context, and index.

  1. Review the settings.
  2. If they are not what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads a confirmation page and begins indexing the specified network input.
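The Splunk Web wizard above writes an equivalent stanza to inputs.conf. The following is an added example of that configuration written by hand (it is not from the Splunk documentation or the add-on itself); it assumes the NSP/IntruShield manager sends from 192.0.2.10, that a dedicated index named mcafee exists, and that port 1514 is used so Splunk Enterprise does not need to run as root to listen.

```ini
# inputs.conf on the receiving Splunk Enterprise instance (added example; addresses, port and index are assumed)

# Preferred: TCP input on an unprivileged port (>= 1024), restricted to the NSP manager only.
[tcp://1514]
sourcetype = mcafee:ids
index = mcafee
# Equivalent of "Only accept connections from": accept only the assumed NSP manager address.
acceptFrom = 192.0.2.10
# Equivalent of the "IP" host choice in Splunk Web: host field becomes the sender's IP address.
connection_host = ip

# Fallback only when the device cannot send TCP; UDP gives no delivery guarantee.
[udp://1514]
sourcetype = mcafee:ids
index = mcafee
acceptFrom = 192.0.2.10
connection_host = ip
# Preserve the device's own syslog timestamp and priority header rather than rewriting them.
no_appending_timestamp = true
no_priority_stripping = true
```

The mcafee index must already be defined on the indexers before this stanza is deployed; otherwise leave the index setting at default as described above.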

Last modified on 09 June, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

