Splunk® Enterprise

Add McAfee data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure Splunk DB Connect v3.1 inputs for the Splunk Add-on for McAfee

The Splunk Add-on for McAfee gathers data from ePO through Splunk DB Connect. Follow the instructions that correspond to the version of DB Connect that you have installed.

Set up the database connection

Perform the following tasks to set up the database connection:

  1. Install the Microsoft JDBC driver for SQL Server, if it is not already installed.
  2. Create an identity in the Splunk platform for establishing a connection to the database.
  3. Create a database connection to the SQL Server using either the Splunk DB Connect GUI or the db_connections.conf file.

Download and install the Microsoft JDBC driver for SQL Server

To enable Microsoft SQL Server connections, download and install the Microsoft JDBC Driver for SQL Server.

  1. Confirm that you can log on to your SQL Server database with a SQL Server login (a user name and password, not a domain account).
  2. Download the appropriate JDBC driver for SQL Server. Two drivers are supported:
    1. The Microsoft JDBC Driver for SQL Server (the "MS Generic Driver"):
      1. Go to the Microsoft JDBC Drivers for SQL Server download page and click Download.
      2. On the Choose the download you want page, select the checkboxes next to the appropriate download: sqljdbc_4.2.8112.100_enu.tar.gz for Linux or sqljdbc_4.2.8112.100_enu.exe for Windows. Be sure to download version 4.2 of the driver, and then click Next.
      3. Expand the downloaded file.
    2. The open source jTDS driver: download it from the jTDS Project.
  3. Move the driver file to the correct location:
    1. For the MS Generic Driver, perform the following step from inside the sqljdbc_4.2 directory: copy or move the sqljdbc42.jar file to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory. On Windows hosts, the directory is %SPLUNK_HOME%\etc\apps\splunk_app_db_connect\drivers.
    2. If you need to use a database service account on Windows with the MS Generic Driver (Windows Authentication), you also need to install the JDBC Auth library:
      1. From the Microsoft JDBC Driver 4.2 for SQL Server download, locate the sqljdbc_auth.dll file at Microsoft JDBC Driver 4.2 for SQL Server\sqljdbc_4.2\<region_code>\auth\<architecture>\sqljdbc_auth.dll, where <region_code> is the three-letter language code (for English, "enu") and <architecture> is the processor type ("x86" or "x64"). Choose the architecture that matches the Java runtime DB Connect uses (a 32-bit JVM needs the x86 DLL even on a 64-bit host).
      2. Copy the sqljdbc_auth.dll file to C:\Windows\System32 on your Splunk Enterprise server.
      3. From the Windows Control Panel, go to Services and open the properties of the Splunk service.
      4. Click the Log On tab, and then change the Log on as setting from the Local System account to that of the logged on domain user. The domain user must have sufficient privileges to access the SQL Server instance. Because this changes the account that the entire Splunk service runs as, use a dedicated domain account with read-only access to the ePO database rather than an administrator's account.
    3. For the jTDS driver, copy the .jar file you downloaded to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory. On Windows hosts, the directory is %SPLUNK_HOME%\etc\apps\splunk_app_db_connect\drivers.
  4. Save your changes, and then restart the Splunk Enterprise server for the changes to take effect.
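The following shell script is an added example, not part of the Splunk documentation or of Splunk DB Connect. It carries out the Linux driver-placement step above for the MS Generic Driver and then checks what a practitioner would want checked before restarting: that the jar landed in the DB Connect drivers directory, that no second SQL Server driver jar is sitting beside it, and that the file is not writable by other users (anyone who can replace that jar runs code inside splunkd at the next restart). It assumes the archive has already been expanded and that the directory passed as the first argument contains sqljdbc42.jar; the second argument is $SPLUNK_HOME. The driver-class check and the restart helper are optional and are not exercised by the verification steps.

```sh
#!/bin/sh
# Added example, not from the Splunk documentation or Splunk DB Connect.
# Assumptions: first argument is the expanded driver directory that holds
# sqljdbc42.jar; second argument is $SPLUNK_HOME on a Linux host where
# Splunk DB Connect is already installed.

install_sqljdbc_driver() {
    src_dir="$1"
    splunk_home="$2"
    drivers="$splunk_home/etc/apps/splunk_app_db_connect/drivers"

    if [ ! -f "$src_dir/sqljdbc42.jar" ]; then
        echo "sqljdbc42.jar not found in $src_dir (expand the 4.2 archive first)" >&2
        return 1
    fi
    if [ ! -d "$drivers" ]; then
        echo "$drivers does not exist; is Splunk DB Connect installed?" >&2
        return 1
    fi

    # Refuse to add a second SQL Server driver jar under another name: two
    # driver versions on one classpath load unpredictably.
    for jar in "$drivers"/sqljdbc*.jar "$drivers"/mssql-jdbc*.jar; do
        if [ -e "$jar" ] && [ "$(basename "$jar")" != "sqljdbc42.jar" ]; then
            echo "another SQL Server driver is already present: $jar" >&2
            return 1
        fi
    done

    cp "$src_dir/sqljdbc42.jar" "$drivers/sqljdbc42.jar" || return 1
    # Readable by splunkd, writable only by the file owner.
    chmod 0644 "$drivers/sqljdbc42.jar"
}

verify_sqljdbc_driver() {
    # Returns 0 when the jar is in place and neither group- nor world-writable.
    jar="$1/etc/apps/splunk_app_db_connect/drivers/sqljdbc42.jar"
    [ -f "$jar" ] || return 1
    mode=$(stat -c '%a' "$jar" 2>/dev/null || stat -f '%Lp' "$jar")
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;   # group or other write bit is set
    esac
    return 0
}

driver_class_present() {
    # Optional content check (needs unzip): the MS Generic Driver ships
    # com.microsoft.sqlserver.jdbc.SQLServerDriver inside the jar.
    jar="$1/etc/apps/splunk_app_db_connect/drivers/sqljdbc42.jar"
    unzip -l "$jar" 2>/dev/null | grep -q 'com/microsoft/sqlserver/jdbc/SQLServerDriver.class'
}

restart_splunk() {
    # DB Connect only picks up a new driver after Splunk Enterprise restarts.
    "$1/bin/splunk" restart
}
```

Typical use is `install_sqljdbc_driver ./sqljdbc_4.2/enu "$SPLUNK_HOME" && verify_sqljdbc_driver "$SPLUNK_HOME" && restart_splunk "$SPLUNK_HOME"`; run it as the account that owns $SPLUNK_HOME so the copied jar inherits that owner.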

Create an identity in Splunk Enterprise

Create an identity for establishing a connection to the database. Make sure the user for this identity has the system role.

You can use a user name and password for authentication or use Windows Authentication. However, using DB Connect version 3.1 with Windows Authentication and the JDBC driver for SQL Server requires additional steps. See the Splunk DB Connect manual for more information.

Next, you need to create a database connection to the SQL Server using either the Splunk DB Connect GUI or the db_connections.conf file.
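The stanza below is an added example of the db_connections.conf route, not from the Splunk documentation or from the add-on. The stanza name, host, database name and identity name are placeholders for your environment, and connection_type = generic_mssql is assumed to be the MS Generic Driver connection type in DB Connect 3.1 (confirm the stanza name in db_connection_types.conf before relying on it). The identity it references is the one created in the DB Connect GUI in the previous step.

```ini
# $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/db_connections.conf
# Added example, not from the Splunk documentation. Stanza name, host,
# database and identity are placeholders.
[mcafee_epo]
# Assumed MS Generic Driver type; check db_connection_types.conf.
connection_type = generic_mssql
host = epo-db.example.com
port = 1433
# ePO names its database at install time; read the real name from SQL Server.
database = ePO_EPOSERVER
# Identity created in the DB Connect GUI. Give that SQL Server login read
# access to the ePO database only, nothing at the instance level.
identity = mcafee_epo_reader
# Encrypt the JDBC session so the login and ePO event data do not cross the
# network in clear text; the database server must present a certificate
# that the DB Connect JVM trusts.
jdbcUseSSL = true
# The add-on only reads; reject writes at the connection level as well.
readonly = true
```

After saving the file, restart Splunk Enterprise or reload DB Connect so the connection appears in the GUI, then create the McAfee inputs against it. For Windows Authentication, the identity is created as a domain account in the GUI and the sqljdbc_auth.dll and service log-on steps above must already be in place.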

Configure database inputs using the Splunk DB Connect GUI

To create a McAfee database input, choose the template created for the Splunk Add-on for McAfee under Template in Splunk DB Connect.

Last modified on 09 June, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
