Splunk® Enterprise

Add McAfee data: Splunk Cloud

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure syslog inputs for the Splunk Add-on for McAfee

Some McAfee product logs are not gathered from the McAfee ePO database.

Configure McAfee Network Security Platform, also known as IntruShield, to send syslog to a Splunk Enterprise receiving network port or to a syslog server that writes to a directory that Splunk Enterprise monitors.

Configure Splunk Enterprise to set the source type to mcafee:ids. Data received by Splunk Enterprise that matches the source type rules in props.conf and transforms.conf is automatically recognized.

Get data from TCP and UDP ports

You can configure Splunk Enterprise to accept an input on any TCP or UDP port. Splunk Enterprise consumes any data that arrives on these ports. Use this method to capture data from network services such as syslog.

TCP is the network protocol that underlies the Splunk Enterprise data distribution scheme. Use it to send data from any remote host to your Splunk Enterprise server. Splunk Enterprise can index remote data from syslog-ng or any other application that transmits through TCP.

Use TCP to send network data instead whenever possible. UDP does not guarantee delivery of network packets.

When you monitor TCP network ports, the user that Splunk Enterprise runs as must have access to the port you want to monitor. On many Unix operating systems, by default you must run Splunk Enterprise as the root user to listen directly on a port below 1024.

See Working with UDP connections on the Splunk Community Wiki for recommendations if you must send network data with UDP.

Confirm how your network device handles external monitoring before you use the network monitoring input

Before you begin monitoring the output of a network device with the Splunk Enterprise network monitor, confirm how the device interacts with external network monitors.

Add a network input using the CLI

To access the Splunk Enterprise CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command.

If you get stuck, the CLI has help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well and can be accessed by typing splunk help <command>.

The following CLI commands are available for network input configuration:

Command Command syntax Action
add add tcp|udp <port> [-parameter value] ... Add inputs from <port>.
edit edit tcp|udp <port> [-parameter value] ... Edit a previously added input for <port>.
remove remove tcp|udp <port> Remove a previously added data input.
list list tcp|udp [<port>] List the currently configured monitor.

The <port> is the port number on which to listen for data. The user you run Splunk as must have access to this port.

You can modify the configuration of each input by setting any of these additional parameters:

Parameter Required? Description
sourcetype No Specify a sourcetype field value for events from the input source.
index No Specify the destination index for events from the input source.
hostname No Specify a host name to set as the host field value for events from the input source.
remotehost No Specify an IP address to exclusively accept data from.
resolvehost No Set to true or false (T | F). Default is False. Set to true to use DNS to set the host field value for events from the input source.
restrictToHost No Specify a host name or IP address that this input should accept connections from only.

Examples

  • Configure a UDP input to watch port 514 and set the source type to "syslog":
     ./splunk add udp 514 -sourcetype syslog
  • Set the UDP input host value through a DNS. Use auth with your username and password:
     ./splunk edit udp 514 -resolvehost true -auth admin:changeme

For information on best practices for using UDP, see Best practices for configuring Syslog input in the Community Wiki.

Last modified on 07 December, 2018
Install the Splunk Add-on for McAfee on your Splunk Cloud deployment   Configure Splunk DB Connect v3.1 inputs for the Splunk Add-on for McAfee

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters