Configure syslog inputs for the Splunk Add-on for McAfee
Some McAfee product logs are not gathered from the McAfee ePO database.
Configure McAfee Network Security Platform, also known as IntruShield, to send syslog to a Splunk Enterprise receiving network port or to a syslog server that writes to a directory that Splunk Enterprise monitors.
Configure Splunk Enterprise to set the source type to
mcafee:ids. Data sent to Splunk Enterprise that matches the source type rules in
transforms.conf is automatically recognized.
Get data from TCP and UDP ports
You can configure Splunk Enterprise to accept an input on any TCP or UDP port. Splunk Enterprise consumes any data that arrives on these ports. Use this method to capture data from network services such as syslog.
TCP is the network protocol that underlies the Splunk Enterprise data distribution scheme. Use it to send data from any remote host to your Splunk Enterprise server. Splunk Enterprise can index remote data from
syslog-ng or any other application that transmits through TCP.
Use TCP to send network data instead whenever possible. UDP does not guarantee delivery of network packets.
When you monitor TCP network ports, the user that Splunk Enterprise runs as must have access to the port you want to monitor. On many Unix operating systems, by default you must run Splunk Enterprise as the root user to listen directly on a port below 1024.
See Working with UDP connections on the Splunk Community Wiki for recommendations if you must send network data with UDP.
Confirm how your network device handles external monitoring before you use the network monitoring input
Before you begin monitoring the output of a network device with the Splunk Enterprise network monitor, confirm how the device interacts with external network monitors.
If you configure TCP logging on some network devices, such as a Cisco Adaptive Security Appliance (ASA), and the device cannot connect to the monitor, it might cause reduced performance or stop logging. By default, the Cisco ASA stops accepting incoming network connections when it encounters network congestion or connectivity problems.
Add a network input using Splunk Web
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor a network port on the local machine, or Forward to receive network data from another machine.
- If you select Forward, choose or create the group of forwarders you want this input to apply to.
- Click Next.
Specify the network input
- In the left pane, click TCP / UDP to add an input.
- Click the TCP or UDP button to choose between a TCP or UDP input.
- In the Port field, enter a port number.
- Consult Splunk Support before changing the
Source name overridevalue.
- For a TCP input, specify whether this port accepts connections from all hosts or only one host in the
Only accept connections fromfield. If you only want the input to accept connections from one host, enter the host name or IP address. You can use wildcards to specify hosts.
- Click Next.
Specify input settings
The Input Settings page lets you specify source type, application context, default host value, and index. All of these parameters are optional.
- Set the Source type. This is a default field that Splunk Enterprise adds to events and uses to determine processing characteristics, such as timestamps and event boundaries.
- Set the Host name value. Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network. You have several choices:
- IP sets the input processor to rewrite the host with the IP address of the remote server.
- DNS Sets the host to the DNS entry of the remote server.
- Custom Sets the host to a user-defined label.
- Set the Index that Splunk Enterprise sends data to for this input. Leave the value as default unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this drop-down box.
- Click Review.
Review your choices
After specifying your input settings, review your selections. Splunk Enterprise lists the options you selected, including the type of monitor, source, source type, application context, and index.
- Review the settings.
- If they are not what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads a confirmation page and begins indexing the specified network input.
Configure Splunk DB Connect v3.1 inputs for the Splunk Add-on for McAfee
Verify your McAfee data
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8