Configure Splunk DB Connect v3.1 inputs for the Splunk Add-on for McAfee
The Splunk Add-on for McAfee gathers data from ePO through Splunk DB Connect. Follow the instructions that correspond to the version of DB Connect that you have installed.
Set up the database connection
Perform the following tasks to set up the database connection:
- Install the Microsoft JDBC driver for SQL Server, if it is not already installed.
- Create an identity in the Splunk platform for establishing a connection to the database.
- Create a database connection to the SQL Server using either the Splunk DB Connect GUI or the
db_connections.conf
file.
Download and install the Microsoft JDBC driver for SQL Server
To enable Microsoft SQL Server connections, download and install the Microsoft JDBC Driver for SQL Server.
- Log onto your SQL Server database using a SQL Server user name and password (non-domain attached).
- Download the appropriate JDBC driver for SQL Server.
- For the Microsoft JDBC Driver for SQL Server, which is the "MS Generic Driver".
- Go to the Microsoft JDBC Drivers for SQL Server download page and click Download.
- On the Choose the download you want page, select the checkboxes next to the appropriate download:
sqljdbc_4.2.8112.100_enu.tar.gz
for Linux orsqljdbc_4.2.8112.100_enu.exe
for Windows. Be sure to download version 4.2 of the driver, and then click Next. - Expand the downloaded file.
- For the open source jTDS driver download the driver from the jTDS Project.
- For the Microsoft JDBC Driver for SQL Server, which is the "MS Generic Driver".
- Move the driver file to the correct location:
- For the MS Generic Driver, perform the following steps from inside the
sqljdbc_4.2
directory.- Copy or move the
sqljdbc42.jar
file to the$SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers
directory, - On Windows hosts, the directory is
%SPLUNK_HOME%\etc\apps\splunk_app_db_connect\drivers
.
- Copy or move the
- If you need to use a database service account on Windows with the Generic driver, you will also need to install the JDBC Auth library:
- From the Microsoft JDBC Driver 4.2 for SQL Server download, locate the
sqljdbc_auth.dll
file. This file is at the following path, where <region_code> is the three-letter region code. In English, for example, the code is "enu." <architecture> is the processor type. Options are "x86" and "x64":Microsoft JDBC Driver 4.2 for SQL Server\sqljdbc_4.2\<region_code>\auth\<architecture>\sqljdbc_auth.dll
. - Copy the
sqljdbc_auth.dll
file toC:\Windows\System32
on your Splunk Enterprise server. - From the Windows Control Panel, go to Services > get properties on Splunk Service.
- Click the Log On tab, and then change the Log on as setting from the Local System account to that of the logged on domain user. The domain user must have sufficient privileges to access the SQL Server instance.
- For the jTDS driver, copy the .jar file you downloaded to the
$SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers
directory. On Windows hosts, the directory%SPLUNK_HOME%\etc\apps\splunk_app_db_connect\drivers
.
- From the Microsoft JDBC Driver 4.2 for SQL Server download, locate the
- For the MS Generic Driver, perform the following steps from inside the
- Save your changes, and then restart the Splunk Enterprise server for the changes to take effect.
Create an identity in Splunk Enterprise
Create an identity for establishing a connection to the database. Make sure the user for this identity has the system role.
You can use a user name and password for authentication or use Windows Authentication. However, using DB Connect version 3.1 with Windows Authentication and the JDBC driver for SQL Server requires additional steps. See the Splunk DB Connect manual for more information.
Next, you need to create a database connection to the SQL Server using either the Splunk DB Connect GUI or the db_connections.conf
file.
Configure database inputs using the Splunk DB Connect GUI
If you want to create McAfee database input, choose the template created for the Splunk Add-on for McAfee under Template in Splunk DB Connect.
Install the Add-on for McAfee onto your search head cluster | Configure syslog inputs for the Splunk Add-on for McAfee |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!