Using the NXLOG agent as a syslog server

We are currently working on collecting the logs from McAfee EPO (without polling the database) using the agent as the syslog server.

In the EPO we can configure a syslog server to send our events; in that case, the syslog server is our agent.

We tried some configurations, but it is still not working:

<Extension clean_fields_mcafee_epo>
    Module      xm_rewrite
    Keep        time, host, source, sourcetype, event, classification, os, dc, severity, module, stanza, collector_hostname, collector_received_at
</Extension>

<Input i_mcafee_epo_raw>
    Module          im_ssl
    ListenAddr
    CAFile          "McAfeeEpo\Apache2\conf\ssl.crt\ca.cer"
    CertFile        "McAfeeEpo\Apache2\conf\ssl.crt\cert.crt"
    CertKeyFile     "McAfeeEpo\Apache2\conf\ssl.crt\cert.key"
    AllowUntrusted  TRUE
    FlowControl     TRUE
    <Exec>
        parse_syslog();
        $source = "mcafee_epo";
        log_info("event : " + $event);
    </Exec>
</Input>

<Output onul>
    Module      om_null
</Output>

<Route r_raw_epo>
    Path        i_mcafee_epo_raw => onul
</Route>

I was wondering if we need to use the module xm_syslog as the module