https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127049#M3857 <P>Normally, I would expect KVPs in LEEF records to be separated by TABs. There is more discussion and a sample in </P> <P><A href="https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html">https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html</A></P> Thu, 26 Jul 2018 09:20:09 GMT Rob_van_Hoboken 2018-07-26T09:20:09Z https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127047#M3855 <P>Hi all.<BR /> I want to do a test between Imperva's SecureSphere logs and Splunk but i haven't for now a sample of the log data. Anyone have an example file (with altered information of course)? I only see standard templates like:</P> <PRE><CODE>LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query= </CODE></PRE> <P>I want to see detailed examples to try regular expressions and more.</P> <P>Thank you!</P> <P>Regards.</P> Mon, 25 May 2015 22:20:04 GMT https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127047#M3855 changux 2015-05-25T22:20:04Z https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127048#M3856 <P>This related question answers partially my own.</P> <P><A href="http://answers.splunk.com/answers/140326/cef-parsing-using-custom-field-labels-and-the-cefutils-app.html">http://answers.splunk.com/answers/140326/cef-parsing-using-custom-field-labels-and-the-cefutils-app.html</A></P> <P>Thanks!</P> Tue, 26 May 2015 03:31:38 GMT https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127048#M3856 changux 2015-05-26T03:31:38Z https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127049#M3857 <P>Normally, I would expect KVPs in LEEF records to be separated by TABs. There is more discussion and a sample in </P> <P><A href="https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html">https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html</A></P> Thu, 26 Jul 2018 09:20:09 GMT https://community.splunk.com/t5/Security/Log-example-for-Imperva-SecureSphere-CEF-LEEF/m-p/127049#M3857 Rob_van_Hoboken 2018-07-26T09:20:09Z