topic Splunk_TA_mcafee-wg fields wrong? in All Apps and Add-ons

Splunk_TA_mcafee-wg fields wrong?

dominiquevocat — Tue, 29 Sep 2020 20:30:36 GMT

Is it me or are the extractions in Splunk_TA_mcafee-wg next to totaly wrong?

To take an example Log entry from some of my activity the log looks like this:

for src, src_ip,user,user_agent the value is "unknown"

There is the field auth_user containing the dn but i think user should contain the cn...

What am i doing wrong?

jbrocks — Wed, 01 Aug 2018 14:01:08 GMT

Hi dominiquevocat, did you found a solution to your problem?

sudosplunk — Tue, 29 Sep 2020 20:46:28 GMT

Hello, can you paste your props.conf and transforms.conf from Splunk_TA_mcafee-wg/default OR local.

dominiquevocat — Fri, 03 Aug 2018 07:30:26 GMT

nope, we opened a support ticket and have a enhancement request going

dominiquevocat — Fri, 03 Aug 2018 07:31:16 GMT

hi, we use the TA out of the box - we have a newer version of mcafee web gateway then is supported by the TA

jbrocks — Fri, 03 Aug 2018 10:15:30 GMT

I am not sure if this will help you, but I think the MWG AddOn only works with syslog. So you need to import a .xml file to MWG which helps splunk decoding the headers and parsing the right fields. As far as i understood this article: https://docs.splunk.com/Documentation/AddOns/released/McAfeeWG/Setup
https://answers.splunk.com/answers/138800/import-log-file.html

pkellyz — Tue, 14 Jan 2020 21:38:43 GMT

@dominiquevocat @jbrocks Did either of you ever get a solution to this? I appear to have the same problem.

As far as I'm aware we are also using the TA as it was downloaded and no changes were made to props or transforms files.

dominiquevocat — Fri, 24 Jan 2020 12:31:39 GMT

no update on the enhancement request - i m not sure if we tried to fix it ourselfs