https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122411#M25350 <P>You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.</P> <P>props.conf </P> <PRE><CODE>[your_epo_sourcetype] TRANSFORMS-set_host </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[set_host] REGEX = your regex here DEST_KEY = MetaData:Host FORMAT = host::$1 </CODE></PRE> <P>read more here: </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides">http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides</A></P> Thu, 23 Jan 2014 01:20:56 GMT kristian_kolb 2014-01-23T01:20:56Z https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122410#M25349 <P>From what I've been able to find, McAfee Host Intrusion Prevention does not write to its event.log file in a human readable format. How can I get that read in by Splunk in a useful format?</P> <P>A previous answer I found (<A href="http://answers.splunk.com/answers/95340/mcafee-epo-integration-with-splunk">http://answers.splunk.com/answers/95340/mcafee-epo-integration-with-splunk</A>) talked about configuring ePolicy Orchestrator to create a text log file, but wouldn't that cause the source of all the events to be listed as the ePolicy server as opposed to the computer the event actually occurred on?</P> Wed, 22 Jan 2014 22:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122410#M25349 APNelson 2014-01-22T22:45:02Z https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122411#M25350 <P>You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.</P> <P>props.conf </P> <PRE><CODE>[your_epo_sourcetype] TRANSFORMS-set_host </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[set_host] REGEX = your regex here DEST_KEY = MetaData:Host FORMAT = host::$1 </CODE></PRE> <P>read more here: </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides">http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides</A></P> Thu, 23 Jan 2014 01:20:56 GMT https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122411#M25350 kristian_kolb 2014-01-23T01:20:56Z https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122412#M25351 <P>After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (<A href="http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding</A>) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder.</P> <P>[monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log]<BR /> index=<BR /> disabled = 0<BR /> sourcetype = hipsfw<BR /> followTail = 1</P> <P>in props.conf (still on forwarder)</P> <P>[hipsfw]<BR /> NO_BINARY_CHECK = true<BR /> CHARSET = utf-16le</P> <P>This should get everyone going. </P> Tue, 29 Sep 2020 07:47:25 GMT https://community.splunk.com/t5/Getting-Data-In/McAfee-Host-Intrusion-Prevention-event-logs/m-p/122412#M25351 daniel_goolsby_ 2020-09-29T07:47:25Z