https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542536#M90640 <P>From my perspective your props.conf looks good. Are your events currently being indexed line by line?</P> Fri, 05 Mar 2021 11:06:50 GMT dave_null 2021-03-05T11:06:50Z https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542422#M90635 <P>Hello All!</P><P>I am trying to parse McAfee firewall logs but the props.conf I am using doesn't seem to work.</P><P>This is my props.conf:</P><P>[source::&lt;source location&gt;]<BR />TIME_PREFIX = Time:\s+<BR />TIME_FORMAT = %m/%d/%Y %H:%M:%S<BR />LINE_BREAKER = ([\r\n]+)Time:<BR />SHOULD_LINEMERGE = false</P><P>This is the log that I want to break at each timestamp line:</P><P>Time: 03/04/2021 17:31:18<BR />Event: Traffic<BR />IP Address: 172.16.0.21<BR />Description:<BR />Path:<BR />Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915)<BR />Matched Rule: Block all traffic<BR />Time: 03/04/2021 17:31:19<BR />Event: Traffic<BR />IP Address: 172.16.0.21<BR />Description:<BR />Path:<BR />Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915)<BR />Matched Rule: Block all traffic<BR />Time: 03/04/2021 17:31:20<BR />Event: Traffic<BR />IP Address: 172.16.0.21<BR />Description:<BR />Path:<BR />Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915)<BR />Matched Rule: Block all traffic<BR />Time: 03/04/2021 17:31:21<BR />Event: Traffic<BR />IP Address: 172.16.0.21<BR />Description:<BR />Path:<BR />Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915)<BR />Matched Rule: Block all traffic<BR />Time: 03/04/2021 17:31:22<BR />Event: Traffic<BR />IP Address: 172.16.0.21<BR />Description:<BR />Path:<BR />Message: Blocked Incoming UDP - Source 172.16.0.21 : (54915) Destination 172.16.0.255 : (54915)<BR />Matched Rule: Block all traffic</P><P>...</P><P>&nbsp;</P><P>Thank you so much!</P> Thu, 04 Mar 2021 22:40:15 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542422#M90635 weicai88 2021-03-04T22:40:15Z https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542536#M90640 <P>From my perspective your props.conf looks good. Are your events currently being indexed line by line?</P> Fri, 05 Mar 2021 11:06:50 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542536#M90640 dave_null 2021-03-05T11:06:50Z https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542562#M90642 <P>Yeah, the vast majority are 1 line, and there are many other line counts. What I need is events with 7 lines.&nbsp; BTW, the props.conf is on heavy forwarders to send to Splunk Cloud.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="weicai88_0-1614954366545.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13191i0DF9B4FE57EBBDBE/image-size/medium?v=v2&amp;px=400" role="button" title="weicai88_0-1614954366545.png" alt="weicai88_0-1614954366545.png" /></span></P><P>&nbsp;</P> Fri, 05 Mar 2021 14:27:59 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542562#M90642 weicai88 2021-03-05T14:27:59Z https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542579#M90647 <P>Just figured it out, instead of using source, sourcetype should be used in the props.conf. Now I am seeing proper events break-up:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="weicai88_0-1614957483098.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13197iCDC79470BA2429E5/image-size/medium?v=v2&amp;px=400" role="button" title="weicai88_0-1614957483098.png" alt="weicai88_0-1614957483098.png" /></span></P><P>&nbsp;</P> Fri, 05 Mar 2021 15:18:41 GMT https://community.splunk.com/t5/Getting-Data-In/Parsing-McAfee-Firewall-Logs/m-p/542579#M90647 weicai88 2021-03-05T15:18:41Z