We are using McAfee DATABASE ACTIVITY MONITOR solution and have integerated it with Splunk and do not get much fields even in verbose mode search on Splunk search head ,hence looking for some addon that can help in field extraction.
I hav tried installing few McAfee addons but they all seem to be for Mcafee ePO or Antivirus & IPS but none for McAfee DAM.
I don't believe there is an add-on for DAM, I looked a while back. I ended up creating my own props/transforms to extract all the fields. The fields DAM includes in its events are configurable as well, so my DAM logs may not be the same as your DAM logs. But here's what I've been using:
props.conf:
[dam-2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^"[^"]+?","
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
TRUNCATE = 0
KV_MODE = none
EXTRACT-mcafee_dam-2_fields = "(?<ruleNameRaw>[^"]+)","(?<execTime>\d+)","(?<id>\d+)","(?<sourceIP>[^"]+)","(?<osUser>[^"]+)","(?<execUser>[^"]+)","(?<execProgram>[^"]+)","(?<sid>[^"]+)"\."McAfee Database Security","(?<cmdType>[^"]+)","(?<sqlStmt>.+?(?=","))","(?<accessedObjectsRaw>[^"]+)","(?<clientId>[^"]+)","(?<module>[^"]+)","(?<action>[^"]+)","(?<spid>[^"]+)","(?<inflowSqlStmt>.+?(?=","))","(?<inflowObjectsRaw>[^"]+)","(?<database>[^"]+)","(?<agentHost>[^"]+)","(?<sourceHost>[^"]+)","(?<schema>[^"]+)"
REPORT-mcafee_dam-2 = mcafee_dam-2_ruleName, mcafee_dam-2_accessedObjects, mcafee_dam-2_inflowObjects
transforms.conf:
[mcafee_dam-2_ruleName]
SOURCE_KEY = ruleNameRaw
REGEX = (?<ruleName>[^\|]+)
MV_ADD = true
[mcafee_dam-2_accessedObjects]
SOURCE_KEY = accessedObjectsRaw
REGEX = (?<accessedObjects>[^\|]+)
MV_ADD = true
[mcafee_dam-2_inflowObjects]
SOURCE_KEY = inflowObjectsRaw
REGEX = (?<inflowObjects>[^\|]+)
MV_ADD = true