Mcafee IPS Field Extraction

kcobrien1 · ‎12-06-2011

I'm trying to extract the fields of the mcafee ips syslogs being sent to Splunk. Here is a raw log if someone can help me create the regex. Still learning up about this.

7:00:51.000 PM Dec 6 19:00:53 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:00:51 EST Medium Mcafee-Sensor-01 ARP: ARP Spoofing Detected 0x42400100 N/A N/A N/A PolicyViolation Outbound Suspicious N/A N/A

host=shared-syslog-001.server.company.com Options| sourcetype=mcafee_ips Options| source=/var/log/syslog/system-192.168.1.30.log Options

kcobrien1 · ‎12-07-2011

Successful exploits

kcobrien1 · ‎12-07-2011

index=XXX sourcetype=mcafee_ips | rex ".\s(?\S?)\s(?\S*?)\s(?\S*?):(?.?)\s(?\dx.?)\s\s?(?.?)\s(?.?)\s(?\d*?)\s(?\S*?)\s(?\S*?)\s(?(Blocked|May\be\successful|Suspicious|Successful))\s(?.?)\s(?.?)$"

Still working this puppy but this will break out the fields so you can start choosing what you want to do next. More to come.

Mcafee IPS Field Extraction

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest