
Splunk Add-on for McAfee: How to collect McAfee Intrushield IPS and Firewall Syslog and Layer 7 without McAfee EPO?

SplunkTrust

Hi all,

We are currently collecting McAfee Intrushield firewall and IPS logs via syslog into Splunk without any EPO integration at all, as we don't have that component. We are using the Splunk Add-on for McAfee with some extra field extractions we have developed ourselves.

The Add-on documentation for Syslog states the following:

Some McAfee product logs are not gathered from ePO.

Configure Network Security Platform (Intrushield) to send syslog to a Splunk Enterprise receiving network port or a syslog server that writes to a directory that Splunk Enterprise monitors.

Configure Splunk Enterprise to set the source type to mcafee:ids. Data received by Splunk Enterprise that matches the source type rules in props.conf and transforms.conf is automatically recognized.

For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.

I find this incredibly limited and not specific enough, so I was wondering if anyone in the community can share any experiences with McAfee Intrushield and no EPO integration.

  • Is there any preferred Syslog format for the data? By looking at transforms.conf we managed to hardcode a customized Syslog format for our logs, but we couldn't find any instructions or documentation about it
  • Can it be collected via other methods such as database?
  • Can we collect IPS, Firewall and Server logs?
  • Syslog does not provide Layer 7 data so we ended up ingesting Intrushield daily CSV reports in order to enrich the IPS logs. Does anybody have any experience here that you can share?
  • Will the TA support CIM normalization if you don't use McAfee EPO?
  • Is there any other app available that might help? I have already checked this other one but it's even more limited than the official one.

Thanks,
J


Explorer

Hi

Well, for the Syslog format, I am just testing this. The IDS is configured with the format below; if yours differs, let me know. I checked this with regex101 against the config in transforms.conf, and it seems to be extracting the fields. I am also surprised that it is not mentioned in the Splunk App doc.

Attack ID: $IVATTACKID$ ; Attack Name: $IVATTACKNAME$ ; Result Status: $IVRESULTSTATUS$ ; Admin Domain: $IVADMINDOMAIN$ ; Sensor Name: $IVSENSORNAME$ ; Attack Time: $IVATTACKTIME$ ; Interface: $IVINTERFACE$ ; Direction: $IVDIRECTION$ ; SIP: $IVSOURCEIP$ ; SPort: $IVSOURCEPORT$ ; DIP: $IVDESTINATIONIP$ ; DPort: $IVDESTINATIONPORT$ ; App Proto: $IVAPPLICATIONPROTOCOL$ ; Net Proto: $IVNETWORKPROTOCOL$ ; Alert ID: $IVALERTID$ ; Alert Type: $IVALERTTYPE$ ; Attack Severity: $IVATTACKSEVERITY$ ; Attack Conf: $IVATTACKCONFIDENCE$ ; Cat: $IVCATEGORY$ ; Sub-Cat: $IVSUBCATEGORY$ ; Detection Mech: $IVDETECTION_MECHANISM$ ;

rgds
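To make the template above concrete, here is an added example (not code from the Splunk Add-on for McAfee or from either poster) that parses a rendered Intrushield syslog line in that "Key: value ; Key: value ;" layout and maps the result onto CIM Intrusion Detection field names. It assumes the sensor renders the template exactly as posted (" ; " between pairs, ": " between key and value, "Attack ID" first); the Intrushield-key to CIM-field mapping is this example's own choice, and the sample line is constructed, not a real sensor log. It also handles the edge case the template invites: attack names that themselves contain ": ".

```python
"""Parse McAfee Network Security Platform (Intrushield) syslog alerts written in
the "Key: value ; Key: value ;" template and map them to CIM field names.

Added example. Not the add-on's own code. The key -> CIM mapping below is an
assumption of this example; the sample line is constructed.
"""
import ipaddress
from typing import Dict, Union

# Constructed sample: a syslog header followed by the rendered template.
# "Attack Name" deliberately contains ": ", which a naive split on ":" breaks.
SAMPLE_LINE = (
    "<134>Jun 12 10:15:32 nsp-sensor01 SyslogAlertForwarder: "
    "Attack ID: 0x12345678 ; Attack Name: HTTP: Constructed Test Attack Name ; "
    "Result Status: Inconclusive ; Admin Domain: /Example Domain ; "
    "Sensor Name: nsp-sensor01 ; Attack Time: 2019-06-12 10:15:31 ; "
    "Interface: 1A-1B ; Direction: Inbound ; SIP: 203.0.113.45 ; SPort: 51234 ; "
    "DIP: 10.1.2.3 ; DPort: 80 ; App Proto: http ; Net Proto: tcp ; "
    "Alert ID: 1122334455 ; Alert Type: Signature ; Attack Severity: High ; "
    "Attack Conf: Medium ; Cat: Exploit ; Sub-Cat: example ; Detection Mech: signature ;"
)

# Template key -> CIM Intrusion_Detection field. This mapping is an assumption
# made for the example, not one published by the add-on.
CIM_MAP = {
    "SIP": "src",
    "SPort": "src_port",
    "DIP": "dest",
    "DPort": "dest_port",
    "Attack Name": "signature",
    "Attack ID": "signature_id",
    "Attack Severity": "severity",
    "Cat": "category",
    "Sensor Name": "dvc",
    "Net Proto": "transport",
}

FIRST_KEY = "Attack ID:"  # the template starts with this key (assumption)


def parse_alert(line: str) -> Dict[str, str]:
    """Split one rendered template line into {template key: raw value}."""
    # Everything before the first template key is the syslog header
    # (PRI, timestamp, host, tag); drop it rather than parse it as a pair.
    start = line.find(FIRST_KEY)
    body = line[start:] if start >= 0 else line
    fields: Dict[str, str] = {}
    # Pairs are separated by " ; ", so a value may safely contain ":".
    for chunk in body.split(" ; "):
        chunk = chunk.strip().rstrip(";").strip()
        if not chunk:
            continue
        # Only the FIRST colon separates key from value; later colons belong
        # to the value (e.g. "Attack Name: HTTP: ..." or a timestamp).
        key, sep, value = chunk.partition(":")
        if not sep:
            continue
        fields[key.strip()] = value.strip()
    return fields


def to_cim(fields: Dict[str, str]) -> Dict[str, Union[str, int]]:
    """Project parsed template fields onto CIM names, validating the network
    fields instead of trusting the sensor output blindly."""
    cim: Dict[str, Union[str, int]] = {
        "vendor_product": "McAfee Network Security Platform",
        "ids_type": "network",
    }
    for raw_key, cim_key in CIM_MAP.items():
        value = fields.get(raw_key, "")
        if not value:
            continue
        if cim_key in ("src", "dest"):
            try:
                ipaddress.ip_address(value)  # drop anything that is not an IP
            except ValueError:
                continue
        elif cim_key in ("src_port", "dest_port"):
            if not value.isdigit() or not 0 <= int(value) <= 65535:
                continue
            cim[cim_key] = int(value)
            continue
        elif cim_key == "severity":
            value = value.lower()  # CIM severity values are lowercase
        cim[cim_key] = value
    return cim


if __name__ == "__main__":
    for k, v in to_cim(parse_alert(SAMPLE_LINE)).items():
        print(f"{k}={v}")
```

The same two rules, split pairs on " ; " and split key from value on the first colon only, are what a transforms.conf regex for this format has to encode; fields that are not in the mapping (Attack Conf, Direction, Interface, Alert ID) are still available in the parsed dictionary if you want to carry them through as non-CIM fields.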

SplunkTrust

I've done something very similar using colon to separate key and value, and semicolon to separate key pairs.
It's working fine, but I'm just concerned that there's no mention in the docs, and the app is supposed to be CIM compliant, so how can you be CIM compliant if you don't provide a list of fields you expect your Syslog message to have?
