Is it me or are the extractions in Splunk_TA_mcafee-wg next to totaly wrong?
To take an example Log entry from some of my activity the log looks like this:
Jul 18 08:44:27 xxx_hostname_xxx mwg: McAfeeWG|time_stamp=[18/Jul/2018:08:44:27 +0200]|auth_user=cn=XXXX,ou=XXX,ou=XXXX,ou=XXX,o=XXX|src_ip=10.9.16.6|server_ip=18.104.22.168|host=www.google.com|url_port=443|status_code=200|bytes_from_client=958|bytes_to_client=426|categories=Sea... Engines|rep_level=Minimal Risk|method=GET|url=https://www.google.com/searchdomaincheck?format=domain&type=chrome|media_type=text/plain|application... (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36|referer=|block_res=0|block_reason=|virus_name=|hash=|filename=searchdomaincheck|filesize=426|
for src, src_ip,user,user_agent the value is "unknown"
There is the field auth_user containing the dn but i think user should contain the cn...
What am i doing wrong?
@dominiquevocat @jbrocks Did either of you ever get a solution to this? I appear to have the same problem.
As far as I'm aware we are also using the TA as it was downloaded and no changes were made to props or transforms files.
I am not sure if this will help you, but I think the MWG AddOn only works with syslog. So you need to import a .xml file to MWG which helps splunk decoding the headers and parsing the right fields. As far as i understood this article: https://docs.splunk.com/Documentation/AddOns/released/McAfeeWG/Setup