Hi,
We upgraded from Splunk 4.1.7 to 4.2.3. After the upgrade, the application McAfee Email and Web Security Reporter (McAfeeEWSReporter) is not working anymore. I want to know if there is a new version of this app, but I can't find the app anywhere on splunk.com.
The errors I got are:
Unable to find an eventtype web-traffic
Unable to get viewstate information; formatting may not be correct
The lookup table 'reason_id' does not exist. It is referenced by configuration 'syslog'.
The lookup table 'scanner' does not exist. It is referenced by configuration 'syslog'.
Regards,
Arjan Goos
We can help you with that. We have developed an extension for Splunk, called WebGateway App. How it works:
Every administrator who is responsible for systems on the gateway should be able to interact in the event of a failure of the proxy server. A quick overview of all running services is important. For fast and secure configuration and reaction to alerts, a good monitoring system is recommended. Splunk offers many possibilities for monitoring systems, analyzing log files and defining alerts. The „McAfee WebGateway App for Splunk“ has been specifically designed for evaluating traffic and monitoring appliances.
Please let me know which Splunk environment you're using at the moment and if that fits your expectation.
/Mike
I am interested in the "McAfee WebGateway App for Splunk". Where can I find it? We are running Splunk version 5.0.2.
Actually, the error banner for missing lookup is displayed in other apps, not in the McAfeeEWSReporter app.
Here is the setting to change to fix it :
Solution A : by making the lookups available only in the app (safer)
go to manager > lookups
select the app = McAfeeEWSReporter
then change the permissions on the 4 lookups to make them :
Solution B : or by sharing the lookups in every app (will apply on every search having syslog data in the results, this may slow your search)
I checked the lookups provided in the app,
lookups fields in props.conf
[syslog]
LOOKUP-email_direction = mail_direction direction AS direction OUTPUT traffic_direction AS traffic_direction
LOOKUP-event_id = event_id event_id AS event_id OUTPUTNEW name AS event_name
LOOKUP-reason_id = reason_id id AS reason_id OUTPUTNEW name AS reason_name
LOOKUP-scanner = scanner scanner AS scanner OUTPUTNEW description AS scanner_name
[mail_direction]
filename = direction.csv
[event_id]
filename = event_map.csv
[reason_id]
filename = logreasons.csv
[scanner]
filename = scanner.csv
direction.csv event_map.csv logreasons.csv scanner.csv
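As the answer above describes, the banner appears where the `[syslog]` LOOKUP- settings apply but the lookup definitions they name are not visible. The following check is an added example, not part of the original posts and not Splunk's own resolution logic; the function name and the simplified visibility model are assumptions, and the sample configuration is constructed from the stanzas quoted in the thread.

```python
import configparser

# Constructed from the props.conf and transforms.conf stanzas quoted in the thread.
PROPS = """\
[syslog]
LOOKUP-email_direction = mail_direction direction AS direction OUTPUT traffic_direction AS traffic_direction
LOOKUP-event_id = event_id event_id AS event_id OUTPUTNEW name AS event_name
LOOKUP-reason_id = reason_id id AS reason_id OUTPUTNEW name AS reason_name
LOOKUP-scanner = scanner scanner AS scanner OUTPUTNEW description AS scanner_name
"""
TRANSFORMS = """\
[mail_direction]
filename = direction.csv
[event_id]
filename = event_map.csv
[reason_id]
filename = logreasons.csv
[scanner]
filename = scanner.csv
"""
FILES = {"direction.csv", "event_map.csv", "logreasons.csv", "scanner.csv"}


def _parse(text):
    # Only '=' separates key and value; keep key case (LOOKUP-...) as written.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def unresolved_lookups(props_text, transforms_text, lookup_files):
    """Return (stanza, lookup, reason) for each LOOKUP- reference that cannot be
    resolved against the definitions and CSV files visible to the caller."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("LOOKUP-") or not value.split():
                continue
            table = value.split()[0]  # first token names the lookup definition
            if not transforms.has_section(table):
                problems.append((stanza, table, "no definition visible"))
            elif transforms[table].get("filename") not in lookup_files:
                problems.append((stanza, table, "lookup file missing"))
    return problems
```

Pass only the definitions and files that are visible from the app where the banner shows up; an empty result means every reference in `[syslog]` resolves there.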
With this version 1.0 of the app, is the problem still occurring ?
We found out that the app was developed by McAfee.
ok
For those who may be interested, here is the app.
https://kc.mcafee.com/corporate/index?page=content&id=KB71152
The app was released by McAfee in Feb 2011 (for Splunk 4.1.*) and may not be fully compatible with Splunk 4.2.
I don't see this app on Splunkbase. Is it an app you downloaded from Splunkbase, or is it an app built internally in your company?