Archive

Mcafee IPS Field Extraction

New Member

I'm trying to extract the fields of the mcafee ips syslogs being sent to Splunk. Here is a raw log if someone can help me create the regex. Still learning up about this.

7:00:51.000 PM Dec 6 19:00:53 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:00:51 EST Medium Mcafee-Sensor-01 ARP: ARP Spoofing Detected 0x42400100 N/A N/A N/A PolicyViolation Outbound Suspicious N/A N/A

host=shared-syslog-001.server.company.com Options| sourcetype=mcafee_ips Options| source=/var/log/syslog/system-192.168.1.30.log Options

Tags (2)
0 Karma

New Member

Successful exploits

index=XXX sourcetype=mcafee_ips | rex ".\s(?\S?)\s(?\S*?)\s(?\S*?):(?.?)\s(?\dx.?)\s\s?(?.?)\s(?.?)\s(?\d*?)\s(?\S*?)\s(?\S*?)\s(?(Blocked|May\be\successful|Suspicious|Successful))\s(?.?)\s(?.?)$" | search policy="Exploit" status="Successful"

0 Karma

New Member

index=XXX sourcetype=mcafee_ips | rex ".\s(?\S?)\s(?\S*?)\s(?\S*?):(?.?)\s(?\dx.?)\s\s?(?.?)\s(?.?)\s(?\d*?)\s(?\S*?)\s(?\S*?)\s(?(Blocked|May\be\successful|Suspicious|Successful))\s(?.?)\s(?.?)$"

Still working this puppy but this will break out the fields so you can start choosing what you want to do next. More to come.

0 Karma