Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: McAfee Host Intrusion Prevention event logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From what I've been able to find, McAfee Host Intrusion Prevention does not write to its event.log file in a human readable format. How can I get that read in by Splunk in a useful format?
A previous answer I found (http://answers.splunk.com/answers/95340/mcafee-epo-integration-with-splunk) talked about configuring ePolicy Orchestrator to create a text log file, but wouldn't that cause the source of all the events to be listed as the ePolicy server as opposed to the computer the event actually occurred on?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.
props.conf
[your_epo_sourcetype]
TRANSFORMS-set_host
transforms.conf
[set_host]
REGEX = your regex here
DEST_KEY = MetaData:Host
FORMAT = host::$1
read more here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder.
[monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log]
index=
disabled = 0
sourcetype = hipsfw
followTail = 1
in props.conf (still on forwarder)
[hipsfw]
NO_BINARY_CHECK = true
CHARSET = utf-16le
This should get everyone going.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.
props.conf
[your_epo_sourcetype]
TRANSFORMS-set_host
transforms.conf
[set_host]
REGEX = your regex here
DEST_KEY = MetaData:Host
FORMAT = host::$1
read more here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
