From what I've been able to find, McAfee Host Intrusion Prevention does not write to its event.log file in a human readable format. How can I get that read in by Splunk in a useful format?
A previous answer I found (http://answers.splunk.com/answers/95340/mcafee-epo-integration-with-splunk) talked about configuring ePolicy Orchestrator to create a text log file, but wouldn't that cause the source of all the events to be listed as the ePolicy server as opposed to the computer the event actually occurred on?
You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.
REGEX = your regex here
DEST_KEY = MetaData:Host
FORMAT = host::$1
read more here:
View solution in original post
After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder.
[monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log]
disabled = 0
sourcetype = hipsfw
followTail = 1
in props.conf (still on forwarder)
NO_BINARY_CHECK = true
CHARSET = utf-16le
This should get everyone going.