Re: Log example for Imperva SecureSphere CEF/LEEF

changux · ‎05-25-2015

Hi all.
I want to do a test between Imperva's SecureSphere logs and Splunk but i haven't for now a sample of the log data. Anyone have an example file (with altered information of course)? I only see standard templates like:

LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query=

I want to see detailed examples to try regular expressions and more.

Thank you!

Regards.

Rob_van_Hoboken · ‎07-26-2018

Normally, I would expect KVPs in LEEF records to be separated by TABs. There is more discussion and a sample in

https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html

changux · ‎05-25-2015

This related question answers partially my own.

http://answers.splunk.com/answers/140326/cef-parsing-using-custom-field-labels-and-the-cefutils-app....

Thanks!

Log example for Imperva SecureSphere CEF/LEEF

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation