Security

Log example for Imperva SecureSphere CEF/LEEF

Builder

Hi all.
I want to do a test between Imperva's SecureSphere logs and Splunk but i haven't for now a sample of the log data. Anyone have an example file (with altered information of course)? I only see standard templates like:

LEEF:1.0|Imperva|SecureSphere|10.0.0|Firewall None|Alert ID=912905|devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=2014-07-22 06:59:58.0|Alert type=Firewall|src=10.0.0.1|usrName=n/a|Application name=${Alert.applicationName}|Service name=${Alert.serviceName}|Alert Description=TCP - TCP Unexpected SYN|Severity=High|Simulation Mode=false|Immediate Action=None|Event ID=4238139139125767123|dst=10.0.0.2|dp=443|Server Group=securitynik_servers|Affected Application=|Affected Application (violation)=$item.alert.applicationName|HTTP Method=|HTTP Host=|Query=

I want to see detailed examples to try regular expressions and more.

Thank you!

Regards.

0 Karma

New Member

Normally, I would expect KVPs in LEEF records to be separated by TABs. There is more discussion and a sample in

https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html

0 Karma

Builder
0 Karma