I have raw events like: time, action, severity, host, etc.
But when I check the interesting fields, the action field is not showing. All the logs are McAfee logs coming from tcp:9997.
Can someone please let me know what the issue could be and what actions I can take to correct this?
Also, it would be a great help if you could advise on the "undefined" logs and what kind these are:
Feb 17 15:41:44 SyslogAlertForwarder: ....0;;; HTTP Host == 10.10.198.187:8080;;; HTTP Response Content Type == application/javascript Last-Modified: Tue, 26 Feb 2019 16:11:46 GMT;;; "
cribl_pipe = uk_mns
host = undefined
ids_type = network
index = eits_ips_prod_us
source = tcp:9997
sourcetype = mcafee:nsm
Feb 17 15:41:07 SyslogAlertForwarder: ...P Response Content Type == application/octet-stream;;; "
cribl_pipe = uk_mns
host = undefined
ids_type = network
index = eits_ips_prod_us
source = tcp:9997
sourcetype = mcafee:nsm
Please find the sample log :
Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" domain="Serasa" category="Sensor" signature="Deploying updates to "spobripsgw02"." action="Set Deployment" result="succeeded" user="Administrator" comment="N/A" delta="N/A"
category = Sensor
cribl_pipe = br_mns
host = 10.52.225.200
ids_type = network
index = eits_ips_prod_us
signature = Deploying updates to
source = tcp:9997
sourcetype = mcafee:nsm
Hi scelikok,
These are McAfee NSM logs, not McAfee ePO Syslog.
Hi @sasankganta,
What are you using as the sourcetype on the data input? Can you please post a sample log?
Hi @sasankganta,
Did you ingest the McAfee logs using the correct sourcetype mentioned in the related app?
If these logs are from "McAfee ePO Syslog", your sourcetype should be "mcafee:epo:syslog". If you are ingesting with anything other than this sourcetype, none of the extractions will work.
Can you please post a screenshot that shows your search, results and interesting fields?
I don't think I can extract fields here, because it's an Intrusion Detection System data model and we get the McAfee logs directly from tcp:9997.
Hi @sasankganta,
Yes, you're receiving McAfee logs from tcp:9997, but after the logs are indexed you have to parse them to extract fields before archiving them in the Data Model.
Is there an app for McAfee in your Search Head?
If yes, try again your search inside this app.
Otherwise, you have to parse your logs.
Ciao.
Giuseppe
Hi @sasankganta,
Splunk automatically recognizes fields when they are in the format "field_name=field_value".
Otherwise you have to extract them, and you have two choices:
There's a third choice if you have a CSV or a JSON file, but that isn't your case.
Anyway, are you using an Add-on containing the field extractions?
If not, you have to create the field extractions.
Ciao.
Giuseppe
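To illustrate the point made in the reply above (fields are picked up automatically only when they arrive as field_name=field_value, everything else needs an explicit extraction), here is an added example. It is not from the original thread, from Splunk or from McAfee; the two sample lines are constructed to resemble the audit-log line and the ;;;-delimited alert fragment quoted in the question, and the regexes and function names are my own. It shows three things: a naive key="value" rule stops at the inner quote in signature="Deploying updates to "spobripsgw02"." and yields the truncated `signature = Deploying updates to` visible in the posted field list; a more tolerant pattern, which only treats a quote as closing when the next key= (or end of line) follows, recovers the whole value; and the SyslogAlertForwarder lines, delimited with ;;; and ==, contain no key=value pairs at all, so the automatic rule extracts nothing from them and a dedicated parser is needed.

```python
import re

# Constructed sample lines (modelled on the thread's samples, not real captures).
AUDIT_SAMPLE = (
    'Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" '
    'domain="Serasa" category="Sensor" signature="Deploying updates to "spobripsgw02"." '
    'action="Set Deployment" result="succeeded" user="Administrator" comment="N/A" delta="N/A"'
)
NSM_SAMPLE = (
    'Feb 17 15:41:44 SyslogAlertForwarder: HTTP Host == 10.10.198.187:8080;;; '
    'HTTP Response Content Type == application/javascript;;; "'
)

# Naive key=value rule: a quoted value ends at the very next double quote.
# (Illustrative regex, not Splunk's own implementation.)
SIMPLE_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Tolerant rule: a quote only closes the value when it is followed by
# whitespace and another key=, or by end of line. Nested quotes survive.
TOLERANT_KV = re.compile(r'(\w+)=(?:"(.*?)"(?=\s+\w+=|\s*$)|(\S+))')


def _collect(pattern, line):
    fields = {}
    for m in pattern.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def extract_simple(line):
    """key=value extraction that truncates at nested quotes."""
    return _collect(SIMPLE_KV, line)


def extract_tolerant(line):
    """key=value extraction that keeps nested quotes inside the value."""
    return _collect(TOLERANT_KV, line)


def parse_nsm_alert(line):
    """Custom parser for the ';;;'-delimited 'Name == value' alert format.

    Field names are lower-cased with spaces replaced by underscores
    (my own naming choice for the example). Segments without '==' are skipped.
    """
    _, _, body = line.partition("SyslogAlertForwarder: ")
    fields = {}
    for segment in body.split(";;;"):
        name, sep, value = segment.partition(" == ")
        if not sep:
            continue
        fields[name.strip().lower().replace(" ", "_")] = value.strip()
    return fields


if __name__ == "__main__":
    print("simple  :", extract_simple(AUDIT_SAMPLE))
    print("tolerant:", extract_tolerant(AUDIT_SAMPLE))
    print("nsm/auto:", extract_simple(NSM_SAMPLE))   # nothing: no key=value pairs
    print("nsm/own :", parse_nsm_alert(NSM_SAMPLE))
```

In Splunk terms the tolerant pattern would become a field extraction for the mcafee:nsm sourcetype (an EXTRACT- setting in props.conf or one built with the Field Extractor), and the ;;;-delimited alert lines need their own extraction in the same place. One further check worth doing before concluding that extraction failed: the "Interesting fields" panel only lists fields present in at least 20% of the returned events, so when most events in the time range are alert lines that carry no action at all, an action field that is extracted from the audit lines can still be missing from that panel; `| stats count by action` will show it regardless.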
I tried in all search modes, still the same issue: the raw event shows "action", but the interesting fields panel does not show the action field.
Yes, I am searching in verbose mode.
Are you searching in Verbose Mode?