Is it me or are the extractions in Splunk_TA_mcafee-wg next to totally wrong?
To take an example log entry from some of my activity, the log looks like this:
Jul 18 08:44:27 xxx_hostname_xxx mwg: McAfeeWG|time_stamp=[18/Jul/2018:08:44:27 +0200]|auth_user=cn=XXXX,ou=XXX,ou=XXXX,ou=XXX,o=XXX|src_ip=10.9.16.6|server_ip=172.217.22.100|host=www.google.com|url_port=443|status_code=200|bytes_from_client=958|bytes_to_client=426|categories=Search Engines|rep_level=Minimal Risk|method=GET|url=https://www.google.com/searchdomaincheck?format=domain&type=chrome|media_type=text/plain|application_name=Google|user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36|referer=|block_res=0|block_reason=|virus_name=|hash=|filename=searchdomaincheck|filesize=426|
For src, src_ip, user and user_agent the value is "unknown".
There is the field auth_user containing the dn, but I think user should contain the cn...
What am I doing wrong?
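The log line quoted above is a syslog wrapper followed by `key=value` pairs separated by `|`. As an added illustration (not code from the Splunk_TA_mcafee-wg add-on and not the poster's own), the following Python parser splits the pairs on the first `=` only, so values that themselves contain `=` (the DN in `auth_user`, the query string in `url`) survive intact, and then derives CIM-style `src`, `dest` and `user` fields from `src_ip`, `server_ip` and the `cn` of the DN. The sample line is constructed from the post with the same anonymised hostname and DN; the RFC 4514 escaped-comma handling in `cn_from_dn` is an assumption about DNs the poster did not show.

```python
import re

# Constructed sample in the shape of the post's log line (hostname and DN are anonymised as in the original).
SAMPLE = (
    "Jul 18 08:44:27 xxx_hostname_xxx mwg: McAfeeWG|time_stamp=[18/Jul/2018:08:44:27 +0200]|"
    "auth_user=cn=XXXX,ou=XXX,ou=XXXX,ou=XXX,o=XXX|src_ip=10.9.16.6|server_ip=172.217.22.100|"
    "host=www.google.com|url_port=443|status_code=200|bytes_from_client=958|bytes_to_client=426|"
    "categories=Search Engines|rep_level=Minimal Risk|method=GET|"
    "url=https://www.google.com/searchdomaincheck?format=domain&type=chrome|media_type=text/plain|"
    "application_name=Google|user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36|"
    "referer=|block_res=0|block_reason=|virus_name=|hash=|filename=searchdomaincheck|filesize=426|"
)

MARKER = "McAfeeWG|"


def parse_mwg_line(line):
    """Return the key=value fields after the 'McAfeeWG|' marker as a dict.

    Splitting each token on the FIRST '=' only is what keeps values such as
    'cn=...,ou=...' and 'https://...?format=domain&type=chrome' whole.
    Empty values (referer=, hash=) are kept as '' rather than dropped.
    """
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not a McAfee Web Gateway line: marker missing")
    body = line[idx + len(MARKER):]
    fields = {}
    for token in body.split("|"):
        if not token or "=" not in token:
            continue  # trailing '|' yields an empty token; skip it
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def cn_from_dn(dn):
    """Extract the cn attribute value from an LDAP DN.

    Assumption: RDNs may contain RFC 4514 escaped commas ('\\,'), so split on
    commas that are not preceded by a backslash, then unescape the value.
    """
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return value.strip().replace("\\,", ",")
    return None


def normalise(fields):
    """Add CIM-style aliases the post says are missing: src, dest and user."""
    out = dict(fields)
    out["src"] = fields.get("src_ip")
    out["dest"] = fields.get("server_ip")
    auth_user = fields.get("auth_user", "")
    # Prefer the cn; fall back to the raw DN if no cn RDN is present.
    out["user"] = cn_from_dn(auth_user) or auth_user or None
    return out


if __name__ == "__main__":
    event = normalise(parse_mwg_line(SAMPLE))
    for key in ("src", "dest", "user", "user_agent", "url"):
        print(f"{key}={event[key]}")
```

Running the block prints the derived `src`, `dest` and `user` values alongside the untouched `user_agent` and `url`, which is a quick way to confirm a regex-based extraction against the same line before trusting it in a search.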