We are currently collecting McAfee Intrushield firewall and IPS logs via syslog into Splunk without any EPO integration at all, as we don't have that component. We are using the Splunk Add-on for McAfee with some extra field extractions we have developed ourselves.
The Add-on documentation for Syslog states the following:
Some McAfee product logs are not gathered from ePO. Configure Network Security Platform (Intrushield) to send syslog to a Splunk Enterprise receiving network port or a syslog server that writes to a directory that Splunk Enterprise monitors. Configure Splunk Enterprise to set the source type to mcafee:ids. Data received by Splunk Enterprise that matches the source type rules in props.conf and transforms.conf is automatically recognized. For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
Which I find incredibly limited and not specific enough so I was wondering if anyone in the community can share any experiences with McAfee Intrushield and no EPO integration.
Well for the Syslog format, I am just testing this, so the IDS is configured with this format, if your differs let me know, checked this with regex101 and the config in transforms.con - seems to be extracting the fields. Also suprised that it is not mentioned in the Splunk App doc.
Attack ID: $IV_ATTACK_ID$ ; Attack Name: $IV_ATTACK_NAME$ ; Result Status: $IV_RESULT_STATUS$ ; Admin Domain: $IV_ADMIN_DOMAIN$ ; Sensor Name: $IV_SENSOR_NAME$ ; Attack Time: $IV_ATTACK_TIME$ ; Interface: $IV_INTERFACE$ ; Direction: $IV_DIRECTION$ ; SIP: $IV_SOURCE_IP$ ; SPort: $IV_SOURCE_PORT$ ; DIP: $IV_DESTINATION_IP$ ; DPort: $IV_DESTINATION_PORT$ ; App Proto: $IV_APPLICATION_PROTOCOL$ ; Net Proto: $IV_NETWORK_PROTOCOL$ ; Alert ID: $IV_ALERT_ID$ ; Alert Type: $IV_ALERT_TYPE$ ; Attack Severity: $IV_ATTACK_SEVERITY$ ; Attack Conf: $IV_ATTACK_CONFIDENCE$ ; Cat: $IV_CATEGORY$ ; Sub-Cat: $IV_SUB_CATEGORY$ ; Detection Mech: $IV_DETECTION_MECHANISM$ ;
I've done something very similar using colon to separate key and value, and semicolon to separate key pairs.
It's working fine but I'm just concern there's no mention in the docs and the app is supposed to be CIM compliant so how can you be CIM compliant if you don't provide a list of fields you expect your Syslog message to have?