Getting Data In

McAfee Host Intrusion Prevention event logs

APNelson
Explorer

From what I've been able to find, McAfee Host Intrusion Prevention does not write to its event.log file in a human readable format. How can I get that read in by Splunk in a useful format?

A previous answer I found (http://answers.splunk.com/answers/95340/mcafee-epo-integration-with-splunk) talked about configuring ePolicy Orchestrator to create a text log file, but wouldn't that cause the source of all the events to be listed as the ePolicy server as opposed to the computer the event actually occurred on?

Tags (3)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.

props.conf

[your_epo_sourcetype]
TRANSFORMS-set_host

transforms.conf

[set_host]
REGEX = your regex here
DEST_KEY = MetaData:Host
FORMAT = host::$1

read more here:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides

View solution in original post

daniel_goolsby_
Explorer

After discovering the event.log was binary-- but the file would seemingly load up fine in notepad, or notepad++.. I discovered the file was actually in a different character set called UCS-2 LE, which according to (http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Configurecharactersetencoding) maps to the utf-16le characterset- that I had to specify that in the props.conf on the forwarder.

[monitor://C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log]
index=
disabled = 0
sourcetype = hipsfw
followTail = 1

in props.conf (still on forwarder)

[hipsfw]
NO_BINARY_CHECK = true
CHARSET = utf-16le

This should get everyone going.

0 Karma

kristian_kolb
Ultra Champion

You could probably make an index-time transform to pull out the correct source host name from the events to replace the hostname of the ePO server.

props.conf

[your_epo_sourcetype]
TRANSFORMS-set_host

transforms.conf

[set_host]
REGEX = your regex here
DEST_KEY = MetaData:Host
FORMAT = host::$1

read more here:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Advancedsourcetypeoverrides

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...