
Where can I find the app: McAfee Email and Web Security Reporter

arjangoos
Path Finder

Hi,

We upgraded from Splunk 4.1.7 to 4.2.3. After the upgrade the application McAfee Email and Web Security Reporter (McAfeeEWSReporter) is not working anymore. I want to know if there is a new version of this app, but I can't find the app anywhere on splunk.com.

The errors I got are:

    Unable to find an eventtype web-traffic
    Unable to get viewstate information; formatting may not be correct
    The lookup table 'reason_id' does not exist. It is referenced by configuration 'syslog'.
    The lookup table 'scanner' does not exist. It is referenced by configuration 'syslog'.

Regards,

Arjan Goos


arjangoos
Path Finder

We found out that the app was developed by McAfee.


mzeger
Explorer

We can help you with that. We have developed an extension for Splunk, called WebGateway App. How it works:
Every administrator who is responsible for systems on the gateway should be able to interact in the event of a failure of the proxy server. A quick overview of all running services is important. For fast and secure configuration and reaction to alerts, a good monitoring system is recommended. Splunk offers many possibilities for monitoring systems, analyzing log files and defining alerts. The "McAfee WebGateway App for Splunk" has been specifically designed for evaluating traffic and monitoring appliances.
Please let me know which Splunk environment you're using at the moment and if that fits your expectation.
/Mike


65pony
Explorer

I am interested in the "McAfee WebGateway App for Splunk". Where can I find it? We are running Splunk version 5.0.2.


yannK
Splunk Employee

Actually, the error banner for missing lookup is displayed in other apps, not in the McAfeeEWSReporter app.

Here is the setting to change to fix it:

Solution A: make the lookups available only in the app (safer)
go to manager > lookups
select the app = McAfeeEWSReporter
then change the permissions on the 4 lookups to make them:

  • [x] this app only
  • [x] read by all
  • [x] write by admin (and others if you want)

Solution B: share the lookups in every app (this will apply to every search having syslog data in the results, which may slow your search)

  • edit the file $SPLUNK_HOME/etc/apps/McAfeeEWSReporter/metadata/default.meta
  • and add

        [lookups]
        access = read : [ * ], write : [ * ]
        export = system

  • then restart Splunk to apply.

yannK
Splunk Employee

I checked the lookups provided in the app.

  • lookup fields in props.conf

        [syslog]
        LOOKUP-email_direction = mail_direction direction AS direction OUTPUT traffic_direction AS traffic_direction
        LOOKUP-event_id = event_id event_id AS event_id OUTPUTNEW name AS event_name
        LOOKUP-reason_id = reason_id id AS reason_id OUTPUTNEW name AS reason_name
        LOOKUP-scanner = scanner scanner AS scanner OUTPUTNEW description AS scanner_name

  • link between file and lookup name in transforms.conf

        [mail_direction]
        filename = direction.csv
        [event_id]
        filename = event_map.csv
        [reason_id]
        filename = logreasons.csv
        [scanner]
        filename = scanner.csv

  • lookup files shipped with the app

        direction.csv
        event_map.csv
        logreasons.csv
        scanner.csv

With this version 1.0 of the app, is the problem still occurring?

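The two yannK posts above describe the chain Splunk follows before it can apply a lookup (a LOOKUP-* key in props.conf names a transforms.conf stanza, which names a CSV in the app's lookups directory) and the sharing scope set in metadata/default.meta. The following script, an added example that is not from the thread, from Splunk or from McAfee, walks that chain and reports where it breaks. The props.conf and transforms.conf contents are copied from the post; the default.meta, the set of CSV files present (with logreasons.csv deliberately left out to reproduce the "lookup table 'reason_id' does not exist" error) and the minimal .conf parser are constructed for this example, not Splunk's own code.

```python
"""Walk a Splunk app's lookup chain (props.conf -> transforms.conf -> CSV)
and report the sharing scope declared in metadata/default.meta."""
import re

# props.conf / transforms.conf excerpts as quoted in the thread for McAfeeEWSReporter 1.0.
PROPS_CONF = """
[syslog]
LOOKUP-email_direction = mail_direction direction AS direction OUTPUT traffic_direction AS traffic_direction
LOOKUP-event_id = event_id event_id AS event_id OUTPUTNEW name AS event_name
LOOKUP-reason_id = reason_id id AS reason_id OUTPUTNEW name AS reason_name
LOOKUP-scanner = scanner scanner AS scanner OUTPUTNEW description AS scanner_name
"""

TRANSFORMS_CONF = """
[mail_direction]
filename = direction.csv
[event_id]
filename = event_map.csv
[reason_id]
filename = logreasons.csv
[scanner]
filename = scanner.csv
"""

# Constructed default.meta: lookups readable by all, writable by admin, not exported
# (the "Solution A" scope). Adding "export = system" gives the "Solution B" scope.
DEFAULT_META = """
[lookups]
access = read : [ * ], write : [ admin ]
"""

# Constructed listing of the app's lookups/ directory; logreasons.csv is missing on purpose.
LOOKUP_FILES = {"direction.csv", "event_map.csv", "scanner.csv"}


def parse_conf(text):
    """Minimal .conf parser (constructed for this example): {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_lookups(props_text, transforms_text, meta_text, files):
    """Return (problems, scope): problems is a list of broken links in the chain,
    scope is "system" when default.meta exports the lookups to every app, else "app"."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    meta = parse_conf(meta_text)
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("LOOKUP-"):
                continue
            lookup_name = value.split()[0]  # first token names the transforms.conf stanza
            if lookup_name not in transforms:
                problems.append(f"{stanza}/{key}: no [{lookup_name}] stanza in transforms.conf")
                continue
            filename = transforms[lookup_name].get("filename")
            if filename is None:
                problems.append(f"[{lookup_name}]: transforms stanza has no filename")
            elif filename not in files:
                problems.append(f"[{lookup_name}]: lookup file {filename} missing from lookups/")
    # Splunk applies a lookup to searches outside its own app only when it is exported.
    scope = "system" if meta.get("lookups", {}).get("export") == "system" else "app"
    return problems, scope


if __name__ == "__main__":
    found, scope = check_lookups(PROPS_CONF, TRANSFORMS_CONF, DEFAULT_META, LOOKUP_FILES)
    print(f"lookup scope: {scope}")
    for p in found or ["lookup chain complete"]:
        print(p)
```

Running the script on the constructed inputs reports the app-only scope and a single broken link, the missing logreasons.csv behind the reason_id error; with the file present and `export = system` added to default.meta it reports a complete chain with system scope, which is the wider (and, as yannK notes, costlier) sharing of Solution B.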


yannK
Splunk Employee

OK, for those who may be interested, here is the app.

https://kc.mcafee.com/corporate/index?page=content&id=KB71152

The app was released by McAfee in Feb 2011 (for Splunk 4.1.*) and may not be fully compatible with Splunk 4.2.


yannK
Splunk Employee

I don't see this app in Splunkbase. Is it an app you downloaded from Splunkbase, or is it an app built internally in your company?
