I'm trying to extract the fields of the mcafee ips syslogs being sent to Splunk. Here is a raw log if someone can help me create the regex. Still learning up about this.
7:00:51.000 PM Dec 6 19:00:53 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:00:51 EST Medium Mcafee-Sensor-01 ARP: ARP Spoofing Detected 0x42400100 N/A N/A N/A PolicyViolation Outbound Suspicious N/A N/A
host=shared-syslog-001.server.company.com Options| sourcetype=mcafee_ips Options| source=/var/log/syslog/system-192.168.1.30.log Options
Successful exploits
index=XXX sourcetype=mcafee_ips | rex ".\s(?
index=XXX sourcetype=mcafee_ips | rex ".\s(?
Still working this puppy but this will break out the fields so you can start choosing what you want to do next. More to come.