I'm trying to extract the fields of the McAfee IPS syslogs being sent to Splunk. Here is a raw log if someone can help me create the regex. Still learning about this.

Dec 6 19:00:53 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:00:51 EST Medium Mcafee-Sensor-01 ARP: ARP Spoofing Detected 0x42400100 N/A N/A N/A PolicyViolation Outbound Suspicious N/A N/A
host=shared-syslog-001.server.company.com | sourcetype=mcafee_ips | source=/var/log/syslog/system-192.168.1.30.log
index=XXX sourcetype=mcafee_ips | rex ".*\s(?<alert_level>\S*?)\s(?<device>\S*?)\s(?<proto_class>\S*?):(?<message>.*?)\s(?<hex>\dx.*?)\s\s?(?<src>.*?)\s(?<dst>.*?)\s(?<port>\d*?)\s(?<policy>\S*?)\s(?<direction>\S*?)\s(?<status>(Blocked|Maybesuccessful|Suspicious|Successful))\s(?<proto_l7>.*?)\s(?<proto_l4>.*?)$"

Still working on this puppy, but this will break out the fields so you can start choosing what you want to do next. More to come.
Successful exploits:

index=XXX sourcetype=mcafee_ips | rex ".*\s(?<alert_level>\S*?)\s(?<device>\S*?)\s(?<proto_class>\S*?):(?<message>.*?)\s(?<hex>\dx.*?)\s\s?(?<src>.*?)\s(?<dst>.*?)\s(?<port>\d*?)\s(?<policy>\S*?)\s(?<direction>\S*?)\s(?<status>(Blocked|Maybesuccessful|Suspicious|Successful))\s(?<proto_l7>.*?)\s(?<proto_l4>.*?)$" | search policy="Exploit" status="Successful"
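An offline way to check a field extraction before putting it into a Splunk search, as an added example that is not part of either post above. The regex here is written fresh from the field order visible in the sample line (not the poster's rex), uses `\s+` between fields so tab- or double-space-delimited variants still parse, and accepts `N/A` in the port column. The two extra log lines are constructed with placeholder values so the exploit filter and the non-matching path can be exercised.

```python
import re

# Field layout assumed from the sample line in the question. Python uses
# (?P<name>...) for named groups where Splunk's PCRE rex uses (?<name>...).
FIELD_RE = re.compile(
    r"SyslogAlertForwarder:\s+"
    r"(?P<event_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)\s+"
    r"(?P<alert_level>\S+)\s+(?P<device>\S+)\s+(?P<proto_class>[^:\s]+):\s*"
    r"(?P<message>.*?)\s+(?P<hex>0x[0-9A-Fa-f]+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\S+)\s+"
    r"(?P<policy>\S+)\s+(?P<direction>\S+)\s+"
    r"(?P<status>Blocked|Maybe\s?successful|Suspicious|Successful)\s+"
    r"(?P<proto_l7>\S+)\s+(?P<proto_l4>\S+)\s*$"
)

SAMPLE_LOGS = [
    # Raw line from the question, with the syslog header Splunk receives.
    "Dec  6 19:00:53 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:00:51 EST "
    "Medium Mcafee-Sensor-01 ARP: ARP Spoofing Detected 0x42400100 N/A N/A N/A "
    "PolicyViolation Outbound Suspicious N/A N/A",
    # Constructed line (placeholder values) that the exploit filter should keep.
    "Dec  6 19:05:10 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:05:08 EST "
    "High Mcafee-Sensor-01 HTTP: Example Signature Name 0x00000001 10.0.0.5 10.0.0.9 80 "
    "Exploit Inbound Successful HTTP TCP",
    # Constructed truncated line, to show what a non-matching event returns.
    "Dec  6 19:06:00 192.168.1.30 SyslogAlertForwarder: 2011-12-06 19:05:58 EST High",
]


def extract_fields(raw):
    """Return a dict of the named fields for one raw event, or None if the
    line does not fit the expected layout (Splunk's rex would simply leave
    the fields unset for such an event)."""
    match = FIELD_RE.search(raw)
    return match.groupdict() if match else None


def successful_exploits(raw_events):
    """Equivalent of `| search policy="Exploit" status="Successful"`:
    extract fields from every event and keep only the matching ones."""
    kept = []
    for raw in raw_events:
        fields = extract_fields(raw)
        if fields and fields["policy"] == "Exploit" and fields["status"] == "Successful":
            kept.append(fields)
    return kept


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(extract_fields(raw))
    print("successful exploits:", len(successful_exploits(SAMPLE_LOGS)))
```

Running the pattern against a handful of saved events like this, before editing props.conf or a saved search, catches the usual extraction mistakes early: a lazy `.*?` swallowing the wrong field, a `\d` that never matches `N/A`, or a status alternation that misses a value. When the layout is confirmed, the same named groups carry over to `rex` by changing `(?P<name>` to `(?<name>`.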