Hi all,
We are currently collecting McAfee Intrushield firewall and IPS logs via syslog into Splunk without any EPO integration at all, as we don't have that component. We are using the Splunk Add-on for McAfee with some extra field extractions we have developed ourselves.
The Add-on [documentation][1] for Syslog states the following:
Some McAfee product logs are not gathered from ePO.
Configure Network Security Platform (Intrushield) to send syslog to a Splunk Enterprise receiving network port or a syslog server that writes to a directory that Splunk Enterprise monitors.
Configure Splunk Enterprise to set the source type to mcafee:ids. Data received by Splunk Enterprise that matches the source type rules in props.conf and transforms.conf is automatically recognized.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
I find this incredibly limited and not specific enough, so I was wondering if anyone in the community can share any experiences with McAfee Intrushield and no EPO integration.
- Is there any preferred Syslog format for the data? By looking at transforms.conf we managed to hardcode a customized Syslog format for our logs, but we couldn't find any instructions or documentation about it.
- Can it be collected via other methods such as database?
- Can we collect IPS, Firewall and Server logs?
- Syslog does not provide Layer 7 data so we ended up ingesting Intrushield daily CSV reports in order to enrich the IPS logs. Does anybody have any experience here that you can share?
- Will the TA support CIM normalization if you don't use McAfee EPO?
- Is there any other app available that might help? I have already checked [this other one][2] but it's even more limited than the official one.
Thanks,
J
[1]: http://docs.splunk.com/Documentation/AddOns/latest/McAfeeEPO/ConfigureSyslogInput
[2]: https://splunkbase.splunk.com/app/2735/
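As an added illustration of the two documentation steps quoted above (a receiving syslog input plus the mcafee:ids source type), not part of the original post and not shipped with the Splunk Add-on for McAfee. The port, index name, sample message layout and extraction regex are assumptions for a constructed line, not a documented Intrushield format; the field names src/dest follow CIM naming.

```ini
# inputs.conf (added example): TCP syslog listener bound to the add-on's source type.
# Port 5514 and index "security" are assumptions.
[tcp://5514]
sourcetype = mcafee:ids
connection_host = ip
index = security

# props.conf (added example): search-time extraction attached to the same source type.
# The regex below is an assumption written for a constructed line such as
#   <134>Nov 01 12:00:00 ips01 ALERT attack="Hypothetical Sig" src=10.0.0.5 dst=10.0.0.9 severity=High
# and must be replaced with one matching the format actually configured on the sensor.
[mcafee:ids]
EXTRACT-nsp_kv = attack="(?<signature>[^"]+)"\s+src=(?<src>\S+)\s+dst=(?<dest>\S+)\s+severity=(?<severity>\S+)
```

After a restart, a search over sourcetype=mcafee:ids should show signature, src, dest and severity populated for matching lines; if the add-on already defines a conflicting extraction for that source type, give this stanza a distinct class name.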