Splunk® Supported Add-ons

Splunk Add-on for McAfee NSP

Format specifications for event types with the Splunk Add-on for McAfee NSP release 1.1.0

McAfee Network Security Platform Manager provides a highly configurable message format. Users can include or exclude various event fields so as to extract information as needed. The Add-on supports the KV pair format and extracts related information in the specified format. Events must be generated in the key="value" format.

The best practice is to copy the entire log format given below which has all the security and CIM relevant fields:

McAfee release 10.7.65 and onwards changed the format specification from the " sign to the $ sign. The updated format is given below.

Audit Event Format

audit_action=$IV_AUDIT_ACTION$ audit_result=$IV_AUDIT_RESULT$ audit_time=$IV_AUDIT_TIME$ user=$IV_AUDIT_USER$ category=$IV_AUDIT_CATEGORY$ audit_domain=$IV_AUDIT_DOMAIN$ detail_comment=$IV_AUDIT_DETAIL_COMMENT$ detail_delta=$IV_AUDIT_DETAIL_DELTA$

Alert/Attack Event Format

admin_domain=$IV_ADMIN_DOMAIN$ alert_id=$IV_ALERT_ID$ alert_type=$IV_ALERT_TYPE$ app_protocol=$IV_APPLICATION_PROTOCOL$ confidence=$IV_ATTACK_CONFIDENCE$ attack_count=$IV_ATTACK_COUNT$ attack_id=$IV_ATTACK_ID$ attack_name=$IV_ATTACK_NAME$ severity=$IV_ATTACK_SEVERITY$ alert_signature=$IV_ATTACK_SIGNATURE$ attack_time=$IV_ATTACK_TIME$ category=$IV_CATEGORY$ dest_ip=$IV_DESTINATION_IP$ dest_name=$IV_DESTINATION_NAME$ dest_port=$IV_DESTINATION_PORT$ device_name=$IV_DEVICE_NAME$ direction=$IV_DIRECTION$ confidence=$IV_MALWARE_CONFIDENCE$ file_name=$IV_MALWARE_FILE_NAME$ file_hash=$IV_MALWARE_FILE_MD5_HASH$ file_type=$IV_MALWARE_FILE_TYPE$ virus_name=$IV_MALWARE_VIRUS_NAME$ action_status=$IV_MCAFEE_NAC_ACTION_STATUS$ error_status=$IV_MCAFEE_NAC_ERROR_STATUS$ protocol=$IV_NETWORK_PROTOCOL$ result=$IV_RESULT_STATUS$ src_ip=$IV_SOURCE_IP$ src_name=$IV_SOURCE_NAME$ src_port=$IV_SOURCE_PORT$

Fault Event Format

Fault : dvc=$IV_DEVICE_NAME$ description=$IV_DESCRIPTION$ ack_information=$IV_ACK_INFORMATION$ additional_text=$IV_ADDITIONAL_TEXT$ admin_domain=$IV_ADMIN_DOMAIN$ fault_component=$IV_FAULT_COMPONENT$ fault_level=$IV_FAULT_LEVEL$ fault_name=$IV_FAULT_NAME$ fault_source=$IV_FAULT_SOURCE$ fault_time=$IV_FAULT_TIME$ fault_type=$IV_FAULT_TYPE$ member_device=$IV_MEMBER_DEVICE_NAME$ owner_id=$IV_OWNER_ID$ recommended_action=$IV_RECOMMENDED_ACTION$ severity=$IV_SEVERITY$

Firewall Event Format

acl_action=$ACL_ACTION$ description=$ACL_DESCRIPTION$ policy=$ACL_POLICY$ rule_id=$ACL_RULE_NUMBER$ admin_domain=$ADMIN_DOMAINS$ alert_count=$ALERT_COUNT$ direction=$ALERT_DIRECTION$ duration=$ALERT_DURATION$ application=$APPLICATION$ app=$APPLICATION_PROTOCOL$ dest_country=$DESTINATION_COUNTRY$ dest_hostname=$DESTINATION_HOSTNAME$ dest_ip=$DESTINATION_IP$ dest_port=$DESTINATION_PORT$ interface=$INTERFACE$ acl_protocol=$NETWORK_PROTOCOL$ sensor_name=$SENSOR_NAME$ src_country=$SOURCE_COUNTRY$ src_host=$SOURCE_HOSTNAME$ src_ip=$SOURCE_IP$ src_port=$SOURCE_PORT$ user=$USER_NAME$

This is a configurable key-value log format for all the sources that enables users to add/remove relevant fields in their log message. However, for each type of event, the source will be identified by a specific field which users must add in their custom log format. Also keep in mind that McAfee has a maximum length limit for the format input, even though this doesn't impact the overall length of the log message.

Types of Events | Log field | Field name for extraction
Alert/Attack logs | IV_ALERT_TYPE | alert_type
Audit logs | IV_AUDIT_ACTION | audit_action
Fault logs | IV_FAULT_NAME | fault_name
Firewall logs | ACL_ACTION | acl_action
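
A pre-deployment check for a trimmed custom format string, added here as an example (not part of the add-on or of McAfee NSP): it confirms that exactly one identifying field from the table above is present and that every pair uses balanced `$` or `"` delimiters. The function name `check_format` and the sample strings are hypothetical, and treating literal text such as the `Fault :` prefix as allowed is an assumption based on the Fault format above.

```python
import re

# Identifying field per event type, taken from the table on this page:
# extraction key -> (event type, NSP log field).
IDENTIFYING = {
    "alert_type": ("Alert/Attack", "IV_ALERT_TYPE"),
    "audit_action": ("Audit", "IV_AUDIT_ACTION"),
    "fault_name": ("Fault", "IV_FAULT_NAME"),
    "acl_action": ("Firewall", "ACL_ACTION"),
}

# One well-formed pair: key=$VAR$ (10.7.65 and onwards) or key="VAR" (earlier).
PAIR = re.compile(r'(\w+)=(?:\$(\w+)\$|"(\w+)")')


def check_format(fmt):
    """Return (event_type, problems) for a custom format string."""
    problems = []
    pairs = [(key, dollar or quoted, "$" if dollar else '"')
             for key, dollar, quoted in PAIR.findall(fmt)]

    # Literal text such as the "Fault :" prefix is allowed (assumption); a
    # leftover token that still contains "=" has unbalanced delimiters.
    for token in PAIR.sub(" ", fmt).split():
        if "=" in token:
            problems.append("malformed pair: " + token)

    if len({style for _, _, style in pairs}) > 1:
        problems.append('mixed $ and " delimiters')

    found = [IDENTIFYING[key][0] for key, var, _ in pairs
             if key in IDENTIFYING and var == IDENTIFYING[key][1]]
    if len(found) != 1:
        problems.append("expected exactly one identifying field, found %d" % len(found))
        return None, problems
    return found[0], problems


# Constructed sample inputs, shortened from the formats on this page.
SAMPLES = {
    "audit": "audit_action=$IV_AUDIT_ACTION$ user=$IV_AUDIT_USER$",
    "fault": "Fault : dvc=$IV_DEVICE_NAME$ fault_name=$IV_FAULT_NAME$",
    "no_id": "src_ip=$SOURCE_IP$ dest_ip=$DESTINATION_IP$",
    "unbalanced": 'alert_type="IV_ALERT_TYPE" action_status=IV_MCAFEE_NAC_ACTION_STATUS"',
}

if __name__ == "__main__":
    for name, fmt in SAMPLES.items():
        print(name, check_format(fmt))
```

A format that drops its identifying field leaves the event type undetermined, so a check like this is worth running on any format that was shortened to fit the input length limit.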


Format specifications for event types for the Splunk Add-on for McAfee NSP

McAfee Network Security Platform Manager provides a highly configurable message format. Users can include or exclude various event fields so as to extract information as needed. The Add-on supports the KV pair format and extracts related information in the specified format. Events must be generated in the key="value" format.

The best practice is to copy the entire log format given below which has all the security and CIM relevant fields:

Audit Event Format

audit_action="IV_AUDIT_ACTION" audit_result="IV_AUDIT_RESULT" audit_time="IV_AUDIT_TIME" user="IV_AUDIT_USER" category="IV_AUDIT_CATEGORY" audit_domain="IV_AUDIT_DOMAIN" detail_comment="IV_AUDIT_DETAIL_COMMENT" detail_delta="IV_AUDIT_DETAIL_DELTA"

Alert/Attack Event Format

admin_domain="IV_ADMIN_DOMAIN" alert_id="IV_ALERT_ID" alert_type="IV_ALERT_TYPE" app_protocol="IV_APPLICATION_PROTOCOL" confidence="IV_ATTACK_CONFIDENCE" attack_count="IV_ATTACK_COUNT" attack_id="IV_ATTACK_ID" attack_name="IV_ATTACK_NAME" severity="IV_ATTACK_SEVERITY" alert_signature="IV_ATTACK_SIGNATURE" attack_time="IV_ATTACK_TIME" category="IV_CATEGORY" dest_ip="IV_DESTINATION_IP" dest_name="IV_DESTINATION_NAME" dest_port="IV_DESTINATION_PORT" device_name="IV_DEVICE_NAME" direction="IV_DIRECTION" confidence="IV_MALWARE_CONFIDENCE" file_name="IV_MALWARE_FILE_NAME" file_hash="IV_MALWARE_FILE_MD5_HASH" file_type="IV_MALWARE_FILE_TYPE" virus_name="IV_MALWARE_VIRUS_NAME" action_status="IV_MCAFEE_NAC_ACTION_STATUS" error_status="IV_MCAFEE_NAC_ERROR_STATUS" protocol="IV_NETWORK_PROTOCOL" result="IV_RESULT_STATUS" src_ip="IV_SOURCE_IP" src_name="IV_SOURCE_NAME" src_port="IV_SOURCE_PORT"

Fault Event Format

Fault : dvc="IV_DEVICE_NAME" description="IV_DESCRIPTION" ack_information="IV_ACK_INFORMATION" additional_text="IV_ADDITIONAL_TEXT" admin_domain="IV_ADMIN_DOMAIN" fault_component="IV_FAULT_COMPONENT" fault_level="IV_FAULT_LEVEL" fault_name="IV_FAULT_NAME" fault_source="IV_FAULT_SOURCE" fault_time="IV_FAULT_TIME" fault_type="IV_FAULT_TYPE" member_device="IV_MEMBER_DEVICE_NAME" owner_id="IV_OWNER_ID" recommended_action="IV_RECOMMENDED_ACTION" severity="IV_SEVERITY"

Firewall Event Format

acl_action="ACL_ACTION" description="ACL_DESCRIPTION" policy="ACL_POLICY" rule_id="ACL_RULE_NUMBER" admin_domain="ADMIN_DOMAINS" alert_count="ALERT_COUNT" direction="ALERT_DIRECTION" duration="ALERT_DURATION" application="APPLICATION" app="APPLICATION_PROTOCOL" dest_country="DESTINATION_COUNTRY" dest_hostname="DESTINATION_HOSTNAME" dest_ip="DESTINATION_IP" dest_port="DESTINATION_PORT" interface="INTERFACE" acl_protocol="NETWORK_PROTOCOL" sensor_name="SENSOR_NAME" src_country="SOURCE_COUNTRY" src_host="SOURCE_HOSTNAME" src_ip="SOURCE_IP" src_port="SOURCE_PORT" user="USER_NAME"

This is a configurable key-value log format for all the sources that enables users to add/remove relevant fields in their log message. However, for each type of event, the source will be identified by a specific field which users must add in their custom log format. Also keep in mind that McAfee has a maximum length limit for the format input, even though this doesn't impact the overall length of the log message.

Types of Events | Log field | Field name for extraction
Alert/Attack logs | IV_ALERT_TYPE | alert_type
Audit logs | IV_AUDIT_ACTION | audit_action
Fault logs | IV_FAULT_NAME | fault_name
Firewall logs | ACL_ACTION | acl_action
Last modified on 11 May, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released

