McAfee MAP-3300-SWG Product Guide - Page 272
Extended Syslog attributes for Splunk, Table 271
Overview of System features
Logging, Alerting and SNMP

Table 271 Email and Web Security Appliance v5.6 Connector Field Mappings (continued)

ArcSight Event Data Field: McAfee-Specific Event Definition

cs1Label: The definition of this field depends on the value of the field 'cs5':
    If cs5 is 'AV' or 'PA' or 'PU': 'virus-names'
    If cs5 is 'AS': 'spam-rules-broken'
    If cs5 is 'DL': 'dlpfile'
    If cs5 is 'FF': 'content-rules'
    If cs5 is 'PX': 'content-rules'

cs2: The definition of this field depends on the value of the field 'cs5':
    If cs5 is 'AV' or 'PA' or 'PU': The version of the Anti-Virus engine
    If cs5 is 'AS': The spam score
    If cs5 is 'DL': The DLP categories that triggered
    If cs5 is 'PX': The terms that caused the content filter event

cs2Label: The definition of this field depends on the value of the field 'cs5':
    If cs5 is 'AV' or 'PA' or 'PU': 'av-engine-version'
    If cs5 is 'AS': 'spam-score'
    If cs5 is 'DL': 'dlp-rules'
    If cs5 is 'PX': 'compliance-terms'

cs3: The definition of this field depends on the value of the field 'cs5':
    If cs5 is 'AS': The threshold the message exceeded

cs3Label: The definition of this field depends on the value of the field 'cs5':
    If cs5 is 'AS': 'spam-threshold-score'

cs4: The attachments of the email (if available)
cs4Label: 'email-attachments'

cs5: For a detection event, the scanner which triggered the event:
    'AP' - Anti-Phish
    'AS' - Anti-Spam
    'AV' - Anti-Virus
    'DL' - Data Loss Prevention
    'FF' - File Filtering
    'MF' - Mail Filtering
    'MS' - Mail Size
    'PA' - Packer
    'PU' - Potentially Unwanted Program
    'PX' - Compliancy
    'SA' - SiteAdvisor
    'UF' - URL Filtering
cs5Label: 'master-scan-type'

cs6: The subject of the email
cs6Label: 'email-subject'

cn1: Indicates if the action taken is the main action defined for the event. 1 indicates primary action
cn1Label: 'is-primary-action'

cn2: The number of attachments in the email (if available)
cn2Label: 'num-email-attachments'

cn3: The number of recipients of the email
cn3Label: 'num-email-recipients'

Extended Syslog attributes for Splunk

Using the extended Syslog functions within the appliance, you can use external, third-party software, such as Splunk, to generate Syslog reports.

Table 272 Extended Syslog attributes for Splunk

Syslog entry: Time and Appliance Name
    Example: Dec 30 10:58:10 Appliance1

Syslog entry: app
    Notes: Protocol
    Example: Smtp

272 McAfee Email and Web Security Appliances 5.6.0 Product Guide
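Because the meaning of cs1, cs2 and cs3 in Table 271 changes with the scanner code in cs5, a consumer of these events has to resolve the labels per event. The following is an added example (not code from the product guide or from McAfee) that parses a CEF record, names the custom fields according to Table 271, and flags an event whose own csNLabel contradicts the table; the sample record and its values are constructed, and the CEF header fields in it are illustrative only.

```python
import re
# Scanner codes carried in cs5 ('master-scan-type'), from Table 271.
SCANNER_NAMES = {"AP": "Anti-Phish", "AS": "Anti-Spam", "AV": "Anti-Virus",
                 "DL": "Data Loss Prevention", "FF": "File Filtering", "MF": "Mail Filtering",
                 "MS": "Mail Size", "PA": "Packer", "PU": "Potentially Unwanted Program",
                 "PX": "Compliancy", "SA": "SiteAdvisor", "UF": "URL Filtering"}
# Labels whose meaning depends on cs5 (AV, PA and PU share one mapping), from Table 271.
_AV_LIKE = {"cs1Label": "virus-names", "cs2Label": "av-engine-version"}
CS5_DEPENDENT_LABELS = {
    "AV": _AV_LIKE, "PA": _AV_LIKE, "PU": _AV_LIKE,
    "AS": {"cs1Label": "spam-rules-broken", "cs2Label": "spam-score",
           "cs3Label": "spam-threshold-score"},
    "DL": {"cs1Label": "dlpfile", "cs2Label": "dlp-rules"},
    "FF": {"cs1Label": "content-rules"},
    "PX": {"cs1Label": "content-rules", "cs2Label": "compliance-terms"}}
# Labels that are the same whatever cs5 says.
FIXED_LABELS = {"cs4Label": "email-attachments", "cs5Label": "master-scan-type",
                "cs6Label": "email-subject", "cn1Label": "is-primary-action",
                "cn2Label": "num-email-attachments", "cn3Label": "num-email-recipients"}
# key=value pairs of the CEF extension; a value runs until the next ' key=' or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF record into its 7 header fields and a dict of extension keys."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)   # '\|' inside a field is escaped
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = {k: v.replace("\\=", "=") for k, v in _EXT_RE.findall(parts[7])}
    return parts[:7], ext

def resolve_custom_fields(ext):
    """Map cs*/cn* values to their Table 271 names; report labels that contradict cs5."""
    scan_type = ext.get("cs5")
    expected = dict(FIXED_LABELS)
    expected.update(CS5_DEPENDENT_LABELS.get(scan_type, {}))
    resolved, mismatches = {"scanner": SCANNER_NAMES.get(scan_type, "unknown")}, []
    for label_key, label in expected.items():
        field_key = label_key[:-len("Label")]           # 'cs2Label' -> 'cs2'
        if field_key not in ext:
            continue
        if ext.get(label_key, label) != label:          # the event's own label disagrees
            mismatches.append((label_key, ext[label_key], label))
        resolved[label] = ext[field_key]
    return resolved, mismatches

# Constructed sample record (not captured from an appliance); header values are illustrative.
SAMPLE = ("CEF:0|McAfee|Email and Web Security Appliance|5.6|100|Spam detected|5|"
          "cs5=AS cs5Label=master-scan-type cs1=RULE_A,RULE_B cs1Label=spam-rules-broken "
          "cs2=7.4 cs2Label=spam-score cs3=5.0 cs3Label=spam-threshold-score cs6=Win a prize "
          "cs6Label=email-subject cn1=1 cn1Label=is-primary-action cn3=2 cn3Label=num-email-recipients")
```

A non-empty mismatch list is worth alerting on in a SIEM pipeline, since it means a field would otherwise be indexed under the wrong name.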