thepip3r
Level 7

HIPS Event.Log Format - Explanations?

7 1439772284 1.2.3.4   2048 17 1.2.3.255 138 1.2.3.4 138 1 0 4 SYSTEM Block All Traffic

9 1446769315 127.0.0.1  0 0 2 3905 2 0 1 2015-11-06 09:21:54 Files Domain\User  C:\WINDOWS\SYSTEM32\DLLHOST.EXE

6 1446806847 1.2.3.5  0 4 3  2015-11-06 10:47:27  6 1.2.3.5 88 1.2.3.5 32617 1 0 3700

...So I'm looking to be able to tune my policies by auditing my clients' log files to ensure that my policies aren't blocking unintended things.  It appears that the HIPS, Activity Log is a formatted version of the %ProgramData%\McAfee\Host Intrusion Prevention\Event.log but I'm having a really hard time translating what means what from the GUI to the log.

In researching this prior to this post, it seems like this log changes format quite often.  I've seen posts referencing that there is binary/hex data in the log -- which I see none of in my log. I believe I also have two different versions of entries in my own log.  If you look at the output above, the first line and the last two lines are either in two different formats, or the client simply logs information differently based on the event fired.

So my question is this:  What does each column mean, and do you have the enumerations somewhere so that I can map each column's value back to a translated value that actually has meaning (similar to the 'Export' button on the interface)?  OR... is there a switch on a binary that will perform the 'Export' function via command line, so that I don't have to do all the translations manually?

Thanks!

1 Reply
McAfee Employee

Re: HIPS Event.Log Format - Explanations?

thepip3r wrote:
    ...I'm having a really hard time translating what means what from the GUI to the log.

KB84471 - How to use the Host Intrusion Prevention ClientControl tool to convert event.log to a readable log file

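The tool in KB84471 is the supported way to decode Event.log, and nothing in this thread gives a column map for the raw file. What follows is an added example, not from the original poster or from McAfee, that does the one thing that can be done without a column map: split the three lines quoted above (embedded here as constructed sample input, placeholder addresses and all) into fields, decode the second field as a Unix epoch, and report per record type how many fields appear, which tokens are IPv4 addresses or drive-letter paths, and whether the epoch agrees with the "YYYY-MM-DD HH:MM:SS" pair embedded in some records. Treating field 1 as a record type and field 2 as an epoch is an assumption drawn only from the sample lines (1446806847 is 2015-11-06 10:47:27 UTC, the same instant as the date written out later in that line); every other column is reported, not interpreted. Whether the real file is tab- or space-delimited is not stated in the post, so the parser splits on any run of whitespace, and a multi-word rule name such as "Block All Traffic" therefore comes back as several tokens.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the three Event.log lines quoted in the post.
# Raw string so the backslashes in the Windows path survive as written.
SAMPLE_LOG = r"""
7 1439772284 1.2.3.4   2048 17 1.2.3.255 138 1.2.3.4 138 1 0 4 SYSTEM Block All Traffic
9 1446769315 127.0.0.1  0 0 2 3905 2 0 1 2015-11-06 09:21:54 Files Domain\User  C:\WINDOWS\SYSTEM32\DLLHOST.EXE
6 1446806847 1.2.3.5  0 4 3  2015-11-06 10:47:27  6 1.2.3.5 88 1.2.3.5 32617 1 0 3700
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINPATH = re.compile(r"^[A-Za-z]:\\")       # drive-letter paths only; "Domain\User" is not one
EPOCH = re.compile(r"^\d{9,10}$")
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def parse_line(line):
    """Split one Event.log line into a record.

    Assumed (from the sample only): field 1 is a record type (7, 9, 6 in the
    post) and field 2 is a Unix epoch. All other fields are kept raw.
    """
    fields = line.split()
    if len(fields) < 2 or not EPOCH.match(fields[1]):
        raise ValueError(f"unrecognised line: {line!r}")

    # Some records carry a human-readable date/time pair; pick it up if present.
    embedded = None
    for i in range(2, len(fields) - 1):
        if DATE.match(fields[i]) and TIME.match(fields[i + 1]):
            embedded = datetime.strptime(f"{fields[i]} {fields[i + 1]}", "%Y-%m-%d %H:%M:%S")
            break

    return {
        "type": int(fields[0]),
        "time_utc": datetime.fromtimestamp(int(fields[1]), tz=timezone.utc),
        "embedded_time": embedded,            # naive; the file gives no timezone
        "nfields": len(fields),
        "ips": [f for f in fields[2:] if IPV4.match(f)],
        "paths": [f for f in fields[2:] if WINPATH.match(f)],
        "raw": fields,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def epoch_vs_embedded(rec):
    """Seconds between the embedded timestamp and the epoch, or None when the
    record has no embedded timestamp. A non-zero value means the two clocks in
    the same record disagree (e.g. local vs. UTC), which matters when you
    correlate Event.log against the GUI Activity Log."""
    if rec["embedded_time"] is None:
        return None
    return int((rec["embedded_time"] - rec["time_utc"].replace(tzinfo=None)).total_seconds())


def layouts_by_type(records):
    """Map record type -> set of field counts seen. More than one count for a
    type means the layout varies within that type (or a multi-word field was
    split), which is the first thing to settle before drafting a column map."""
    out = {}
    for r in records:
        out.setdefault(r["type"], set()).add(r["nfields"])
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"type={r['type']} {r['time_utc']:%Y-%m-%d %H:%M:%S}Z fields={r['nfields']} "
              f"ips={r['ips']} paths={r['paths']} epoch-vs-embedded={epoch_vs_embedded(r)}")
    print("layouts:", layouts_by_type(recs))
```

Run it against a copy of %ProgramData%\McAfee\Host Intrusion Prevention\Event.log instead of SAMPLE_LOG once the real delimiter is known; if the file is tab-delimited, change `line.split()` to `line.split("\t")` so that rule names and user names stay whole. On the three sample lines the epoch and the embedded timestamp coincide in the type 6 record but differ by 32399 seconds in the type 9 record, so the two should not be assumed interchangeable when matching against the GUI.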