7 1439772284 22.214.171.124 2048 17 126.96.36.199 138 188.8.131.52 138 1 0 4 SYSTEM Block All Traffic
9 1446769315 127.0.0.1 0 0 2 3905 2 0 1 2015-11-06 09:21:54 Files Domain\User C:\WINDOWS\SYSTEM32\DLLHOST.EXE
6 1446806847 184.108.40.206 0 4 3 2015-11-06 10:47:27 6 220.127.116.11 88 18.104.22.168 32617 1 0 3700
...So I'm looking to be able to tune my policies by auditing my clients' log files to ensure that my policies aren't blocking unintended things. It appears that the HIPS, Activity Log is a formatted version of the %ProgramData%\McAfee\Host Intrusion Prevention\Event.log but I'm having a really hard time translating what means what from the GUI to the log.
In researching this prior to this post, it seems like this log changes format quite often. I've seen posts referencing that there is binary/hex data in the log -- which I see none of in my log. I believe I also have two different versions of entries in my own log as well. If you look at the output above, the first line and the last two lines are either in two different formats or the client simply logs information differently based on the event fired.
So my question is this: What does each column mean and do you have the enumerations somewhere that I can map each column's value back to a translated value that actually has meaning (similar to the 'Export' button on the interface). OR... is there a way switch on a binary that will perform the 'Export' function via command-line so that I don't have to do all the translations manually?
...I'm having a really hard time translating what means what from the GUI to the log.
KB84471 - How to use the Host Intrusion Prevention ClientControl tool to convert event.log to a readable log file