I have my correct policy configured to send in the right format to splunk.
I have my rsyslog.conf configuration for remote logging to be:
I receive all my correct "virus found" logs. However, I'm receiving some extra junk I don't want to get ingested by Splunk. Mostly some systemd stuff, that still comes through as the same sourcetype "mcafee_foundviruses". For example, "HOSTNAME systemd: Started cleanup up temporary directories". I've tried adjusting my logging level, but it ends up stopping my found viruses logs from coming through. Any idea how to get rid of the other stuff and only have my virus logs come through?
Your setup sends all daemon.info messages to Syslog, which is mostly the logs generated by the Web Gateway, but there is no filter specific for the Web Gateway, so other messages matching the facility/priority are also sent via Syslog to the remote server.
If there is no way to simply ignore those messages on the receiver you could think about changing the rsyslog.conf to something like this:
if $programname == 'mwg' and $msg contains 'LEEF:1.0|' then @@ipaddress:port
This is for the "LEEF" format, so it is checked whether the log line contains the string "LEEF:1.0|". Check if you find a common string which you can use. Alternatively you can change the log file and add one (e.g. make the log line start with FOUND_VIRUS|), so you can make sure only these specific matching lines are given to the remote server.
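A fuller rsyslog fragment along the lines of that answer, added here as an example (it is not the poster's or the product's own configuration); the collector host and port, the drop-in file name and the program tag "mwg" are assumptions you need to check against your own system:

```conf
# Added example, not from the original thread. Assumed placeholders:
# "splunk.example.com" / port 514 (replace with the real collector) and the
# syslog tag "mwg" used by the Web Gateway (the text before the colon in
# /var/log/messages, e.g. "HOSTNAME mwg: ..."). Save as e.g.
# /etc/rsyslog.d/10-mwg-forward.conf.
#
# Also REMOVE the broad "daemon.info @@ipaddress:port" line from rsyslog.conf,
# otherwise systemd and every other daemon.info message still reaches Splunk
# under the same sourcetype.

# Forward only Web Gateway lines that carry the LEEF header ...
if ($programname == 'mwg' and $msg contains 'LEEF:1.0|') then {
    action(type="omfwd" target="splunk.example.com" port="514" protocol="tcp")
    # matched lines are done; a later catch-all rule must not send them twice
    stop
}

# ... or, if the log format was changed to tag virus hits, match that marker.
# "contains" rather than "startswith": rsyslog keeps the leading space after
# "tag:" in $msg, so a startswith test on the marker would silently never match.
if ($programname == 'mwg' and $msg contains 'FOUND_VIRUS|') then {
    action(type="omfwd" target="splunk.example.com" port="514" protocol="tcp")
    stop
}

# Everything else, the systemd "Started Cleanup of Temporary Directories"
# noise included, falls through to the normal local rules and is never forwarded.
```

After editing, run `rsyslogd -N1` to syntax-check the configuration before restarting the service, and confirm with a test that the remote collector now only receives lines carrying the marker.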