1 Reply Latest reply on Nov 16, 2015 1:03 PM by Kary Tankink

    HIPS Event.Log Format - Explanations?

    thepip3r

      7 1439772284 1.2.3.4   2048 17 1.2.3.255 138 1.2.3.4 138 1 0 4 SYSTEM Block All Traffic

      9 1446769315 127.0.0.1  0 0 2 3905 2 0 1 2015-11-06 09:21:54 Files Domain\User  C:\WINDOWS\SYSTEM32\DLLHOST.EXE

      6 1446806847 1.2.3.5  0 4 3  2015-11-06 10:47:27  6 1.2.3.5 88 1.2.3.5 32617 1 0 3700

       

...So I'm looking to be able to tune my policies by auditing my clients' log files to ensure that my policies aren't blocking unintended things.  It appears that the HIPS Activity Log is a formatted version of the %ProgramData%\McAfee\Host Intrusion Prevention\Event.log, but I'm having a really hard time translating what means what from the GUI to the log.

       

      In researching this prior to this post, it seems like this log changes format quite often.  I've seen posts referencing that there is binary/hex data in the log -- which I see none of in my log. I believe I also have two different versions of entries in my own log as well.  If you look at the output above, the first line and the last two lines are either in two different formats or the client simply logs information differently based on the event fired.

       

So my question is this:  What does each column mean, and do you have the enumerations somewhere that I can map each column's value back to a translated value that actually has meaning (similar to the 'Export' button on the interface)?  OR... is there a switch on a binary that will perform the 'Export' function via command-line so that I don't have to do all the translations manually?

       

      Thanks!
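An added example, not part of the original post and not McAfee's own tooling, of the kind of helper that makes the column-mapping exercise tractable before the enumerations are known. It tokenizes each Event.log record, groups records by the first field (assumed here to be an event-type code, since the three sample lines differ in layout by that value), decodes the second field as a Unix epoch timestamp (an assumption; the third sample line's epoch matches its inline "2015-11-06 10:47:27" exactly, the second line's does not), locates the inline date/time pair where one exists, and reports the offset between the two so that the relationship can be checked against the GUI export. The sample records are the three lines from the post above, with the IP addresses as sanitised there.

```python
"""Tokenize McAfee HIPS Event.log records into positional columns for manual mapping.

Column meanings are not known here. Assumptions (to be confirmed against the
HIPS GUI 'Export' output): field 0 is an event-type code that determines the
layout of the rest of the record, and field 1 is a Unix epoch timestamp.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Sample records copied from the forum post (IP addresses sanitised as in the post).
SAMPLE_LOG = r"""
7 1439772284 1.2.3.4   2048 17 1.2.3.255 138 1.2.3.4 138 1 0 4 SYSTEM Block All Traffic
9 1446769315 127.0.0.1  0 0 2 3905 2 0 1 2015-11-06 09:21:54 Files Domain\User  C:\WINDOWS\SYSTEM32\DLLHOST.EXE
6 1446806847 1.2.3.5  0 4 3  2015-11-06 10:47:27  6 1.2.3.5 88 1.2.3.5 32617 1 0 3700
"""


def parse_record(line):
    """Return (event_type, epoch, tokens) for one record.

    Field separators are runs of whitespace, so free-text trailing fields such as a
    rule name ("Block All Traffic") come back as several tokens; the caller has to
    decide where such a field starts once the layout for that event type is known.
    """
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError("record too short: %r" % line)
    return int(tokens[0]), int(tokens[1]), tokens


def epoch_to_utc(epoch):
    """Decode the assumed epoch field as a UTC wall-clock string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def group_by_type(text):
    """Group tokenized records by their first field, skipping blank lines."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            event_type, _, tokens = parse_record(line)
            groups[event_type].append(tokens)
    return dict(groups)


def find_inline_timestamp(tokens):
    """Index of a 'YYYY-MM-DD' token that is followed by an 'HH:MM:SS' token, or None."""
    for i in range(len(tokens) - 1):
        date, clock = tokens[i], tokens[i + 1]
        if len(date) == 10 and date[4] == "-" and date[7] == "-" and clock.count(":") == 2:
            return i
    return None


def inline_vs_epoch_offset(tokens):
    """Seconds by which the inline timestamp (read as UTC) leads the epoch field.

    0 means the two agree; a non-zero value suggests a timezone difference or that
    the two fields record different moments (e.g. event time vs. log-write time).
    Returns None when the record carries no inline timestamp.
    """
    i = find_inline_timestamp(tokens)
    if i is None:
        return None
    inline = datetime.strptime(tokens[i] + " " + tokens[i + 1], "%Y-%m-%d %H:%M:%S")
    inline = inline.replace(tzinfo=timezone.utc)
    return int(inline.timestamp()) - int(tokens[1])


def column_table(records):
    """For the records of one event type, list the distinct values seen per column.

    Columns that stay constant across many records are candidates for enumerations
    or flags; columns that vary carry per-event data (addresses, ports, paths).
    """
    width = max(len(r) for r in records)
    return [(i, sorted({r[i] for r in records if i < len(r)})) for i in range(width)]


if __name__ == "__main__":
    for event_type, records in sorted(group_by_type(SAMPLE_LOG).items()):
        print("event type %d: %d record(s)" % (event_type, len(records)))
        for tokens in records:
            print("  epoch %s -> %s, inline offset %s s"
                  % (tokens[1], epoch_to_utc(int(tokens[1])), inline_vs_epoch_offset(tokens)))
        for index, values in column_table(records):
            print("  col %2d: %s" % (index, " | ".join(values)))
```

Run it over a real Event.log in place of SAMPLE_LOG and diff the per-type column tables against the rows of the GUI export for the same time window; the constant columns are the ones to look up once the enumerations are available.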