I have a McAfee Firewall Appliance log (Sidewinder for those of us familiar with the tool) that comes to Splunk by way of syslog and I'm trying to extract k/v from the log. Here's an example:
2013-07-19T12:31:41-04:00 Firewall_host auditd: 2013-07-19 16:31:41 +0000 f_ntp_daemon a_server t_netprobe p_major pid: 24912 logid: 0 cmd: 'ntpd' hostname: Firewall_host.fq.dn event: probe attempt srcip: 0.0.0.0 srcport: 123 srczone: internal protocol: 17 dstip: 0.0.0.0 dstport: 123 attackip: 0.0.0.0 attackzone: internal reason: Received a connection attempt destined for a service that the current policy does not support.
I can't figure out what to use as the pairdelim and kvdelim values. I've tried pairdelim=" ", kvdelim=":"; pairdelim="p_major ", kvdelim=":"; pairdelim="p_major\s", kvdelim=":\s" -- and every variation in between. Usually I'll place a '| table, srcip' on the end to see if it extracts the fields, but no such luck.
-Josh
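The reason a simple pairdelim/kvdelim split keeps failing on this record is that the values themselves contain spaces ("probe attempt", the whole "reason:" sentence), so a space cannot be the pair delimiter; the pairs are only recognisable by the pattern "word followed by a colon and a space", and each value runs until the next such key. The parser below, added here as an illustration and not part of the original post or of McAfee/Splunk tooling, shows that approach in Python on a constructed copy of the sample line: it peels off the syslog and auditd header first (so that "auditd:" is not mistaken for a key) and then uses a lazy match with a lookahead to cut each value at the next key. The header field names (facility, area, type, severity) are my own labels for the f_/a_/t_/p_ tokens and are an assumption about their meaning.

```python
import re

# Constructed sample, laid out like the Sidewinder auditd line in the post.
SAMPLE = (
    "2013-07-19T12:31:41-04:00 Firewall_host auditd: 2013-07-19 16:31:41 +0000 "
    "f_ntp_daemon a_server t_netprobe p_major pid: 24912 logid: 0 cmd: 'ntpd' "
    "hostname: Firewall_host.fq.dn event: probe attempt srcip: 0.0.0.0 srcport: 123 "
    "srczone: internal protocol: 17 dstip: 0.0.0.0 dstport: 123 attackip: 0.0.0.0 "
    "attackzone: internal reason: Received a connection attempt destined for a service "
    "that the current policy does not support."
)

# Syslog prefix, then the auditd timestamp and the four positional tokens.
# The names facility/area/type/severity are assumed labels for f_/a_/t_/p_.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\S+) (?P<syslog_host>\S+) auditd: "
    r"(?P<audit_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
    r"(?P<facility>f_\w+) (?P<area>a_\w+) (?P<type>t_\w+) (?P<severity>p_\w+) "
    r"(?P<body>.*)$"
)

# A key is a run of word characters followed by ": ".  The value is matched
# lazily and stops at the next " key: " or at end of line, so values that
# contain spaces (event, reason) survive intact.
KV_RE = re.compile(r"(?P<key>\w+): (?P<value>.*?)(?= \w+: |$)")


def parse_sidewinder_audit(line):
    """Return a dict of header fields plus every key/value pair in the body.

    Raises ValueError for a line that does not carry the expected header,
    so a collector can count/route unparsed records instead of silently
    producing empty fields.
    """
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a Sidewinder auditd line")
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for kv in KV_RE.finditer(m.group("body")):
        # cmd: 'ntpd' is quoted in the source; strip the quotes for comparison.
        fields[kv.group("key")] = kv.group("value").strip("'")
    return fields


def probe_summary(fields):
    """Pull out the tuple a detection rule would key on for netprobe events."""
    return (
        fields.get("type"),
        fields.get("srcip"),
        fields.get("dstip"),
        fields.get("dstport"),
        fields.get("protocol"),
    )


if __name__ == "__main__":
    parsed = parse_sidewinder_audit(SAMPLE)
    for key, value in parsed.items():
        print(f"{key:12} = {value}")
    print("summary:", probe_summary(parsed))
```

The same idea carries over to SPL: rather than `extract` with delimiters, a `rex` extraction such as `rex field=_raw "srcip: (?<srcip>\S+)"` pulls a single field, and the lookahead pattern above is what a multi-field `rex` would need to handle the space-containing values.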