# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This file looks for McAfee EPO logs
filter {
  if [type] == "mcafee" {
    # NXLog should be sending the logs in JSON format so they auto parse
    json {
      source => "message"
    }
	# This section converts the UTC fields to the proper time format
    date {
      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
      target => [ "ReceivedUTC" ]
    }
    date {
      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
      target => [ "DetectedUTC" ]
    }
	mutate {
		#add_tag => [ "conf_file_1032"]
	}
  }
}