Browse to System, Logging, Alerting and SNMP, System Log Settings.
Click to enable System Log Events.
Select Splunk as the Logging Format.
Enable the Event Types to be sent to Splunk.
Expand Off-box system log.
Enter the IP address of the Splunk server.
For redundancy, multiple Splunk IP addresses can be configured.
Note! TCP port 514 is used automatically. Splunk does not listen on this port by default, so a TCP data input on port 514 must exist on each Splunk server, and the events are sent in the clear.
In this example, if 172.16.0.220 happens to be offline, 172.16.0.222 receives the traffic until 172.16.0.220 comes back online, at which point both Splunk servers receive traffic.
MEG normally caches up to 100 MB of events while the remote syslog server is offline.
Download McAfeeEWSReporter.ZIP from KB71152 as above.
Extract McAfeeEWSReporter.ZIP to a temporary directory; this yields McAfeeEWSReporter.tar.gz.
Install the app in Splunk: after logging in, click Manage Apps.
Click Install app from the menu.
Click Choose file and browse to the McAfeeEWSReporter.tar.gz extracted to the temporary directory.
Tick Upgrade app and click Upload. Checking this option overwrites the app if it already exists.
Once the appliance has sent enough traffic to Splunk, the dashboards can be filtered.
From the Splunk home page, click Dashboard for McAfee Email and Web Security, then select EWS Main Dashboard.
Items from MEG 7.6 are now visible in the dashboard.
Each bar chart in Splunk can be clicked to reveal more information. In our example we clicked a few for Compliancy, which shows the graymail tests that were blocked. Note! Some newer features added in MEG 7.x are not known to the EWS App for Splunk and show up as NULL.
File Format Blocking:
Eicar.com Test Virus:
To verify that traffic is being sent to Splunk:
Syslog traffic sent from MEG to Splunk can be verified with a network capture taken on MEG under Troubleshoot, Reports, Capture Network Traffic.
Ensure everything is selected.
Let the capture run for 3 minutes, then save it from the appliance.
Open the downloaded file, in our case traffic_17-03-2014_165910.tar.gz, using your favorite compression utility.
Open the eth0-000.cap file in Wireshark.
Filter for tcp.port == 514 to verify that packets are being sent. A working feed shows the TCP handshake followed by data packets from the MEG address to the Splunk server on port 514; SYN packets with no reply mean nothing is listening on 514 on the Splunk side or a firewall is in the path.
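The same tcp.port == 514 check can be scripted when Wireshark is not at hand, for example to spot-check the eth0-000.cap from several appliances. The following is an added example, not McAfee or Splunk code: it parses a classic pcap file directly (pcapng is not handled) and counts TCP packets to or from port 514 per source/destination pair, which is enough to confirm that MEG is talking to the primary, the secondary, or both. The MEG address 172.16.0.10, the port numbers and the syslog payloads in the demo are constructed; only the Splunk addresses 172.16.0.220 and 172.16.0.222 come from the walkthrough.

```python
"""Count TCP/514 syslog packets in a classic pcap capture such as the
eth0-000.cap file from a MEG Capture Network Traffic bundle.
Added example; MEG address 172.16.0.10 and payloads are constructed."""
import socket
import struct
from collections import Counter

SYSLOG_PORT = 514


def tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame with zeroed checksums (the parser below
    does not validate them, and Wireshark does not by default either)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian, microsecond-resolution pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw Ethernet frames from a classic pcap file in either byte order."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected link type 1 (Ethernet)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_flows_on_port(pcap, port=SYSLOG_PORT):
    """Equivalent of the Wireshark filter tcp.port == 514: return a Counter of
    (src_ip, dst_ip) -> packet count for TCP packets to or from `port`."""
    flows = Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # not TCP
            continue
        ports = frame[14 + ihl:14 + ihl + 4]
        if len(ports) < 4:
            continue
        sport, dport = struct.unpack("!HH", ports)
        if port in (sport, dport):
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            flows[(src, dst)] += 1
    return flows


def flows_from_file(path, port=SYSLOG_PORT):
    """Run the check against a capture on disk, e.g. flows_from_file("eth0-000.cap")."""
    with open(path, "rb") as fh:
        return tcp_flows_on_port(fh.read(), port)


def demo():
    """Constructed capture: MEG at 172.16.0.10 (assumed) logs to both Splunk
    servers, one ACK comes back, and one HTTPS packet must be ignored."""
    meg, primary, secondary = "172.16.0.10", "172.16.0.220", "172.16.0.222"
    event = b"<14>constructed sample event\n"
    frames = [
        tcp_frame(meg, primary, 40001, 514, event),
        tcp_frame(meg, primary, 40001, 514, event),
        tcp_frame(primary, meg, 514, 40001),
        tcp_frame(meg, primary, 40001, 514, event),
        tcp_frame(meg, secondary, 40002, 514, event),
        tcp_frame(meg, "172.16.0.1", 40003, 443, b"not syslog"),
    ]
    return tcp_flows_on_port(build_pcap(frames))


if __name__ == "__main__":
    for (src, dst), n in sorted(demo().items()):
        print(f"{src} -> {dst}: {n} packet(s) on TCP/{SYSLOG_PORT}")
```

Replace demo() with flows_from_file("eth0-000.cap") to run it on a real capture. Packets counted only in the MEG-to-Splunk direction, with nothing coming back on port 514, are the scripted equivalent of unanswered SYNs in Wireshark.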