Some clients use Splunk to monitor the MEG appliances in their environment. We have been asked how to configure MEG 7.x to work with Splunk the way EWS 5.6 did.

The Splunk app has not yet been updated for MEG 7.x, but it still provides basic logging functionality as described in the KB article. This is especially helpful when managing multiple MEG appliances.

Please see:

https://kc.mcafee.com/corporate/index?page=content&id=KB71152

To configure Splunk logging on MEG 7.x:

Open the Appliance Management Console.

Browse to System, Logging, Alerting and SNMP, System Log Settings.

Click to enable System Log Events.

Select Splunk as the Logging Format.

Enable the event types to be sent to Splunk.

Expand Off-box system log.

Enter the IP address of the Splunk server.

For redundancy, multiple Splunk IPs can also be configured.

Note! TCP port 514 is used automatically.

Example below:

[Screenshot: Capture.JPG]

In this example, if 172.16.0.220 happens to be offline, then 172.16.0.222 receives the traffic until 172.16.0.220 comes back online, at which point both Splunk servers receive traffic.

MEG normally caches 100 MB of events while the remote syslog server is offline.

Download McAfeeEWSReporter.ZIP from KB71152, linked above.

Extract McAfeeEWSReporter.ZIP to a temporary directory; this produces McAfeeEWSReporter.tar.gz.

Install the app in Splunk: after logging in, click Manage Apps.

[Screenshot: Untitled.jpg]

Click Install app from the menu.

[Screenshot: Capture2.JPG]

Click Choose file and browse to the McAfeeEWSReporter.tar.gz that was extracted to the temporary directory.

[Screenshot: Capture3.JPG]

Click Upload, ensuring that Upgrade app is checked. Checking this will overwrite the app if it already exists.

Once the appliance has sent enough traffic to Splunk, we should be able to filter on the dashboards.

From the Splunk home page, click Dashboard for McAfee Email and Web Security, then select EWS Main Dashboard.

[Screenshot: Capture4.JPG]

We can now see items in the Dashboard from MEG 7.6.

[Screenshot: Capture5.JPG]

Each bar chart in Splunk can be clicked to reveal more information. In our example we clicked on a few for Compliancy, which shows the graymail tests that were blocked. Note! Some newer features added in MEG 7.x are not available in the EWS app for Splunk and will show up as NULL.

Graymail:

[Screenshot: Capture6.JPG]

File Format Blocking:

[Screenshot: Capture7.JPG]

Eicar.com Test Virus:

[Screenshot: Capture8.JPG]

To verify that traffic is being sent to Splunk:

Syslog traffic sent from MEG to Splunk can be verified with a network capture taken on the MEG appliance under Troubleshoot, Reports, Capture Network Traffic.

Ensure everything is selected.

Let the capture run for 3 minutes, then save it from the appliance.

Open the downloaded file (in our case traffic_17-03-2014_165910.tar.gz) using your favorite compression utility.

Open the eth0-000.cap file using Wireshark.

Filter for tcp.port == 514 to verify that packets are being sent.

[Screenshot: Capture9.JPG]

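The same check can be scripted so it can be run on many captures without opening Wireshark. This is an added example, not code from the original post or from McAfee or Splunk: it reads a classic pcap such as eth0-000.cap and counts the TCP segments sent to port 514 per destination IP, which shows which of the configured Splunk servers (172.16.0.220 and 172.16.0.222 above) actually received syslog traffic. The sample capture is constructed in code, and the appliance source address 172.16.0.10 is an assumed value.

```python
import struct
from collections import Counter

SYSLOG_PORT = 514  # MEG sends the off-box system log over TCP 514

def count_syslog_segments(pcap_bytes, port=SYSLOG_PORT):
    """Offline equivalent of the Wireshark filter tcp.port == 514 on a
    classic pcap such as eth0-000.cap: returns {destination IP: number of
    TCP segments sent to `port`}, i.e. which Splunk server(s) got traffic."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian pcap header
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian pcap header
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected an Ethernet capture (link type 1)")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4   # IPv4 header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                   # not TCP, or truncated by snaplen
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        if dport == port:
            hits[".".join(str(b) for b in frame[30:34])] += 1
    return dict(hits)

def build_sample_pcap(segments, src=(172, 16, 0, 10)):
    """Constructed test capture (not real appliance data): one minimal
    Ethernet/IPv4/TCP frame per (dst_ip, dport) pair; checksums left zero."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst_ip, dport in segments:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(src), bytes(int(o) for o in dst_ip.split(".")))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap(
        [("172.16.0.220", 514), ("172.16.0.220", 514), ("172.16.0.222", 514), ("10.0.0.1", 443)])
    print(count_syslog_segments(data))  # {'172.16.0.220': 2, '172.16.0.222': 1}
```

Run it as `python check_syslog.py eth0-000.cap`; an empty result means no segments to port 514 were captured, and a count against only the secondary server indicates the primary was offline during the capture.
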
Thanks,

John