CEF Syslog

Created on: Feb 22, 2013 12:48 PM by cnewman - Last Modified:  Feb 22, 2013 1:17 PM by cnewman

A CEF log format (for use with ArcSight), forwarded over syslog.


The first step in configuring the MWG data source is enabling syslog forwarding from the Web Gateway and making sure it is configured to match the required format.



1. Log into the MWG console.

2. Under the Configuration / File Editor tab, make the edits shown below to the file rsyslog.conf. If you have multiple MWG appliances configured in a clustered deployment, you will need to make these changes on each cluster member.


To support remote syslog, the file /etc/rsyslog.conf needs to be modified so that the correct events are sent to the Receiver, and so that McAfee Web Gateway events are not also written to /var/log/messages, where they would duplicate data already present in the access.log logfile.



Modified rsyslog.conf


# default parameters
$DirCreateMode 0755
$FileCreateMode 0640
$FileGroup adm
$umask 0026

# Include config files in /etc/rsyslog.d
$IncludeConfig /etc/rsyslog.d/*.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!

# The below will direct all messages to the
# remote syslog server at [IP_OF_EVENT_RECEIVER]
# add @@ for TCP syslog @[IP_OF_EVENT_RECEIVER]
*.info;daemon.!=info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


3. Click Save Changes to save the changes to rsyslog.conf. This also restarts the MWG rsyslogd daemon.



Next, import the attached ruleset.


1. Go to Policy -> Log Handler -> Default

2. Choose Add New, from file

3. Refer to the existing engine setting


At this point, data should flow into ArcSight.
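As an added example (not from the original post, McAfee or ArcSight), the following Python parses a syslog-wrapped CEF line the way a receiver must: it checks that the line carries the seven pipe-delimited CEF header fields and decodes the escaped extension values, which is a quick way to confirm that what leaves the Web Gateway once the log handler ruleset is applied is well-formed before ArcSight sees it. The sample line, the vendor/product strings and every field value in it are constructed for this example.

```python
import re

# Constructed sample: one CEF event inside a BSD syslog header, as it would
# arrive at the receiver. Vendor, product, IDs and values are made up.
SAMPLE = ("<30>Feb 22 12:48:00 mwg01 mwg: CEF:0|McAfee|Web Gateway|7.1|302|"
          "URL Block \\| Policy|8|rt=1361533680000 src=10.0.0.5 dst=93.184.216.34 "
          "request=http://example.com/a\\=b msg=line one\\nline two")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# "key=" at the start or after whitespace; an escaped "\=" never starts a key.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')

def _split_unescaped(s, delim):
    """Split s on delim, keeping any backslash-escaped pair as literal text."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == delim:
            parts.append(''.join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append(''.join(cur))
    return parts

def _unescape(value, in_extension):
    # Header fields escape '|' and '\'; extension values escape '=', '\', CR and LF.
    table = {'\\': '\\'}
    table.update({'=': '=', 'n': '\n', 'r': '\r'} if in_extension else {'|': '|'})
    return re.sub(r'\\(.)', lambda m: table.get(m.group(1), m.group(0)), value)

def parse_cef(line):
    """Parse a syslog-wrapped CEF line into a dict; raise ValueError if malformed."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF: prefix in line')
    parts = _split_unescaped(line[start + 4:], '|')
    if len(parts) < 8:                     # seven header fields plus the extension
        raise ValueError('expected 7 header fields, got %d' % (len(parts) - 1))
    event = dict(zip(HEADER_FIELDS, (_unescape(p, False) for p in parts[:7])))
    ext = '|'.join(parts[7:])              # pipes inside the extension are literal
    keys = list(_KEY.finditer(ext))
    event['extension'] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event['extension'][m.group(1)] = _unescape(ext[m.end():end].strip(), True)
    return event
```

Run it against a few lines captured from the receiver (for example with tcpdump on port 514 or from the receiver's raw log) to catch missing header fields or unescaped pipes before they show up as dropped events in ArcSight.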

