A CEF log file format (for use with ArcSight) with syslog.
First step in configuring the MWG data source is enabling syslog data forwarding from the Web Gateway, and ensuring it is properly configured to match the format required.
1. Log into MWG console.
2. Under the Configuration / File Editor tab, make the edits indicated below to the file rsyslog.conf. If you have multiple MGW appliances configured in a clustered deployment, you will need to make these changes to each cluster member.
To support remote syslog, the file /etc/rsyslog.conf needs to be modified to ensure that the correct events are sent to the Receiver, and to ensure that the McAfee Web Gateway events are not written to the /var/log/messages logfile, duplicating the data already present in the access.log logfile.
# default parameters
# Include config files in /etc/rsyslog.d
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# The below will direct all daemon.info messages to the
# remote syslog server at [IP_OF_EVENT_RECEIVER]
# add @@ for TCP syslog
# The authpriv file has restricted access.
# Log all the mail messages in one place.
# Log cron stuff
# Everybody gets emergency messages
# Save news errors of level crit and higher in a special file.
# Save boot messages also to boot.log
3. Click the Save Changes to save the changes to rsyslog.conf. This will also restart the MWG rsyslogd daemon.
Next you need to import the attached ruleset.
1. Goto Policy -> Log Handler -> Default
2. Add New, from file
3. Refer to existing engine setting
At this point, data should flow into arcsight.