This process is more straightforward than it initially seems. Here is the step-by-step from for a freshly installed MWG.


1. Download the SIEM (Nitro) Integration rule set and untar it to a local directory.


2. Log into the MWG - https://MGW:4712.


3. Click the Configuration button at the top, then File Editor tab on the left. Expand the top level and click rsyslog.conf



4. Locate the line following line about midway through:


*.info;mail.none;authpriv.none;cron.none                /var/log/messages


Change it to:


*.info;daemon.!=info;mail.none;authpriv.none;cron.none     -/var/log/messages


Then add the following line below it:                                           @@<REC-IP>


5. Click Save Changes at the top right.


6. Then click the Policy button at the top and click Log Handler at the bottom left and highlight the Default rule set.




6. Click Add | Rule Set from Library


7. Click the Import from file button at the bottom and select the ruleset.xml downloaded in step 1. Click OK.


8. Check the Send to Syslog box and click the Save Changes button.




9. For the ESM, add your data source and roll out the policy.




And we have logs: