cancel
Showing results for 
Search instead for 
Did you mean: 

Content Security Reporter: Configuring log file pushing in McAfee Web Gateway (MWG)

Introduction

This document contains the steps needed to set up a McAfee Web Gateway log source in Content Security Reporter that will accept log files that are being pushed from Web Gateway.

Alternatively, it is possible to have Content Security Reporter collect logs from McAfee Web Gateway using the steps provided in https://kc.mcafee.com/corporate/index?page=content&id=KB77478.

 

Configuring McAfee Web Gateway

To properly configure McAfee Web Gateway for reporting purposes follow these steps.

 

1. Logon to the Web Gateway admin user interface and navigate to:

Policy > Settings > Engines > File System Logging > Access Log Configuration. Expand "Settings for Rotation, Pushing, and Deletion".

 

NOTE:  DO NOT CONFIGURE log pushing from the Configuration >  [[Appliance Name]] > Log File Manager section as this will result in unwanted logs getting sent to Web Reporter.  See Troubleshooting section below.

 

2. Under Auto Pushing select the "Enable auto pushing" check box and configure the URL to Content Security Reporter.

 

3. In the "Destination" field enter the Content Security Reporter log processing URL. For example, ftp://ContentSecurityReporterIP:9121, http://ContentSecurityReporterIP:9111/logloader/.

 

4. Create a username and password unique to this function and enter them under the "User name" section.

Note: The username and password defined here will be needed later in the Content Security Reporter configuration (below). If you have multiple Web Gateways pushing logs to one Content Security Reporter server, please review the following KB for details on using variables as usernames: McAfee Corporate KB - How to configure Web Gateway in a Central Management Cluster to push to separa...

 

5. It is recommended to setup the Web Gateway to automatically push the logs immediately after rotation. For that keep the “Enable pushing log files directly after rotation” checked. 

 

If you would like to use time based push intervals instead, uncheck "Enable pushing log files directly after rotation" and set your “Push interval” hours and minutes.

 

Save Changes in the Web Gateway UI after configuring the Auto Pushing section.

 

Configuring Content Security Reporter

To configure a McAfee Web Gateway log source in Content Security Reporter that will accept log files that are being pushed from Web Gateway:

 

  1. Log in to ePO and go the Report Server Settings menu.
  2. Click on Log Sources, then Actions, and select New.
  3. The Mode should be "Accept incoming log files" with the type set to "FTP / HTTP(S)".  For the Log format, select "McAfee Web Gateway (Webwasher) - Auto Discover".
  4. Enter a name for the log source that does not contain spaces.
  5. Enter a username and password in the Logon name and Password fields that will be used by McAfee Web Gateway to access this log source when pushing logs.

    CsrLogSourceConfig.png

   6. (Optional) Configure any other desired options for the log source under the User-Defined Columns, Processing, and Post-Processing tabs.

   7. Click OK in the bottom-right corner to save the log source.

 

Validating Log Source Configuration

If everything was configured properly and a log file push was triggered on Web Gateway, there should be log file jobs displayed in Content Security Reporter.

Log file jobs can be found under Report Server Settings by expanding Log Sources and then selecting Job Queue.

 

Here is an example of successful log jobs as they are displayed in the user interface:

CsrLogJobs.PNG

 

Common Issues and Troubleshooting

For information on troubleshooting issues that may result from configuring McAfee Web Gateway to push logs to Content Security, please see Common issues and Troubleshooting in the document

.  The process of pushing logs is the same in the case of Web Reporter as it is for Content Security Reporter, so the same troubleshooting applies.

Labels (1)
Comments

easy and perfect

Hi does this component is available as free  add on with McAfee Web Gateway or McAfee Content Security Report Server ?

Hello,

Is there any free version of epo to download and use the reporting features for Web gateway?

Thanks,

tavi

ePO and CSR are free to any web protection customer

 

Just FYI: following ports are used by CSR. 

  • 9111 http log push,
  • 9112 https log push + epo,
  • 9121 ftp log push
  • 9129 DB MariaDB
  • 1433 DB mssql
  • 3306 DB mysql
Contributors
Version history
Revision #:
3 of 3
Last update:
‎04-03-2018 12:45 PM
Updated by: