Cisco Web Security Appliance

Hi,

I have just recently added a Cisco Web Security Appliance on my receiver but cannot seem to get the logs flowing in a manner that makes sense. Here is how I configured the data source:

I am not sure if the problem is with the Data Format or Support Generic Syslog option field.

Cisco.PNG

Reliable Contributor akerr

Re: Cisco Web Security Appliance

What do you mean by "cannot seem to get the logs flowing in a manner that makes sense"?

What's the problem you're having? Generally, we set all data sources to log unknown events rather than do nothing. That way, we first know that the events are coming into the SIEM, and which may not be getting parsed, then we'll proceed to write custom parsers for events we deem important enough.

Re: Cisco Web Security Appliance

Thanks for the response.

Normally with these settings on other data sources, I get some logs that are normalized by McAfee automatically and some that are uncategorized, then I create parsing rules for those.

I have set the data source to log "unknown syslog" events and all I have been getting is the logs below, which do not make sense for me to create a parsing rule. Hence I am asking if maybe my settings are correct.

CiscoLogs.PNG

Reliable Contributor akerr

Re: Cisco Web Security Appliance

Looks like you're sending debug level logging.  I rarely enable that for data sources to the SIEM.  It tends to be very noisy and only good when troubleshooting the actual application that is sending the logs.

Re: Cisco Web Security Appliance

What settings do you use on your Cisco Web Security Appliance data source?

Reliable Contributor akerr

Re: Cisco Web Security Appliance

I don't manage one.  Regardless of the data source, I don't send debug level logs to the SIEM.
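
One way to confirm the debug-level diagnosis discussed in this thread is to decode the syslog priority header of the raw events the receiver stores as unknown and count them by severity. The following is an added example, not part of the original thread or any vendor tooling; it assumes the events carry a standard `<PRI>` header (PRI = facility * 8 + severity), and the sample lines, host name and message text are constructed.

```python
import re
from collections import Counter

# Syslog severity names, indexed by severity number (PRI % 8).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity_name) from a syslog line, or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    return pri // 8, SEVERITIES[pri % 8]

def severity_profile(lines):
    """Count messages per severity; lines without a PRI are counted as 'no-pri'."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line)
        counts[decoded[1] if decoded else "no-pri"] += 1
    return counts

def debug_ratio(lines):
    """Fraction of all messages that were sent at debug severity."""
    counts = severity_profile(lines)
    total = sum(counts.values())
    return counts["debug"] / total if total else 0.0

# Constructed sample lines (hypothetical host and message text, not real WSA output).
SAMPLE = [
    "<135>Jan 10 12:00:01 wsa01 proxy: Debug: connection state change",
    "<135>Jan 10 12:00:01 wsa01 proxy: Debug: cache lookup",
    "<134>Jan 10 12:00:02 wsa01 accesslogs: GET http://example.com/ 200",
    "<131>Jan 10 12:00:03 wsa01 proxy: Error: upstream timeout",
    "raw line with no priority header",
]

if __name__ == "__main__":
    for name, n in severity_profile(SAMPLE).most_common():
        print(f"{name:8} {n}")
    print(f"debug ratio: {debug_ratio(SAMPLE):.0%}")
```

A high debug share points at the log level configured on the sending appliance rather than at the data source's parsing settings.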
