prajoshgeorge
Level 10

Audit Log via syslog

Hello,

How can I send the audit log via syslog to a SIEM? I am currently using MWG 7.3.0.2.

I saw the below discussion for rsyslogd.conf

https://community.mcafee.com/message/261146#261146

I used the example to get the audit logs

I get the audit log entries but I get a single audit log entry in multiple lines. Is there any way to consolidate it into a single line or tag all the lines of the log entry with a unique ID so that the SIEM can identify them?

Thanks

Message was edited by: prajoshgeorge on 20/02/13 09:01:32 CST
0 Kudos
1 Solution

Accepted Solutions
prajoshgeorge
Level 10

Re: Audit Log via syslog

Hi, I managed to send the audit.log entries to the SIEM

I needed to do this

  1. Make the multiline entries into a single line
  2. Remove the '_____________________' at the beginning of each entry
  3. Remove the return character and replace the same with a tab
  4. configure the rsyslog

Here is what I made

tail -f /opt/mwg/log/audit/audit.log | perl -pe 'BEGIN { $| = 1 } chomp; s/^(_____)/\n$1/; s/_{80}//; s/\r/\t/' | logger -p local2.notice

I put the above command in cronjob. In the rsyslog.conf, I put the entry

local2.notice                              @"IP of SIEM"

This seems to work fine.

EDIT: There is a problem when receiving events larger than 1KB: they get split into 1KB entries on the SIEM. Maybe the limitation of the rsyslog version on MWG 7.3. Not sure.

Message was edited by: prajoshgeorge on 9/24/13 4:10:44 PM AST
0 Kudos
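An added example (not the thread's own code) that does what the accepted answer's perl pipe does, one tab-joined record per audit entry with the 80-underscore separator removed, and additionally tags each record with an ID and splits records over the 1 KB limit mentioned in the EDIT into numbered parts that carry the same ID, so the SIEM can identify the pieces of one entry. The sample log text is constructed; the separator layout and the 1 KB figure come from the thread.

```python
import hashlib
import re

SEPARATOR = re.compile(r"^_{80}\s*$")  # line MWG writes between audit entries
MAX_BYTES = 1024  # size at which the thread saw records split; tune to your setup

# Constructed sample in the layout the thread describes, not a real audit.log.
SAMPLE_AUDIT_LOG = (
    "_" * 80 + "\n"
    "2013-09-24 16:10:44 admin modified rule set 'Default'\r\n"
    "  old: Block all\r\n  new: Allow internal\r\n"
    + "_" * 80 + "\n2013-09-24 16:11:02 admin logged out\r\n"
)

def entries(lines):
    """Yield each audit entry as a list of stripped lines."""
    # As with the perl pipe, an entry is emitted only when the next separator
    # arrives, so the last entry of a live tail waits for the following one.
    current = []
    for line in lines:
        if SEPARATOR.match(line):
            if current:
                yield current
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        yield current

def consolidate(lines):
    """Yield one tab-joined record per entry, prefixed with a 12-hex-digit ID."""
    for n, entry in enumerate(entries(lines)):
        body = "\t".join(entry)
        entry_id = hashlib.sha1(f"{n}:{body}".encode()).hexdigest()[:12]
        yield f"id={entry_id}\t{body}"

def split_record(record, limit=MAX_BYTES):
    """Split a record over `limit` UTF-8 bytes into numbered parts sharing its ID."""
    if len(record.encode()) <= limit:
        return [record]
    tag, body = record.split("\t", 1)
    budget = limit - len(tag.encode()) - len("\tpart=999/999\t")
    chunks, piece = [], ""
    for ch in body:  # character by character, so a multi-byte character is never cut
        if len((piece + ch).encode()) > budget:
            chunks.append(piece)
            piece = ""
        piece += ch
    chunks.append(piece)
    return [f"{tag}\tpart={i}/{len(chunks)}\t{c}" for i, c in enumerate(chunks, 1)]
```

To feed a SIEM, iterate consolidate(sys.stdin) in a __main__ block, print each part with flush=True, and pipe the output through the same logger -p local2.notice command the answer uses.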
4 Replies
McAfee Employee

Re: Audit Log via syslog

I'm not too sure how this could be done from the Web Gateway's syslog module; this would most likely have to be done on the other side (syslog server).

Perhaps look for a string of lines with the _______________________________ representing a new audit log entry?

Other than that, I don't think there is a way that I know of to control how the audit log writes its entries.

Best,

Jon

0 Kudos
prajoshgeorge
Level 10

Re: Audit Log via syslog

Searching through multiple audit files to check all the changes made to a rule over a period by an administrator would be tedious I guess.

0 Kudos

Re: Audit Log via syslog

Hi,

I'm trying to configure my MWG (version 7.4.2.6) with your settings and it seems there is a problem. After the script starts, the first log is sent to the SIEM correctly, but after that, for each new log line, syslog sends the same first log to the SIEM every time. It seems like the syslog facility local2.notice always contains only the first log line that was created by your script.

Any idea what could be wrong?

Thank you.

Mihai

0 Kudos