eg123
Message 1 of 5

How to create log handler to monitor file uploadings


Hi,

I want to monitor file uploads and write the file name to logs.

For monitoring file uploads, I think we need to use Command.Name equals PUT/POST,

But how do I get the uploaded file name and write the filename to logs? Which property can I use?

Thanks in advance.

1 Solution

Accepted Solutions
McAfee Employee vkleineh
Message 3 of 5

Re: How to create log handler to monitor file uploadings


Please try:

URL.FileName > Name of a file that can be accessed through a URL

Body.FileName > Name of a file that is embedded in the body of a web object, for example, an archived file

A list of all properties can be found within the reference guide:

https://docs.mcafee.com/bundle/web-gateway-8.1.x-interface-reference-guide/page/GUID-81504B59-67DB-4...

4 Replies
AaronT
Message 2 of 5

Re: How to create log handler to monitor file uploadings


Assuming you're talking HTTPS, and you had SSL content inspection, you might be able to get it in the URL, if it's there. If it's not there, I'm not sure you can get it.

eg123
Message 4 of 5

Re: How to create log handler to monitor file uploadings


Thanks all for your information.

McAfee Employee aloksard
Message 5 of 5

Re: How to create log handler to monitor file uploadings


Hi,

Hope you are doing well.

I was able to get a rule set configured in order to get the names of the files uploaded, with some testing. Content-Disposition is the field which contains the name of the uploaded file in the majority of cases.

I did testing with a few websites like https://dlptest.com/, https://files.fm/, https://uploadfiles.io/ etc. and was successfully able to see the names of the uploaded files in access.log.

NOTE: Make sure you have SSL Scanner enabled in order to inspect HTTPS traffic, and that the composite opener rule is enabled as well.

Please make the following modifications to the rules mentioned below:

Step 1: Please enable the rule called "Enable composite opener".

Step 2: Please create a new rule called "test" under the Enable composite opener rule.

Step 3: In the new rule "test", the criteria we need to add are mentioned below:

Body.HasMimeHeader(String) -> equals -> true

NOTE: The parameter value that needs to be added to the property "Body.HasMimeHeader" is mentioned below:

Body.HasMimeHeader(String) -> Parameters -> Parameter value -> Content-Disposition

AND

Body.HasMimeHeaderParameter(String,String) -> true

NOTE: The parameter values that need to be added to the property "Body.HasMimeHeaderParameter" are mentioned below:

Body.HasMimeHeaderParameter(String,String) -> Parameters -> Parameter value -> Name (string) -> Content-Disposition, and MIME Parameter name -> filename

NOTE: I have shared a snapshot of the rule along with this email.

Step 4: In the same test rule, inside the Events tab, we need to write those parameter values; for that we have configured the below:

Test rule -> Event -> Add -> User-defined.log -> Body.HasMimeHeaderParameter(String,String) -> Parameters -> Parameter value -> Name (string) -> Content-Disposition, and MIME Parameter name -> filename

NOTE: Please find the rule set snapshot attached along with this email.

Step 5: Policy --> Ruleset --> LogHandler --> Access.log --> Write.access.log --> Edit --> Events --> Edit --> Add --> Parameter Property --> User-defined.log (we are calling the property which has been configured) --> Add --> Parameter value --> " (add this symbol).

Step 6: Go to Policy -> Settings -> File System Logging -> Access Log configuration -> Log Header -> at the end add filename.

NOTE: Please re-arrange the properties as defined in the snapshot attached along with this email.

Please refer to the attached screenshots. The above steps can be taken as a reference point.

Regards

Alok Sarda
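
What the rule in the reply above matches on, shown outside the product as an added example (not part of the original thread and not McAfee Web Gateway code): a constructed multipart/form-data upload is parsed and the `filename` parameter of each part's Content-Disposition header is pulled out as a quoted log field. The function names and sample body are assumptions; the example goes beyond the post by also decoding `filename*=` values, stripping client-side paths and neutralising characters that could forge log fields.

```python
import re
from email.parser import BytesParser

# Constructed sample: Content-Type header and body of a multipart/form-data POST.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----demo"
SAMPLE_BODY = (
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"quarterly numbers\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="f1"; '
    b'filename="C:\\Users\\bob\\report.xlsx"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"PK\x03\x04\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="f2"; '
    b"filename*=UTF-8''r%C3%A9sum%C3%A9.pdf\r\n"
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\r\n"
    b"------demo--\r\n"
)


def log_safe(name):
    """Keep only the base name and neutralise characters that could forge log fields."""
    base = re.split(r"[\\/]", name)[-1]
    return re.sub(r'[\x00-\x1f\x7f"]', "_", base)


def uploaded_filenames(content_type, body):
    """Return the filename parameter of every Content-Disposition header in the body."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser().parsebytes(head + body)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not a body part
        name = part.get_filename()  # also decodes RFC 2231 filename*=
        if name:  # plain form fields carry no filename and are skipped
            names.append(log_safe(name))
    return names


def access_log_field(names):
    """Render the names as one quoted field for the end of an access.log line."""
    return '"' + ",".join(names) + '"'


if __name__ == "__main__":
    print(access_log_field(uploaded_filenames(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)))
```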
