Anyone have any experience feeding webgateway logs into Splunk? Another team is bringing in Splunk for a POC and looking for other potential users. I'm hoping it might help me with daily troubleshooting activities that are currently done with a lot of rsh, grep, rcp commands. We currently have 8 devices, adding a couple 5500s in the next couple weeks.
For starters, does the Splunk plugin run on the MWG or will I have to push the logs to our log server more often than the current once per day?
Splunk is a syslog server, so you should just be able to configure MWG to send its logs to a syslog server (two steps).
Here is one example using our SIEM software (nitro): https://community.mcafee.com/message/244540#244540
Also, there is another for the CEF format: https://community.mcafee.com/docs/DOC-4703
I would not advise (nor would it be supported) to install a splunk agent on MWG.
I have done this with good results on my enterprise installation.
Similar to what Jon said you can point your MWG using the web interface to point syslog data to your Splunk server.
There's no need to mess around with the universal forwarder in this case.
Make sure you can ping between the machines and there are no firewall controls blocking UDP514. On the Splunk side make sure you've enabled receiving on UDP 514 to the syslog sourcetype.
The setting is is Configuration / File Editor under rsyslog.conf
Try modifying the line in this file:
You can also send MWG incidents, such as CPU overload, license problem, domain membership problems using this manner. Look into Incident Mappings for info and rules.