alessandrodp
Level 8

MR 5.2 Log Source with MWG 7.1

Hi all,

I have configured MWG to push all logs (Access, Audit, Update) to MR. In MR I have configured the Log Source to "Accept incoming logs" and the log format to "Web Gateway - Auto Discover", but when the logs are rotated/pushed the jobs fail.

If I try to change the log format to "Web Reporter 5.0 +", all jobs are successful but I have 100% errors.

I believe that there is a log header problem, but I use only standard headers (time_stamp "auth_user" src_ip, etc.). I checked the P.G. and U.G. of both MWG and MR but I didn't find any help...

Is there something more I can read/check that can help me?

Thanks

0 Kudos
1 Solution

Accepted Solutions
sroering
Level 13

Re: MR 5.2 Log Source with MWG 7.1

After only pushing access logs, did the errors stop? As Jon said, most likely the high errors were caused by non-access logs.

That header looks fine except for two "block_res" columns, assuming your log lines match the header. I'm not sure if a double block_res would cause an error, but it should be corrected. If the errors are still happening, copy the first 5 lines of one of your access logs so that we can check that the header matches the data.

0 Kudos
9 Replies
McAfee Employee

Re: MR 5.2 Log Source with MWG 7.1

Hello Aless,

Only push the access logs to Web Reporter, and leave the format as Web Gateway auto-discover.

The failed jobs are most likely the audit or update log.

Please post a screenshot of your access log handler if you think there may be a problem with the format. Have you modified it from the default?

~Jon

0 Kudos
alessandrodp
Level 8

Re: MR 5.2 Log Source with MWG 7.1

Log Header:   time_stamp "auth_user"  "user_group" src_ip dest_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res" "block_res"

0 Kudos
alessandrodp
Level 8

Re: MR 5.2 Log Source with MWG 7.1

Now I have modified it to use "block_res" "block_res2" and it seems to work... maybe Reporter has some problems with a double block_res... Now I will continue with some other tests...

Thank you for the help

PS: while testing I activated the license of my MR 5.2 (at the same time I modified the double block_res). Could the activation also have solved the situation? Are there limitations with the Premium Evaluation Licence before activating?

0 Kudos
sroering
Level 13

Re: MR 5.2 Log Source with MWG 7.1

alessandrodp wrote:

PS: while testing I activated the license of my MR 5.2 (at the same time I modified the double block_res). Could the activation also have solved the situation? Are there limitations with the Premium Evaluation Licence before activating?


Nope. Completely unrelated. Double block_res was likely the problem since it is a recognized header.

0 Kudos
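
A pre-check along the lines sroering suggests in this thread (header column names unique, first log lines matching the header), as an added example that is not part of the thread or of any McAfee tool. The bracketed timestamp form, the sample log lines and the function name are constructed assumptions, and the script does not reproduce Web Reporter's own parser.

```python
import re
from collections import Counter

# Assumed tokenization: [bracketed timestamp], "quoted field", or bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def check_log(header, lines):
    """Return problems found: repeated header columns, and log lines whose
    field count or quoting does not line up with the header."""
    problems = []
    head = TOKEN.findall(header)
    names = [h.strip('"') for h in head]
    for name, count in Counter(names).items():
        if count > 1:
            problems.append(f"header: column '{name}' appears {count} times")
    for num, line in enumerate(lines, 1):
        fields = TOKEN.findall(line)
        if len(fields) != len(head):
            problems.append(f"line {num}: {len(fields)} fields, header has {len(head)}")
            continue
        for h, name, field in zip(head, names, fields):
            if h.startswith('"') != field.startswith('"'):
                problems.append(f"line {num}: quoting of '{name}' differs from header")
    return problems

# Header as posted in the thread, and the renamed variant the poster tried.
PAGE_HEADER = ('time_stamp "auth_user" "user_group" src_ip dest_ip status_code '
               '"req_line" "categories" "rep_level" "media_type" bytes_to_client '
               '"user_agent" "virus_name" "block_res" "block_res"')
FIXED_HEADER = PAGE_HEADER[:-len('"block_res"')] + '"block_res2"'

# Constructed sample lines: one full access-log row, and one short row
# standing in for a line from a log that does not use this header.
SAMPLE_LINES = [
    '[28/Sep/2011:18:26:00 +0200] "jdoe" "staff" 192.0.2.10 198.51.100.7 200 '
    '"GET http://example.test/ HTTP/1.1" "General News" "Minimal Risk" '
    '"text/html" 5120 "Mozilla/5.0" "" "0" "0"',
    '[28/Sep/2011:18:26:05 +0200] "admin" "login" 192.0.2.20',
]

if __name__ == "__main__":
    for problem in check_log(PAGE_HEADER, SAMPLE_LINES):
        print(problem)
```
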
alessandrodp
Level 8

Re: MR 5.2 Log Source with MWG 7.1

Now how can I configure MR to recognize the "dest_ip" header?

0 Kudos
sroering
Level 13

Re: MR 5.2 Log Source with MWG 7.1

dest_ip isn't one of the headers used by the auto format, so you would need to put that in a user-defined column.

0 Kudos
alessandrodp
Level 8

Re: MR 5.2 Log Source with MWG 7.1

OK, access logs are working fine now.

Now I have to work with the audit log...

I tried to set up an IIS HTTP server on Win 2008, but when MWG tries to push the log:

mwg-logmanager.errors1109281826.log

"Error output is '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>"

Has anyone tried something like this, or used another HTTP server that works easily with MWG 7.1 (ONLY accept and store logs)?

PS: and no, I cannot use an FTP server, sorry

0 Kudos
sroering
Level 13

Re: MR 5.2 Log Source with MWG 7.1

Seems that the authentication is failing. I've never tried this and I'm not sure how the authentication is performed. I'd recommend opening that question as a new thread with a correct title and you're more likely to attract the right people to answer it.

0 Kudos