
MR 5.2 Log Source with MWG 7.1


Hi all,

I have configured MWG to push all logs (Access, Audit, Update) to MR. In MR I have configured the Log Source to "Accept incoming logs" and the log format to "Web Gateway - Auto Discover", but when I rotate/push logs the jobs fail.

If I try to change the log format to "Web Reporter 5.0 +", all jobs are successful but I have 100% errors.

I believe that there is a log header problem, but I use only standard headers (time_stamp "auth_user" src_ip, etc.). I checked the P.G. and U.G. of both MWG and MR but I didn't find any help...

Is there something more I can read/check that can help me?

Thanks


9 Replies
McAfee Employee
Message 2 of 10

Re: MR 5.2 Log Source with MWG 7.1


Hello Aless,

Only push the access logs to Web Reporter, and leave the format as Web Gateway auto-discover.

The failed jobs are most likely the audit or update log.

Please post a screenshot of your access log handler if you think there may be a problem with the format. Have you modified it from the default?

~Jon


Re: MR 5.2 Log Source with MWG 7.1


Log Header:   time_stamp "auth_user"  "user_group" src_ip dest_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res" "block_res"

Level 13
Message 4 of 10

Re: MR 5.2 Log Source with MWG 7.1


After only pushing access logs, did the errors stop?  As Jon said, most likely the high errors were caused by non-access logs.

That header looks fine except for two "block_res" columns, assuming your log lines match the header.  I'm not sure if double block_res would cause an error, but it should be corrected.  If the errors are still happening, copy the first 5 lines of one of your access logs so that we can check that the header matches the data.


Re: MR 5.2 Log Source with MWG 7.1


Now I have modified it to "block_res" "block_res2" and it seems to work... maybe Reporter has some problems with double block_res... now I will continue with some other tests...

Thank you for the help

PS: while testing I activated the license of my MR 5.2 (at the same time I modified the double block_res). Could the activation also have solved the situation? Are there limitations with the Premium Evaluation Licence before activating?

Level 13
Message 6 of 10

Re: MR 5.2 Log Source with MWG 7.1


alessandrodp wrote:

PS: while testing I activated the license of my MR 5.2 (at the same time I modified the double block_res). Could the activation also have solved the situation? Are there limitations with the Premium Evaluation Licence before activating?

Nope. Completely unrelated.  double block_res was likely the problem since it is a recognized header.
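
As an added illustration (not part of the thread and not McAfee code): a small Python check for the two things discussed above, a repeated column name in the access log header and data lines that do not match the header. The bracketed timestamp layout, the sample data lines and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Header exactly as posted in the thread (note the repeated "block_res").
HEADER = ('time_stamp "auth_user" "user_group" src_ip dest_ip status_code '
          '"req_line" "categories" "rep_level" "media_type" bytes_to_client '
          '"user_agent" "virus_name" "block_res" "block_res"')

# Assumed field syntax: a [bracketed] timestamp, a "quoted string", or a bare token.
FIELD = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def parse_header(header):
    """Return [(column_name, is_quoted), ...] in header order."""
    return [(tok.strip('"'), tok.startswith('"')) for tok in FIELD.findall(header)]

def duplicate_columns(cols):
    """Column names that appear more than once in the header."""
    counts = Counter(name for name, _ in cols)
    return sorted(name for name, n in counts.items() if n > 1)

def check_line(cols, line):
    """Compare one data line with the header: field count, then quoting."""
    fields = FIELD.findall(line)
    if len(fields) != len(cols):
        return [f'expected {len(cols)} fields, found {len(fields)}']
    return [f'{name}: quoting differs from header'
            for (name, quoted), value in zip(cols, fields)
            if quoted != value.startswith('"')]

def audit(header, lines):
    """Report duplicate header columns and the data lines that do not fit."""
    cols = parse_header(header)
    bad = {}
    for n, line in enumerate(lines, 1):
        issues = check_line(cols, line)
        if issues:
            bad[n] = issues
    return {'duplicates': duplicate_columns(cols), 'bad_lines': bad}

# Constructed sample lines (not from the thread); line 2 lacks "user_group".
SAMPLE = [
    '[28/Sep/2011:18:26:00 +0200] "alice" "staff" 10.0.0.5 192.0.2.10 200 '
    '"GET http://example.com/ HTTP/1.1" "Business" "Minimal Risk" "text/html" '
    '5120 "Mozilla/5.0" "" "0" "Allowed"',
    '[28/Sep/2011:18:26:01 +0200] "bob" 10.0.0.6 192.0.2.11 403 '
    '"GET http://example.org/ HTTP/1.1" "Malicious Sites" "High Risk" '
    '"text/html" 312 "Mozilla/5.0" "" "10" "Blocked"',
]

if __name__ == '__main__':
    print(audit(HEADER, SAMPLE))
```

Running it on the first few lines of a real access log, together with the header configured in the log handler, gives the same header-versus-data comparison that was asked for earlier in the thread.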


Re: MR 5.2 Log Source with MWG 7.1


Now how can I configure MR to recognize the "dest_ip" header?

Level 13
Message 8 of 10

Re: MR 5.2 Log Source with MWG 7.1


dest_ip isn't one of the headers used by the auto format, so you would need to put that in a user-defined column.


Re: MR 5.2 Log Source with MWG 7.1


OK, access logs are working fine now.

Now I have to work with the audit log...

I tried to set up an IIS HTTP server on Win 2008, but when MWG tries to push the log:

mwg-logmanager.errors1109281826.log

"Error output is '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>

<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>"

Has anyone tried something like this, or used another HTTP server that easily works with MWG 7.1 (ONLY accept and store logs)?

PS: and no, I cannot use an FTP server, sorry

Level 13
Message 10 of 10

Re: MR 5.2 Log Source with MWG 7.1


Seems that the authentication is failing. I've never tried this and I'm not sure how the authentication is performed.  I'd recommend opening that question as a new thread with a correct title and you're more likely to attract the right people to answer it.
