Hi,
Your setup sends all daemon.info messages to Syslog, which is mostly the logs generated by the Web Gateway, but there is no filter specific to the Web Gateway, so other messages matching the facility/priority are also sent via Syslog to the remote server.
If there is no way to simply ignore those messages on the receiver you could think about changing the rsyslog.conf to something like this:
if $programname == 'mwg' and $msg contains 'LEEF:1.0|' then @@ipaddress:port
This is for the "LEEF" format, so it checks whether the log line contains the string "LEEF:1.0|". Check if you can find a common string you can use. Alternatively you can change the log file and add one (e.g. make the log line start with FOUND_VIRUS|), so you can make sure only these specific matching lines are passed to the remote server.
Andre
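The before/after rsyslog configuration described in the reply above, written out as an added example (not from the original post or from the Web Gateway product). The remote address 192.0.2.10, port 514 and the marker string FOUND_VIRUS| are placeholders; replace them with your own values.

```rsyslog
# BEFORE (the situation described above): every message at facility daemon,
# severity info or higher is forwarded, Web Gateway or not. Remove this line,
# otherwise the non-matching messages keep going to the remote server.
#daemon.info    @@192.0.2.10:514

# AFTER: forward only lines from the Web Gateway process ('mwg') that carry
# the LEEF marker. 'contains' is a substring match; RainerScript syntax.
if $programname == 'mwg' and $msg contains 'LEEF:1.0|' then {
    action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp")
}

# Variant for a custom marker added to the log line in the Web Gateway
# log handler (see the alternative mentioned above). 'contains' rather than
# 'startswith' is used on purpose: $msg usually begins with a space in
# traditional syslog format, so a startswith test on it can silently fail.
if $programname == 'mwg' and $msg contains 'FOUND_VIRUS|' then {
    action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp")
}
```

After editing, validate the file with `rsyslogd -N1` before restarting rsyslog, and check with a known-infected test download (e.g. an EICAR file) that exactly one line per event arrives at the remote server and that ordinary daemon.info chatter no longer does. No `stop` statement is used in the matching blocks, so the same messages still reach whatever local log files your other rules write.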
Let's check if this solution is suitable for you:
From the UI go to Policy - Rule Sets - Log Handler (at the bottom) - Default - Found Virus Log
Modify the existing "Write Found Viruses Log" rule or add your own custom rule, where you add an Event: Syslog (Number, String).
You can also look into this document https://community.mcafee.com/t5/Web-Gateway-Documents/Web-Gateway-Understanding-syslog-send-logs-to-... - section "Configuring the rules" (but keep in mind that you want information only about infected files, so the Criteria should be "Antimalware.Infected equals true")