Showing results for 
Show  only  | Search instead for 
Did you mean: 

MWG: Only send "virus found" logs to syslog?

I have my correct policy configured to send in the right format to splunk. I have my rsyslog.conf configuration for remote logging to be: @@ipaddress:port I recieve all my correct "virus found" logs. However im recieving some extra junk i dont want to get ingested by splunk. Mostly some systemd stuff, thta still comes through as the same sourcetype "mcafee_foundviruses". For example, "HOSTNAME systemd: Started cleaup up temporary directories". Ive tried adjusting my logging level, but it ends up stoppign my found viruses logs from coming through. Any idea how to get rid of the other stuff and only have my virus logs come through?
2 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: MWG: Only send "virus found" logs to syslog?


your setup sends all messages to Syslog which is mostly the logs generated by the Web Gateway, but there is no filter specific for the Web Gateway, so also other messages matching the facility/priority are sent via Syslog to the remote server.

If there is no way to simply ignore those messages on the receiver you could think about changing the rsyslog.conf to something like this:

if $programname == 'mwg' and $msg contains 'LEEF:1.0|' then @@ipaddress:port

This is for the "LEEF" format, so it is checked if the log line contains a string "LEEF:1.0|". Check if you find a common string which you can use. Alternatively you can change the log file and add one (e.g. make the log line start with FOUND_VIRUS|) , so you can make sure only these specific matching lines are given to the remote server.


Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: MWG: Only send "virus found" logs to syslog?

Let check if this solution is suitable for you:

From UI go to Policy - Rule Sets - Log Handler (at the bottom) - Default - Found Virus Log

Modify an existing "Write Found Viruses Log" rule or add your custom, where you add an Event: Syslog (Number, String).

You can look also into this document - section "Configuring the rules" (but keep in mind, that you want information only about infected files, so Criteria should be "Antimalware.Infected equals true")

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community