elisowash
Level 7

MWR and CEF logging

I want Web Reporter to pick up the access.log file on my appliances, and I'd also like to push a CEF via rsyslog.

I'm getting

2013-11-26 08:15:23,566 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Begin retrieving log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing.

2013-11-26 08:15:24,942 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Successfully retrieved log file 'access1311261255.log' into log parsing.

2013-11-26 08:15:24,958 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) End copying log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing

2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Begin processing file 'access1311261255.log20131126-081524832.dat'.

2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Finish counting: [0 seconds to complete]  File='C:\Program Files\McAfee\Web Reporter (64-bit)\reporter\jboss\bin\..\..\tmp\logparsing\processing\access1311261255.log20131126-081524832.dat' contains 56 lines and 15667 bytes.

2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Invalid parser, parser initialization failed, id='WebWasherV1'

2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) access1311261255.log20131126-081524832.dat: processing failed:Unable to determine log format due to invalid parser ID.

2013-11-26 08:15:25,083 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Aborted processing file 'access1311261255.log20131126-081524832.dat': 0 lines processed with 0 errors.

in my MWR logs, and I have a feeling it's because I imported the CEF rules. My CEF logs are making it over to my syslog listener just fine, but I'd like MWR to consume them too.

I've checked all my Policy and Settings related to logging, and everything looks appropriate, but if I'm honest, I don't remember what the defaults were. I'm kind of stuck - what else should I look for?

0 Kudos
5 Replies
sroering
Level 13

Re: MWR and CEF logging

I'm not sure what CEF is, or where you are trying to push it, but Web Reporter only processes access logs.

Regarding your error, there is a problem with the log header. Possibly a missing space, or missing quote, or missing column that is required (ex: "req_line").  Can you post the log header and a screenshot of the logging rule?

0 Kudos
elisowash
Level 7

Re: MWR and CEF logging

CEF: Common Event Format, https://community.mcafee.com/docs/DOC-4703

I'm pushing to Splunk, not Arcsight, but they do essentially the same job.

As far as my access.log goes, I'm not writing a header (which is a problem?):

access-settings.png

Here's my policy:

access.png

Message was edited by: elisowash on 11/26/13 10:32:34 AM CST
0 Kudos
sroering
Level 13

Re: MWR and CEF logging

Yes, that would be a problem.  Try this for a log header.

#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"

0 Kudos
elisowash
Level 7

Re: MWR and CEF logging

No joy... I guess I don't understand the purpose and function of the log header. The product guide is super helpful: "Specifies a header for all log files." That clears things right up.

Can you point me towards a good resource for this?

0 Kudos
sroering
Level 13

Re: MWR and CEF logging

Never hire this guy to write documentation. :-)   Web Reporter needs the log header to understand the log format. That is how the "auto-discover" works.  It will only apply to new access logs, so old ones will still fail.  If jobs fail, it is because Web Reporter couldn't find a valid header.  So even if the header is valid, but doesn't match the body, the job would still show successful, but with 100% errors.

So I need to know if the jobs are successful or still failing, that is the big clue.  If possible, take one of the new access logs and post the first few lines, including the header.  You can xxx out any sensitive values, just don't change the structure of the lines.


0 Kudos
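The two things sroering describes (a header that names every column, and a body whose columns actually match that header) are easy to check before a log is handed to Web Reporter. The script below is an added example written for this thread; it is not Web Reporter's parser and not McAfee code. It assumes a header format modelled on the line sroering posted: the header is the first line, starts with `#`, lists one token per column, and a double-quoted token (e.g. `"req_line"`) means that column's values are double-quoted in the body. It also assumes body columns are separated by single spaces, that only quoted values may contain spaces, and that the time stamp carries no spaces. The sample log lines are constructed for the example; the only "required" column it knows is `req_line`, which is the one named in the thread.

```python
"""Checker for a Web Gateway style access log header vs. its body lines.

Added example, not McAfee's parser. Assumptions (not stated on the page):
  * first line is the header, begins with '#', one token per column;
  * a quoted header token means the column's body values are quoted;
  * body columns are single-space separated; quoted values may contain spaces.
"""
from typing import Dict, List, Tuple

# The only column the thread names as required; extend to taste.
REQUIRED_COLUMNS = ("req_line",)


def tokenize(line: str) -> List[Tuple[str, bool]]:
    """Split a line into (value, was_quoted) tokens. Quoted values keep spaces."""
    tokens: List[Tuple[str, bool]] = []
    i, n = 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
            continue
        if line[i] == '"':
            j = line.find('"', i + 1)
            if j == -1:
                raise ValueError(f"unterminated quote at offset {i}")
            tokens.append((line[i + 1:j], True))
            i = j + 1
        else:
            j = line.find(" ", i)
            if j == -1:
                j = n
            tokens.append((line[i:j], False))
            i = j
    return tokens


def parse_header(line: str) -> List[Tuple[str, bool]]:
    """Return (column_name, values_are_quoted) pairs; reject a missing header."""
    if not line.startswith("#"):
        raise ValueError("header line must start with '#'")
    return tokenize(line[1:])


def check_access_log(text: str, required=REQUIRED_COLUMNS) -> Dict:
    """Validate header presence, required columns, and header/body agreement.

    Mirrors the two failure modes described in the thread: no usable header
    (job aborts) and a valid header that does not match the body (every
    line becomes an error). Returns a small report dict."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    report: Dict = {"header_ok": False, "missing_columns": [],
                    "bad_lines": [], "good_lines": 0}
    if not lines:
        report["bad_lines"].append((0, "empty log"))
        return report
    try:
        header = parse_header(lines[0])
    except ValueError as exc:
        report["bad_lines"].append((1, str(exc)))
        return report
    names = [name for name, _ in header]
    report["missing_columns"] = [c for c in required if c not in names]
    report["header_ok"] = not report["missing_columns"]
    for lineno, body in enumerate(lines[1:], start=2):
        try:
            fields = tokenize(body)
        except ValueError as exc:
            report["bad_lines"].append((lineno, str(exc)))
            continue
        if len(fields) != len(header):
            report["bad_lines"].append(
                (lineno, f"expected {len(header)} columns, found {len(fields)}"))
            continue
        # Same column count, but is each value quoted the way the header says?
        mismatched = [name for (name, hq), (_, bq) in zip(header, fields) if hq != bq]
        if mismatched:
            report["bad_lines"].append(
                (lineno, "quoting differs from header for: " + ", ".join(mismatched)))
            continue
        report["good_lines"] += 1
    return report


# Constructed sample logs (not real appliance output). Header is the one from the thread.
HEADER = ('#time_stamp "auth_user" src_ip status_code "req_line" "categories" '
          '"rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"')
GOOD_LOG = HEADER + "\n" + (
    '2013-11-26T08:10:01 "jdoe" 10.0.0.5 200 "GET http://example.com/ HTTP/1.1" '
    '"Business, General" "Minimal Risk" "text/html" 1234 "Mozilla/5.0 (Windows NT 6.1)" "" ""\n'
    '2013-11-26T08:10:02 "asmith" 10.0.0.7 403 "GET http://malware.test/x.exe HTTP/1.1" '
    '"Malicious Sites" "High Risk" "application/octet-stream" 0 "curl/7.29.0" '
    '"EICAR-Test-File" "Blocked by URL Filter"\n')
NO_HEADER_LOG = GOOD_LOG.split("\n", 1)[1]          # elisowash's situation: no header at all
MISMATCH_LOG = HEADER + "\n" + (                      # header fine, body disagrees with it
    '2013-11-26T08:10:03 "jdoe" 10.0.0.5 200 "GET http://example.com/a HTTP/1.1" '
    '"Business" "Minimal Risk" "text/html" 10 Mozilla/5.0 "" ""\n'          # user_agent unquoted
    '2013-11-26T08:10:04 "jdoe" 10.0.0.5 200 "GET http://example.com/b HTTP/1.1" '
    '"Business" "Minimal Risk" "text/html" 10 Mozilla/5.0 (Windows NT 6.1) "" ""\n')  # splits into extra columns

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("no header", NO_HEADER_LOG), ("mismatch", MISMATCH_LOG)):
        print(label, check_access_log(log))
```

Run it against the first few lines of a fresh access log (the header plus a handful of body lines, with sensitive values masked but the structure left intact, as sroering asks) and the report tells you which of the two cases you are in: `bad_lines` starting at line 1 means no usable header, while a good header with every body line flagged means the header and the logging rule's output do not agree.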