MWR and CEF logging

I want Web Reporter to pick up the access.log file on my appliances, and I'd also like to push CEF via rsyslog.

I'm getting

2013-11-26 08:15:23,566 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Begin retrieving log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing.

2013-11-26 08:15:24,942 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Successfully retrieved log file 'access1311261255.log' into log parsing.

2013-11-26 08:15:24,958 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) End copying log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing

2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Begin processing file 'access1311261255.log20131126-081524832.dat'.

2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Finish counting: [0 seconds to complete]  File='C:\Program Files\McAfee\Web Reporter (64-bit)\reporter\jboss\bin\..\..\tmp\logparsing\processing\access1311261255.log20131126-081524832.dat' contains 56 lines and 15667 bytes.

2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Invalid parser, parser initialization failed, id='WebWasherV1'

2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) access1311261255.log20131126-081524832.dat: processing failed:Unable to determine log format due to invalid parser ID.

2013-11-26 08:15:25,083 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Aborted processing file 'access1311261255.log20131126-081524832.dat': 0 lines processed with 0 errors.

in my MWR logs, and I have a feeling it's because I imported the CEF rules. My CEF logs are making it over to my syslog listener just fine, but I'd like MWR to consume them too.

I've checked all my Policy and Settings related to logging, and everything looks appropriate, but if I'm honest, I don't remember what the defaults were. I'm kind of stuck - what else should I look for?

5 Replies

Re: MWR and CEF logging

I'm not sure what CEF is, or where you are trying to push it, but Web Reporter only processes access logs.

Regarding your error, there is a problem with the log header. Possibly a missing space, or missing quote, or missing column that is required (ex: "req_line"). Can you post the log header and a screenshot of the logging rule?

Re: MWR and CEF logging

CEF: Common Event Format, https://community.mcafee.com/docs/DOC-4703

I'm pushing to Splunk, not Arcsight, but they do essentially the same job.

As far as my access.log goes, I'm not writing a header (which is a problem?):

[screenshot: access-settings.png]

Here's my policy:

[screenshot: access.png]

Message was edited by: elisowash on 11/26/13 10:32:34 AM CST

Re: MWR and CEF logging

Yes, that would be a problem.  Try this for a log header.

#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"

Re: MWR and CEF logging

No joy....I guess I don't understand the purpose and function of the log header. The product guide is super helpful: "Specifies a header for all log files." That clears things right up.

Can you point me towards a good resource for this?

Re: MWR and CEF logging

Never hire this guy to write documentation. 🙂   Web Reporter needs the log header to understand the log format. That is how the "auto-discover" works.  It will only apply to new access logs, so old ones will still fail.  If jobs fail, it is because Web Reporter couldn't find a valid header.  So even if the header is valid, but doesn't match the body, the job would still show successful, but with 100% errors.

So I need to know if the jobs are successful or still failing, that is the big clue.  If possible, take one of the new access logs and post the first few lines, including the header.  You can xxx out any sensitive values, just don't change the structure of the lines.

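The header/body agreement the last two replies describe (the suggested header line, and a job that "succeeds" with 100% errors when the body does not match that header), as an added example that is not Web Reporter's own parser: it reads the `#` header, maps each body line onto it, and reports lines whose column count or quoting disagrees. The body lines and the bracketed time_stamp format are constructed assumptions, not log data from the thread.

```python
import re

# Added example: validate that an MWG access log's body lines match the column
# layout declared in its "#" header, which Web Reporter's auto-discover relies on.
TOKEN_RE = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')   # quoted, [bracketed], or bare token

# Header suggested in the thread; quoted names mean the value is double-quoted.
HEADER = ('#time_stamp "auth_user" src_ip status_code "req_line" "categories" '
          '"rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"')

# Constructed body lines (not from the thread; time_stamp format assumed). The last line
# is missing the block_res column and must be reported as an error, not silently accepted.
SAMPLE_LOG = "\n".join([
    HEADER,
    '[26/Nov/2013:08:10:01 +0100] "jdoe" 10.0.0.5 200 "GET http://example.com/ HTTP/1.1" '
    '"Business" "Minimal Risk" "text/html" 1532 "Mozilla/5.0" "" ""',
    '[26/Nov/2013:08:10:02 +0100] "jdoe" 10.0.0.5 403 "GET http://example.net/x.exe HTTP/1.1" '
    '"Malicious Sites" "High Risk" "application/octet-stream" 0 "Mozilla/5.0" "EICAR" "Blocked"',
    '[26/Nov/2013:08:10:03 +0100] "" 10.0.0.6 200 "GET http://example.org/ HTTP/1.1" '
    '"News" "Minimal Risk" "text/html" 871 "curl/7.29" ""',
])


def parse_header(line):
    # Return [(field_name, is_quoted)] from a '#'-prefixed header line.
    if not line.startswith("#"):
        raise ValueError("log header must begin with '#'")
    return [(tok.strip('"'), tok.startswith('"')) for tok in TOKEN_RE.findall(line[1:])]


def parse_body_line(line, fields):
    """Map one body line onto the header fields; raise if the shape differs."""
    toks = TOKEN_RE.findall(line)
    if len(toks) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(toks)}")
    record = {}
    for (name, quoted), tok in zip(fields, toks):
        if quoted != tok.startswith('"'):
            raise ValueError(f"column {name!r}: quoting does not match header")
        record[name] = tok[1:-1] if tok[0] in '"[' else tok   # strip quotes/brackets
    return record


def process_log(text):
    """Return (records, errors); errors are (line_no, message), one per bad line."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = parse_header(lines[0])
    records, errors = [], []
    for line_no, line in enumerate(lines[1:], start=2):
        try:
            records.append(parse_body_line(line, fields))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return records, errors
```

Run `process_log(SAMPLE_LOG)` on a real log's first few lines to see which line and column first disagrees with the header before handing the file to Web Reporter.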
