
McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Hi Experts,

I am trying to integrate the McAfee Web Gateway ver. 7 with the Symantec Security Information Manager (SIEM tool), but I am not aware of how to successfully integrate it with SSIM.

I have followed up with McAfee Support but failed to do so with their suggestions as well, and I do not have much hands-on experience with the MWG product either.

My goal is to capture the access logs of MWG in SSIM using syslog forwarding, or any other way there is to integrate it with SSIM.

I will be very grateful to all of you guys for any kind of help on this.

Message was edited by: shahnawaz.kohati@gmail.com on 9/5/12 9:53:54 AM CDT
0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


I misread your original email. I thought you already had the rule in the access log, but that was a previous screenshot.

Go into the Log handler Rule and add a new rule to the end of the access log:

Capture.jpg

Next

Capture2.jpg

Next

Capture3.jpg

Next

Capture4.jpg

Parameters button

Capture5.jpg

Parameter 2

Capture6.jpg

Save.

Then make the changes to rsyslog.conf as described in the previous message.

This will syslog our default access log format to SSIM, however, we have no idea if that format is acceptable to that product and if it will parse properly.

0 Kudos
10 Replies

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Hi,

Can anybody help me in creating this setting in the MWG console? I need detailed step-by-step information.

(highlighted in blue box).

Setting shud b like this.JPG

0 Kudos
eelsasser
Level 15

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


The only thing you are missing is setting rsyslog.conf to forward the traffic to the IP of the syslog server.

Capture.jpg

0 Kudos
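
An rsyslog.conf forwarding fragment of the kind the reply above refers to, added here as an example; it is not the poster's configuration, which was only shown in the screenshot. The `daemon.info` selector, the collector address 192.0.2.10, port 514, the spool directory and the queue file name are assumptions; match the selector to the facility and level used by the syslog event in the MWG Log Handler rule.

```conf
# /etc/rsyslog.conf on the MWG appliance (added example, legacy rsyslog syntax)
# Assumptions: the Log Handler rule emits access-log lines as daemon.info,
# and the SSIM collector listens at 192.0.2.10:514 (placeholder address).

# Spool directory for the disk-assisted queue below (must already exist)
$WorkDirectory /var/lib/rsyslog

# Buffer messages while the collector is unreachable instead of dropping them.
# These directives apply to the next action only, and only help over TCP:
# a UDP send never reports failure, so nothing would ever be queued.
$ActionQueueType LinkedList
$ActionQueueFileName ssim_fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Forward the access-log lines: "@@" = TCP, a single "@" = UDP
daemon.info @@192.0.2.10:514

# Optional: keep the forwarded lines out of the local /var/log/messages by
# adding "daemon.!=info" to the existing selector for that file, e.g.
# *.info;daemon.!=info;mail.none;authpriv.none;cron.none    /var/log/messages
```

After restarting rsyslog, `logger -p daemon.info "mwg forward test"` on the appliance should produce a matching event on the collector if the selector and address are right.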

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Dear eelsasser,

Thank you very much for explaining this to me in detail. I am very grateful to you.

This works for me and now we are able to receive the access logs of MWG at the SIEM tool.

It's great to have a wonderful friend like you here.

0 Kudos
eelsasser
Level 15

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


You are welcome. I am happy to help.

0 Kudos

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Hi Eelsasser,

I need your help again. Can MWG version 7 forward logs to the McAfee ePO server? If yes, can you please let me know the procedure for doing so, in steps?

Waiting for your update on this thread at the earliest...

0 Kudos
eelsasser
Level 15

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


MWG does not send logs directly to ePO. It can send some basic statistics and a few other integrations with ePO, but not the logs directly.

You CAN send the logs to Content Security Reporter. CSR is the successor to Web Reporter.

CSR is a reporting tool that accepts logs, processes them into a database, and allows the output to be viewed in ePO.

You need to create a CSR server and load the software, then connect it to ePO to generate dashboards, queries and reports.

0 Kudos

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Dear Eelsasser,

Do we have any document regarding this, or any link or product document?

0 Kudos

Re: McAfee Web Gateway ver. 7 to be integrated with SIEM tool (Symantec Security Information Manager).


Dear Eelsasser,

Do we have any option here in the MWG console to forward the access logs of MWG to the ePO server or the CSR server?

And do we have a DB for these MWG logs, so that I can create a user on the DB to read the logs, and the same user can be configured on the SIEM tool to capture the logs at the SIEM?

Can you please brief me about the ePO component and Content Security Reporter in MWG?

0 Kudos