Re: Sending McAfee Web Gateway 7.6 audit log to SIEM
Depending on your exact version of 7.6 (I want to say it was introduced in 18.104.22.168), you can enable sending audit logs to syslog directly within the appliance. This will send to local syslog, but then you can enable forwarding within the rsyslog.conf file for the appliances.
Sending audit logs to syslog:
Go into the Configuration section of the MWG UI
Expand "Appliances," and for each appliance in the cluster (in case you have more than 1), go into the "Log File Manager" settings
Scroll down to and expand the section titled "Settings for the Audit Log"
Check the box for "Write audit log to syslog."
Forwarding to a remote syslog server (e.g. SIEM or any other log handler):
Go into the Configuration section of the MWG UI (you'll already be there if you just completed the steps above)
Click the "File Editor" tab
For each appliance in the cluster (in case you have more than 1), click on "rsyslog.conf"
Add a line for forwarding to the syslog destination. If you're familiar with rsyslog or want to research ways to customize it, you may come up with a more or less specific way that you wish to forward events, but this simple line would do the trick (where "x.x.x.x" is the IP address or hostname of your SIEM receiver):
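An added example, not the original poster's line: forwarding rules for rsyslog.conf written in rsyslog's legacy directive syntax, showing plain UDP forwarding next to TCP forwarding with a disk-assisted queue so audit events are buffered while the receiver is unreachable. The "x.x.x.x" placeholder is the one from the post; port 514, the work directory, the queue file name, the disk limit and the catch-all `*.*` selector are assumptions.

```conf
# Added example for rsyslog.conf (legacy directive syntax).
# Assumptions: receiver x.x.x.x, port 514, work directory /var/lib/rsyslog,
# queue file name "siem_fwd", 100 MB disk limit. Adjust to your environment.

# Option A: UDP (single @). Fire-and-forget: events are dropped silently
# if the receiver is down or the network loses the packet.
#*.* @x.x.x.x:514

# Option B: TCP (double @@) with a disk-assisted queue. The queue
# directives apply to the next action only, so they must come directly
# before the forwarding line.
$WorkDirectory /var/lib/rsyslog      # spool location (assumed path; must exist)
$ActionQueueType LinkedList          # in-memory queue, decoupled from local logging
$ActionQueueFileName siem_fwd        # setting a file name enables spill-to-disk
$ActionQueueMaxDiskSpace 100m        # cap on spooled data while the receiver is down
$ActionQueueSaveOnShutdown on        # keep queued events across an rsyslog restart
$ActionResumeRetryCount -1           # retry forever instead of discarding
*.* @@x.x.x.x:514

# "*.*" forwards everything local syslog receives, not only audit entries.
# The facility and priority the audit log is written with are not stated
# in the post; once you have confirmed them in the local syslog output,
# replace "*.*" with that narrower selector.
```

To check the result, make a harmless configuration change in the UI and confirm that the matching audit entry arrives at the receiver.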