
Sending McAfee Web Gateway 7.6 audit log to SIEM

How can we send the audit log of McAfee Web Gateway 7.6 to a SIEM with syslog? Currently syslog is sending only the access log to the SIEM.

0 Kudos
3 Replies
catdaddy
Level 20

Re: Sending McAfee Web Gateway 7.6 audit log to SIEM

Moved from Community Support to Web Gateway > Discussions

For better exposure and assistance...

By

Moderator

Cliff
McAfee Volunteer
0 Kudos

Re: Sending McAfee Web Gateway 7.6 audit log to SIEM

Hi,

Depending on your exact version of 7.6 (I want to say it was introduced in 7.6.2.0), you can enable sending audit logs to syslog directly within the appliance. This will send to local syslog, but then you can enable forwarding within the rsyslog.conf file for the appliances.

Sending audit logs to syslog

  1. Go into the Configuration section of the MWG UI
  2. Expand "Appliances," and for each appliance in the cluster (in case you have more than 1), go into the "Log File Manager" settings
  3. Scroll down to and expand the section titled "Settings for the Audit Log"
  4. Check the box for "Write audit log to syslog."

Forwarding to a remote syslog server (e.g. SIEM or any other log handler):

  1. Go into the Configuration section of the MWG UI (you'll already be there if you just completed the steps above)
  2. Click the "File Editor" tab
  3. For each appliance in the cluster (in case you have more than 1), click on "rsyslog.conf"
  4. Add a line for forwarding to the syslog destination. If you're familiar with rsyslog or want to research ways to customize it, you may come up with a more or less specific way that you wish to forward events, but this simple line would do the trick (where "x.x.x.x" is the IP address or hostname of your SIEM receiver):

For syslog over UDP:

:msg, contains, "WebGateway"    @x.x.x.x:514

For syslog over TCP:

:msg, contains, "WebGateway"    @@x.x.x.x:514

McAfee Employee

Re: Sending McAfee Web Gateway 7.6 audit log to SIEM

Hi!

I just updated the syslog guide to include steps for sending the audit log info to syslog:

This can be done in two steps:

1. Enable the option for writing audit log to syslog

2. Update the syslog config to send audit log events to the remote SIEM

Best Regards,

Jon
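
An added example, not part of the replies above or of McAfee's guide: a small Python check that reads the text of an rsyslog.conf, lists its legacy-format forwarding rules with their transport (`@` is UDP, `@@` is TCP, as in the lines given earlier in the thread), and evaluates the `:msg, contains, "WebGateway"` filter against a message. The sample config, the address 192.0.2.10 and the log messages are constructed for illustration.

```python
import re

# Legacy rsyslog rule: "<filter>  @host[:port]" (UDP) or "<filter>  @@host[:port]" (TCP).
RULE = re.compile(
    r'^(?P<filter>.+?)\s+(?P<at>@@?)(?P<host>[^\s:;@]+)(?::(?P<port>\d+))?\s*$')
# Property-based filter in the form used in the thread: :msg, contains, "WebGateway"
PROP = re.compile(r'^:(?P<prop>\w+),\s*(?P<op>\w+),\s*"(?P<value>[^"]*)"$')

def forwarding_rules(conf_text):
    """Return every remote-forwarding rule found in an rsyslog.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = RULE.match(line)
        if m:
            rules.append({
                "filter": m["filter"],
                "transport": "tcp" if m["at"] == "@@" else "udp",
                "host": m["host"],
                "port": int(m["port"] or 514),  # rsyslog forwards to 514 if no port is given
            })
    return rules

def msg_matches(rule_filter, msg):
    """Evaluate a ':msg, contains, ...' filter; rsyslog's 'contains' is case-sensitive."""
    m = PROP.match(rule_filter)
    if not m or m["prop"] != "msg" or m["op"] != "contains":
        raise ValueError("only the ':msg, contains' form is handled here")
    return m["value"] in msg

# Constructed sample config, not taken from a real appliance.
SAMPLE_CONF = '''\
# local logging
*.info;mail.none    /var/log/messages
:msg, contains, "WebGateway"    @@192.0.2.10:514
'''

if __name__ == "__main__":
    for rule in forwarding_rules(SAMPLE_CONF):
        print(rule["transport"], rule["host"], rule["port"], rule["filter"])
        # Constructed messages: only the first carries the exact string the filter needs.
        for msg in ("WebGateway audit: admin login", "webgateway audit: admin login"):
            print("  forwarded" if msg_matches(rule["filter"], msg) else "  dropped", "-", msg)
```

Running it against each appliance's rsyslog.conf text shows whether the forwarding line is present on every cluster member and whether it uses UDP or TCP.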