Level 7
Message 1 of 4

Sending logs to the SIEM server (EMS)

Hello friends,

I come to ask for help.

I configured the Web Gateway to send logs to SIEM.

I followed the link:

https://community.mcafee.com/t5/Enterprise-Documents/Web-Gateway-Understanding-syslog-send-logs-to-y...

The first action was to change the rsyslog.conf

siem1.PNG

siem2.PNG

The second action was to import the rules for sending logs.

siem3.PNG

That rule is in the article.

Finally, I enabled the following option in the settings.

siem4.PNG

Are the settings correct?

Is there any configuration missing?

Thank You

1 Solution

Accepted Solutions
McAfee Employee
Message 4 of 4

Re: Sending logs to the SIEM server (EMS)

Hi,

From the screenshot provided, I see Send to Syslog present but in a disabled state. Just to confirm, did you enable it and check? Enable it, and once this rule triggers it should send access.log in Nitro format to the configured destination server.

You can take a packet capture on port 514 to see whether MWG is sending or not. Also, you have configured syslog to send data using UDP.

Regards

Alok Sarda
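
The check suggested in the reply above, as an added example that is not part of the original thread or of McAfee's tooling: a small UDP listener for the receiving side that decodes each datagram's syslog priority, so you can see whether lines arrive on port 514 and with which severity. It assumes the `6` in the rule is the standard syslog "info" severity; the sample datagrams and the host name in them are constructed.

```python
import re
import socket

# Standard syslog severity and facility names, indexed by their numeric codes.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_datagram(data: bytes) -> dict:
    """Split one syslog UDP payload into facility, severity and message text."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:
        # No valid <PRI> header: not syslog, or garbled in transit.
        return {"valid": False, "raw": data.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"valid": True,
            "facility": FACILITIES[pri >> 3],   # PRI = facility * 8 + severity
            "severity": SEVERITIES[pri & 7],
            "message": data[m.end():].decode("utf-8", "replace").rstrip("\r\n")}

def summarize(datagrams, expected_severity="info"):
    """Count datagrams received, malformed, and carrying the expected severity."""
    parsed = [parse_datagram(d) for d in datagrams]
    return {"received": len(parsed),
            "invalid": sum(not p["valid"] for p in parsed),
            "matching": sum(p["valid"] and p["severity"] == expected_severity
                            for p in parsed)}

def listen(bind_addr="0.0.0.0", port=514, timeout=30.0):
    """Print every datagram that arrives; return the count seen before timeout."""
    count = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))  # ports below 1024 need root privileges
        sock.settimeout(timeout)
        try:
            while True:
                data, (src, _) = sock.recvfrom(65535)
                count += 1
                print(src, parse_datagram(data))
        except socket.timeout:
            return count

# Constructed sample payloads (not captured from a real appliance).
SAMPLES = [b"<30>Mar  1 12:00:00 mwg-example mwg: constructed access log line",
           b"<27>Mar  1 12:00:01 mwg-example mwg: constructed error line",
           b"line without a priority header"]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Run `listen()` on a test host, or with the real collector stopped, since only one process can bind UDP 514. UDP is unacknowledged, so a count of zero does not tell you whether the appliance sent nothing or a firewall dropped the packets; a capture on the sending side separates the two.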

3 Replies
McAfee Employee
Message 2 of 4

Re: Sending logs to the SIEM server (EMS)

Hi,

Hope you are doing well.

One quick thing here: the Send to Syslog rule should be enabled in your log handler rule, or else the syslog event should be called in the rule.

Below is an example:


Name: Send to syslog
Criteria: Always
Action: Continue
Event: Syslog (6, User-Defined.logLine)

Information for this is present in the link below:

Regards
Alok Sarda
Level 7
Message 3 of 4

Re: Sending logs to the SIEM server (EMS)

It includes the rule and I was not successful.

Any tips?

Thank You.
