infosecjeff
Level 7

Web Gateway 7.2 and HP ArcSight access logs


Has anyone had the pleasure of configuring the log handler for ArcSight?  I'm looking for some guidance on how they need the access logs delimited.

0 Kudos
1 Solution

Accepted Solutions
cnewman
Level 10

Re: Web Gateway 7.2 and HP ArcSight access logs


That is 100% correct. But I can help a bit more.

The smart connector was created for MWG 6, and last I saw on the arcsight site they hadn't updated the instructions. You could easily make MWG7 produce that format. If you want to use the connector and punch the raw logs over, that is the way to go.

However, if you want to do syslog and get realtime data, you need to go CEF and syslog.

Buyer beware: I would test on a non-production setup first, and keep in mind this is extremely chatty. If you generate 500 req/s, that's 500 events/s.

I have a CEF format from previously; see link with instructions. You can modify to taste; depending on the ArcSight admin, I have seen directionality become a discussion point.

Regards,

--CN

0 Kudos
4 Replies
btlyric
Level 12

Re: Web Gateway 7.2 and HP ArcSight access logs


You have three choices.

There is an ArcSight SmartConnector for MWG. Theoretically, that would handle the default access.log format that ships with the product.

You could send whatever to ArcSight and then use a script on your logging collector to manipulate the data into CEF format.

You could build your CEF line in the MWG log handler.

If you google for arcsight common event format that will bring back a bunch of links, including the ArcSight guide to CEF and how to format log lines.

0 Kudos
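Building the CEF line yourself (the third option above) mostly comes down to the escaping rules in the ArcSight CEF guide: pipes and backslashes must be escaped in the seven header fields, equals signs and backslashes in the key=value extension. The Python below is an added example, not code from this thread, from McAfee or from ArcSight; the input record layout, the severity rule and the key mapping (src, suser, request, cs1 for the URL category) are assumptions, and a small parser round-trips the line to show the escaping survives.

```python
import re

# Constructed sample record, loosely modelled on a proxy access-log entry.
# The field names are assumptions, not MWG's own access.log layout.
SAMPLE_RECORD = {
    "client_ip": "10.1.2.3",
    "user": "jdoe",
    "method": "GET",
    "url": "http://example.com/path?a=1&b=2",   # '=' must be escaped in extension
    "dest_ip": "93.184.216.34",
    "dest_host": "example.com",
    "status": 200,
    "bytes_in": 1234,
    "bytes_out": 567,
    "action": "Allow",
    "category": "Tech|News",                     # '|' is legal in extension values
}

def _esc_header(value) -> str:
    # Header fields: backslash and pipe are the only characters to escape.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value) -> str:
    # Extension values: escape backslash and '=', encode line breaks as \r \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(rec, vendor="McAfee", product="Web Gateway", version="7.2") -> str:
    # Severity 0-10; assumed rule: blocked requests rate higher than allowed ones.
    severity = 5 if rec["action"].lower() == "block" else 1
    ext = {
        "src": rec["client_ip"], "suser": rec["user"],
        "requestMethod": rec["method"], "request": rec["url"],
        "dst": rec["dest_ip"], "dhost": rec["dest_host"], "act": rec["action"],
        "in": rec["bytes_in"], "out": rec["bytes_out"],
        "cs1Label": "URLCategory", "cs1": rec["category"],
        "cn1Label": "HTTPStatus", "cn1": rec["status"],
    }
    header = "|".join(_esc_header(v) for v in
                      ("CEF:0", vendor, product, version, "access", "HTTP request", severity))
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

def parse_cef(line: str):
    # Split the header on unescaped pipes only; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]
    ext = {}
    # A value runs until the next " key=" token or end of line; "\x" is an escape.
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext
```

Feed the resulting line to syslog (one event per request) and ArcSight's CEF syslog connector will parse it without any custom parser on the collector.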
infosecjeff
Level 7

Re: Web Gateway 7.2 and HP ArcSight access logs


cnewman,

I would prefer to not send over the user-defined access logs since we are sending those to CSR, but I thought I saw someone write a rule to send the Web Gateway's audit log to a SIEM like ArcSight or Nitro.

0 Kudos
McAfee Employee

Re: Web Gateway 7.2 and HP ArcSight access logs


Hi All,

Do not use the arcsight connector!

It messes with the MWG's ability to rotate and delete its logs!

Syslog is the cleanest, easiest, and most supported route to go.

Best,

Jon

0 Kudos