As an MWG customer who's just implemented Nitro -- one customization that I find enormously useful in our access.log files, and that the defaults miss out on, is the inclusion of the remote server IP address and the HTTP referrer.
I'm curious how the MWG and Nitro team interacts and where to most effectively suggest the PER that the log grokking migrate in a direction that these get included by default.
When you're chasing down network forensics to see how a host stumbled onto some nastiness, in the days of fast-flux DNS and botnets using large numbers of fast-flux domains, if you're logging what the IP resolved to at the moment the request was made, you're missing stuff. 🙂
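To show what the two extra fields buy an analyst, here is an added example (not code from the original post, and not an MWG tool) that parses constructed access.log lines carrying the resolved server IP and the referrer. The line layout is an assumption modelled on a customised access.log rather than MWG's default format. With the server IP logged, requests to several rotating hostnames that all resolved to the same address can be grouped; with the referrer logged, the chain of requests that led one client to a final URL can be rebuilt.

```python
"""Forensic pivots over constructed MWG-style access-log lines that include
the resolved server IP and the HTTP referrer.  Added example; the field order
below is an assumption, not MWG's default access.log layout."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (assumed field order):
# [time] client_ip server_ip "METHOD url" status "referrer"
SAMPLE_LOG = """\
[21/Mar/2014:10:01:02 +0000] 10.0.0.15 203.0.113.7 "GET http://news.example.com/story" 200 "-"
[21/Mar/2014:10:01:05 +0000] 10.0.0.15 198.51.100.23 "GET http://ads.example.net/banner.js" 200 "http://news.example.com/story"
[21/Mar/2014:10:01:06 +0000] 10.0.0.15 198.51.100.23 "GET http://cdn-a.example.org/x.php" 302 "http://ads.example.net/banner.js"
[21/Mar/2014:10:01:07 +0000] 10.0.0.15 198.51.100.23 "GET http://cdn-b.example.org/download.bin" 200 "http://cdn-a.example.org/x.php"
[21/Mar/2014:10:02:30 +0000] 10.0.0.22 203.0.113.9 "GET http://mail.example.com/inbox" 200 "-"
"""

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client_ip>\S+) (?P<server_ip>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<referrer>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["host"] = urlsplit(rec["url"]).hostname or ""
            records.append(rec)
    return records


def hosts_by_server_ip(records):
    """Map each resolved server IP to the set of hostnames served from it."""
    index = defaultdict(set)
    for rec in records:
        index[rec["server_ip"]].add(rec["host"])
    return index


def shared_ip_hosts(records, min_hosts=2):
    """Server IPs that answered for several distinct hostnames.  This is the
    pattern domain-only logging hides when fast-flux domains rotate."""
    return {ip: sorted(hosts)
            for ip, hosts in hosts_by_server_ip(records).items()
            if len(hosts) >= min_hosts}


def referrer_chain(records, client_ip, final_url):
    """Walk referrers backwards from final_url for one client to reconstruct
    how that host arrived there (first-seen request wins on duplicate URLs)."""
    by_url = {}
    for rec in records:
        if rec["client_ip"] == client_ip:
            by_url.setdefault(rec["url"], rec)
    chain, url, seen = [], final_url, set()
    while url in by_url and url not in seen:
        seen.add(url)
        chain.append(url)
        url = by_url[url]["referrer"]
    return list(reversed(chain))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, hosts in shared_ip_hosts(recs).items():
        print(f"{ip} served {len(hosts)} hostnames: {', '.join(hosts)}")
    for step in referrer_chain(recs, "10.0.0.15", "http://cdn-b.example.org/download.bin"):
        print("  ->", step)
```

The `seen` set in `referrer_chain` guards against a page that lists itself as its own referrer, which would otherwise loop forever; the walk stops at the first request whose referrer was not logged for that client (here the `"-"` of a typed-in URL).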
The latest and greatest version of the McAfee SIEM/Nitro logging ruleset is available in the Content Security portal:
It was last updated April 4 2014. This thread is very old...
For a full best practice see the link below (but be sure to use the ruleset from the online ruleset library):
Jon
I have an issue. I would like to set up MWG to send syslog with only level 3 (Alert), compliant with PCI-DSS. I have configured it as in the screenshot below, but it is still receiving many other log entries. Does anyone have an idea about this? Many thanks for your comments.
It's a long shot, but hoping someone could help!
I've configured as per the above to log from the MWG to the McAfee SIEM.
Working pretty well, except for the fact that "BytesFromClient" and "BytesToClient" both record as "0" for all entries.
Has anyone come across this before?