2 Replies Latest reply on Apr 12, 2017 8:25 AM by jacek

    Email Notification for rule set changes in Web Gateway

    Prasanth Pavan

      Hi,

       

I have a McAfee Web Gateway running 7.6.2.10.0. I want to trigger an email notification to a few users whenever an administrator makes any changes to the rule sets.

       

      Is this possible? Please help.

       

      Regards,

      PRASANTH.

        • 1. Re: Email Notification for rule set changes in Web Gateway
          Jon Scholten

          Hi Prasanth,

           

          It is possible to notify when someone hits save changes, but we cannot distinguish between a ruleset change and a configuration change.

           

If you follow this guide it will help you set up a general notifications ruleset in the Error Handler:

          Best Practice: Incident Notifications and Dashboard Alerts

           

          The incident ID for saving changes is 1710, a failed save changes is 1711.

           

          Let me know if that helps.

           

          Best Regards,

          Jon

          • 2. Re: Email Notification for rule set changes in Web Gateway
            jacek

            I wrote a shell script which is run by cron before midnight.

All audit actions are in the file: /opt/mwg/log/audit/audit.log

             

/bin/awk 'BEGIN{ACTION="";CONTENT=""}{if ($0 ~ /^__/) {if(ACTION!="") print CONTENT; ACTION=""; CONTENT=""}; if($1=="Action" && $3 ~ /^(ADDED|DELETED|MODIFIED|MOVED)_/){ACTION=$3}; CONTENT=CONTENT "\n" $0}END{if(ACTION!="") print CONTENT}' /opt/mwg/log/audit/audit.log

             

What does this command do?

It looks for lines starting with __ (the separator between audit log entries).

It also looks for lines that begin with Action and have an ADDED_, DELETED_, MODIFIED_ or MOVED_ substring as the third field; if found, the value is saved to the ACTION variable.

All content (between __ lines) is temporarily saved to the CONTENT variable.

If ACTION is set and the entry separator __ is matched (or the end of the file is reached), CONTENT is printed to the console.

             

The result can be saved to a file, sent with syslog, or sent by email (I use netcat to do this).
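The same filter as an added example in Python (not from jacek's post or from McAfee's tooling): it parses audit.log into entries, keeps only the ADDED_/DELETED_/MODIFIED_/MOVED_ actions, flushes the final entry even when no separator follows it, and builds the notification mail with the standard library. The audit.log layout and the sample entries are assumptions, constructed to match the post's description.

```python
# Added example, not from the original post. Assumed audit.log layout: entries
# separated by lines starting with "__", one "Action : <NAME>" line per entry.
import re
from email.message import EmailMessage

CHANGE_ACTIONS = re.compile(r"^(ADDED|DELETED|MODIFIED|MOVED)_")
# Constructed sample. No trailing separator, so the last entry must be flushed.
SAMPLE_LOG = """\
________________
User : admin
Action : LOGIN
________________
User : admin
Action : MODIFIED_RULE_SET
________________
User : admin
Action : DELETED_RULE
"""

def parse_entries(text):
    """Split on separator lines; return a list of entries (each a list of lines)."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith("__"):
            if current:
                entries.append(current)
            current = []
        else:
            current.append(line)
    if current:  # final entry without a trailing separator
        entries.append(current)
    return entries

def change_entries(text):
    """Keep entries whose Action is ADDED_/DELETED_/MODIFIED_/MOVED_ (policy edits)."""
    keep = []
    for entry in parse_entries(text):
        fields = [ln.split() for ln in entry]
        if any(len(f) >= 3 and f[0] == "Action" and CHANGE_ACTIONS.match(f[2]) for f in fields):
            keep.append(entry)
    return keep

def build_notification(text, sender, recipients):
    """Build (not send) the mail a nightly cron job would hand to an SMTP relay."""
    changes = change_entries(text)
    msg = EmailMessage()
    msg["Subject"] = f"MWG policy changes: {len(changes)}"
    msg["From"], msg["To"] = sender, ", ".join(recipients)
    msg.set_content("\n\n".join("\n".join(e) for e in changes) or "No changes recorded.")
    return msg
```

Hand the returned message to smtplib or a local relay in the cron job; the LOGIN entry is dropped because its action does not carry a change prefix.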