I really hope there is an answer for this. We have the same issue, and one thing I have stated is that if we can't EFFECTIVELY get the events into the ESM, we're going to really consider changing SIEM vendors. It's frustrating.
I know that McAfee and Nitro are still in their honeymoon phase, although support seems to have already moved overseas, and our account team is committed to helping us with this - but we've been trying to do this for about a year.
I'm attaching a rule set that we have used to get this working. The rule set you used looks mostly correct, but uses an old format that is no longer applicable.
Also, the event to send the log line to syslog has been changed to use priority 6 (info) in the one I am attaching instead of 1 (alert) in yours.
This rule set only sends the access log information to syslog. The next step is to configure syslog to send the events to Nitro.
This can be done under Configuration > File Editor > rsyslog.conf
First, find the line:
and change it to:
This prevents the new messages from being written to the messages file on the disk.
Next, add a line at the bottom indicating where to send the syslog messages (Nitro's address):
Of course, substitute the correct IP address after the @ symbol.
Note that both of these changes are dependent on the above-mentioned priority change, i.e.
Syslog (6, User-Defined.logLine)
instead of
Syslog (1, User-Defined.logLine)
Let me know if that helps or if you have any questions.
Nitro expects basically the default access.log configuration:
time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"
If you have that, just add the event to syslog at level 6 to the access.log configuration and make the changes to rsyslog.conf pointed out above.
I have tested the ruleset configuration that was posted previously but it seems that it is no longer valid with the newer versions of the Web Gateway. As Patrick stated, as long as the log is at the "Default" configuration, it will be accepted into the SIEM/Nitro configuration just fine.
I have added some additional screenshots to show how this should be configured:
Here is the logging rule configuration for the access.log on the Web Gateway:
Here is the configuration of the RSYSLOG.CONF file on the Web Gateway:
If you need to check whether the Web Gateway is sending the information correctly, log into the Web Gateway using SSH and run a TCPDUMP capture using the following:
tcpdump -Xni eth0 port 514 -w syslogcap.trace (You might need to change the interface depending on your configuration!)
When checking the capture, you should see data that looks like the access.log going over UDP port 514.
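To go one step beyond eyeballing the tcpdump output, here is an added example (my own code, not part of this thread and not McAfee's) that reads a pcap, pulls out every UDP datagram sent to port 514, checks that the syslog priority encodes severity 6 (info) rather than 1 (alert), and splits the message body into the 14 fields of the default access.log format quoted above. The pcap writer, the sample log line and the "<PRI>TIMESTAMP HOST TAG: MSG" message layout are my constructed assumptions so the script runs offline; point udp_payloads() at a real syslogcap.trace to check a live capture.

```python
"""Added example (not from the thread): validate UDP/514 syslog payloads
in a pcap against the default access.log field order and priority 6.

Assumptions (mine): RFC 3164 style messages "<PRI>TIMESTAMP HOST TAG: MSG",
the user facility (1), so info (6) gives PRI 14 and alert (1) gives PRI 9;
the pcap is little-endian with Ethernet link type.
"""
import struct

# Field names in the order of the default access.log configuration.
ACCESS_LOG_FIELDS = [
    "time_stamp", "auth_user", "src_ip", "status_code", "req_line",
    "categories", "rep_level", "media_type", "bytes_to_client",
    "bytes_from_client", "user_agent", "virus_name", "block_res",
    "application_name",
]

# Constructed sample line and syslog messages (not real traffic).
SAMPLE_LINE = ('[01/Jan/2024:12:00:00 +0000] "jdoe" 10.1.2.3 200 '
               '"GET http://example.com/ HTTP/1.1" "Business" "Minimal Risk" '
               '"text/html" 1234 567 "Mozilla/5.0" "" "" "HTTP"')
GOOD_MESSAGE = b"<14>Jan  1 12:00:00 webgateway access.log: " + SAMPLE_LINE.encode()
BAD_MESSAGE = b"<9>Jan  1 12:00:01 webgateway access.log: " + SAMPLE_LINE.encode()


def parse_pri(message: bytes):
    """Return (facility, severity) decoded from the leading <PRI>."""
    if not message.startswith(b"<"):
        raise ValueError("missing <PRI>")
    pri = int(message[1:message.index(b">")])
    return pri // 8, pri % 8


def tokenize(line: str):
    """Split on spaces but keep "..." fields and the [...] time stamp intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j]); i = j + 1
        elif line[i] == "[":
            j = line.index("]", i + 1)
            tokens.append(line[i:j + 1]); i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j < 0 else j
            tokens.append(line[i:j]); i = j
    return tokens


def split_access_log(line: str):
    """Map a default-format access.log line onto its 14 named fields."""
    tokens = tokenize(line)
    if len(tokens) != len(ACCESS_LOG_FIELDS):
        raise ValueError(f"expected {len(ACCESS_LOG_FIELDS)} fields, got {len(tokens)}")
    return dict(zip(ACCESS_LOG_FIELDS, tokens))


def build_pcap(datagrams):
    """Write (dst_port, payload) pairs as Ethernet/IPv4/UDP frames in a pcap (constructed)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, (dport, payload) in enumerate(datagrams):
        udp = struct.pack("!HHHH", 40000 + n, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), n, 0, 64, 17, 0,
                         bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out.append(struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def udp_payloads(pcap: bytes, dst_port=514):
    """Yield the payload of every UDP datagram to dst_port in the capture."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # IPv4 and UDP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        if dport == dst_port:
            yield udp[8:ulen]


def check_capture(pcap: bytes):
    """Per UDP/514 datagram: severity, parsed fields and a list of problems."""
    report = []
    for payload in udp_payloads(pcap):
        entry = {"severity": None, "fields": None, "problems": []}
        try:
            _, entry["severity"] = parse_pri(payload)
            body = payload.decode("utf-8").split(": ", 1)[1]   # text after "TAG: "
            entry["fields"] = split_access_log(body)
        except (ValueError, IndexError) as exc:
            entry["problems"].append(str(exc))
        if entry["severity"] != 6:
            entry["problems"].append(f"severity {entry['severity']} is not 6 (info)")
        report.append(entry)
    return report


if __name__ == "__main__":
    capture = build_pcap([(514, GOOD_MESSAGE), (514, BAD_MESSAGE), (53, b"not syslog")])
    for entry in check_capture(capture):
        print(entry["problems"] or "OK", entry["fields"] and entry["fields"]["req_line"])
```

The two datagrams on port 514 show the point of the priority change: the PRI 14 message passes, the PRI 9 (alert) message is flagged, and the port 53 datagram is ignored, which is the same filter a real capture on "port 514" gives you.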