Please help create a ruleset for sending events to Nitro SIEM. My ruleset is attached to the post, but it is not working. I do see that MWG sends events to the Nitro IP via Syslog...
I really hope there is an answer for this. We have the same issue, and one thing I have stated is that if we can't EFFECTIVELY get the events into the ESM, we're going to really consider changing SIEM vendors. It's frustrating.
I know that McAfee and Nitro are still in their honeymoon phase, although support seems to have already moved overseas, and our account team is committed to helping us with this - but we've been trying to do this for about a year.
I'm attaching a rule set that we have used to get this working. The rule set you used looks mostly correct, but uses an old format that is no longer applicable.
Also, the event to send the log line to syslog has been changed to use priority 6 (info) in the one I am attaching instead of 1 (alert) in yours.
This rule set only sends the access log information to syslog. The next step is to configure syslog to send the events to Nitro.
This can be done under Configuration > File Editor > rsyslog.conf
First, find the line:
and change it to:
This prevents the new messages from being written to the messages file on the disk.
Next, add a line at the bottom indicating where to send the syslog messages (Nitro's address):
Of course, substitute the correct IP address after the @ symbol.
Note that both of these changes here are dependent on the above-mentioned priority change, i.e.
Syslog (6, User-Defined.logLine)
Syslog (1, User-Defined.logLine)
Let me know if that helps or if you have any questions.
Has anyone tried this rule set on Web Gateway 22.214.171.124? I get an import error "Ruleset migration failed. could not detect version". I have a newly installed McAfee ESM version 9.2.1.
Nitro expects basically the default access.log configuration:
time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"
If you have that, just add the event to syslog at level 6 to the access.log configuration and make the changes to rsyslog.conf pointed out above.
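As an added example (not code from the thread, McAfee or Nitro), the following parses lines in the access.log layout quoted above into named fields and flags lines whose field count or types do not match, which is a useful check before pointing rsyslog at the ESM. The bracketed timestamp form and the sample lines are assumptions I constructed; the thread only shows time_stamp unquoted.

```python
import ipaddress
import re
from typing import Optional

# Field names in the order of the access.log layout quoted in the thread.
ACCESS_LOG_FIELDS = [
    "time_stamp", "auth_user", "src_ip", "status_code", "req_line",
    "categories", "rep_level", "media_type", "bytes_to_client",
    "bytes_from_client", "user_agent", "virus_name", "block_res",
    "application_name",
]
INT_FIELDS = {"status_code", "bytes_to_client", "bytes_from_client"}

# One token is a double-quoted string, a [bracketed] timestamp, or a bare word.
# The bracketed form is an assumption; the thread shows time_stamp unquoted.
TOKEN_RE = re.compile(r'"([^"]*)"|\[([^\]]*)\]|(\S+)')


def parse_access_log_line(line: str) -> Optional[dict]:
    """Split one access.log line into named fields; None if the layout differs."""
    tokens = [next(g for g in m.groups() if g is not None)
              for m in TOKEN_RE.finditer(line.strip())]
    if len(tokens) != len(ACCESS_LOG_FIELDS):
        return None  # field count differs from what the SIEM parser expects
    event = dict(zip(ACCESS_LOG_FIELDS, tokens))
    try:
        ipaddress.ip_address(event["src_ip"])  # src_ip must be a valid address
        for name in INT_FIELDS:
            event[name] = int(event[name])  # numeric fields must be integers
    except ValueError:
        return None  # a value sits in the wrong position or has the wrong type
    return event


def audit_log_lines(lines):
    """Return (parsed events, 1-based numbers of malformed lines) for a batch."""
    events, malformed = [], []
    for number, line in enumerate(lines, start=1):
        event = parse_access_log_line(line)
        if event is None:
            malformed.append(number)
        else:
            events.append(event)
    return events, malformed


# Constructed sample lines: the first follows the layout, the second is truncated.
SAMPLE_LINES = [
    '[24/Jan/2014:10:30:00 +0100] "jdoe" 10.1.2.3 403 "GET http://example.com/ HTTP/1.1" '
    '"Malicious Sites" "High Risk" "text/html" 512 0 "Mozilla/5.0" "" "Malicious Sites" ""',
    '[24/Jan/2014:10:30:01 +0100] "jdoe" 10.1.2.3 200 "GET http://example.com/ HTTP/1.1"',
]
```

Running audit_log_lines(SAMPLE_LINES) over a real access.log sample before enabling the syslog event shows which lines the ESM parser would not be able to map to fields.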