3705 Views 8 Replies Latest reply: Aug 15, 2013 4:59 PM by pbrickey
ivan.s Newcomer 18 posts since
Aug 30, 2011

Jun 22, 2012 7:12 AM

Web Gateway and Nitro SIEM

Please help create a ruleset for sending events to Nitro SIEM. My ruleset is attached to the post but it is not working, though I see that MWG sends events to the Nitro IP via Syslog...

Attachments:
  • kent.dyer Newcomer 19 posts since
    Aug 1, 2011
    1. Jun 22, 2012 8:26 AM (in response to ivan.s)
    Re: Web Gateway and Nitro SIEM

    I really hope there is an answer for this.  We have the same issue, and one thing I have stated is that if we can't EFFECTIVELY get the events into the ESM, we're going to really consider changing SIEM vendors.  It's frustrating.

     

    I know that McAfee and Nitro are still in their honeymoon phase, although support seems to have already moved overseas, and our account team is committed to helping us with this - but we've been trying to do this for about a year.

  • jnemitz McAfee SME 5 posts since
    Nov 6, 2009
    2. Jun 22, 2012 9:10 AM (in response to ivan.s)
    Re: Web Gateway and Nitro SIEM

    Hi Ivan,

     

    I'm attaching a rule set that we have used to get this working.  The rule set you used looks mostly correct, but uses an old format that is no longer applicable. 

    Also, the event to send the log line to syslog has been changed to use priority 6 (info) in the one I am attaching instead of 1 (alert) in yours.

     

    This rule set only sends the access log information to syslog.  The next step is to configure syslog to send the events to Nitro.

    This can be done under Configuration > File Editor > rsyslog.conf

     

    First, find the line:

    *.info;mail.none;authpriv.none;cron.none                /var/log/messages

    and change it to:

    *.info;daemon.!=info;mail.none;authpriv.none;cron.none                -/var/log/messages

     

    This prevents the new messages from being written to messages file on the disk.

     

    Next, add a line at the bottom indicating where to send the syslog messages (Nitro's address):

    For example:

    daemon.info    @192.168.1.5

     

    Of course, substitute the correct IP address after the @ symbol.

     

    Note that both of these changes here are dependent on the above-mentioned priority change, i.e.

    Syslog (6, User-Defined.logLine)

    instead of:

    Syslog (1, User-Defined.logLine)

     

    Let me know if that helps or if you have any questions.

     

    Regards,


    John

  • ericklans Apprentice 56 posts since
    Nov 17, 2011
    3. Jul 9, 2012 11:54 PM (in response to jnemitz)
    Re: Web Gateway and Nitro SIEM

    Hi John and Ivan!

     

    Did you solve this task? To send log files from MWG to SIEM, do I just need to do the steps that John released? Or do I need both attachments?

  • jnemitz McAfee SME 5 posts since
    Nov 6, 2009
    4. Jul 10, 2012 10:37 AM (in response to ericklans)
    Re: Web Gateway and Nitro SIEM

    Hi ericklans,

     

    You should be able to get it working with just the rule set that I attached and the changes to the rsyslog.conf file.

     

    Regards,

     

    John

  • April Jacobs McAfee Employee 1,516 posts since
    Nov 1, 2009
    5. Oct 19, 2012 5:19 PM (in response to ivan.s)
    Re: Web Gateway and Nitro SIEM

    We've created a new SIEM community here: https://community.mcafee.com/community/business/siem

  • ericklans Apprentice 56 posts since
    Nov 17, 2011
    6. Dec 7, 2012 6:04 AM (in response to jnemitz)
    Re: Web Gateway and Nitro SIEM

    Hello, John!

     

    Can you tell me, please, how to change this rule to send just syslog?

    I don't need to log who looked where in browsers, just system logs.

     

    Thanks

  • slhkm Newcomer 1 posts since
    Sep 30, 2011
    7. Aug 15, 2013 1:36 PM (in response to jnemitz)
    Re: Web Gateway and Nitro SIEM

    Has anyone tried this rule set on Web Gateway 7.3.2.2? I get an import error "Ruleset migration failed. could not detect version". I have a newly installed McAfee ESM version 9.2.1.

  • pbrickey McAfee Employee 79 posts since
    Oct 13, 2011
    8. Aug 15, 2013 4:59 PM (in response to slhkm)
    Re: Web Gateway and Nitro SIEM

    Greetings,

     

    Nitro expects basically the default access.log configuration:

     

    time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"

     

    If you have that, just add the event to syslog at level 6 to the access.log configuration and make the changes to rsyslog.conf pointed out above.

     

    -Patrick.
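Added example (not code from the thread or from McAfee): a small Python model of the two pieces the replies above rely on. The first half evaluates John's rsyslog selector lists the way rsyslog applies them cumulatively, so you can confirm that a gateway event at priority 6 (info) on the daemon facility (the facility John's `daemon.info` forwarding line implies) is kept out of /var/log/messages yet still forwarded, while the original priority 1 (alert) is not. The second half splits a line in the default access.log layout Patrick quotes into named fields; the bracketed time stamp format and the sample line are constructed assumptions, not captured output.

```python
import re
# RFC 3164 numbers: PRI = facility * 8 + severity; the gateway logs as daemon.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
# The /var/log/messages selector list before and after John's edit, plus the
# forwarding line added at the bottom of rsyslog.conf.
MESSAGES_RULE_OLD = "*.info;mail.none;authpriv.none;cron.none"
MESSAGES_RULE_NEW = "*.info;daemon.!=info;mail.none;authpriv.none;cron.none"
FORWARD_RULE = "daemon.info"

def rule_matches(rule, facility, severity):
    """Evaluate a sysklogd-style selector list as rsyslog does: each selector
    updates a per-facility set of accepted severities in order, so 'daemon.!=info'
    after '*.info' removes exactly daemon/info. Handles level, !=level, none, '*'."""
    accepted = {f: set() for f in FACILITIES.values()}
    for sel in rule.split(";"):
        fac_part, level_part = sel.strip().split(".", 1)
        facs = FACILITIES.values() if fac_part == "*" else [FACILITIES[fac_part]]
        for f in facs:
            if level_part == "none":
                accepted[f] = set()
            elif level_part.startswith("!="):
                accepted[f].discard(SEVERITIES[level_part[2:]])
            else:  # 'level' selects that severity and every more urgent one
                accepted[f] |= set(range(SEVERITIES[level_part] + 1))
    return severity in accepted[facility]

# Field order of the default access.log layout Patrick quotes. A field is a
# [bracketed] time stamp, a "quoted" string (may be empty or contain spaces) or a bare token.
ACCESS_FIELDS = ["time_stamp", "auth_user", "src_ip", "status_code", "req_line",
                 "categories", "rep_level", "media_type", "bytes_to_client",
                 "bytes_from_client", "user_agent", "virus_name", "block_res",
                 "application_name"]
FIELD_RE = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

def parse_access_line(line):
    """Split one access.log line into a dict keyed by ACCESS_FIELDS."""
    values = [next(g for g in m.groups() if g is not None)
              for m in FIELD_RE.finditer(line)]
    if len(values) != len(ACCESS_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(ACCESS_FIELDS), len(values)))
    return dict(zip(ACCESS_FIELDS, values))

# Constructed sample line in that layout (not captured from a real gateway).
SAMPLE_ACCESS = ('[22/Jun/2012:07:12:01 +0000] "jdoe" 10.1.2.3 200 '
                 '"GET http://www.example.com/index.html HTTP/1.1" '
                 '"Business, Software/Hardware" "Minimal Risk" "text/html" 5123 412 '
                 '"Mozilla/5.0 (Windows NT 6.1)" "" "" "Web Browsing"')
```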
