11 Replies. Latest reply: Jun 17, 2014 10:32 AM by Jon Scholten

    Web Gateway and Nitro SIEM

    ivan.s

      Please help me create a rule set for sending events to Nitro SIEM. My rule set is attached to the post, but it is not working. However, I see that MWG sends events to the Nitro IP via syslog...

        • 1. Re: Web Gateway and Nitro SIEM
          kent.dyer

          I really hope there is an answer for this.  We have the same issue, and one thing I have stated is that if we can't EFFECTIVELY get the events into the ESM, we're going to really consider changing SIEM vendors.  It's frustrating.

           

          I know that McAfee and Nitro are still in their honeymoon phase, although support seems to have already moved overseas, and our account team is committed to helping us with this - but we've been trying to do this for about a year.

          • 2. Re: Web Gateway and Nitro SIEM
            jnemitz

            Hi Ivan,

             

            I'm attaching a rule set that we have used to get this working.  The rule set you used looks mostly correct, but uses an old format that is no longer applicable. 

            Also, the event to send the log line to syslog has been changed to use priority 6 (info) in the one I am attaching instead of 1 (alert) in yours.

             

            This rule set only sends the access log information to syslog.  The next step is to configure syslog to send the events to Nitro.

            This can be done under Configuration > File Editor > rsyslog.conf

             

            First, find the line:

            *.info;mail.none;authpriv.none;cron.none                /var/log/messages

            and change it to:

            *.info;daemon.!=info;mail.none;authpriv.none;cron.none                -/var/log/messages

             

            This prevents the new messages from being written to the messages file on disk.

             

            Next, add a line at the bottom indicating where to send the syslog messages (Nitro's address):

            For example:

            daemon.info    @192.168.1.5

             

            Of course, substitute the correct IP address after the @ symbol.

             

            Note that both of these changes are dependent on the above-mentioned priority change, i.e.

            Syslog (6, User-Defined.logLine)

            instead of:

            Syslog (1, User-Defined.logLine)

             

            Let me know if that helps or if you have any questions.

             

            Regards,


            John
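The rsyslog selector semantics behind the two edits in the reply above, as an added example that is not part of the original thread and not McAfee's code. It models the legacy sysklogd-style selector matching that rsyslog keeps for lines like `*.info;daemon.!=info;mail.none;...`, applies the two edits to a constructed rsyslog.conf excerpt, and shows which actions a daemon message reaches before and after. The excerpt, the helper names and the facility/severity tables are my own; the SIEM address is the one used in the reply. The parser only handles classic `selector action` rules and ignores comments, `$` directives, property filters and `&` continuations. Two things the example makes visible that the reply leaves implicit: `daemon.!=info` excludes only the info level, while `daemon.info` selects info and every more severe level, so daemon messages at warning or above still go to /var/log/messages as well as to the SIEM; and the leading `-` on the file action only disables syncing after each write, it is not what keeps the messages out of the file.

```python
import re

# Severities in syslog order: a plain "facility.level" selector matches this level
# and everything more severe (a smaller index).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALL_PRI = (1 << len(SEVERITIES)) - 1


def selector_masks(selector):
    """Per-facility bitmask of accepted severities for a ';'-separated selector list.

    Mirrors the legacy sysklogd semantics rsyslog keeps for these lines: selectors are
    applied left to right, a plain level adds that level and all more severe ones,
    '=' adds exactly one level, '!' removes instead of adding, and 'none' clears the
    facility. Later selectors therefore refine earlier ones ('*.info;daemon.!=info').
    """
    masks = {f: 0 for f in FACILITIES}
    for item in selector.split(";"):
        item = item.strip()
        if not item:
            continue
        facs, pri = item.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "none":
            negate, bits = True, ALL_PRI
        elif pri == "*":
            bits = ALL_PRI
        else:
            level = SEVERITIES.index(pri)
            bits = (1 << level) if exact else (1 << (level + 1)) - 1
        for fac in targets:
            masks[fac] = masks[fac] & ~bits if negate else masks[fac] | bits
    return masks


def matches(selector, facility, severity):
    """True if a message with this facility/severity is selected."""
    return bool(selector_masks(selector)[facility] & (1 << SEVERITIES.index(severity)))


def parse_rules(conf_text):
    """Extract (selector, action) pairs; comments, $-directives, property filters
    (':msg, ...') and '&' continuations are skipped."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$:&":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and "." in parts[0]:
            rules.append((parts[0], parts[1].strip()))
    return rules


def destinations(conf_text, facility, severity):
    """Every action (file, '@host', ...) a message with this facility/severity reaches."""
    return [action for sel, action in parse_rules(conf_text)
            if matches(sel, facility, severity)]


def add_forwarding(conf_text, siem_ip):
    """Apply the two edits from the reply: keep daemon.info out of /var/log/messages
    (the '-' only disables syncing after each write) and forward daemon.info to the SIEM.
    Idempotent, so running it twice does not duplicate either change."""
    rule_re = re.compile(r"^(\*\.info(?:;\S+)*)[ \t]+-?(/var/log/messages)[ \t]*$", re.M)
    m = rule_re.search(conf_text)
    if m is None:
        raise ValueError("no '*.info ... /var/log/messages' rule found")
    selector = m.group(1)
    if "daemon.!=info" not in selector.split(";"):
        selector = selector.replace("*.info", "*.info;daemon.!=info", 1)
    patched = conf_text[:m.start()] + f"{selector}\t-{m.group(2)}" + conf_text[m.end():]
    if not patched.endswith("\n"):
        patched += "\n"
    forward = f"daemon.info\t@{siem_ip}"
    if forward not in patched:
        patched += forward + "\n"
    return patched


# Constructed rsyslog.conf excerpt; a real file has many more lines.
BEFORE = """# constructed excerpt
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
"""
AFTER = add_forwarding(BEFORE, "192.168.1.5")

if __name__ == "__main__":
    print(AFTER)
    for sev in ("info", "warning", "debug"):
        print(f"daemon.{sev} before: {destinations(BEFORE, 'daemon', sev)}")
        print(f"daemon.{sev} after:  {destinations(AFTER, 'daemon', sev)}")
```

Run it as a script to see the patched excerpt and the before/after routing; `destinations(open("/path/to/rsyslog.conf").read(), "daemon", "info")` answers the same question for a real file. Note that `daemon.debug` reaches nothing in either version, so a Syslog event emitted at priority 7 would be silently dropped, and `daemon.warning` reaches both the local file and the SIEM.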

            • 3. Re: Web Gateway and Nitro SIEM
              ericklans

              Hi John and Ivan!

               

              Did you solve this task? To send log files from MWG to the SIEM, do I just need to do the steps that John posted? Or do I need both attachments?

              • 4. Re: Web Gateway and Nitro SIEM
                jnemitz

                Hi ericklans,

                 

                You should be able to get it working with just the rule set that I attached and the changes to the rsyslog.conf file.

                 

                Regards,

                 

                John

                • 5. Re: Web Gateway and Nitro SIEM
                  April Jacobs

                  We've created a new SIEM community here: https://community.mcafee.com/community/business/siem

                  • 6. Re: Web Gateway and Nitro SIEM
                    ericklans

                    Hello, John!

                     

                    Can you tell me, please, how to change this rule to send just syslog?

                    I don't need to log who looked where in their browsers, just the system logs.

                     

                    Thanks

                    • 7. Re: Web Gateway and Nitro SIEM
                      slhkm

                      Has anyone tried this rule set on Web Gateway 7.3.2.2? I get an import error "Ruleset migration failed. could not detect version". I have a newly installed McAfee ESM version 9.2.1.

                      • 8. Re: Web Gateway and Nitro SIEM
                        pbrickey

                        Greetings,

                         

                        Nitro expects basically the default access.log configuration:

                         

                        time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"

                         

                        If you have that, just add the event to syslog at level 6 to the access.log configuration and make the changes to rsyslog.conf pointed out above.

                         

                        -Patrick.

                        • 9. Re: Web Gateway and Nitro SIEM
                          abenjami

                          Hello,

                           

                          I have tested the ruleset configuration that was posted previously but it seems that it is no longer valid with the newer versions of the Web Gateway.  As Patrick stated, as long as the log is at the "Default" configuration, it will be accepted into the SIEM/Nitro configuration just fine.

                           

                          I have added some additional screenshots to show how this should be configured.

                          Here is the logging rule configuration for the access.log on the Web Gateway:

                          Logging1.png

                          Here is the configuration of the RSYSLOG.CONF file on the Web Gateway:

                          Logging2.png

                           

                          If you need to check whether the Web Gateway is sending the information correctly, log into the Web Gateway using SSH and run a tcpdump capture using the following:

                           

                          tcpdump -Xni eth0 port 514 -w syslogcap.trace    (You might need to change the interface depending on your configuration!)

                           

                          When checking the capture, you should see data that looks like the access.log going over UDP port 514.
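What a datagram from that capture should look like once decoded, as an added example that is not part of the original thread and not McAfee's code. It ties together the priority-6 Syslog event and the `daemon.info` selector from reply 2, the default access.log field order from reply 8, and the UDP/514 check from reply 9: it splits the syslog PRI, maps it back to facility and severity, and parses the message body into the fourteen named access.log fields, rejecting any line that does not have exactly that layout (the reason a customised access.log is not accepted by the SIEM). Assumptions, all mine: the facility is `daemon` (the only facility the rsyslog selector in the thread forwards), the forwarded header follows rsyslog's traditional BSD/RFC 3164 forwarding format and is treated as optional, and the timestamp is a single `[...]` token. The sample datagram and its values are constructed; only the field order comes from the thread.

```python
import re

# Field order of the default MWG access.log line, as given in the thread.
ACCESS_FIELDS = [
    "time_stamp", "auth_user", "src_ip", "status_code", "req_line", "categories",
    "rep_level", "media_type", "bytes_to_client", "bytes_from_client", "user_agent",
    "virus_name", "block_res", "application_name",
]
INT_FIELDS = {"status_code", "bytes_to_client", "bytes_from_client"}

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One token is a [bracketed] timestamp, a "double-quoted" string (backslash escapes
# allowed, so a user agent with spaces stays one field) or a run of non-blank chars.
_TOKEN_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Traditional "Mmm dd hh:mm:ss host tag: msg" header (assumed rsyslog forwarding
# layout); optional, so a bare access line still decodes.
_HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^:\s]+): (.*)$", re.S)


def pri_for(facility, severity):
    """Syslog PRI = facility * 8 + severity; daemon/info is <30>."""
    code = {name: c for c, name in FACILITIES.items()}[facility]
    return code * 8 + SEVERITIES.index(severity)


def split_pri(payload):
    """Return (facility, severity, remainder) for a '<PRI>...' datagram payload."""
    m = _PRI_RE.match(payload)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI")
    pri = int(m.group(1))
    return FACILITIES.get(pri // 8, str(pri // 8)), SEVERITIES[pri % 8], payload[m.end():]


def parse_access_line(line):
    """Split one default-format access.log line into a dict of named fields."""
    tokens = _TOKEN_RE.findall(line)
    if len(tokens) != len(ACCESS_FIELDS):
        raise ValueError(f"expected {len(ACCESS_FIELDS)} fields, got {len(tokens)}: "
                         "not the default access.log layout")
    record = {}
    for name, tok in zip(ACCESS_FIELDS, tokens):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]
        record[name] = int(tok) if name in INT_FIELDS else tok
    return record


def is_default_format(line):
    try:
        parse_access_line(line)
        return True
    except ValueError:
        return False


def decode_datagram(payload):
    """Decode one forwarded datagram as seen in the UDP/514 capture."""
    facility, severity, rest = split_pri(payload)
    m = _HEADER_RE.match(rest)
    host, tag, msg = (m.group(1), m.group(2), m.group(3)) if m else (None, None, rest)
    return {"facility": facility, "severity": severity, "host": host, "tag": tag,
            "access": parse_access_line(msg)}


# Constructed datagram: values are invented, only the field layout follows the thread.
SAMPLE_DATAGRAM = (
    '<30>Jun 17 10:32:00 mwg1 mwg: [17/Jun/2014:10:32:00 +0200] "jdoe" 10.0.0.25 200 '
    '"GET http://www.example.com/index.html HTTP/1.1" "Content Server" "Minimal Risk" '
    '"text/html" 5120 412 "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 '
    'Firefox/30.0" "" "" "Web Browsing"'
)
# A constructed customised line (wrong field count) that the parser must reject.
CUSTOM_LINE = '[17/Jun/2014:10:32:00 +0200] "jdoe" 10.0.0.25 200 "GET http://x/ HTTP/1.1" extra'

if __name__ == "__main__":
    print(decode_datagram(SAMPLE_DATAGRAM))
    print("custom line accepted:", is_default_format(CUSTOM_LINE))
```

The quick check this gives you on a real capture: every payload should start with `<30>` when the rule set emits the event at priority 6 and rsyslog matches it with `daemon.info`; a different number means the priority in the Syslog event or the selector in rsyslog.conf do not line up, and a field count other than fourteen means the access.log rule was customised away from the default layout the SIEM expects.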
