4 Replies Latest reply on Sep 4, 2012 10:38 AM by Jon Scholten

    Configure syslog on MWG 7.0.2


      Hi Guys,


      I need send MWG's logs to a syslog server but i don't know how do it. Can you help me with this?. I opened a case in McAfee Support and the engineer told me that the MWG 7.0.x don't support syslog.





        • 1. Re: Configure syslog on MWG 7.0.2

          Yes, you can syslog. The only exeption is some of the error and audit logs cannot be syslogged because they are not managed by the rule sets. But anything that can be generated by the Log Handler can be syslogged, such as access_denied, or foundVirus, or some other custom criteria.


          The Error handler rules have many examples of using the Syslog event.

          Basiclly, the steps are:

          Create the logLine string that you want to send.

          Use the Syslog() event to send it.

          Edit the rsyslog.conf file to specify what server to send it to.


          Message was edited by: eelsasser on 8/17/12 9:49:27 AM EDT
          • 2. Re: Configure syslog on MWG 7.0.2
            Jon Scholten

            I second Erik's post.


            Here is screenshots for reference:


            syslogconfig.png syslogrule.png


            Pay close attention to the syntax in the syslog configuration file, EVERY character matters some times (i.e. -/var/log/messages vs /var/log/messages).


            What was the SR # so I can follow up?



            • 3. Re: Configure syslog on MWG 7.0.2

              Is there a way to choose a different facility for "access logs" ? For example "local2"


              I guess that using daemon.info cannot guarantee that there will be only access logs. Some other programs may use this facility also. Unless the appliance has no other programs logging to daemon facility??

              • 4. Re: Configure syslog on MWG 7.0.2
                Jon Scholten

                Web Gateway = Daemon.


                So if you ensure that no other item is logged with a severity of Info, you can ensure that it is just the access log data.


                Let me know if this helps.