4 Replies Latest reply: Jan 15, 2015 11:05 AM by mihai.olteanu

    Audit Log via syslog

    prajoshgeorge

      Hello,

      How can I send the audit log via syslog to a SIEM? I am currently using MWG 7.3.0.2.

      I saw the below discussion for rsyslogd.conf

      https://community.mcafee.com/message/261146#261146

      I used the example to get the audit logs.

      I get the audit log entries but I get a single audit log entry in multiple lines. Is there any way to consolidate it into a single line or tag all the lines of the log entry with a unique ID so that the SIEM can identify them?
      Thanks
      Message was edited by: prajoshgeorge on 20/02/13 09:01:32 CST
        • 1. Re: Audit Log via syslog
          Jon Scholten

          I'm not too sure how this could be done from the Web Gateway's syslog module; this would most likely have to be done on the other side (the syslog server).

          Perhaps look for a string of lines with the _______________________________ representing a new audit log entry?
          Other than that, I don't think there is a way that I know of to control how the audit log writes its entries.

          Best,

          Jon

          • 2. Re: Audit Log via syslog
            prajoshgeorge

            Searching through multiple audit files to check all the changes made to a rule over a period by an administrator would be tedious I guess.

            • 3. Re: Audit Log via syslog
              prajoshgeorge

              Hi, I managed to send the audit.log entries to the SIEM.

              I needed to do this:

              1. Make the multiline entries into a single line
              2. Remove the '_____________________' at the beginning of each entry
              3. Remove the return character and replace the same with a tab
              4. Configure rsyslog

              Here is what I made:

              tail -f /opt/mwg/log/audit/audit.log | perl -pe 'BEGIN { $| = 1 } chomp; s/^(_____)/\n$1/; s/_{80}//; s/\r/\t/' | logger -p local2.notice
              I put the above command in a cronjob. In rsyslog.conf, I put the entry

              local2.notice                              @"IP of SIEM"
              This seems to work fine.

              EDIT: There is a problem when receiving events larger than 1KB: they get split into 1KB entries on the SIEM. Maybe a limitation of the rsyslog version on MWG 7.3. Not sure.

              Message was edited by: prajoshgeorge on 9/24/13 4:10:44 PM AST
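              The consolidation described in the steps above (one audit entry per syslog line, separator dropped, line breaks turned into tabs), written out as a stand-alone script. This is an added example and not code from the thread or from McAfee; the separator width, the entry layout and the sample audit text are constructed assumptions, not the real audit.log format. Unlike the perl one-liner, it buffers each entry until the next separator and strips CR/LF before joining, so a stray carriage return cannot end up inside the event. It goes somewhat beyond the thread by also flagging events over the 1KB size at which post 3 reports the receiving side splitting them.

```python
"""Consolidate multi-line Web Gateway audit entries into one syslog line each.

Added example, not code from the original thread. Mirrors the transformation
prajoshgeorge's perl one-liner performs: entries are delimited by a line of
underscores, the delimiter is dropped, and the remaining lines of an entry are
joined with tabs so a SIEM receives one event per line. Separator width, field
layout and the sample text are constructed assumptions (hypothetical format).
"""
import re
from typing import Iterable, Iterator, List

# A separator line is a run of underscores (the thread mentions 80 of them).
SEPARATOR = re.compile(r"^_{5,}\s*$")

# Constructed sample: three entries in the rough shape the thread describes.
# The first entry deliberately carries a carriage return to show it is stripped.
SAMPLE_AUDIT_LOG = """\
________________________________________________________________________________
2013-09-24 16:10:44 admin login from 10.0.0.5\r
action: login
________________________________________________________________________________
2013-09-24 16:12:01 admin modified rule set
rule: Block malicious sites
change: enabled -> disabled
________________________________________________________________________________
2013-09-24 16:15:30 admin logout
"""


def consolidate(lines: Iterable[str]) -> Iterator[str]:
    """Yield one tab-joined string per audit entry.

    Stateful: accumulates lines until the next separator (or end of input)
    so each emitted string is a complete entry rather than a fragment.
    """
    buffer: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")       # drop CR/LF so no '\r' reaches the SIEM
        if SEPARATOR.match(line):
            if buffer:                  # separator closes the previous entry
                yield "\t".join(buffer)
                buffer = []
            continue
        if line.strip():                # skip empty lines inside an entry
            buffer.append(line)
    if buffer:                          # flush the last entry at end of input
        yield "\t".join(buffer)


def consolidate_text(text: str) -> List[str]:
    """Convenience wrapper over consolidate() for an in-memory string."""
    return list(consolidate(text.splitlines(keepends=True)))


def oversized(events: Iterable[str], limit: int = 1024) -> List[str]:
    """Return events longer than `limit` bytes; post 3 reports entries above
    1KB being split on the receiving side, so these are worth flagging."""
    return [e for e in events if len(e.encode("utf-8")) > limit]


if __name__ == "__main__":
    events = consolidate_text(SAMPLE_AUDIT_LOG)
    for event in events:
        print(event)
    for big in oversized(events):
        print("WARNING: event exceeds 1KB and may be split:", big[:60], "...")
```

              Run on a live file, its stdout can be piped to `logger -p local2.notice` exactly as the one-liner in post 3 does; feeding it `tail -f` output works the same way because `consolidate()` processes a line at a time and only emits when an entry is complete.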
              • 4. Re: Audit Log via syslog
                mihai.olteanu

                Hi,

                I'm trying to configure my MWG (version 7.4.2.6) with your settings, and it seems there is a problem. After the script starts, the first log is sent to the SIEM correctly, but after that, for each new log line, syslog sends the same first log to the SIEM every time. It seems like the syslog facility local2.notice always contains only the first log line that was created by your script.

                Any idea what could be wrong?
                Thank you.

                Mihai