4 Replies Latest reply on May 29, 2013 12:20 PM by brinkn

    MWG 7.x & CSR 2.0 & syslog

    brinkn

      Hello!

      Has anyone been able to forward logs to Content Security Reporter v2.0 from a MWG 7.x appliance?

       

      I have configured the gateway to write the standard access log to rsyslog and configured rsyslog to forward to the content security reporter. 

       

       

      mwg11.jpg

       

      csr.jpg

      I have tried a variety of log headers but not found one that will cause the CSR to parse the log line.  Looking at the server.log on the CSR server shows the following lines:

       

      2013-05-29 09:39:09,098 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

      2013-05-29 09:39:09,098 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

      2013-05-29 09:39:09,114 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

      2013-05-29 09:39:09,114 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

      2013-05-29 09:39:40,129 INFO  [com.mcafee.mesa.server.ejb3.helper.reporter.LogSourceHelper] Updating log source 'MWG7-Syslog'.

      2013-05-29 09:39:50,456 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

      2013-05-29 09:39:50,456 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

      2013-05-29 09:39:50,456 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

      2013-05-29 09:39:50,456 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

      2013-05-29 09:39:51,706 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

      2013-05-29 09:39:51,706 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

      2013-05-29 09:39:51,706 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

      2013-05-29 09:39:51,706 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

       

      I am assuming the CSR is not receiving the message in the correct format, but I cannot find any examples of someone using syslog with the CSR successfully to figure out what I am doing wrong.  Any help would be appreciated.

        • 1. Re: MWG 7.x & CSR 2.0 & syslog
          Jon Scholten

          I have had it working.

           

          Your log headers do not match. You should copy and paste the log file header from MWG and paste it into CSR.

           

          For example, you have "auth_user" in MWG, and in CSR you have auth_user without the quotes.

           

          Please also understand that the log body (in MWG) is independent from the log header. Please take a screenshot of the log body rule (see example below):

           

          log_2013-05-29_103748.png

           

          For more information see: Best Practices: Customizing Logs and Log File Management - https://community.mcafee.com/docs/DOC-4812

           

          Best,

          Jon

          • 2. Re: MWG 7.x & CSR 2.0 & syslog
            brinkn

            Jon

            Thanks for the response.  I am using the default logging ruleset that is included with 7.3.  It appears that the log header from the Config page matches the user-defined.logline from the logging event.  I have tried a number of different log headers with and without quotes.  I had dropped the quotes because of one of the things I found in the online help.

             

            Here is the screenshot you requested. 

             

            logging.jpg

            quotes.jpg

             

            I am assuming my issue is on the CSR side.  Every log I throw at CSR results in errors in the server.log that look like this:

             

            2013-05-29 11:29:03,477 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

            2013-05-29 11:29:03,493 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

            2013-05-29 11:29:03,493 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

            2013-05-29 11:29:03,493 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

            2013-05-29 11:29:05,243 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

            2013-05-29 11:29:05,243 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

            2013-05-29 11:29:05,243 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

            2013-05-29 11:29:05,243 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

            2013-05-29 12:13:00,800 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

            2013-05-29 12:13:00,816 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

            2013-05-29 12:13:00,816 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

            2013-05-29 12:13:00,816 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

            2013-05-29 12:13:02,066 WARN  [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Missing source IP field. Log format line invalid. (line=#null)

            2013-05-29 12:13:02,066 ERROR [com.mcafee.mesa.logparsing.parsers.builtins.ParseWebWasher] Parser configuration invalid. See server.log for details.

            2013-05-29 12:13:02,066 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to init parser from log source.

            2013-05-29 12:13:02,066 ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBufferReader] Unable to create parser WebWasherV1 with config LogParserConfigWebWasher{header='null'}.

             

            If I look at the file located on the CSR in Program Files\McAfee\Content Security Reporter\reporter\tmp\logparsing\buffered\logsource-12\MWG7-Syslog.WebWasherV1. 20130529T120903.862Z.1871248903635120327.log I have a syslog line that looks like this:

             

            192.168.1.100 <25>May 29 15:10:44 mwg05 mwg: [29/May/2013:15:10:44 +0000] "SMITHJ" 192.168.1.50 304 "GET http://www.purple.com/purple.html HTTP/1.1" "Personal Pages" "Minimal Risk" "" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.2)" "" "0"

             

            I don't understand why the server.log says header='null', nor do I understand the part about "Missing Source IP field".

             

            Thanks Again.

            • 3. Re: MWG 7.x & CSR 2.0 & syslog
              Jon Scholten

              Hi again!

               

              The messages seem to indicate that the line it received was invalid, not that your CSR configuration was bad.

               

              Hmmm.... are you not seeing any report data for the entry you mentioned above? It all looks correct, assuming you took the original log header value and put it into CSR.

               

              Are you sending only access log data to CSR? Perhaps there is other syslog garbage being forwarded to CSR, which it is complaining about.

               

              In your configuration you have the following:

              Syslog(1, User-Defined.logline)

               

              Which translates to the following in syslog:

              Daemon.Emergency

               

              What does your syslog configuration look like? Is it like this?

              *.* @SYSLOG-SERVER-IP

               

              I would recommend putting something like:

              Daemon.Info @SYSLOG-SERVER-IP

               

              You'd then need to change the log rule to:

              Syslog(6, User-Defined.logline)

               

              Severity levels correspond as such:

              0 Emergency

              1 Alert

              2 Critical

              3 Error

              4 Warning

              5 Notice

              6 Informational

              7 Debug

               

              See these other discussions regarding general syslog info:

              https://community.mcafee.com/message/244540#244540

               

              Best,

              Jon
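As an added example (not code from the thread or from the McAfee products), a small Python parser that does what CSR has to do with the line brinkn captured: strip the syslog envelope, decode the PRI value (facility * 8 + severity, so <25> is daemon.alert), and map the MWG access-log body onto a log header field by field. It reports the same failure modes the thread discusses: an empty header and a body whose source IP field does not line up. The header field names and the shortened user agent are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the buffered line quoted above: forwarder IP,
# syslog PRI, timestamp, host, tag, then the MWG access-log body (user agent shortened).
SAMPLE_LINE = ('192.168.1.100 <25>May 29 15:10:44 mwg05 mwg: [29/May/2013:15:10:44 +0000] '
               '"SMITHJ" 192.168.1.50 304 "GET http://www.purple.com/purple.html HTTP/1.1" '
               '"Personal Pages" "Minimal Risk" "" 200 "Mozilla/4.0 (compatible; MSIE 8.0)" "" "0"')
# Hypothetical MWG log header: one token per body column, quoted where the body is quoted.
SAMPLE_HEADER = ('time_stamp "auth_user" src_ip status_code "req_line" "categories" '
                 '"rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"')

FACILITIES = {0: "Kern", 1: "User", 2: "Mail", 3: "Daemon", 4: "Auth", 5: "Syslog", 6: "Lpr", 7: "News"}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]
SYSLOG_RE = re.compile(r'^(?:\S+\s+)?<(\d{1,3})>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) (\S+): (.*)$')
FIELD_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')  # bracketed timestamp, quoted string, or bare token


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity) names, e.g. 25 -> ('Daemon', 'Alert')."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def tokenize(text):
    """One token per field; surrounding quotes are stripped, an empty quoted field stays ''."""
    return [t[1:-1] if t.startswith('"') else t for t in FIELD_RE.findall(text)]


def parse_forwarded_line(line, header):
    """Strip the syslog envelope and zip the MWG body onto the header's field names.
    Returns the parsed record, or a dict with an 'error' key saying why the line is rejected."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"error": "not a syslog line (no <PRI> envelope)"}
    pri, host, tag, body = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    names, values = tokenize(header), tokenize(body)
    if not names:
        return {"error": "log header is empty (CSR logs header='null')"}
    if len(names) != len(values):
        return {"error": f"header has {len(names)} fields, body has {len(values)}"}
    record = dict(zip(names, values))
    try:
        ip_address(record.get("src_ip", ""))  # the field CSR calls the source IP
    except ValueError:
        return {"error": "Missing source IP field"}
    facility, severity = decode_pri(pri)
    record.update(host=host, tag=tag, facility=facility, severity=severity)
    return record
```

Feeding the captured line with an empty header reproduces the header='null' rejection; a header whose column count differs from the body is reported as a count mismatch before any field is trusted.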

              • 4. Re: MWG 7.x & CSR 2.0 & syslog
                brinkn

                Jon, thanks again.

                I think I figured out the issue.  I guess talking it out helps.  The problem seems to be an issue with CSR.  Changing the "Log Header" field of a log source and saving the change does not take immediate effect.  Changes to other fields such as tcp/udp or the port take immediate effect.  I restarted the CSR services and it started parsing messages, including all of the previously sent messages.  I should have figured it out sooner with the header='null' message.  I didn't know what to put in the "Log Header" field initially so I left it blank, resulting in it always being blank until the service was restarted.

                 

                Thanks again.