2 Replies Latest reply on Sep 26, 2013 4:41 PM by Scott Taschler

    McAfee Web Gateway 7.3 Access and Access Denied logs for Nitro

    infosec_wizard

      My company is in the process of implementing McAfee Web Gateway for our web proxy and we're trying to get the access and access denied logs into Nitro ESM. We have logs being successfully sent from MWG to Nitro, but it appears to be parsing all the logs as "McAfee_Web_Gtwy A web request was allowed" but we know for a fact some of these logs are for sites being blocked.


      Is this more likely to be an issue with the McAfee Web Gateway parser in Nitro, or a misconfiguration in McAfee Web Gateway? Is anyone else experiencing similar issues?

        • 2. Re: McAfee Web Gateway 7.3 Access and Access Denied logs for Nitro
          Scott Taschler

          MWG logs are mapped to rule messages based on the Block ID associated with the event.  There are a number of "canned" Block IDs in MWG that should automatically map to explicit messages.  For example, here's a shot of what my lab looks like right now:


          [screenshot: mgw block ids.gif]

          Here's a sample log for "Blocked due to a virus being found":


          <30>Sep 19 19:02:43 mwg01 mwg: [19/Sep/2013:19:02:43 +0000] "" 172.25.109.161 403 "GET http://www.eicar.org/download/eicar.com HTTP/1.1" "Information Security" "Minimal Risk" "" 8524 399 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" "McAfeeGW: EICAR test file" "80" ""


          In this case the block id is "80".  This maps to a signature ID of 326-80 (326 = MWG device ID, 80 = sig ID), which is where the rule message ultimately comes from.


          For anything with a block ID of "0", you will see the "A web request was allowed" message.  For anything with an unknown block ID, I believe it will get mapped to an instance of "A web request was blocked".  Unknown block IDs may be ones that your MWG administrators have defined locally, or they may be new types that have been implemented by MWG and have not yet been incorporated into the MWG parser.  For the latter case, I'd encourage you to file a quick PER so that we can ensure the parser is properly dealing with the default events generated by MWG.


          https://mcafee.acceptondemand.com/


          Any custom block IDs your admins have created will have a unique signature ID, and you can modify the rule message seen as needed via the Policy Editor (select event, open menu, select "Show Rule 326-xxx").


          Scott
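The mapping Scott describes (block ID "0" = allowed, a known block ID such as "80" = its canned message via signature 326-80, anything else = generic "blocked") is easy to check against the raw syslog before blaming the parser. The script below is an added example, not code from the thread, McAfee, or Nitro ESM: it tokenizes MWG access-log lines in the format of the sample above, pulls out the block ID, composes the signature ID, and tallies how many events are allowed, blocked with a known ID, or blocked with an unknown ID. Field positions are assumed from the one sample line in the thread (the block ID is the 13th token after the "mwg: " tag); the lookup table contains only the two messages the thread states, so "virus found" and "allowed" are the only named mappings and everything else is reported as unknown. The second and third log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Device ID that the Nitro MWG parser prefixes to block IDs (326-<block id>), per the thread.
MWG_DEVICE_ID = 326

# Block ID -> rule message. Only the two mappings stated in the thread are included;
# this is a constructed lookup table, not the parser's real signature list.
KNOWN_BLOCK_IDS = {
    0: "A web request was allowed",
    80: "Blocked due to a virus being found",
}
UNKNOWN_BLOCK_MESSAGE = "A web request was blocked"  # fallback described in the thread

# One token is a [bracketed timestamp], a "double-quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"([^"]*)"|(\S+)')

# Sample input: line 1 is the EICAR block from the thread; lines 2 and 3 are constructed
# (an allowed request with block ID 0, and a locally defined block ID the table lacks).
SAMPLE_LINES = [
    '<30>Sep 19 19:02:43 mwg01 mwg: [19/Sep/2013:19:02:43 +0000] "" 172.25.109.161 403 '
    '"GET http://www.eicar.org/download/eicar.com HTTP/1.1" "Information Security" '
    '"Minimal Risk" "" 8524 399 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; '
    'WOW64; Trident/6.0)" "McAfeeGW: EICAR test file" "80" ""',
    '<30>Sep 19 19:05:10 mwg01 mwg: [19/Sep/2013:19:05:10 +0000] "" 172.25.109.161 200 '
    '"GET http://www.example.com/ HTTP/1.1" "Business" "Minimal Risk" "text/html" 1200 512 '
    '"Mozilla/5.0" "" "0" ""',
    '<30>Sep 19 19:06:30 mwg01 mwg: [19/Sep/2013:19:06:30 +0000] "" 172.25.109.162 403 '
    '"GET http://www.example.net/ HTTP/1.1" "Gambling" "Unverified" "" 900 300 '
    '"Mozilla/5.0" "Custom policy block" "10042" ""',
]


@dataclass
class MwgEvent:
    timestamp: str
    client_ip: str
    status: int
    request: str
    block_reason: str
    block_id: int
    signature_id: str
    rule_message: str
    known_block_id: bool


def tokenize(body: str) -> list:
    """Split the part of the line after 'mwg: ' into fields, keeping quoted strings whole."""
    out = []
    for m in _TOKEN.finditer(body):
        if m.group(1) is not None:        # quoted string (may be empty)
            out.append(m.group(1))
        elif m.group(2) is not None:      # bare token such as an IP or status code
            out.append(m.group(2))
        else:                             # [timestamp]
            out.append(m.group(0).strip("[]"))
    return out


def parse_mwg_line(line: str) -> Optional[MwgEvent]:
    """Return the event's block ID, signature ID and rule message, or None if unparseable."""
    _, sep, body = line.partition("mwg: ")
    if not sep:
        return None
    t = tokenize(body)
    # Assumed layout (from the thread's sample): 14 tokens, block ID at index 12.
    if len(t) < 14:
        return None
    try:
        status = int(t[3])
        block_id = int(t[12])
    except ValueError:
        return None
    return MwgEvent(
        timestamp=t[0], client_ip=t[2], status=status, request=t[4],
        block_reason=t[11], block_id=block_id,
        signature_id=f"{MWG_DEVICE_ID}-{block_id}",
        rule_message=KNOWN_BLOCK_IDS.get(block_id, UNKNOWN_BLOCK_MESSAGE),
        known_block_id=block_id in KNOWN_BLOCK_IDS,
    )


def summarize(lines) -> dict:
    """Count allowed / known-blocked / unknown-blocked events and list unknown block IDs."""
    counts = {"allowed": 0, "blocked_known": 0, "blocked_unknown": 0,
              "unparsed": 0, "unknown_block_ids": []}
    for line in lines:
        ev = parse_mwg_line(line)
        if ev is None:
            counts["unparsed"] += 1
        elif ev.block_id == 0:
            counts["allowed"] += 1
        elif ev.known_block_id:
            counts["blocked_known"] += 1
        else:
            counts["blocked_unknown"] += 1
            if ev.block_id not in counts["unknown_block_ids"]:
                counts["unknown_block_ids"].append(ev.block_id)
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_mwg_line(raw)
        print(f"{ev.client_ip} {ev.status} block_id={ev.block_id} sig={ev.signature_id}: {ev.rule_message}")
    print(summarize(SAMPLE_LINES))
```

Run against a capture of what MWG actually sends: if every line carries block ID "0" the problem is on the MWG side (logging rules emitting 0 for blocks), whereas non-zero block IDs that Nitro still shows as "allowed" point at the parser, and the unknown_block_ids list is what you would cite when filing a PER or adding custom rule messages.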