5 Replies Latest reply on Nov 27, 2013 8:33 AM by sroering

    MWR and CEF logging

    elisowash

I want Web Reporter to pick up the access.log file on my appliances, and I'd also like to push a CEF via rsyslog.


      I'm getting


      2013-11-26 08:15:23,566 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Begin retrieving log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing.

      2013-11-26 08:15:24,942 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) Successfully retrieved log file 'access1311261255.log' into log parsing.

      2013-11-26 08:15:24,958 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (WebGatewayGetter) End copying log files from Web Gateway 7 server 'hostname.domain.net:8443' into log parsing

      2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Begin processing file 'access1311261255.log20131126-081524832.dat'.

2013-11-26 08:15:24,973 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Finish counting: [0 seconds to complete]  File='C:\Program Files\McAfee\Web Reporter (64-bit)\reporter\jboss\bin\..\..\tmp\logparsing\processing\access1311261255.log20131126-081524832.dat' contains 56 lines and 15667 bytes.

      2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Invalid parser, parser initialization failed, id='WebWasherV1'

      2013-11-26 08:15:25,020 ERROR [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) access1311261255.log20131126-081524832.dat: processing failed:Unable to determine log format due to invalid parser ID.

      2013-11-26 08:15:25,083 INFO  [securecomputing.smartfilter.logparsing.LogAudit] (LogAudit[1003]) Aborted processing file 'access1311261255.log20131126-081524832.dat': 0 lines processed with 0 errors.


      in my MWR logs, and I have a feeling it's because I imported the CEF rules. My CEF logs are making it over to my syslog listener just fine, but I'd like MWR to consume them too.


      I've checked all my Policy and Settings related to logging, and everything looks appropriate, but if I'm honest, I don't remember what the defaults were. I'm kind of stuck - what else should I look for?

        • 1. Re: MWR and CEF logging
          sroering

          I'm not sure what CEF is, or where you are trying to push it, but Web Reporter only processes access logs.


Regarding your error, there is a problem with the log header. Possibly a missing space, or missing quote, or a missing column that is required (ex: "req_line"). Can you post the log header and a screenshot of the logging rule?

          • 2. Re: MWR and CEF logging
            elisowash

            CEF: Common Event Format, https://community.mcafee.com/docs/DOC-4703


            I'm pushing to Splunk, not Arcsight, but they do essentially the same job.


            As far as my access.log goes, I'm not writing a header (which is a problem?):

            access-settings.png


            Here's my policy:

            access.png


            Message was edited by: elisowash on 11/26/13 10:32:34 AM CST
            • 3. Re: MWR and CEF logging
              sroering

              Yes, that would be a problem.  Try this for a log header.


              #time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"

              • 4. Re: MWR and CEF logging
                elisowash

No joy... I guess I don't understand the purpose and function of the log header. The product guide is super helpful: "Specifies a header for all log files." That clears things right up.


                Can you point me towards a good resource for this?

                • 5. Re: MWR and CEF logging
                  sroering

Never hire this guy to write documentation. :-) Web Reporter needs the log header to understand the log format. That is how the "auto-discover" works. It will only apply to new access logs, so old ones will still fail. If jobs fail, it is because Web Reporter couldn't find a valid header. So even if the header is valid, but doesn't match the body, the job would still show successful, but with 100% errors.


                  So I need to know if the jobs are successful or still failing, that is the big clue.  If possible, take one of the new access logs and post the first few lines, including the header.  You can xxx out any sensitive values, just don't change the structure of the lines.

                  CaptainobviousChooseOption.jpg
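As an added example (not code from the thread, from McAfee, or from Web Reporter), a small Python checker that applies the header suggested in reply 3 to constructed sample access-log lines and reports the header/body mismatches reply 5 warns about: a line missing a column and a line with an unterminated quote. The field rules it assumes (a [bracketed] group, a "quoted" group, or a bare token per column) are an assumption about the format, not Web Reporter's actual parser.

```python
import re

# Log header exactly as suggested in reply 3 of the thread.
HEADER = ('#time_stamp "auth_user" src_ip status_code "req_line" "categories" '
          '"rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"')

# Constructed sample body lines (not from the thread): line 1 matches the header,
# line 2 is missing the media_type column, line 3 has an unterminated quote.
SAMPLE_LINES = [
    '[26/Nov/2013:08:15:23 +0100] "jdoe" 10.0.0.5 200 "GET http://example.test/ HTTP/1.1" '
    '"Business" "Minimal Risk" "text/html" 1234 "Mozilla/5.0" "" "0"',
    '[26/Nov/2013:08:15:24 +0100] "asmith" 10.0.0.6 403 "GET http://blocked.test/ HTTP/1.1" '
    '"Gambling" "Unverified" 0 "Mozilla/5.0" "" "80"',
    '[26/Nov/2013:08:15:25 +0100] "jdoe 10.0.0.5 200 "GET http://example.test/x HTTP/1.1" '
    '"Business" "Minimal Risk" "image/png" 512 "Mozilla/5.0" "" "0"',
]

# Assumed field rules: a [bracketed] group, a "quoted" group, or a bare token.
FIELD_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def tokenize(line):
    """Split a line into fields, keeping bracket and quote groups whole."""
    return FIELD_RE.findall(line)


def parse_header(header):
    """Return column names and, per column, whether the header declares it quoted."""
    if not header.startswith('#'):
        raise ValueError('log header must start with "#"')
    cols = tokenize(header[1:])
    return [c.strip('"') for c in cols], [c.startswith('"') for c in cols]


def check_line(line, names, quoted):
    """List every way one body line disagrees with the header (empty list = OK)."""
    problems = []
    if line.count('"') % 2:
        problems.append('unbalanced quotes')
    fields = tokenize(line)
    if len(fields) != len(names):
        problems.append(f'{len(fields)} fields, header declares {len(names)}')
        return problems  # positional checks are meaningless once the count is off
    for name, want_quoted, value in zip(names, quoted, fields):
        if want_quoted != value.startswith('"'):
            problems.append(f'{name}: quoting differs from header')
    return problems


def check_log(header, lines):
    """Map 1-based line numbers to their problems; lines matching the header are omitted."""
    names, quoted = parse_header(header)
    report = {i: check_line(text, names, quoted) for i, text in enumerate(lines, 1)}
    return {i: p for i, p in report.items() if p}
```

Running `check_log(HEADER, SAMPLE_LINES)` on a real access log, with the first line fed as `header`, gives a quick view of how much of the body the header actually describes before handing the file to Web Reporter.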