5 Replies Latest reply on Jun 6, 2014 1:12 PM by kdienst

    Log Verbose Changes to Policy?

    kdienst

      We have a pretty large deployment and we're in the middle of transitioning the ownership of the proxy services over to another team.

       

      I know we have incident IDs for when a change is successful or fails, and I have that logging to syslog and emailing certain groups already. However, what I was unable to find so far, reading the user guide and searching the forums, is whether I can see exactly what was changed within the policy/rulesets.

       

      Even if I can gain a little more verbosity, such as "The Authentication Ruleset has been changed by XX", it would be very helpful.

       

      Thank you for your time.

        • 1. Re: Log Verbose Changes to Policy?
          vern96

          I believe the "audit.log" has that information?

          • 2. Re: Log Verbose Changes to Policy?
            kdienst

            The audit log does have some of the info I'm looking for. It is formatted as such:

            Timestamp:
            User: baduser
            Action: MODIFIED_RULE_GROUP
            Source ID: 1789
            Source Path: GatwayRules/RuleGroups/My special rule
            Appliance: gateway1
            Details:
                 Old Enabled: True
                 New Enabled: False

             

            Great info, now to find a way to reference these entries via the Log Handler or via some other script/parser. Will add more info as I figure it out.

            • 3. Re: Log Verbose Changes to Policy?
              kdienst

              https://community.mcafee.com/message/276209#276209

               

              This has some info about changing the multi-line output to a single line via tab delimiting and then creating a cron job to parse out the details before posting to the SIEM.

               

              Still digging...

              • 4. Re: Log Verbose Changes to Policy?
                btlyric

                I looked at this earlier, and this is a very preliminary attempt that does not handle multiple commas, the comma created at the beginning of each line, or some random whitespace issues.

                 

                perl -pe 'BEGIN { $| = 1 } chomp; s/^(_____)/\n$1/; s/_{80}//; s/(Timestamp|User|Action|Details|Appliance|Role)(\ {0,8}):\ {0,8}// ; s/Source (Type|Name|ID|Path)(\ {0,8}):\ {1,8}//; s/\r/,/ ' /opt/mwg/log/audit/audit.log
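Added example (not code from the original thread, from btlyric, or from McAfee): a small Python parser for the audit.log layout shown in the sample record above, the same job the perl one-liner starts on. It splits records on the underscore separator line, keeps the indented "Details:" lines as a nested object, tolerates CRLF line endings, and emits one JSON object (or one tab-separated line) per event, so commas inside rule names and paths no longer break the fields. The timestamp values, the second record, the column order, and the default log path are constructed for illustration; the real field set on your appliance may differ.

```python
"""Flatten McAfee Web Gateway audit.log records to one line per event.

Added example, not from the thread or from McAfee. Layout follows the
sample posted in the thread: "Key: value" lines, an indented "Details:"
block, CRLF line endings and a line of underscores between records.
"""
import json
import re
import sys
from typing import Any, Dict, List

# Record separator the perl one-liner in the thread keys on.
SEPARATOR = re.compile(r"^_{5,}\s*$")
# "Key: value", split on the FIRST colon only, so a value such as
# "Auth: step two" is not truncated.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")
# Column order for tab-separated output (an assumption; reorder to taste).
COLUMNS = ("Timestamp", "User", "Action", "Source ID", "Source Path", "Appliance")

Record = Dict[str, Any]

# Constructed sample in the layout of the thread's excerpt (timestamps and
# the second record are made up; the comma and colon are deliberate).
SAMPLE_LOG = "\r\n".join([
    "_" * 80,
    "Timestamp: 2014-06-05 14:02:11",
    "User: baduser",
    "Action: MODIFIED_RULE_GROUP",
    "Source ID: 1789",
    "Source Path: GatwayRules/RuleGroups/My special rule",
    "Appliance: gateway1",
    "Details:",
    "     Old Enabled: True",
    "     New Enabled: False",
    "_" * 80,
    "Timestamp: 2014-06-05 14:05:40",
    "User: baduser",
    "Action: MODIFIED_RULE_GROUP",
    "Source ID: 1790",
    "Source Path: GatwayRules/RuleGroups/Auth, step 2",
    "Appliance: gateway1",
    "Details:",
    "     Old Name: Auth, step 2",
    "     New Name: Auth: step two",
    "_" * 80,
    "",
])


def parse_audit_log(text: str) -> List[Record]:
    """Return one dict per record; "Details:" sub-lines become a nested dict."""
    records: List[Record] = []
    current: Record = {}
    in_details = False

    def flush() -> None:
        nonlocal current, in_details
        if current:
            records.append(current)
        current, in_details = {}, False

    for raw in text.splitlines():
        line = raw.rstrip("\r")          # appliance writes CRLF
        if SEPARATOR.match(line):
            flush()
            continue
        if not line.strip():
            continue
        indented = line[:1] in (" ", "\t")
        m = FIELD.match(line.strip())
        if m is None:
            # Keep text we cannot classify rather than dropping it silently.
            current.setdefault("Unparsed", []).append(line.strip())
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if indented and in_details:
            current["Details"][key] = value
        elif key == "Details":
            current["Details"] = {}
            in_details = True
        else:
            in_details = False
            current[key] = value
    flush()
    return records


def to_json_line(rec: Record) -> str:
    """One compact JSON object per line: delimiter-safe for a SIEM."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def to_tsv_line(rec: Record) -> str:
    """Tab-separated alternative; details become key=value pairs in the last column."""
    def clean(v: Any) -> str:
        return str(v).replace("\t", " ").replace("\n", " ")
    fields = [clean(rec.get(col, "")) for col in COLUMNS]
    details = rec.get("Details") or {}
    fields.append(" ".join(f"{k}={clean(v)}" for k, v in details.items()))
    return "\t".join(fields)


if __name__ == "__main__":
    # Pass the log path (e.g. /opt/mwg/log/audit/audit.log) or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for record in parse_audit_log(text):
        print(to_json_line(record))
```

Run it from the cron job the linked post suggests and append its stdout to a file that your syslog agent tails, or pipe each line through `logger` to hand it to syslog directly; either way the agent receives one complete event per line instead of the multi-line record. JSON output is the safer choice when values can contain the delimiter; the tab-separated form is there for SIEMs that expect a fixed column layout.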

                • 5. Re: Log Verbose Changes to Policy?
                  kdienst

                  Thanks btlyric! I knew, based off the other post on this, that I'd have to do some Perl wrangling to format the log; at this point I wasn't sure how to actually run that Perl script against the logs. I've got to do some digging into how rsyslog works and how that relates to the audit.log (if at all) so I can make sure I'm gathering the data out of the audit.log and then pushing it via syslog to our SIEM solution.

                   

                  At this point I think this is mostly "RTFM" for me, so I'll go do my research and update the post if need be. Appreciate all your help, guys!