5 Replies Latest reply on Oct 21, 2015 10:17 AM by thyvarin

    Additional fields in Log Forwarding


      I configured the NGFW log server to forward logs to our SIEM with the format "McAfee ESM". Even though i configured our SMC to log the additional payload information to get the HTTP URI as well as the User information via MLC (all of which I see in the SMC logs), this information is not included in the logs forwarded.


      Is there a way to add more fields in the log forwarded ?

        • 1. Re: Additional fields in Log Forwarding



          Additional fields are possible at least with CSV and XML export, but I'm not sure about SIEM (ESM) format:

          https://kc.mcafee.com/corporate/index?page=content&id=KB83391&actp=null&viewloca le=en_US&showDraft=false&platinum_status=false&locale=en_US




          • 2. Re: Additional fields in Log Forwarding

            The problem is this:


            (taken from that KB)

            Other log export formats (LEEF, CEF, Netflow v9, IPFIX) only offer a fixed log field selection that cannot be edited.

            And the McAfee SIEM log source for the NGFW only allows for two formats: SEF and MEF, which means that I can't forward logs in the XSV or XML format.

            • 3. Re: Additional fields in Log Forwarding

              Yes, I just tested that this looks to only affect CSV and XML like article says. I was hoping that McAfee ESM format is also included since article was written before McAfee ESM format was added and does not mention ESM format, but with quick test this does look to affect only CSV (and XML) format. I tested this by creating duplicate of <smc_home>/data/fields/syslog_templates/default_syslog_conf.xml file, and removing source (Sport) and destination (Dport) fields from it. Then configured Log Server to use custom file, and restarted the Log Server. With tcpdump on Log Server I can see that McAfee ESM export still includes source and destination port fields, while if I switch to CSV format, then those fields are no longer included.


              Since these instructions do not apply to McAfee ESM format, my suggestion would be that you open Service Request (https://support.mcafee.com) for this as further comments probably needs to be requested from dev.




              • 4. Re: Additional fields in Log Forwarding

                It looks like I can modify the <smc_home>/data/fields/syslog_templates/esm_syslog_conf.xml  file and add the field that I want. 

                I added   <fieldref> APPLICATION_DETAIL </fieldref>  to the list of fields and my ESM now received the additional payload information.



                • 5. Re: Additional fields in Log Forwarding

                  Awesome! I didn't notice that file so good that you did. Indeed I have the file also in lab SMC:


                  # ls -l /var/smc/data/fields/syslog_templates/

                  total 48

                  -rw-rw-r--. 1 sgadmin sgadmin   617 Oct 15 07:51 bradford_syslog_conf.xml

                  -rw-r--r--. 1 sgadmin sgadmin  1986 Oct 19 10:37 default_syslog_conf_tero.xml

                  -rw-rw-r--. 1 sgadmin sgadmin  2050 Oct 15 07:51 default_syslog_conf.xml

                  -rw-rw-r--. 1 sgadmin sgadmin  1533 Oct 15 07:51 esm_syslog_conf.xml

                  -rw-rw-r--. 1 sgadmin sgadmin 21820 Oct 15 07:51 nfx_osp_ips_syslog_conf.xml

                  -rw-rw-r--. 1 sgadmin sgadmin  1540 Oct 15 07:51 RSAenvision_syslog_conf.xml

                  -rw-rw-r--. 1 sgadmin sgadmin  1922 Oct 15 07:51 tivoli_syslog_conf.xml