Depending on your exact version of 7.6 (I want to say it was introduced in 188.8.131.52), you can enable sending audit logs to syslog directly within the appliance. This will send to local syslog, but then you can enable forwarding within the rsyslog.conf file for the appliances.
Sending audit logs to syslog:
- Go into the Configuration section of the MWG UI
- Expand "Appliances," and for each appliance in the cluster (in case you have more than 1), go into the "Log File Manager" settings
- Scroll down to and expand the section titled "Settings for the Audit Log"
- Check the box for "Write audit log to syslog."
Forwarding to a remote syslog server (e.g. SIEM or any other log handler):
- Go into the Configuration section of the MWG UI (you'll already be there if you just completed the steps above)
- Click the "File Editor" tab
- For each appliance in the cluster (in case you have more than 1), click on "rsyslog.conf"
- Add a line for forwarding to the syslog destination. If you're familiar with rsyslog or want to research ways to customize it, you may come up with a more or less specific way that you wish to forward events, but this simple line would do the trick (where "x.x.x.x" is the IP address or hostname of your SIEM receiver):
For syslog over UDP:
:msg, contains, "WebGateway" @x.x.x.x:514
For syslog over TCP:
:msg, contains, "WebGateway" @@x.x.x.x:514
5 of 5 people found this helpful
I just updated the syslog guide to include steps for sending the audit log info to syslog:
This can be done in two steps:
1. Enable the option for writing audit log to syslog
2. Update the syslog config to send audit log events to the remote SIEM
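As an added example that is not code from either post above, and not McAfee's own configuration, the following POSIX shell script generates the rsyslog.conf forwarding lines that both posts describe (the plain UDP rule beside a TCP rule backed by a disk-assisted queue, so audit events are held locally while the SIEM is unreachable instead of being dropped) and then checks which log lines the ":msg, contains, "WebGateway"" selector would actually forward. The SIEM hostname, the queue file name, the $WorkDirectory path and the sample log lines are assumptions or constructed for the example; the $ActionQueue* and $ActionResumeRetryCount directives are standard rsyslog legacy-format directives that are assumed to be supported by the rsyslog version on the appliance.

```shell
#!/bin/sh
# Added example (not from the original posts). Builds the rsyslog forwarding
# rule for MWG audit events and simulates the ":msg, contains" selector.

# Constructed sample syslog lines for the simulation. They are NOT real MWG
# audit output; only the literal string "WebGateway" in the message body
# matters for the selector, so two of the four lines should be forwarded.
SAMPLE_LINES='Jan 10 12:00:01 mwg1 mwgaudit: WebGateway audit: user admin logged in from 10.0.0.7
Jan 10 12:00:02 mwg1 sshd[1234]: Accepted publickey for root from 10.0.0.7
Jan 10 12:00:03 mwg1 mwgaudit: WebGateway audit: rule set Default modified by admin
Jan 10 12:00:04 mwg1 cron[555]: (root) CMD (run-parts /etc/cron.hourly)'

# forward_rule PROTO DEST [PORT]
# Prints the rsyslog.conf lines to forward matching events to DEST.
#   udp: single "@" rule, exactly as in the post (fire-and-forget, lossy).
#   tcp: "@@" rule preceded by a disk-assisted queue so events survive a SIEM
#        outage. The $Action* directives only apply to the next action line,
#        so they must immediately precede the forwarding rule.
# The work directory and queue file name are assumptions for this example.
forward_rule() {
    proto="$1"; dest="$2"; port="${3:-514}"
    case "$proto" in
        udp)
            printf ':msg, contains, "WebGateway" @%s:%s\n' "$dest" "$port" ;;
        tcp)
            printf '$WorkDirectory /var/lib/rsyslog\n'
            printf '$ActionQueueType LinkedList\n'
            printf '$ActionQueueFileName mwg_audit_fwd\n'
            printf '$ActionQueueMaxDiskSpace 1g\n'
            printf '$ActionQueueSaveOnShutdown on\n'
            printf '$ActionResumeRetryCount -1\n'
            printf ':msg, contains, "WebGateway" @@%s:%s\n' "$dest" "$port" ;;
        *)
            echo "forward_rule: unsupported protocol '$proto' (use udp or tcp)" >&2
            return 1 ;;
    esac
}

# matches_filter LINE
# Approximates rsyslog's ':msg, contains, "WebGateway"' property filter: a
# case-sensitive, fixed-string match. (rsyslog matches only the message body,
# not the hostname or tag; the constructed lines keep the string in the body.)
matches_filter() {
    printf '%s\n' "$1" | grep -qF 'WebGateway'
}

# count_forwarded < lines
# Reads syslog lines on stdin and prints how many the selector would forward.
count_forwarded() {
    n=0
    while IFS= read -r line; do
        matches_filter "$line" && n=$((n + 1))
    done
    echo "$n"
}

# When run directly: show the hardened TCP rule and the simulated match count.
forward_rule tcp siem.example.org
printf '%s\n' "$SAMPLE_LINES" | count_forwarded
```

The selector is deliberately loose: any local message whose body contains "WebGateway" is forwarded, and everything else (including SSH and cron activity on the appliance) stays local. Prefer the TCP form for audit data, since UDP gives no indication that the SIEM stopped receiving.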