2016-03-02 04:48 PM
Hi All,
I am trying to configure my companies MWG to send Syslog to the Secure Analytics Box but the instructions listed at http://sadocs.emc.com/@api/deki/files/43270/McAfee_WebGateway.pdf dont make sense. Does anyone have a ruleset for the Web Gateway with the proper log format?
Thanks,
BG
2016-03-03 01:36 AM
Can you integrate via File Reader method?
2016-03-03 11:17 AM
My manager wants me to set this up via syslog as it should be supported. I tried implementing the header but got nothing. When I talked to McAfee support, they said the header is not what determines the values of the log line. They said we would have to configure a rule to create the proper log line.
We tried to figure out what some of the values were supposed to be but the tech got confused by what the documentation meant by event, or server name/server IP. Support mentioned that they had a CEF format but was not sure if that would work or not. Figured I would check to see if anyone has been successful at setting this up in their environments.
2016-03-04 12:08 PM
Anyone?
2016-03-04 03:37 PM
We have been having issues with MWG and SA as well. Worked OK in Envision (file reader), and Z connector, however same format sent via syslog does not parse. device.type='unknown'
I have managed to follow the docs to get a mwg log format to parse ok when sent via syslog, however it is missing a ton of meta data. Things like alias.host, block codes, URI, user agent are all truncated and useless or missing. this is valuable metadata.
msg me if you want at least something at works barebones with syslog.
2016-04-18 03:14 AM
Hi Brandon,
Apologies for the lack of response to your question from anyone here at RSA.
Were you able to get this resolved at all?
Regards
Paul Thornton
RSA Social Engagement Manager
2016-04-18 03:23 AM
Hi I have integrated this with a customer successfully.
Can you paste any logs that that are not working here. (Please anonymise them first) and I can take a look.
If meta is not displaying it could be because metakeys in your table-map-custom.xml file are set to Transient instead of None so they are not being written.