This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Configuring McAfee Web Gateway

BrandonGartamak
Beginner
Beginner

‎2016-03-02 04:48 PM

Hi All,

 

I am trying to configure my companies MWG to send Syslog to the Secure Analytics Box but the instructions listed at http://sadocs.emc.com/@api/deki/files/43270/McAfee_WebGateway.pdf dont make sense. Does anyone have a ruleset for the Web Gateway with the proper log format?

 

Thanks,

BG

0 Likes
6 REPLIES 6

DeepanshuSood1
Beginner
Beginner

‎2016-03-03 01:36 AM

Can you integrate via File Reader method?

0 Likes

BrandonGartamak
Beginner
Beginner
In response to DeepanshuSood1

‎2016-03-03 11:17 AM

My manager wants me to set this up via syslog as it should be supported. I tried implementing the header but got nothing. When I talked to McAfee support, they said the header is not what determines the values of the log line. They said we would have to configure a rule to create the proper log line.

 

We tried to figure out what some of the values were supposed to be but the tech got confused by what the documentation meant by event, or server name/server IP. Support mentioned that they had a CEF format but was not sure if that would work or not. Figured I would check to see if anyone has been successful at setting this up in their environments.

0 Likes

BrandonGartamak
Beginner
Beginner

‎2016-03-04 12:08 PM

Anyone?

0 Likes

Anonymous
Not applicable

‎2016-03-04 03:37 PM

We have been having issues with MWG and SA as well.  Worked OK in Envision (file reader), and Z connector, however same format sent via syslog does not parse.  device.type='unknown'

 

I have managed to follow the docs to get a mwg log format to parse ok when sent via syslog, however it is missing a ton of meta data.  Things like alias.host, block codes, URI, user agent are all truncated and useless or missing. this is valuable metadata.

 

msg me if you want at least something at works barebones with syslog.

0 Likes

PaulThornton
Beginner
Beginner
In response to BrandonGartamak

‎2016-04-18 03:14 AM

Hi Brandon,

 

Apologies for the lack of response to your question from anyone here at RSA.

 

Were you able to get this resolved at all?

 

Regards

Paul Thornton

RSA Social Engagement Manager

0 Likes

DavidWaugh1
Employee
Employee

‎2016-04-18 03:23 AM

Hi I have integrated this with a customer successfully.

 

Can you paste any logs that that are not working here. (Please anonymise them first) and I can take a look.

If meta is not displaying it could be because metakeys in your table-map-custom.xml file are set to Transient instead of None so they are not being written.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.