The article covers how to configure syslog on the McAfee Web Gateway.
Overview
This topic describes the steps to configure syslog on the McAfee Web Gateway.
Prerequisites
Administrator login credentials are required.
Configuring syslog in McAfee Web Gateway
1. Log in to your McAfee Web Gateway console.
2. Add a rule for sending access log data.
- Go to Policy > Rule Sets.
- Click Log Handler at the bottom of the left-hand tree pane, expand the Default rule set, and select the nested CEF Syslog rule set. The content of the nested rule set appears on the configuration pane. When Rule 2 is enabled (check mark selected), syslog is sent outbound in CEF in all instances.
- Click Save Changes at the upper right-hand corner of the page.
3. Configure Syslog to send Audit log data.
- Click Configuration (dialogue at top of page) > Appliances > Log File Manager > Settings for the Audit Log and select Write audit log to syslog.
4. Configure rsyslog.conf to send the logs to the SIEM.
- Select Configuration > File Editor
- Select rsyslog.conf on the files tree. The file content appears on the configuration pane.
- Edit the file to adapt it for sending access log data.
- Locate the line similar to: *.info;mail.none;authpriv.none;cron.none /var/log/messages. Add daemon.!=info to this line and insert a - (dash) before the path information, so that it reads:
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
This prevents the daemon facility's info messages from being written to the /var/log/messages file, which could otherwise fill the /var partition.
5. To send log data over syslog to a remote location, add a new line near the bottom of the file that sends the info messages to a particular host or IP address and port.
For syslog over TCP:
daemon.info;auth.=info @@<Forwarder IP>:11607
For syslog over UDP:
daemon.info;auth.=info @<Forwarder IP>:11607
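The following Python check is an added example, not part of the original article or of any McAfee tooling: it parses rsyslog.conf text and confirms the two edits from steps 4 and 5 (the daemon.!=info exclusion on the /var/log/messages rule, and a forwarding rule with its transport, host and port). The sample configuration and the address 192.0.2.10, which stands in for <Forwarder IP>, are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of an edited rsyslog.conf (not taken from a real appliance).
# 192.0.2.10 is a documentation address standing in for <Forwarder IP>.
SAMPLE_CONF = """\
# local rules
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
authpriv.* /var/log/secure
daemon.info;auth.=info @@192.0.2.10:11607
"""

RULE = re.compile(r"^(?P<selector>\S+)\s+(?P<action>\S.*)$")
# "@host:port" forwards over UDP, "@@host:port" forwards over TCP.
FORWARD = re.compile(r"^(?P<at>@{1,2})(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$")


def parse_rules(conf_text):
    """Yield (selector, action) for each classic selector/action line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "$")):
            continue  # skip blanks, comments and legacy $ directives
        m = RULE.match(line)
        if m:
            yield m.group("selector"), m.group("action").strip()


def check_conf(conf_text):
    """Report whether the edits described in the article are present."""
    result = {"local_excludes_daemon_info": False,
              "local_dash_prefix": False,
              "forwarders": []}
    for selector, action in parse_rules(conf_text):
        parts = selector.split(";")
        if action.lstrip("-") == "/var/log/messages":
            result["local_excludes_daemon_info"] = "daemon.!=info" in parts
            result["local_dash_prefix"] = action.startswith("-")
        fwd = FORWARD.match(action)
        if fwd and "daemon.info" in parts:
            result["forwarders"].append({
                "transport": "tcp" if fwd.group("at") == "@@" else "udp",
                "host": fwd.group("host"),
                "port": int(fwd.group("port") or 514),  # rsyslog default port
            })
    return result


if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF))
```

An empty forwarders list, or local_excludes_daemon_info set to False, means the corresponding edit is missing from the file that was checked.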