Configuring the MEG gateway to send logs to QRadar

Configure the MEG gateway to send logs to the QRadar® host IP address or port number that is defined in the log4j.xml file.

Procedure

  1. From the computer that is running MEG, go to the C:\ProgramData\MaaS360\Cloud Extender\logs directory and locate the MobileGatewaylog4j.xml file.
  2. Uncomment the following section in the MobileGatewaylog4j.xml file and replace HOST_IP_ADDRESS with the QRadar host IP address.
    <!--
    Uncomment the following section to use the SyslogAppender to send
    MEGAuth and MEGWebAuth logs to Qradar. Replace the HOST_IP_ADDRESS
    With QRadar IP address.
     -->
    <!--
        <appender class="ch.qos.logback.classic.net.SyslogAppender" name="SYSLOG">
            <syslogHost>HOST_IP_ADDRESS</syslogHost>
            <port>514</port>
            <facility>AUTH</facility>
            <suffixPattern>%msg</suffixPattern>
        </appender>
    -->
  3. Uncomment the syslog appender for the AuthenticationLogger and the WebResourceAuthLogger.
    <!-- Authentication Log Logger -->
    <logger name="AuthenticationLogger">
        <level value="info"/>
        <appender-ref ref="AuthenticationLogsASyncAppender"/>
        <!-- Uncomment the following section to add the SyslogAppender -->
        <!-- <appender-ref ref="SYSLOG"/> -->
    </logger>
    <!-- Web Resource Authentication Log Logger -->
    <logger name="WebResourceAuthLogger">
        <level value="info"/>
        <appender-ref ref="WebResourceAuthLogsASyncAppender"/>
        <!-- Uncomment the following section to add the SyslogAppender -->
        <!-- <appender-ref ref="SYSLOG"/> -->
    </logger>
  4. Restart MEG.
  5. For firewalls that are running on MEG, create outbound rules for port 514.
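
Before restarting MEG, the edits from steps 2 and 3 can be checked mechanically. The following Python script is an added example, not part of the MaaS360 product or documentation. The function name, the `<configuration>` root element, and the sample file contents are assumptions constructed for illustration. It reports a SYSLOG appender that is still commented out, a placeholder left in syslogHost, and any of the two loggers that does not reference SYSLOG.

```python
import ipaddress
import xml.etree.ElementTree as ET

LOGGERS = ("AuthenticationLogger", "WebResourceAuthLogger")

def check_syslog_forwarding(xml_text):
    """Return a list of problems; an empty list means steps 2 and 3 are complete."""
    # ElementTree drops XML comments, so anything still commented out is invisible here.
    root = ET.fromstring(xml_text)
    problems = []
    appender = next((a for a in root.iter("appender") if a.get("name") == "SYSLOG"), None)
    if appender is None:
        problems.append("SYSLOG appender is missing or still commented out")
    else:
        host = (appender.findtext("syslogHost") or "").strip()
        try:
            ipaddress.ip_address(host)  # the procedure asks for an IP address
        except ValueError:
            problems.append(f"syslogHost is not an IP address: {host!r}")
        port = (appender.findtext("port") or "").strip()
        if not (port.isdecimal() and 0 < int(port) < 65536):
            problems.append(f"port is not a valid port number: {port!r}")
    for name in LOGGERS:
        logger = next((lg for lg in root.iter("logger") if lg.get("name") == name), None)
        refs = set() if logger is None else {r.get("ref") for r in logger.iter("appender-ref")}
        if "SYSLOG" not in refs:
            problems.append(f'{name} has no <appender-ref ref="SYSLOG"/>')
    return problems

# Constructed sample of a half-finished edit; the <configuration> root is assumed.
HALF_DONE = """<configuration>
  <appender class="ch.qos.logback.classic.net.SyslogAppender" name="SYSLOG">
    <syslogHost>HOST_IP_ADDRESS</syslogHost>
    <port>514</port>
    <facility>AUTH</facility>
    <suffixPattern>%msg</suffixPattern>
  </appender>
  <logger name="AuthenticationLogger">
    <appender-ref ref="AuthenticationLogsASyncAppender"/>
    <appender-ref ref="SYSLOG"/>
  </logger>
  <logger name="WebResourceAuthLogger">
    <appender-ref ref="WebResourceAuthLogsASyncAppender"/>
    <!-- <appender-ref ref="SYSLOG"/> -->
  </logger>
</configuration>"""

if __name__ == "__main__":
    for problem in check_syslog_forwarding(HALF_DONE):
        print("FAIL:", problem)
```

To check a real gateway, read the contents of MobileGatewaylog4j.xml into a string and pass it to check_syslog_forwarding.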

What to do next

Configure QRadar to receive logs from MEG.