Configuring McAfee Web Gateway to communicate with QRadar (syslog)

To collect all events from McAfee Web Gateway, you must specify IBM QRadar as the syslog server and configure the message format.

Procedure

  1. Log in to your McAfee Web Gateway console.
  2. On the Toolbar, click Configuration.
  3. Click the File Editor tab.
  4. Expand Appliance Files and select the file /etc/rsyslog.conf.

    The file editor displays the rsyslog.conf file for editing.

  5. Modify the rsyslog.conf file to include the following information:
    # send access log to qradar
    # (a single @ before the address forwards over UDP)
    *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
    *.info;mail.none;authpriv.none;cron.none @<IP Address>:<Port>

    Where:

    • <IP Address> is the IP address of QRadar.
    • <Port> is the syslog port number, for example 514.
  6. Click Save Changes.

    You are now ready to import a policy for the syslog handler on your McAfee Web Gateway appliance. For more information, see Importing the Syslog Log Handler.
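
The two rules in step 5 differ only in the daemon.!=info exclusion, so messages logged as daemon.info are forwarded to QRadar but kept out of /var/log/messages. The following Python sketch is an added example, not IBM or McAfee code. It evaluates the two selectors with standard syslog selector semantics to show where a given facility and severity ends up. The label "qradar" stands for @<IP Address>:<Port>, and the sample messages are constructed.

```python
# Added example: evaluates syslog selectors with classic sysklogd/rsyslog semantics.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# The two selectors from the rsyslog.conf rules in step 5.
RULES = {
    "/var/log/messages": "*.info;daemon.!=info;mail.none;authpriv.none;cron.none",
    "qradar": "*.info;mail.none;authpriv.none;cron.none",  # stands for @<IP Address>:<Port>
}

def compile_selector(selector):
    """Return {facility: set of severities} after applying each part left to right."""
    mask = {f: set() for f in FACILITIES}
    for part in filter(None, (p.strip() for p in selector.split(";"))):
        facs, prio = part.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":            # drop everything for these facilities
            levels, negate = set(SEVERITIES), True
        elif prio == "*":
            levels = set(SEVERITIES)
        elif exact:                   # "=info": exactly this severity
            levels = {prio}
        else:                         # "info": this severity and more severe
            levels = set(SEVERITIES[:SEVERITIES.index(prio) + 1])
        for fac in targets:
            mask[fac] = mask[fac] - levels if negate else mask[fac] | levels
    return mask

def destinations(facility, severity):
    """List the rule targets that would receive a message with this facility/severity."""
    return [target for target, selector in RULES.items()
            if severity in compile_selector(selector)[facility]]

if __name__ == "__main__":
    # Constructed sample messages, not taken from a real appliance.
    for fac, sev in [("daemon", "info"), ("daemon", "warning"),
                     ("mail", "err"), ("kern", "debug")]:
        print(f"{fac}.{sev:8} -> {destinations(fac, sev) or 'dropped'}")
```

The sketch also shows that mail, authpriv and cron messages and anything at debug severity never reach QRadar with these rules.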