To collect all events from McAfee Web Gateway, you must specify IBM QRadar as the syslog server and configure the message format.
Procedure
- Log in to your McAfee Web Gateway console.
- On the Toolbar, click Configuration.
- Click the File Editor tab.
- Expand the Appliance Files and select the file /etc/rsyslog.conf.
  The file editor displays the rsyslog.conf file for editing.
- Modify the rsyslog.conf file to include the following information:
    # send access log to qradar
    *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
    *.info;mail.none;authpriv.none;cron.none @<IP Address>:<Port>
Where:
- <IP Address> is the IP address of QRadar.
- <Port> is the syslog port number, for example 514.
- Click Save Changes.
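
To see which messages the two selectors in the rsyslog.conf step actually select, the following added example (not IBM or McAfee code) evaluates them for a given facility and severity. It assumes traditional syslog selector semantics with canonical severity names; `selector_matches` and `destinations` are hypothetical helper names.

```python
# Added example: evaluates the two selectors from the rsyslog.conf lines above.
# Assumption: traditional syslog selector semantics, canonical severity names only.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LOCAL_RULE = "*.info;daemon.!=info;mail.none;authpriv.none;cron.none"   # -/var/log/messages
FORWARD_RULE = "*.info;mail.none;authpriv.none;cron.none"               # @<IP Address>:<Port>


def selector_matches(selector, facility, severity):
    """Return True if facility.severity is selected; parts apply left to right."""
    sev = SEVERITIES.index(severity)          # 0 = emerg (highest) ... 7 = debug
    matched = False
    for part in filter(None, (p.strip() for p in selector.split(";"))):
        facilities, prio = part.rsplit(".", 1)
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if prio == "none":                    # facility.none drops the facility
            matched = False
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "*":
            hit = True
        else:
            level = SEVERITIES.index(prio)
            hit = (sev == level) if exact else (sev <= level)
        if negate:
            matched = matched and not hit     # "!" removes what it names
        elif hit:
            matched = True
    return matched


def destinations(facility, severity):
    """List which of the two rules select a message with this facility/severity."""
    out = []
    if selector_matches(LOCAL_RULE, facility, severity):
        out.append("/var/log/messages")
    if selector_matches(FORWARD_RULE, facility, severity):
        out.append("qradar")
    return out


if __name__ == "__main__":
    for fac, sev in [("daemon", "info"), ("daemon", "warning"), ("authpriv", "err"),
                     ("mail", "crit"), ("kern", "debug")]:
        print(f"{fac}.{sev:8} -> {destinations(fac, sev) or 'not selected by either rule'}")
```

With these selectors, daemon.info messages are forwarded to QRadar but kept out of /var/log/messages, and mail, authpriv, and cron messages are not forwarded at any severity.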