The McAfee Web Gateway appliance gives the option to forward event log files to an
interim file server for retrieval by QRadar.
Procedure
- From the support website, download the following file: access_log_file_loghandler.xml
- Extract the file. This gives you the access handler file that is needed to configure your McAfee Web Gateway appliance.
- Log in to your McAfee Web Gateway console.
- Using the menu toolbar, click Policy.
  Note: If there is an existing access log configuration in your McAfee Web Gateway appliance, you must delete the existing access log from the Rule Set Library before you add the access_log_file_loghandler.xml.
- Click Log Handler.
- Using the menu tree, select Default.
- From the Add list, select Rule Set from Library.
- Click the Import from File button.
- Navigate to the directory that contains the access_log_file_loghandler.xml file you downloaded and select access_log_file_loghandler.xml as the file to import.
  When the rule set for access_log_file_loghandler.xml is imported, a conflict can occur stating that the Access Log Configuration already exists in the current configuration, and a conflict solution is presented.
- If the McAfee Web Gateway appliance detects that the Access Log Configuration already exists, select the Conflict Solution: Change name option that is presented to resolve the rule set conflict. For more information on resolving conflicts, see your McAfee Web Gateway vendor documentation.
  You must configure your access.log file to be pushed to an interim server on an auto rotation. It does not matter whether you push your files to the interim server based on time or on size for your access.log file. For more information on auto rotation, see your McAfee Web Gateway vendor documentation.
  Note: Due to the size of the access.log files that are generated, it is suggested that you select the GZIP files after rotation option in your McAfee Web Gateway appliance.
- Click OK.
- Click Save Changes.
  Note: By default, McAfee Web Gateway is configured to write access logs to the /opt/mwg/log/user-defined-logs/access.log/ directory.
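A readiness check for the interim server, added here as an example and not part of the original procedure or of IBM's or McAfee's own tooling: it inspects the staged access.log rotations before QRadar pulls them, confirming that each gzipped file inflates cleanly and is non-empty, so a truncated upload or an empty rotation is noticed before the log file protocol silently collects it. The file naming pattern and the sample log lines are constructed assumptions, not the McAfee Web Gateway format.

```python
import gzip
import tempfile
from pathlib import Path


def check_rotated_logs(log_dir, pattern="access.log*"):
    """Inspect rotated access.log files staged on the interim server.

    Returns a dict of file names keyed by "ok", "empty" and "corrupt".
    A file is "ok" when it holds data and, if gzipped, inflates cleanly;
    the glob pattern is an assumption about how rotated files are named.
    """
    result = {"ok": [], "empty": [], "corrupt": []}
    for path in sorted(Path(log_dir).glob(pattern)):
        if not path.is_file():
            continue
        try:
            if path.suffix == ".gz":
                # gzip raises OSError (BadGzipFile) on a bad header and
                # EOFError on a rotation that was truncated mid-transfer
                with gzip.open(path, "rb") as fh:
                    data = fh.read()
            else:
                data = path.read_bytes()
        except (OSError, EOFError):
            result["corrupt"].append(path.name)
            continue
        if not data.strip():
            result["empty"].append(path.name)
        else:
            result["ok"].append(path.name)
    return result


def build_sample_dir():
    """Construct a throwaway interim-server directory for a dry run.

    The log lines are constructed placeholders, not the real McAfee
    Web Gateway access.log format.
    """
    d = Path(tempfile.mkdtemp(prefix="mwg-interim-"))
    with gzip.open(d / "access.log.1.gz", "wb") as fh:      # good rotation
        fh.write(b"sample access line 1\nsample access line 2\n")
    with gzip.open(d / "access.log.2.gz", "wb") as fh:      # empty rotation
        pass
    (d / "access.log.3.gz").write_bytes(b"not gzip data")   # broken upload
    return d


if __name__ == "__main__":
    print(check_rotated_logs(build_sample_dir()))
```

Point `check_rotated_logs` at the directory the appliance pushes to; anything listed under "corrupt" or "empty" should be re-pushed from the appliance rather than left for QRadar to pick up.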
What to do next
You are now ready to configure QRadar to receive
access.log files from McAfee Web Gateway. For more information, see Pulling data by using the log file protocol.