Configuring McAfee Web Gateway to communicate with IBM QRadar (log file protocol)

The McAfee Web Gateway appliance gives the option to forward event log files to an interim file server for retrieval by QRadar.

Procedure

  1. From the support website, download the following file:

    log_handlers-1.1.tar.gz

  2. Extract the file.

    This gives you the access handler file that is needed to configure your McAfee Web Gateway appliance.

    access_log_file_loghandler.xml

  3. Log in to your McAfee Web Gateway console.
  4. Using the menu toolbar, click Policy.
    Note: If there is an existing access log configuration in your McAfee Web Gateway appliance, you must delete the existing access log from the Rule Set Library before you add the access_log_file_loghandler.xml.
  5. Click Log Handler.
  6. Using the menu tree, select Default.
  7. From the Add list, select Rule Set from Library.
  8. Click Import from File button.
  9. Navigate to the directory that contains the access_log_file_loghandler.xml file you downloaded and select syslog_loghandler.xml as the file to import.

    When the rule set is imported for access_log_file_loghandler.xml, a conflict can occur stating the Access Log Configuration exists already in the current configuration and a conflict solution is presented.

  10. If the McAfee Web Gateway appliance detects that the Access Log Configuration exists already, select the Conflict Solution: Change name option that is presented to resolve the rule set conflict.

    For more information on resolving conflicts, see your McAfee Web Gateway vendor documentation.

    You must configure your access.log file to be pushed to an interim server on an auto rotation. It does not matter if you push your files to the interim server based on time or size for your access.log file. For more information on auto rotation, see your McAfee Web Gateway vendor documentation.

    Note: Due to the size of access.log files that are generated, it is suggested that you select the option GZIP files after rotation in your McAfee Web Gate appliance.
  11. Click OK.
  12. Click Save Changes.
    Note: By default McAfee Web Gateway is configured to write access logs to the /opt/mwg/log/user-defined-logs/access.log/ directory.

What to do next

You are now ready to configure QRadar to receive access.log files from McAfee Web Gateway. For more information, see Pulling data by using the log file protocol.