
Sheriff CSM™

McAfee Web Gateway

When you configure McAfee Web Gateway to send log data to Sheriff CSM, you can use the McAfee Web Gateway (mwg) plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor:            McAfee
  Device Type:       Gateway
  Connection Type:   Syslog
  Data Source Name:  mcafee-mwg
  Data Source ID:    1699

Integrating McAfee Web Gateway

Before you configure the McAfee Web Gateway integration, you must have the IP Address of the Sheriff CSM Deputy.

To avoid potentially having your changes overwritten, complete this task using only the McAfee Web Gateway web interface File Editor, on a per-appliance basis. Do not edit /etc/rsyslog.conf directly.

To configure McAfee Web Gateway to send log data to Sheriff CSM
  1. In File Editor, look for rsyslog.conf.
  2. Look for a line similar to the following:

    *.info;mail.none;authpriv.none;cron.none /var/log/messages
  3. Make sure that the syslog daemon does not write any messages coming from the daemon facility (McAfee Web Gateway) with the level "info" to the /var/log/messages file by replacing that line with the following:

    *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages

    Important: This updated line ensures that the syslog daemon does not write any messages from the daemon facility (the McAfee Web Gateway) with info level to the /var/log/messages file. Capturing and writing "info" level messages generates a high volume of messages, which could overflow the /var partition.

  4. Send the data to a syslog server using UDP by adding a line like the one below to the end of the file:

    daemon.info @<Sheriff-CSM-Sensor-IP-Address>:514
  5. Enable CEF format, as shown in the following figures.

    Syslog CEF Rule 1

    Syslog CEF Rule 2
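
The following added example (not McAfee or Sheriff code) models the legacy sysklogd-style selector syntax that the three rsyslog lines above use, so you can check what each line does before and after the edit: the original line still writes daemon.info to /var/log/messages, the replaced line excludes exactly that priority while keeping daemon.notice and above, and the forwarding line sends daemon.info and above over UDP. It assumes only the facility.priority forms used here (=, !, != and none) and a constructed sensor address, 192.0.2.10.

```python
# Minimal model of rsyslog legacy selector lines (sysklogd syntax only).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]

# The lines from the procedure above; the sensor IP is a constructed sample.
ORIGINAL_LINE = "*.info;mail.none;authpriv.none;cron.none /var/log/messages"
FIXED_LINE = "*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages"
FORWARD_LINE = "daemon.info @192.0.2.10:514"


def at_least(priority):
    """Priorities as severe as, or more severe than, `priority`."""
    return PRIORITIES[: PRIORITIES.index(priority) + 1]


def parse_rule(line):
    """Return (enabled, action); enabled maps facility -> set of priorities.

    Selectors are applied left to right, each one adding or removing
    priorities for the facilities it names, as sysklogd/rsyslog do.
    """
    selectors, action = line.split(None, 1)
    enabled = {fac: set() for fac in FACILITIES}
    for selector in selectors.split(";"):
        facs, pri = selector.rsplit(".", 1)
        for fac in FACILITIES if facs == "*" else facs.split(","):
            if pri == "none":                 # drop this facility entirely
                enabled[fac].clear()
            elif pri.startswith("!="):        # exclude exactly this priority
                enabled[fac].discard(pri[2:])
            elif pri.startswith("!"):         # exclude this priority and above
                enabled[fac] -= set(at_least(pri[1:]))
            elif pri.startswith("="):         # add exactly this priority
                enabled[fac].add(pri[1:])
            else:                             # add this priority and above
                enabled[fac] |= set(at_least(pri))
    return enabled, action


def matches(line, facility, priority):
    """True if a message with this facility/priority reaches the rule's action."""
    enabled, _ = parse_rule(line)
    return priority in enabled[facility]


def describe_action(line):
    """Classify the action: UDP/TCP forward, or file with/without sync."""
    _, action = parse_rule(line)
    if action.startswith("@@"):
        return "tcp:" + action[2:]
    if action.startswith("@"):
        return "udp:" + action[1:]
    if action.startswith("-"):               # leading dash: no fsync per message
        return "file-async:" + action[1:]
    return "file-sync:" + action
```

Run matches(FIXED_LINE, "daemon", "info") against matches(ORIGINAL_LINE, "daemon", "info") to confirm the edit took effect before enabling the forwarding line.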

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://community.mcafee.com/docs/DOC-5206

For troubleshooting, refer to the vendor documentation:

https://kc.mcafee.com/corporate/index?page=content&id=KB73869
Topic revision: r9 - 29 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.