
CEF Syslog – for use with FireEye

Disclaimer

This rule set along with all its associated files and documents is provided on an as-is basis. McAfee will not take
any responsibility for problems, outages or any other issues resulting from using this rule set, or any of the files
associated with it.

Please be careful when importing the rule set into your existing policy. Make sure you understand what the rule
set is supposed to do and have verified that it does not interfere with any other rules that currently exist within your
configuration.

Many values used within the rules are example values and will most likely not fit your environment. Always make
sure that you have changed examples to real-life values.

Overview

This document explains how to configure McAfee Web Gateway to send log lines via Syslog to FireEye.

Setup Syslog

To start, the following steps are required:

• Log in to McAfee Web Gateway
• Switch to the “Configuration” tab
• Switch to “File Editor”
• Expand the items for the MWG instance you would like to modify
• NOTE: These steps must be done for each MWG instance in a cluster!
• Select “rsyslog.conf”. The content of this file appears on the right
• IMPORTANT: Create a backup of the current “rsyslog.conf”, for example by simply storing the
current content into a text file on your computer.
• Modify “rsyslog.conf” as shown in the next chapter
• Save changes

Sample “rsyslog.conf”

Below you will find an example “rsyslog.conf” file. Please note that you will have to modify the sample and at
least add the correct IP address of the server receiving the syslog events. The location where the IP address
needs to be adjusted is marked as [IP_OF_EVENT_RECEIVER].

# default parameters
$DirCreateMode 0755
$FileCreateMode 0640
$FileGroup adm
$umask 0026

# Include config files in /etc/rsyslog.d
$IncludeConfig /etc/rsyslog.d/*.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# The below will direct all daemon.info messages to the
# remote syslog server at [IP_OF_EVENT_RECEIVER]
# add @@ for TCP syslog
daemon.info @[IP_OF_EVENT_RECEIVER]
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @10.x.x.x:512
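Because the sample still carries example values, and every MWG instance in a cluster needs the same edit, a pre-rollout check is useful. The following Python checker is an added example, not part of this document or the McAfee rule set: it parses the remote-forwarding actions of a legacy-format rsyslog.conf and flags unreplaced placeholder addresses, UDP transport and catch-all selectors; SAMPLE_CONF is a constructed excerpt of the file above with the placeholder left in place.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the forwarding-relevant lines of the rsyslog.conf shown
# above, with the placeholder left unreplaced so the checker has something to flag.
SAMPLE_CONF = """\
# The below will direct all daemon.info messages to the
# remote syslog server at [IP_OF_EVENT_RECEIVER]
# add @@ for TCP syslog
daemon.info @[IP_OF_EVENT_RECEIVER]
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
authpriv.* /var/log/secure
$ActionResumeRetryCount -1 # infinite retries if host is down
*.* @10.x.x.x:512
"""

PLACEHOLDER = re.compile(r"\[[A-Z_]+\]")  # e.g. [IP_OF_EVENT_RECEIVER]

@dataclass
class Forward:
    selector: str
    transport: str  # "udp" for a single @, "tcp" for @@
    host: str
    port: int
    warnings: list = field(default_factory=list)

def parse_forwards(conf: str) -> list:
    """Return every remote-forwarding action in a legacy-format rsyslog.conf."""
    forwards = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):  # skip blanks and $ directives
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[1].startswith("@"):
            continue  # local file action, not a forward
        selector, action = parts
        transport = "tcp" if action.startswith("@@") else "udp"
        target = action.lstrip("@")
        host, _, port = target.rpartition(":") if ":" in target else (target, "", "514")
        fwd = Forward(selector, transport, host, int(port))
        if PLACEHOLDER.search(host) or "x" in host.split("."):
            fwd.warnings.append("receiver address is still an example value")
        if transport == "udp":
            fwd.warnings.append("UDP transport: no delivery guarantee, use @@ for TCP")
        if selector == "*.*":
            fwd.warnings.append("forwards every facility, authpriv included")
        forwards.append(fwd)
    return forwards
```

Run it against each instance's rsyslog.conf before saving; an empty warnings list on every Forward means the example values have been replaced.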

Import Rule Set


After you have altered the “rsyslog.conf” file and applied the changes, import the attached rule set into
McAfee Web Gateway; this causes the syslog messages to be sent to your syslog server. To do so, please
follow these steps:

• Log in to McAfee Web Gateway
• Switch to the “Policy” tab
• Choose the “Log Handler”
• Pick the “Default” Log Handler
• Select “Add” -> “Rule Set From Library”
• Pick “Import from File”
• Refer to the rule set which comes with this documentation
• Choose “Refer to existing objects” when solving conflicts after the import

Help
In case of any questions or problems with the rule set or with setting up “rsyslog” in general, please refer to the McAfee
Web Gateway Communities at https://community.mcafee.com/community/business/email_web/webgateway.
Please note that there is no official support for this rule set.

6220 America Center Drive McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered
San Jose, CA 95002 trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands
888.847.8766 may be claimed as the property of others. Copyright © 2021 McAfee, LLC. 0921 SEPTEMBER 2021.
www.mcafee.com
