McAfee Web Gateway

McAfee Web Gateway delivers high-performance web security through an on-premises appliance that can be deployed both as dedicated hardware and a virtual machine.

Integration of McAfee Web Gateway with DNIF Adapter

To forward McAfee Web Gateway access logs to the DNIF Adapter

Log in to McAfee Web Gateway using web interface

Go to Policy, Rule Sets, Log Handler.

Expand the appropriate Log Handler and find the desired logging rule that will also be used to log to syslog.

The default Log Handler is named Access.log and the rule in this Log Handler is named Write access.log.

Select the rule and click Edit.

On the Events section of the rule, click Add, Event.

Select Syslog (Number, String) and then click Parameters.

For parameter 1. Level (Number), enter the number 6 for the value. This indicates an Informational level message.

For parameter 2. Message (String), click the Use Property button and select User-Defined.logLine.

Click OK, then click OK again. In the Events section of the rule, you should now see Syslog 6, User-Defined.logLine.

Click Finish.

To forward McAfee Web Gateway audit logs to the DNIF Adapter

Audit logging is used to track changes made to the Web Gateway’s configuration, it also track’s login’s and logout’s.

To enable this feature check the box for Write audit log to syslog

Go to Configuration > Appliances > Log File Manager > Settings for the Audit Log > Write audit log to syslog.

Now that the access log and audit log data is being recorded to syslog, modify the rsyslog.conf file.

On the Toolbar, click Configuration.

Click the File Editor tab.

Expand the Appliance Files and select the file /etc/rsyslog.conf.

The file editor displays the rsyslog.conf file for editing.

Modify the rsyslog.conf file to include the following information:

#Send MWG Access and Audit events;auth.=info		@DNIF-Adapter-IP:514

#Send all events
*.* 	@DNIF-Adapter-IP:514

Click Save Changes.

McAfee Web Gateway logs are now being streamed to the DNIF-ADAPTER.