Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

McAfee Web Gateway

 

You can configure McAfee Web Gateway to integrate with JSA.

Use one of the following methods:

Note

McAfee Web Gateway is formerly known as McAfee WebWasher.

The following table identifies the specifications for the McAfee Web Gateway DSM:

Table 1: McAfee Web Gateway DSM Specifications

Specification

Value

Manufacturer

McAfee

DSM

McAfee Web Gateway

RPM file name

DSM-McAfeeWebGateway-jsaversion-buildnumber.noarch

Supported versions

v6.0.0 and later

Protocol

Syslog, log file protocol

JSA

recorded events

All relevant events

Automatically discovered

Yes

Includes identity

No

More information

McAfee website (http://www.mcafee.com)

McAfee Web Gateway DSM Integration Process

You can integrate McAfee Web Gateway DSM with JSA.

Use the following procedure:

  • Download and install the most recent version of the McAfee Web Gateway DSM RPM on your JSA console.

  • For each instance of McAfee Web Gateway, configure your McAfee Web Gateway VPN system to enable communication with JSA.

  • If JSA does not automatically discover the log source, for each McAfee Web Gateway server you want to integrate, create a log source on the JSA console.

  • If you use McAfee Web Gateway v7.0.0 or later, create an event map.

Related Tasks

Configuring McAfee Web Gateway to communicate with JSA (syslog)To collect all events from McAfee Web Gateway, you must specify JSA as the syslog server and configure the message format.

Configuring McAfee Web Gateway to communicate with JSA (log file protocol)The McAfee Web Gateway appliance gives the option to forward event log files to an interim file server for retrieval by JSA.

Creation of an event map for McAfee Web Gateway eventsEvent mapping is required for all events that are collected from McAfee Web Gateway v7.0.0 and later.

Configuring McAfee Web Gateway to Communicate with JSA (syslog)

To collect all events from McAfee Web Gateway, you must specify JSA as the syslog server and configure the message format.

  1. Log in to your McAfee Web Gateway console.
  2. On the Toolbar, click Configuration.
  3. Click the File Editor tab.
  4. Expand the Appliance Files and select the file /etc/rsyslog.conf.

    The file editor displays the rsyslog.conf file for editing.

  5. Modify the rsyslog.conf file to include the following information:

    Where:

    • <IP Address> is the IP address of JSA.

    • <Port> is the syslog port number, for example 514.

  6. Click Save Changes.

    You are now ready to import a policy for the syslog handler on your McAfee Web Gateway appliance. For more information, see Importing the Syslog Log Handler.

Importing the Syslog Log Handler

To Import a policy rule set for the syslog handler:

  1. From the support website, download the following compressed file:

    log_handlers-1.1.tar.gz

  2. Extract the file.

    The extract file provides XML files that are version dependent to your McAfee Web Gateway appliance.

    Table 2: McAfee Web Gateway Required Log Handler File

    Version

    Required XML file

    McAfee Web Gateway V7.0

    syslog_loghandler_70.xml

    McAfee Web Gateway V7.3

    syslog_loghandler_73.xml

  3. Log in to your McAfee Web Gateway console.
  4. Using the menu toolbar, click Policy.
  5. Click Log Handler.
  6. Using the menu tree, select Default.
  7. From the Add list, select Rule Set from Library.
  8. Click Import from File button.
  9. Navigate to the directory containing the syslog_handler file you downloaded and select syslog_loghandler.xml as the file to import. Note

    If the McAfee Web Gateway appliance detects any conflicts with the rule set, you must resolve the conflict. For more information, see your McAfee Web Gateway documentation.

  10. Click OK.
  11. Click Save Changes.
  12. You are now ready to configure the log source in JSA.

    JSA automatically discovers syslog events from a McAfee Web Gateway appliance.

    If you want to manually configure JSA to receive syslog events, select McAfee Web Gateway from the Log Source Type list.

Configuring McAfee Web Gateway to Communicate with JSA (log File Protocol)

The McAfee Web Gateway appliance gives the option to forward event log files to an interim file server for retrieval by JSA.

  1. From the support website, download the following file:

    log_handlers-1.1.tar.gz

  2. Extract the file.

    This gives you the access handler file that is needed to configure your McAfee Web Gateway appliance.

    access_log_file_loghandler.xml

  3. Log in to your McAfee Web Gateway console.
  4. Using the menu toolbar, click Policy.Note

    If there is an existing access log configuration in your McAfee Web Gateway appliance, you must delete the existing access log from the Rule Set Library before you add the access_log_file_loghandler.xml.

  5. Click Log Handler.
  6. Using the menu tree, select Default.
  7. From the Add list, select Rule Set from Library.
  8. Click Import from File button.
  9. Navigate to the directory that contains the access_log_file_loghandler.xml file you downloaded and select syslog_loghandler.xml as the file to import.

    When the rule set is imported for access_log_file_loghandler.xml, a conflict can occur stating the Access Log Configuration exists already in the current configuration and a conflict solution is presented.

  10. If the McAfee Web Gateway appliance detects that the Access Log Configuration exists already, select the Conflict Solution: Change name option that is presented to resolve the rule set conflict.

    For more information on resolving conflicts, see your McAfee Web Gateway vendor documentation.

    You must configure your access.log file to be pushed to an interim server on an auto rotation. It does not matter if you push your files to the interim server based on time or size for your access.log file. For more information on auto rotation, see your McAfee Web Gateway vendor documentation.

    Note

    Due to the size of access.log files that are generated, it is suggested that you select the option GZIP files after rotation in your McAfee Web Gate appliance.

  11. Click OK.
  12. Click Save Changes.Note

    By default McAfee Web Gateway is configured to write access logs to the /opt/mwg/log/user-defined-logs/access.log/ directory.

You are now ready to configure JSA to receive access.log files from McAfee Web Gateway. For more information, see Pulling data by using the log file protocolA log file protocol source allows JSA to retrieve archived log files from a remote host. The McAfee Web Gateway DSM supports the bulk loading of access.log files by using the log file protocol source. The default directory for the McAfee Web Gateway access logs is the /opt/mwg/log/user-defined-logs/access.log/ directory..

Pulling Data by Using the Log File Protocol

A log file protocol source allows JSA to retrieve archived log files from a remote host. The McAfee Web Gateway DSM supports the bulk loading of access.log files by using the log file protocol source. The default directory for the McAfee Web Gateway access logs is the /opt/mwg/log/user-defined-logs/access.log/ directory.

You can now configure the log source and protocol in JSA.

  1. To configure JSA to receive events from a McAfee Web Gateway appliance, select McAfee Web Gateway from the Log Source Type list.
  2. To configure the protocol, you must select the Log File option from the Protocol Configuration list.
  3. To configure the File Pattern parameter, you must type a regex string for the access.log file, such as access[0-9]+\.log. Note

    If you selected to GZIP your access.log files, you must type access[0-9]+\.log\.gz for the FIle Pattern field and from the Processor list, select GZIP.

Creation Of an Event Map for McAfee Web Gateway Events

Event mapping is required for all events that are collected from McAfee Web Gateway v7.0.0 and later.

You can individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track recurring events from your network devices. Until you map an event, some events that are displayed in the Log Activity tab for McAfee Web Gateway are categorized as Unknown, and some events might be already assigned to an existing QID map. Unknown events are easily identified as the Event Name column and Low Level Category columns display Unknown.

Discovering Unknown Events

This procedure ensures that you map all event types and that you do not miss events that are not generated frequently, repeat this procedure several times over a period.

  1. Log in to JSA.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your McAfee Web Gateway log source.
  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your log source.

  8. From the View list, select Last Hour.

    Any events that are generated by the McAfee Web Gateway DSM in the last hour are displayed. Events that are displayed as Unknown in the Event Name column or Low Level Category column require event mapping.

    Note

    You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map.

Modifying the Event Map

Modify an event map to manually categorize events to a JSA Identifier (QID) map.

Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID).

Note

Events that do not have a defined log source cannot be mapped to an event. Events without a log source display SIM Generic Log in the Log Source column.

  1. On the Event Name column, double-click an unknown event for McAfee Web Gateway.

    The detailed event information is displayed.

  2. Click Map Event.
  3. From the Browse for JSA Identifier pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):
    • From the High-Level Category list, select a high-level event categorization.

    • From the Low-Level Category list, select a low-level event categorization.

    • From the Log Source Type list, select a log source type.

    The Log Source Type list gives the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to another existing network device. For example, McAfee Web Gateway provides policy events, you might select another product that likely captures similar events.

    To search for a QID by name, type a name in the QID/Name field.

    The QID/Name field gives the option to filter the full list of QIDs for a specific word, for example, policy.

  4. Click Search.

    A list of QIDs are displayed.

  5. Select the QID that you want to associate to your unknown event.
  6. Click OK.

    JSA maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by JSA.

    If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.