McAfee Web Gateway
McAfee Web Gateway is a secure web gateway that proxies, filters and inspects web traffic. You can send its web proxy logs to InsightIDR through syslog to be alerted on events occurring in McAfee Web Gateway.
To set up McAfee Web Gateway, you’ll need to:
- Configure McAfee Web Gateway to send data to your Collector.
- Set up the McAfee Web Gateway event source in InsightIDR.
- Verify the configuration works.
Configure McAfee Web Gateway to send data to your Collector
To send these logs to InsightIDR, you must configure syslog forwarding in McAfee Web Gateway.
Send logs in CEF format
You must send McAfee Web Gateway logs to InsightIDR in CEF format. For instructions on how to configure syslog forwarding in McAfee Web Gateway, see their documentation: https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-syslog-send-logs-to-your-SIEM-or-other/ta-p/554145
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for McAfee Web Gateway in the event sources search bar.
  - In the Product Type filter, select Web Proxy.
- Select the McAfee Web Gateway event source tile.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches with the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Configure your default domain and any Advanced Event Source Settings.
- Select Listen on Network Port as your Collection Method.
- Enter an unused Port number and choose a Protocol.
- If you chose TCP as your protocol, optionally select Encrypted to encrypt the event source and download the Rapid7 Certificate.
- Click the Save button.
Attribution source options
McAfee Web Gateway product logs can contain information about hosts and accounts. When setting up McAfee Web Gateway as an event source, you can choose one of the following attribution options:
- Use IDR engine if possible; if not, use event log
By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.
- Use event log if possible; if not, use IDR engine
By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.
- Use IDR engine only
By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.
- Use event log only
By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.
Verify the Configuration
From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name or “McAfee Web Gateway” if you did not name the event source. McAfee Web Gateway logs flow into these Log Sets:
- Web Proxy
- Virus Scan
McAfee Web Gateway logs appear in the Virus Scan Log Set if the Virus Name field in the logs is populated.
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.
Example input logs:
1<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|22.214.171.124.0|0|Proxy-|2|rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories cs6= cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy
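The example below is added here and is not Rapid7's or McAfee's code. It shows what a SIEM ingest stage does with a line like the one above: it parses the CEF header and the key=value extension, applies the csN/cnN label pairs (so that cs1 becomes "Virus Name"), decides which Log Set the line would land in (Virus Scan only when Virus Name is populated, as described in the "Verify the Configuration" section), and models the four attribution-source options from the "Attribution source options" section. The sample lines, the DEVICE_VERSION and PLACEHOLDER.Test.File values, and the ENGINE_TABLE lookup (a stand-in for the InsightIDR attribution engine, which this code cannot reproduce) are all constructed for the example; the attribution model covers accounts only, not assets.

```python
"""Parse a McAfee Web Gateway CEF syslog line, route it to a Log Set and model attribution.
Added example; not Rapid7 or McAfee code."""
import re
from typing import Dict, Optional

# Constructed sample lines modelled on the page's example. DEVICE_VERSION and
# PLACEHOLDER.Test.File are placeholders, not real values.
CLEAN_LINE = (
    "<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|DEVICE_VERSION|0|Proxy-|2|"
    "rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 "
    "dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST "
    "request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS "
    "cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories "
    "cs6= cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW "
    "cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy"
)
# Same event, but with an authenticated user and a populated Virus Name (constructed).
INFECTED_LINE = (
    CLEAN_LINE.replace("suser=-", "suser=jdoe")
    .replace("cs1= cs1Label=Virus Name", "cs1=PLACEHOLDER.Test.File cs1Label=Virus Name")
    .replace("cn1=0", "cn1=80")
)

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
_PIPE_RE = re.compile(r"(?<!\\)\|")          # header pipes, ignoring escaped "\|"
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # extension keys start the line or follow whitespace


def parse_cef(line: str) -> Dict[str, str]:
    """Return the 7 header fields plus extension pairs, with csN/cnN labels resolved."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _PIPE_RE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    fields = {k: v.replace("\\|", "|") for k, v in zip(_HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    # Values may contain spaces ("cat=Access Log"), so each value runs up to the next key.
    matches = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    # "cs1Label=Virus Name" means cs1 holds the virus name; expose it under that name too.
    for key in list(fields):
        if key.endswith("Label") and fields[key]:
            fields[fields[key]] = fields.get(key[: -len("Label")], "")
    return fields


def log_set(fields: Dict[str, str]) -> str:
    """InsightIDR routes a line to Virus Scan only when the Virus Name field is populated."""
    return "Virus Scan" if fields.get("Virus Name", "").strip() else "Web Proxy"


# Constructed stand-in for the InsightIDR attribution engine: source IP -> account it has
# learned from other data. Real attribution happens inside InsightIDR, not in this table.
ENGINE_TABLE = {"192.168.70.152": "jdoe@example.com"}


def attribute(fields: Dict[str, str], mode: str) -> Optional[str]:
    """Account a line is attributed to under one of the four attribution options.

    mode is one of: engine_then_log, log_then_engine, engine_only, log_only.
    """
    from_engine = ENGINE_TABLE.get(fields.get("src", ""))
    suser = fields.get("suser", "")
    from_log = suser if suser and suser != "-" else None  # MWG writes "-" when no user is known
    order = {
        "engine_then_log": (from_engine, from_log),
        "log_then_engine": (from_log, from_engine),
        "engine_only": (from_engine,),
        "log_only": (from_log,),
    }[mode]
    return next((candidate for candidate in order if candidate), None)


if __name__ == "__main__":
    for line in (CLEAN_LINE, INFECTED_LINE):
        f = parse_cef(line)
        print(log_set(f), f["src"], repr(f["Virus Name"]), attribute(f, "log_then_engine"))
```

The clean line has suser set to "-", so "Use event log if possible; if not, use IDR engine" falls through to the engine lookup, while "Use event log only" yields no attribution at all; the infected line carries a real suser and lands in the Virus Scan Log Set because Virus Name is non-empty.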