McAfee Web Gateway

McAfee Web Gateway is a web proxy security product. You can forward its web proxy logs to InsightIDR through syslog to be alerted on events occurring in McAfee Web Gateway.

To set up McAfee Web Gateway, you’ll need to:

  1. Configure McAfee Web Gateway to send data to your Collector.
  2. Set up the McAfee Web Gateway event source in InsightIDR.
  3. Verify the configuration works.

Configure McAfee Web Gateway to send data to your Collector

To send these logs to InsightIDR, you must configure syslog forwarding in McAfee Web Gateway.

Send logs in CEF format

You must send McAfee Web Gateway logs to InsightIDR in CEF format. For instructions on how to configure syslog forwarding in McAfee Web Gateway, see their documentation: https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-syslog-send-logs-to-your-SIEM-or-other/ta-p/554145

Set Up McAfee Web Gateway in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Web Proxy icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. If you are sending additional events beyond alerts, select the unfiltered logs checkbox.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select Listen for Syslog as your Collection Method.
  9. Enter an unused Port number and choose a Protocol.
  10. If you chose TCP as your protocol, optionally select Encrypted to encrypt the event source and download the Rapid7 Certificate.
  11. Click the Save button.

Verify the Configuration

From the left menu, click Log Search to view your raw logs and confirm that events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name, or “McAfee Web Gateway” if you did not name the event source. McAfee Web Gateway logs flow into these Log Sets:

  • Web Proxy
  • Virus Scan

McAfee Web Gateway logs appear in the Virus Scan Log Set if the Virus Name field in the logs is populated.

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example input logs:

<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|0|Proxy-|2|rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories cs6= cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy
<30>Dec 30 08:46:08 sedzpprox2 mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|200|Proxy-Block If Virus was Found|2|rt=Dec 30 2019 08:46:07 cat=Access Log dst=100.123.123.100 dhost=s.evilsite.com suser=- src=10.104.7.40 requestMethod=GET request=https://s.evilsite.com/j/exp/index.js app=HTTPS cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Web Ads cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/javascript out=739 requestClientApplication=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko cs1=fakeVirusForTest cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy
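The following is an added example, not code from Rapid7 or McAfee, that shows what the Collector has to do with the two example lines above: strip the syslog envelope, split the seven pipe-delimited CEF header fields, scan the space-separated extension (whose values, such as the user agent, contain spaces), resolve the custom-field labels (cs1Label=Virus Name) to their values (cs1=...), and apply the routing rule stated in the Verify section: a populated Virus Name sends the event to the Virus Scan Log Set, otherwise it lands in Web Proxy. The sample input is the two lines from this page, embedded as constructed test data (the second line's priority, shown as "30>" above, is restored to "<30>"); the class and function names are the example's own, and it assumes standard CEF escaping ("\|" and "\=") rather than any McAfee-specific variant.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two example lines from this page (the second line's
# syslog priority, which appears as "30>" on the page, is restored to "<30>").
SAMPLE_LOGS = [
    "<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|0|Proxy-|2|"
    "rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 "
    "dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST "
    "request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS "
    "cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories cs6= "
    "cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW cs1= "
    "cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy",
    "<30>Dec 30 08:46:08 sedzpprox2 mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|200|"
    "Proxy-Block If Virus was Found|2|rt=Dec 30 2019 08:46:07 cat=Access Log "
    "dst=100.123.123.100 dhost=s.evilsite.com suser=- src=10.104.7.40 requestMethod=GET "
    "request=https://s.evilsite.com/j/exp/index.js app=HTTPS cs3=HTTP/1.1 "
    "cs3Label=Protocol/Version cs4=Web Ads cs4Label=URL Categories cs6=Minimal Risk "
    "cs6Label=Reputation fileType=text/javascript out=739 "
    "requestClientApplication=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) "
    "like Gecko cs1=fakeVirusForTest cs1Label=Virus Name cn1=0 cn1Label=Block Reason "
    "cs5=Default cs5Label=Policy",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                             # RFC 3164 priority, e.g. <30>
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "  # Dec 30 08:51:02
    r"(?P<host>\S+) (?P<tag>[^:\s]+): "                # sending host and process tag ("mwg")
    r"(?P<cef>CEF:.*)$"
)
# Unescaped pipes separate the CEF header fields; "\|" inside a field is a literal pipe.
CEF_PIPE_RE = re.compile(r"(?<!\\)\|")
# An extension key is a letter-led identifier preceded by whitespace (or the start) and
# followed by "="; everything up to the next such key is the value, spaces included.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


@dataclass
class McAfeeWebGatewayEvent:            # hypothetical class name, this example's own
    facility: int                        # syslog facility from the priority (30 // 8 == 3, daemon)
    severity: int                        # syslog severity from the priority, not the CEF severity
    host: str
    header: dict
    extension: dict
    labeled: dict = field(default_factory=dict)

    @property
    def log_set(self) -> str:
        # The routing rule stated on this page: a populated Virus Name -> Virus Scan.
        return "Virus Scan" if self.labeled.get("Virus Name") else "Web Proxy"


def parse_extension(ext: str) -> dict:
    """Split 'k=v k2=v2 ...' where values may contain spaces and CEF-escaped '\\='."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out


def resolve_labels(extension: dict) -> dict:
    """Map custom-field labels (cs1Label=Virus Name) to the matching values (cs1=...)."""
    labeled = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            labeled[label] = extension[key[:-5]]
    return labeled


def parse_event(line: str) -> McAfeeWebGatewayEvent:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line: %r" % line[:40])
    pri = int(m.group("pri"))
    parts = CEF_PIPE_RE.split(m.group("cef"), maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[1:7])))
    extension = parse_extension(parts[7])
    return McAfeeWebGatewayEvent(
        facility=pri // 8, severity=pri % 8, host=m.group("host"),
        header=header, extension=extension, labeled=resolve_labels(extension),
    )


def parse_all(lines):
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LOGS):
        print(ev.log_set, "|", ev.header["name"], "|", ev.extension["src"], "->",
              ev.extension["dhost"], "| virus=%r" % ev.labeled.get("Virus Name"))
```

Run as a script it prints one line per event: the first (an allowed POST to a Microsoft telemetry host, empty cs1) is classified into Web Proxy, the second (signature 200, "Proxy-Block If Virus was Found", cs1=fakeVirusForTest) into Virus Scan. The key-scanning regex is the part worth attention in production: values such as the user agent contain spaces, so a naive split on whitespace would break them apart, which is why the scanner anchors on "whitespace + identifier + =" instead.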