McAfee Web Gateway

This article describes the steps to configure McAfee Web Gateway to send its logs to a syslog server.

  1. Configure the syslog daemon.
    1. In File Editor, open the syslog daemon configuration file.
    2. Locate the line similar to: *.info;mail.none;authpriv.none;cron.none /var/log/messages and replace it with *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages. The added daemon.!=info selector keeps daemon-facility messages at info severity out of the /var/log/messages file, which they could otherwise fill along with the /var partition.
    3. At the end of the file, add a line: daemon.info;auth.=info @<syslog server IP address>:514.
  2. Create a rule to send all access log data to the syslog server.
  3. Create a rule to send the logline to syslog.
  4. Download and install the McAfee SIEM (Nitro) logging ruleset and the CEF syslog format ruleset.
  5. If you want to send audit logs to syslog, click Configuration > Appliances > Log File Manager > Settings for the Audit Log and select Write audit log to syslog.

Audit events are sent using the auth facility at the informational severity (6). So your rsyslog configuration would specify auth.=info.
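
The following check is an added example, not part of the original article or of any McAfee tooling. It parses a syslog daemon configuration in the legacy "selector action" format and reports whether the two edits from step 1 are in place; the sample file content and the address 192.0.2.10 are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of an edited syslog configuration; 192.0.2.10 is a
# placeholder (documentation-range) address, not a value from the article.
SAMPLE_CONF = """\
# Log anything of level info or higher, except the forwarded access log.
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
authpriv.*    /var/log/secure
daemon.info;auth.=info @192.0.2.10:514
"""

FORWARD = re.compile(r"(@@?)([^:\s]+):(\d+)$")  # @host:port is UDP, @@host:port is TCP

def parse_rules(text):
    """Yield (selectors, action) for each legacy 'selector action' rule line."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith(("#", "$")):
            yield parts[0].split(";"), parts[1].strip()

def forward_targets(text):
    """List (transport, host, port, selectors) for every forwarding rule."""
    targets = []
    for selectors, action in parse_rules(text):
        m = FORWARD.match(action)
        if m:
            transport = "tcp" if m.group(1) == "@@" else "udp"
            targets.append((transport, m.group(2), int(m.group(3)), selectors))
    return targets

def check_conf(text):
    """Return findings; an empty list means both edits from step 1 are present."""
    findings = []
    for selectors, action in parse_rules(text):
        if action.lstrip("-") != "/var/log/messages":
            continue
        # Only the article's exact exclusion (daemon.!=info) is recognised here.
        broad = any(s.startswith(("*.", "daemon.")) for s in selectors
                    if s != "daemon.!=info")
        if broad and "daemon.!=info" not in selectors:
            findings.append("daemon.info is still written to /var/log/messages")
    access = [t for t in forward_targets(text) if "daemon.info" in t[3]]
    if not access:
        findings.append("no rule forwards daemon.info to a syslog server")
    elif not any("auth.=info" in t[3] for t in access):
        findings.append("audit events (auth.=info) are not forwarded")
    return findings
```

The forwarding line in step 1 uses a single @, which rsyslog treats as UDP, so forward_targets reports "udp" for it.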