- play_arrow Event Collection from Third-party Devices
- play_arrow Introduction to Log Source Management
- Introduction to Log Source Management
- Adding a Log Source
- Adding a Log Source by using the Log Sources Icon
- Adding Bulk Log Sources
- Adding Bulk Log Source by using the Log Sources Icon
- Editing Bulk Log Sources
- Editing Bulk Log Sources by using the Log Sources icon
- Adding a Log Source Parsing Order
- Testing Log Sources
- Log Source Groups
- play_arrow Gateway Log Source
- play_arrow Log Source Extensions
- play_arrow Manage Log Source Extensions
- play_arrow Threat Use Cases by Log Source Type
- play_arrow Troubleshooting DSMs
- play_arrow Protocols
- play_arrow Universal Cloud REST API Protocol
- play_arrow Protocols that Support Certificate Management
- play_arrow 3Com Switch 8800
- play_arrow AhnLab Policy Center
- play_arrow Akamai KONA
- Akamai Kona
- Configure an Akamai Kona Log Source by using the HTTP Receiver Protocol
- Configure an Akamai Kona Log Source by using the Akamai Kona REST API Protocol
- Configuring Akamai Kona to Communicate with JSA
- Creating an Event Map for Akamai Kona Events
- Modifying the Event Map for Akamai Kona
- Akamai Kona Sample Event Messages
- play_arrow Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs DSM Specifications
- Publishing Flow Logs to an S3 Bucket
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs Sample Event Message
- play_arrow Amazon AWS CloudTrail
- play_arrow Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service DSM Specifications
- Configuring Amazon Elastic Kubernetes Service to Communicate with JSA
- Configuring Security Credentials for your AWS User Account
- Amazon Web Services Log Source Parameters for Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service Sample Event Messages
- play_arrow Amazon AWS Network Firewall
- Amazon AWS Network Firewall
- Amazon AWS Network Firewall DSM Specifications
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Network Firewall
- AWS Network Firewall Sample Event Messages
- play_arrow Amazon AWS Route 53
- Amazon AWS Route 53
- Amazon AWS Route 53 DSM Specifications
- Configuring an Amazon AWS Route 53 Log Source by using the Amazon Web Services Protocol and CloudWatch Logs
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with an SQS Queue
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with a Directory Prefix
- Amazon AWS Route 53 Sample Event Messages
- play_arrow Amazon AWS Security Hub
- play_arrow Amazon AWS WAF
- play_arrow Amazon GuardDuty
- Amazon GuardDuty
- Configuring an Amazon GuardDuty Log Source by using the Amazon Web Services Protocol
- Creating an EventBridge Rule for Sending Events
- Creating an Identity and Access (IAM) User in the AWS Management Console
- Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol
- Configuring Amazon GuardDuty to Forward Events to an AWS S3 Bucket
- Amazon GuardDuty Sample Event Messages
- play_arrow Ambiron TrustWave IpAngel
- play_arrow Amazon VPC Flow Logs
- play_arrow APC UPS
- play_arrow Apache HTTP Server
- play_arrow Apple Mac OS X
- play_arrow Application Security DbProtect
- play_arrow Arbor Networks
- play_arrow Arpeggio SIFT-IT
- play_arrow Array Networks SSL VPN
- play_arrow Aruba Networks
- play_arrow Avaya VPN Gateway
- play_arrow BalaBit IT Security
- play_arrow Barracuda
- play_arrow BeyondTrust PowerBroker
- play_arrow BlueCat Networks Adonis
- play_arrow Blue Coat SG
- Blue Coat
- Blue Coat SG
- Creating a Custom Event Format for Blue Coat SG
- Creating a Log Facility
- Enabling Access Logging
- Configuring Blue Coat SG for FTP Uploads
- Syslog Log Source Parameters for Blue Coat SG
- Log File Log Source Parameters for Blue Coat SG
- Configuring Blue Coat SG for Syslog
- Creating Extra Custom Format Key-value Pairs
- Blue Coat SG Sample Event Messages
- play_arrow Blue Coat Web Security Service
- play_arrow Box
- play_arrow Bridgewater
- play_arrow Broadcom
- play_arrow Brocade Fabric OS
- play_arrow Carbon Black
- play_arrow Centrify
- Centrify
- Centrify Identity Platform
- Centrify Identity Platform DSM specifications
- Configuring Centrify Identity Platform to communicate with JSA
- Centrify Infrastructure Services
- Configuring WinCollect Agent to Collect Event Logs from Centrify Infrastructure Services
- Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA
- play_arrow Check Point
- play_arrow Cilasoft QJRN/400
- play_arrow Cisco
- Cisco
- Cisco ACE Firewall
- Configuring Cisco Aironet to Forward Events
- Cisco ACS
- Cisco ASA
- Cisco AMP
- Cisco CallManager
- Cisco CatOS for Catalyst Switches
- Cisco Cloud Web Security
- Cisco CSA
- Cisco Firepower Management Center
- Cisco Firepower Threat Defense
- Cisco FWSM
- Cisco Identity Services Engine
- Cisco IDS/IPS
- Cisco IOS
- Cisco IronPort
- Cisco Meraki
- Cisco NAC
- Cisco Nexus
- Cisco Pix
- Cisco Stealthwatch
- Cisco Umbrella
- Cisco VPN 3000 Concentrator
- Cisco Wireless LAN Controllers
- Cisco Wireless Services Module
- play_arrow Citrix
- play_arrow Cloudera Navigator
- play_arrow Cloudflare Logs
- Cloudflare Logs
- Cloudflare Logs DSM Specifications
- Configure Cloudflare to send Events to JSA when you use the HTTP Receiver Protocol
- Configuring Cloudflare Logs to Send Events to JSA when you use the Amazon S3 REST API Protocol
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- HTTP Receiver Log Source Parameters for Cloudflare Logs
- Amazon AWS S3 REST API Log Source Parameters for Cloudflare Logs
- Cloudflare Logs Sample Event Messages
- play_arrow CloudPassage Halo
- play_arrow CloudLock Cloud Security Fabric
- play_arrow Correlog Agent for IBM Z/OS
- play_arrow CrowdStrike Falcon
- play_arrow CRYPTOCard CRYPTO-Shield
- play_arrow CyberArk
- play_arrow CyberGuard Firewall/VPN Appliance
- play_arrow Damballa Failsafe
- play_arrow DG Technology MEAS
- play_arrow Digital China Networks (DCN)
- play_arrow Enterprise-IT-Security.com SF-Sherlock
- play_arrow Epic SIEM
- play_arrow ESET Remote Administrator
- play_arrow Exabeam
- play_arrow Extreme
- Extreme
- Extreme 800-Series Switch
- Extreme Dragon
- Extreme HiGuard Wireless IPS
- Extreme HiPath Wireless Controller
- Extreme Matrix Router
- Extreme Matrix K/N/S Series Switch
- Extreme NetSight Automatic Security Manager
- Extreme NAC
- Configuring Extreme Stackable and Stand-alone Switches
- Extreme Networks ExtremeWare
- Extreme XSR Security Router
- play_arrow F5 Networks
- play_arrow Fair Warning
- play_arrow Fasoo Enterprise DRM
- play_arrow Fidelis XPS
- play_arrow FireEye
- play_arrow Forcepoint
- play_arrow ForeScout CounterACT
- play_arrow Fortinet FortiGate
- Fortinet FortiGate Security Gateway
- Configuring a Syslog Destination on Your Fortinet FortiGate Security Gateway Device
- Configuring a Syslog Destination on Your Fortinet FortiAnalyzer Device
- Fortinet FortiGate Security Gateway Sample Event Messages
- Configuring JSA to Categorize App Ctrl Events for Fortinet Fortigate Security Gateway
- play_arrow Foundry FastIron
- play_arrow FreeRADIUS
- play_arrow Generic
- play_arrow Google Cloud Audit Logs
- play_arrow Genua Genugate
- play_arrow Google Cloud Platform Firewall
- play_arrow Google G Suite Activity Reports
- Google G Suite Activity Reports
- Google G Suite Activity Reports DSM Specifications
- Configuring Google G Suite Activity Reports to Communicate with JSA
- Assigning a Role to a User
- Creating a Service Account with Viewer Access
- Granting API Client Access to a Service Account
- Google G Suite Activity Reports Log Source Parameters
- Google G Suite Activity Reports Sample Event Messages
- Troubleshooting Google G Suite Activity Reports
- play_arrow Great Bay Beacon
- play_arrow H3C Technologies
- play_arrow HBGary Active Defense
- play_arrow HCL BigFix (formerly known as IBM BigFix)
- play_arrow Honeycomb Lexicon File Integrity Monitor (FIM)
- play_arrow Hewlett Packard Enterprise
- play_arrow Huawei
- play_arrow HyTrust CloudControl
- play_arrow IBM
- IBM
- IBM AIX DSMs
- IBMi
- IBM DB2
- IBM BigFix Detect
- IBM Cloud Platform (formerly known as IBM Bluemix Platform)
- IBM CICS
- IBM DataPower
- IBM DLC Metrics
- IBM Federated Directory Server
- IBM MaaS360 Security
- IBM Guardium
- IBM IMS
- IBM Informix Audit
- IBM Lotus Domino
- IBM Privileged Session Recorder
- IBM Proventia
- IBM RACF
- IBM SAN Volume Controller
- IBM Security Directory Server
- IBM Security Identity Governance
- IBM Security Network IPS (GX)
- IBM Network Security (XGS)
- IBM Security Trusteer
- IBM Security Trusteer Apex Advanced Malware Protection
- IBM Security Trusteer Apex Local Event Aggregator
- IBM Sense
- IBM SmartCloud Orchestrator
- IBM Tivoli Access Manager for E-business
- IBM Web Sphere Application Server
- IBM WebSphere DataPower
- IBM Z/OS
- IBM zSecure Alert
- play_arrow ISC BIND
- play_arrow Illumio Adaptive Security Platform
- play_arrow Imperva Incapsula
- play_arrow Imperva SecureSphere
- play_arrow Infoblox NIOS
- play_arrow IT-CUBE AgileSI
- play_arrow Itron Smart Meter
- play_arrow Juniper Networks
- Juniper Networks
- Juniper Networks AVT
- Juniper Networks DDoS Secure
- Juniper Networks DX Application Acceleration Platform
- Juniper Networks EX Series Ethernet Switch
- Juniper Networks IDP
- Juniper Networks Infranet Controller
- Juniper Networks Firewall and VPN
- Juniper Networks Junos OS
- Juniper Networks Network and Security Manager
- Juniper Networks Secure Access
- Juniper Networks Security Binary Log Collector
- Juniper Networks Steel-Belted Radius
- Juniper Networks VGW Virtual Gateway
- Juniper Networks Junos OS WebApp Secure
- Juniper Networks WLC Series Wireless LAN Controller
- play_arrow Kaspersky
- play_arrow Kisco Information Systems SafeNet/i
- play_arrow Kubernetes Auditing
- play_arrow Lastline Enterprise
- play_arrow Lieberman Random Password Manager
- play_arrow LightCyber Magna
- play_arrow Linux
- play_arrow LOGbinder
- play_arrow MetaInfo MetaIP
- play_arrow Microsoft
- Microsoft
- Microsoft 365 Defender
- Microsoft Azure Active Directory
- Microsoft Azure Platform
- Microsoft Azure Security Center
- Microsoft DHCP Server
- Microsoft DNS Debug
- Microsoft Endpoint Protection
- Microsoft Exchange Server
- Microsoft Hyper-V
- Microsoft IAS Server
- Microsoft IIS Server
- Microsoft ISA
- Microsoft Office 365
- Microsoft Office 365 Message Trace
- JDBC Log Source Parameters for Microsoft Operations Manager
- Microsoft SharePoint
- Microsoft SQL Server
- JDBC Log Source Parameters for Microsoft System Center Operations Manager
- Microsoft Windows Security Event Log
- play_arrow Motorola Symbol AP
- play_arrow Name Value Pair
- play_arrow NCC Group DDoS Secure
- play_arrow NetApp Data ONTAP
- play_arrow Netgate pfSense
- play_arrow Netskope Active
- play_arrow NGINX HTTP Server
- play_arrow Niksun
- play_arrow Nokia Firewall
- play_arrow Nominum Vantio
- play_arrow Nortel Networks
- Nortel Networks
- Nortel Multiprotocol Router
- Nortel Application Switch
- Nortel Contivity
- Nortel Ethernet Routing Switch 2500/4500/5500
- Nortel Ethernet Routing Switch 8300/8600
- Nortel Secure Router
- Nortel Secure Network Access Switch
- Nortel Switched Firewall 5100
- Nortel Switched Firewall 6000
- Nortel Threat Protection System (TPS)
- Nortel VPN Gateway
- play_arrow Novell EDirectory
- play_arrow Observe IT JDBC
- play_arrow Okta
- play_arrow Onapsis Security Platform
- play_arrow OpenBSD
- play_arrow Open LDAP
- play_arrow Open Source SNORT
- play_arrow OpenStack
- play_arrow Oracle
- play_arrow OSSEC
- play_arrow Palo Alto Networks
- play_arrow Pirean Access: One
- play_arrow PostFix Mail Transfer Agent
- play_arrow ProFTPd
- play_arrow Proofpoint Enterprise Protection and Enterprise Privacy
- play_arrow Pulse Secure
- play_arrow Pulse Secure Infranet Controller
- play_arrow Pulse Secure Pulse Connect Secure
- play_arrow Radware
- play_arrow Raz-Lee ISecurity
- play_arrow Redback ASE
- play_arrow Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes DSM Specifications
- Configuring Red Hat Advanced Cluster Security for Kubernetes to Communicate with JSA
- HTTP Receiver Log Source Parameters for Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
- play_arrow Resolution1 CyberSecurity
- play_arrow Riverbed
- play_arrow RSA Authentication Manager
- play_arrow SafeNet DataSecure
- play_arrow Salesforce
- play_arrow Samhain Labs
- play_arrow SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection DSM Specifications
- SAP Enterprise Threat Detection Alert API Log Source Parameters for SAP Enterprise Threat Detection
- Creating a Pattern Filter on the SAP Server
- Troubleshooting the SAP Enterprise Threat Detection Alert API
- SAP Enterprise Threat Detection Sample Event Message
- play_arrow Seculert
- play_arrow Sentrigo Hedgehog
- play_arrow SolarWinds Orion
- play_arrow SonicWALL
- play_arrow Sophos
- play_arrow Sourcefire Intrusion Sensor
- play_arrow Splunk
- play_arrow Squid Web Proxy
- play_arrow SSH CryptoAuditor
- play_arrow Starent Networks
- play_arrow STEALTHbits
- play_arrow Sun
- play_arrow Suricata
- play_arrow Sybase ASE
- play_arrow Symantec
- play_arrow SysFlow
- play_arrow ThreatGRID Malware Threat Intelligence Platform
- play_arrow TippingPoint
- play_arrow Top Layer IPS
- play_arrow Townsend Security LogAgent
- play_arrow Trend Micro
- play_arrow Tripwire
- play_arrow Tropos Control
- play_arrow Universal CEF
- play_arrow Universal LEEF
- play_arrow Vectra Networks Vectra
- play_arrow Venustech Venusense
- play_arrow Verdasys Digital Guardian
- play_arrow Vericept Content 360 DSM
- play_arrow VMware
- play_arrow Vormetric Data Security
- play_arrow WatchGuard Fireware OS
- play_arrow Websense
- play_arrow Zscaler Nanolog Streaming Service
- play_arrow Zscaler Private Access
- play_arrow JSA Supported DSMs
McAfee Web Gateway
You can configure McAfee Web Gateway to integrate with JSA.
Use one of the following methods:
Configuring McAfee Web Gateway to Communicate with JSA (syslog)
Configuring McAfee Web Gateway to Communicate with JSA (log File Protocol)
McAfee Web Gateway is formerly known as McAfee WebWasher.
The following table identifies the specifications for the McAfee Web Gateway DSM:
Specification | Value |
|---|---|
Manufacturer | McAfee |
DSM | McAfee Web Gateway |
RPM file name | DSM-McAfeeWebGateway-jsaversion-buildnumber.noarch |
Supported versions | v6.0.0 and later |
Protocol | Syslog, log file protocol |
JSA recorded events | All relevant events |
Automatically discovered | Yes |
Includes identity | No |
More information | McAfee website (http://www.mcafee.com) |
McAfee Web Gateway DSM Integration Process
You can integrate McAfee Web Gateway DSM with JSA.
Use the following procedure:
Download and install the most recent version of the McAfee Web Gateway DSM RPM from the Juniper Downloads onto your JSA console.
For each instance of McAfee Web Gateway, configure your McAfee Web Gateway VPN system to enable communication with JSA.
If JSA does not automatically discover the log source, for each McAfee Web Gateway server you want to integrate, create a log source on the JSA console.
If you use McAfee Web Gateway v7.0.0 or later, create an event map.
Configuring McAfee Web Gateway to Communicate with JSA (syslog)
To collect all events from McAfee Web Gateway, you must specify JSA as the syslog server and configure the message format.
Log in to your McAfee Web Gateway console.
On the Toolbar, click Configuration.
Click the File Editor tab.
Expand the Appliance Files and select the file /etc/rsyslog.conf.
The file editor displays the rsyslog.conf file for editing.
Modify the rsyslog.conf file to include the following information:
content_copy zoom_out_map# send access log to qradar *.info; daemon.!=info; mail.none;authpriv.none; cron.none -/var/log/messages *.info;mail.none; authpriv.none; cron.none @<IP Address>:<Port>
Where:
<IP Address> is the IP address of JSA.
<Port> is the syslog port number, for example 514.
Click Save Changes.
You are now ready to import a policy for the syslog handler on your McAfee Web Gateway appliance. For more information, see Importing the Syslog Log Handler.
Importing the Syslog Log Handler
To Import a policy rule set for the syslog handler:
From the support website, download the following compressed file:
log_handlers-1.1.tar.gz
Extract the file.
The extract file provides XML files that are version dependent to your McAfee Web Gateway appliance.
Table 2: McAfee Web Gateway Required Log Handler File Version
Required XML file
McAfee Web Gateway V7.0
syslog_loghandler_70.xml
McAfee Web Gateway V7.3
syslog_loghandler_73.xml
Log in to your McAfee Web Gateway console.
Using the menu toolbar, click Policy.
Click Log Handler.
Using the menu tree, select Default.
From the Add list, select Rule Set from Library.
Click Import from File button.
Navigate to the directory containing the syslog_handler file you downloaded and select syslog_loghandler.xml as the file to import.
Note:If the McAfee Web Gateway appliance detects any conflicts with the rule set, you must resolve the conflict. For more information, see your McAfee Web Gateway documentation.
Click OK.
Click Save Changes.
You are now ready to configure the log source in JSA.
JSA automatically discovers syslog events from a McAfee Web Gateway appliance.
If you want to manually configure JSA to receive syslog events, select McAfee Web Gateway from the Log Source Type list.
Configuring McAfee Web Gateway to Communicate with JSA (log File Protocol)
The McAfee Web Gateway appliance gives the option to forward event log files to an interim file server for retrieval by JSA.
From the support website, download the following file:
log_handlers-1.1.tar.gz
Extract the file.
This gives you the access handler file that is needed to configure your McAfee Web Gateway appliance.
access_log_file_loghandler.xml
Log in to your McAfee Web Gateway console.
Using the menu toolbar, click Policy.
Note:If there is an existing access log configuration in your McAfee Web Gateway appliance, you must delete the existing access log from the Rule Set Library before you add the access_log_file_loghandler.xml.
Click Log Handler.
Using the menu tree, select Default.
From the Add list, select Rule Set from Library.
Click Import from File button.
Navigate to the directory that contains the access_log_file_loghandler.xml file you downloaded and select syslog_loghandler.xml as the file to import.
When the rule set is imported for access_log_file_loghandler.xml, a conflict can occur stating the Access Log Configuration exists already in the current configuration and a conflict solution is presented.
If the McAfee Web Gateway appliance detects that the Access Log Configuration exists already, select the Conflict Solution: Change name option that is presented to resolve the rule set conflict.
For more information on resolving conflicts, see your McAfee Web Gateway vendor documentation.
You must configure your access.log file to be pushed to an interim server on an auto rotation. It does not matter if you push your files to the interim server based on time or size for your access.log file. For more information on auto rotation, see your McAfee Web Gateway vendor documentation.
Note:Due to the size of access.log files that are generated, it is suggested that you select the option GZIP files after rotation in your McAfee Web Gate appliance.
Click OK.
Click Save Changes.
Note:By default McAfee Web Gateway is configured to write access logs to the /opt/mwg/log/user-defined-logs/access.log/ directory.
You are now ready to configure JSA to receive access.log files from McAfee Web Gateway. For more information, see Pulling Data by Using the Log File Protocol.
Pulling Data by Using the Log File Protocol
A log file protocol source allows JSA to retrieve archived log files from a remote host. The McAfee Web Gateway DSM supports the bulk loading of access.log files by using the log file protocol source. The default directory for the McAfee Web Gateway access logs is the /opt/mwg/log/user-defined-logs/access.log/ directory.
You can now configure the log source and protocol in JSA.
To configure JSA to receive events from a McAfee Web Gateway appliance, select McAfee Web Gateway from the Log Source Type list.
To configure the protocol, you must select the Log File option from the Protocol Configuration list.
To configure the File Pattern parameter, you must type a regex string for the access.log file, such as access[0-9]+\.log.
Note:If you selected to GZIP your access.log files, you must type access[0-9]+\.log\.gz for the FIle Pattern field and from the Processor list, select GZIP.
Creation Of an Event Map for McAfee Web Gateway Events
Event mapping is required for all events that are collected from McAfee Web Gateway v7.0.0 and later.
You can individually map each event for your device to an event category in
JSA. Mapping events allows JSA to identify, coalesce, and
track recurring events from your network devices. Until you map an event, some
events that are displayed in the Log Activity tab for McAfee
Web Gateway are categorized as Unknown, and some events might be
already assigned to an existing QID map. Unknown events are easily identified as the
Event Name column and Low Level
Category columns display Unknown.
Discovering Unknown Events
This procedure ensures that you map all event types and that you do not miss events that are not generated frequently, repeat this procedure several times over a period.
Log in to JSA.
Click the Log Activity tab.
Click Add Filter.
From the first list, select Log Source.
From the Log Source Group list, select the log source group or Other.
Log sources that are not assigned to a group are categorized as Other.
From the Log Source list, select your McAfee Web Gateway log source.
Click Add Filter.
The Log Activity tab is displayed with a filter for your log source.
From the View list, select Last Hour.
Any events that are generated by the McAfee Web Gateway DSM in the last hour are displayed. Events that are displayed as
Unknownin the Event Name column or Low Level Category column require event mapping.Note:You can save your existing search filter by clicking Save Criteria.
You are now ready to modify the event map.
Modifying the Event Map
Modify an event map to manually categorize events to a JSA Identifier (QID) map.
Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID).
Events that do not have a defined log source cannot be mapped to an event. Events
without a log source display SIM Generic Log in the
Log Source column.
On the Event Name column, double-click an unknown event for McAfee Web Gateway.
The detailed event information is displayed.
Click Map Event.
From the Browse for JSA Identifier pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):
From the High-Level Category list, select a high-level event categorization.
From the Low-Level Category list, select a low-level event categorization.
From the Log Source Type list, select a log source type.
The Log Source Type list gives the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to another existing network device. For example, McAfee Web Gateway provides policy events, you might select another product that likely captures similar events.
To search for a QID by name, type a name in the QID/Name field.
The QID/Name field gives the option to filter the full list of QIDs for a specific word, for example, policy.
Click Search.
A list of QIDs are displayed.
Select the QID that you want to associate to your unknown event.
Click OK.
JSA maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by JSA.
If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.
McAfee Web Gateway Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
McAfee Web Gateway Sample Message when you use the Syslog Protocol
The following sample event message shows that web access is verified.
<30>Oct 13 15:59:02 WebGatewayHost mwg: LEEF:1.0|McAfee|Web Gateway|8.2.9|0|devTime=1602597542000| src=10.10.10.10|usrName=user1|httpStatus=204|dst=10.20.10.20|urlCategories=Messaging|blockReason=| url=https://www.example.com/rt-pub/node/hub/negotiate? appId=180&sId=4A87EE607A615896&cId=8B1D&dev=Personal %20computer&br=Chrome&os=Windows&cc=IT&rc=RM&v=0.1
JSA field name | Highlighted values in the event payload |
|---|---|
Event ID | 0 |
Event Category | This DSM doesn't have a category field to key from for the device in the payloads. JSA provides the value as a static category. |
Source IP | src |
Destination IP | dst |
Username | usrName |
