McAfee Web Gateway
You can configure McAfee Web Gateway to integrate with JSA. Use one of the following methods:
- Configuring McAfee Web Gateway to Communicate with JSA (syslog)
- Configuring McAfee Web Gateway to Communicate with JSA (log File Protocol)
McAfee Web Gateway was formerly known as McAfee WebWasher.
The following table identifies the specifications for the McAfee Web Gateway DSM:
Specification | Value
---|---
Manufacturer | McAfee
DSM | McAfee Web Gateway
RPM file name | DSM-McAfeeWebGateway-jsaversion-buildnumber.noarch
Supported versions | v6.0.0 and later
Protocol | Syslog, log file protocol
JSA recorded events | All relevant events
Automatically discovered | Yes
Includes identity | No
More information | McAfee website (http://www.mcafee.com)
McAfee Web Gateway DSM Integration Process
You can integrate McAfee Web Gateway DSM with JSA.
Use the following procedure:
- Download and install the most recent version of the McAfee Web Gateway DSM RPM from the Juniper Downloads onto your JSA console.
- For each instance of McAfee Web Gateway, configure the McAfee Web Gateway appliance to enable communication with JSA.
- If JSA does not automatically discover the log source, create a log source on the JSA console for each McAfee Web Gateway server that you want to integrate.
- If you use McAfee Web Gateway v7.0.0 or later, create an event map.
Configuring McAfee Web Gateway to Communicate with JSA (syslog)
To collect all events from McAfee Web Gateway, you must specify JSA as the syslog server and configure the message format.
- Log in to your McAfee Web Gateway console.
- On the toolbar, click Configuration.
- Click the File Editor tab.
- Expand Appliance Files and select the file /etc/rsyslog.conf.
  The file editor displays the rsyslog.conf file for editing.
- Modify the rsyslog.conf file to include the following lines:

    # send access log to qradar
    *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
    *.info;mail.none;authpriv.none;cron.none @<IP Address>:<Port>

  Where:
  - <IP Address> is the IP address of JSA.
  - <Port> is the syslog port number, for example 514.
  The first line keeps local logging to /var/log/messages (the leading hyphen makes the write asynchronous); the second line forwards every message at info level or above to JSA. A single @ forwards over UDP, which is unencrypted and silently drops datagrams under load; rsyslog uses @@ for TCP. If you need delivery guarantees, use @@ and confirm that the JSA syslog listener accepts TCP on the port you chose.
- Click Save Changes.
You are now ready to import a policy for the syslog handler on your McAfee Web Gateway appliance. For more information, see Importing the Syslog Log Handler.
Importing the Syslog Log Handler
To import a policy rule set for the syslog handler:
- From the support website, download the following compressed file:
  log_handlers-1.1.tar.gz
- Extract the file.
  The archive contains XML files specific to the version of your McAfee Web Gateway appliance.
Table 2: McAfee Web Gateway Required Log Handler File Version
McAfee Web Gateway version | Required XML file
---|---
V7.0 | syslog_loghandler_70.xml
V7.3 | syslog_loghandler_73.xml
- Log in to your McAfee Web Gateway console.
- Using the menu toolbar, click Policy.
- Click Log Handler.
- Using the menu tree, select Default.
- From the Add list, select Rule Set from Library.
- Click the Import from File button.
- Navigate to the directory that contains the extracted log handler files and select the syslog_loghandler XML file that matches your McAfee Web Gateway version (syslog_loghandler_70.xml or syslog_loghandler_73.xml) as the file to import.
  Note: If the McAfee Web Gateway appliance detects any conflicts with the rule set, you must resolve the conflict. For more information, see your McAfee Web Gateway documentation.
- Click OK.
- Click Save Changes.
You are now ready to configure the log source in JSA.
JSA automatically discovers syslog events from a McAfee Web Gateway appliance.
If you want to manually configure JSA to receive syslog events, select McAfee Web Gateway from the Log Source Type list.
Configuring McAfee Web Gateway to Communicate with JSA (log File Protocol)
The McAfee Web Gateway appliance can push rotated event log files to an interim file server, from which JSA retrieves them by using the log file protocol.
- From the support website, download the following file:
  log_handlers-1.1.tar.gz
- Extract the file.
  The archive contains the access log handler file that is needed to configure your McAfee Web Gateway appliance:
  access_log_file_loghandler.xml
- Log in to your McAfee Web Gateway console.
- Using the menu toolbar, click Policy.
  Note: If your McAfee Web Gateway appliance already has an access log configuration, delete the existing access log rule set from the Rule Set Library before you add access_log_file_loghandler.xml.
- Click Log Handler.
- Using the menu tree, select Default.
- From the Add list, select Rule Set from Library.
- Click the Import from File button.
- Navigate to the directory that contains the extracted access_log_file_loghandler.xml file and select it as the file to import.
  When the rule set is imported, the appliance can report a conflict stating that the Access Log Configuration already exists in the current configuration, and a conflict solution is presented.
- If the McAfee Web Gateway appliance reports that the Access Log Configuration already exists, select the Conflict Solution: Change name option to resolve the rule set conflict.
  For more information on resolving conflicts, see your McAfee Web Gateway vendor documentation.
  You must configure your access.log file to be pushed to the interim server on automatic rotation. Whether rotation is triggered by time or by size does not matter to JSA, but events reach JSA only after the file that contains them is rotated and pushed, so the rotation setting determines the collection delay. For more information on auto rotation, see your McAfee Web Gateway vendor documentation.
  Note: Because of the size of the access.log files that are generated, it is suggested that you select the GZIP files after rotation option in your McAfee Web Gateway appliance.
- Click OK.
- Click Save Changes.
Note: By default, McAfee Web Gateway writes access logs to the /opt/mwg/log/user-defined-logs/access.log/ directory.
You are now ready to configure JSA to receive access.log files from McAfee Web Gateway. For more information, see Pulling Data by Using the Log File Protocol.
Pulling Data by Using the Log File Protocol
A log file protocol source allows JSA to retrieve archived log files from a remote host. The McAfee Web Gateway DSM supports the bulk loading of access.log files by using the log file protocol source. The default directory for the McAfee Web Gateway access logs is the /opt/mwg/log/user-defined-logs/access.log/ directory.
You can now configure the log source and protocol in JSA.
- To configure JSA to receive events from a McAfee Web Gateway appliance, select McAfee Web Gateway from the Log Source Type list.
- To configure the protocol, select the Log File option from the Protocol Configuration list.
- To configure the File Pattern parameter, type a regex string that matches the rotated access.log files, such as access[0-9]+\.log. Because the pattern requires at least one digit before .log, it does not match the live access.log file, so only files that rotation has closed are retrieved.
  Note: If you selected to GZIP your access.log files, you must type access[0-9]+\.log\.gz in the File Pattern field and select GZIP from the Processor list. If only one of the two is changed, the compressed files are either not selected or cannot be decoded.
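The following Python script is an added example, not Juniper or McAfee code, that simulates how the File Pattern and Processor settings above select and decode rotated access logs on the interim server. It assumes the File Pattern is a regular expression that must match the whole file name (a simplification of JSA's behaviour) and works on constructed in-memory file contents instead of files fetched from the interim server.

```python
"""Simulate a JSA log file protocol source selecting and decoding
rotated McAfee Web Gateway access logs.

Added example; not Juniper or McAfee code. Assumes File Pattern is a
regex matched against the whole file name and that the GZIP Processor
simply gunzips the retrieved bytes.
"""
import gzip
import re

# Constructed directory listing of the interim server. access.log is the
# file still being written; the numbered files are completed rotations.
LISTING = [
    "access.log",
    "access1.log",
    "access2.log",
    "access10.log",
    "access1.log.gz",
    "access-2020-10-13.log",
    "error1.log",
]

# Constructed contents of one rotated file (two access log records).
PLAIN_CONTENT = (
    b"10.10.10.10 user1 204 https://www.example.com/\n"
    b"10.10.10.11 user2 403 https://blocked.example/\n"
)
GZIP_CONTENT = gzip.compress(PLAIN_CONTENT)

PATTERN_PLAIN = r"access[0-9]+\.log"      # File Pattern from this page
PATTERN_GZIP = r"access[0-9]+\.log\.gz"   # File Pattern when GZIP after rotation is on


def select_files(names, pattern):
    """Return the listing entries the File Pattern selects.

    The pattern needs at least one digit before .log, so the live
    access.log is never selected and JSA never reads a half-written file.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.fullmatch(n)]


def read_records(name, data, processor="NONE"):
    """Decode one retrieved file the way the chosen Processor would.

    Raises ValueError when the Processor does not match the content, which
    is what happens if GZIP files after rotation is enabled on the appliance
    but the JSA log source still uses the plain-file settings, or vice versa.
    """
    is_gzip = data[:2] == b"\x1f\x8b"  # gzip magic number
    if processor == "GZIP":
        if not is_gzip:
            raise ValueError(f"{name}: Processor is GZIP but content is not gzip")
        data = gzip.decompress(data)
    elif processor == "NONE":
        if is_gzip:
            raise ValueError(f"{name}: content is gzip but Processor is NONE")
    else:
        raise ValueError(f"unsupported processor {processor!r}")
    return data.decode("utf-8").splitlines()


def collect(listing, contents, pattern, processor="NONE"):
    """Pull every file the pattern selects; return {file name: record count}."""
    return {
        name: len(read_records(name, contents[name], processor))
        for name in select_files(listing, pattern)
    }


if __name__ == "__main__":
    contents = {n: (GZIP_CONTENT if n.endswith(".gz") else PLAIN_CONTENT) for n in LISTING}
    print(collect(LISTING, contents, PATTERN_PLAIN))          # plain rotated files only
    print(collect(LISTING, contents, PATTERN_GZIP, "GZIP"))   # compressed rotated file only
```

Run it to see that the plain pattern pulls only access1.log, access2.log and access10.log, that the gzip pattern pulls only access1.log.gz, and that feeding a gzip file to the NONE processor fails loudly rather than yielding garbage records.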
Creation Of an Event Map for McAfee Web Gateway Events
Event mapping is required for all events that are collected from McAfee Web Gateway v7.0.0 and later.
You can individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track recurring events from your network devices. Until you map an event, some events that are displayed in the Log Activity tab for McAfee Web Gateway are categorized as Unknown, and some events might already be assigned to an existing QID map. Unknown events are easily identified because the Event Name column and the Low Level Category column display Unknown.
Discovering Unknown Events
To make sure that you map all event types and do not miss events that are generated infrequently, repeat this procedure several times over a period of time.
- Log in to JSA.
- Click the Log Activity tab.
- Click Add Filter.
- From the first list, select Log Source.
- From the Log Source Group list, select the log source group or Other.
  Log sources that are not assigned to a group are categorized as Other.
- From the Log Source list, select your McAfee Web Gateway log source.
- Click Add Filter.
  The Log Activity tab is displayed with a filter for your log source.
- From the View list, select Last Hour.
  Any events that were generated by the McAfee Web Gateway DSM in the last hour are displayed. Events that show Unknown in the Event Name column or the Low Level Category column require event mapping.
  Note: You can save your existing search filter by clicking Save Criteria.
You are now ready to modify the event map.
Modifying the Event Map
Modify an event map to manually categorize events to a JSA Identifier (QID) map. Any event that is categorized to a log source can be remapped to a new JSA Identifier (QID). Events that do not have a defined log source cannot be remapped; such events display SIM Generic Log in the Log Source column.
- In the Event Name column, double-click an unknown event for McAfee Web Gateway.
  The detailed event information is displayed.
- Click Map Event.
- In the Browse for JSA Identifier pane, use any of the following search options to narrow the event categories for a JSA Identifier (QID):
  - From the High-Level Category list, select a high-level event categorization.
  - From the Low-Level Category list, select a low-level event categorization.
  - From the Log Source Type list, select a log source type.
    The Log Source Type list lets you search for QIDs that belong to other log source types. Searching for QIDs by log source type is useful when the events are similar to those of another existing network device. For example, because McAfee Web Gateway produces policy events, you might select another product that captures similar events.
  - To search for a QID by name, type a name in the QID/Name field.
    The QID/Name field filters the full list of QIDs for a specific word, for example, policy.
- Click Search.
  A list of QIDs is displayed.
- Select the QID that you want to associate with your unknown event.
- Click OK.
  JSA maps any further events that are forwarded from your device and match the same event payload to the QID that you selected. The event count increases each time that the event is identified by JSA.
If you update an event with a new JSA Identifier (QID) map, past events that are stored in JSA are not updated. Only new events are categorized with the new QID.
McAfee Web Gateway Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Because of line wrapping, paste the message into a text editor and remove any carriage return or line feed characters before you use it; the payload is a single syslog line.
McAfee Web Gateway Sample Message when you use the Syslog Protocol
The following sample event message shows a web request that the gateway allowed (httpStatus=204 and an empty blockReason).

    <30>Oct 13 15:59:02 WebGatewayHost mwg: LEEF:1.0|McAfee|Web Gateway|8.2.9|0|devTime=1602597542000|src=10.10.10.10|usrName=user1|httpStatus=204|dst=10.20.10.20|urlCategories=Messaging|blockReason=|url=https://www.example.com/rt-pub/node/hub/negotiate?appId=180&sId=4A87EE607A615896&cId=8B1D&dev=Personal%20computer&br=Chrome&os=Windows&cc=IT&rc=RM&v=0.1

JSA field name | Highlighted values in the event payload
---|---
Event ID | 0 (the fifth LEEF header field)
Event Category | This DSM does not have a category field in the payload to key from. JSA provides the value as a static category.
Source IP | src
Destination IP | dst
Username | usrName
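To check an integration without a JSA console at hand, the following Python script, an added example and not Juniper or McAfee code, parses the sample line above and extracts exactly the fields in the mapping table. The sample is the page's message reassembled onto one line; the parser assumes the log handler delimits LEEF attributes with a vertical bar, as the sample shows, or with LEEF's default tab, and that each attribute is key=value split at the first equals sign.

```python
"""Parse the McAfee Web Gateway syslog/LEEF sample and project it onto the
JSA field names from the mapping table.

Added example; not Juniper or McAfee code. Assumes '|' or tab between
LEEF attributes and key=value split at the first '='.
"""
import re
from datetime import datetime, timezone

# Constructed copy of the page's sample event, reassembled onto one line.
SAMPLE = (
    "<30>Oct 13 15:59:02 WebGatewayHost mwg: LEEF:1.0|McAfee|Web Gateway|8.2.9|0|"
    "devTime=1602597542000|src=10.10.10.10|usrName=user1|httpStatus=204|"
    "dst=10.20.10.20|urlCategories=Messaging|blockReason=|"
    "url=https://www.example.com/rt-pub/node/hub/negotiate?appId=180&sId=4A87EE607A615896"
    "&cId=8B1D&dev=Personal%20computer&br=Chrome&os=Windows&cc=IT&rc=RM&v=0.1"
)

# RFC 3164 framing: <PRI>MMM dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_leef(line):
    """Split syslog framing, the LEEF header and the attribute list."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    msg = m.group("msg")
    if not msg.startswith("LEEF:"):
        raise ValueError("payload is not LEEF")
    # Header: LEEF:version|Vendor|Product|Version|EventID|attributes
    parts = msg.split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    attrs = {}
    for field in re.split(r"[\t|]", parts[5]):
        if not field:
            continue
        key, sep, value = field.partition("=")  # url= keeps its own '=' and '&'
        if not sep:
            raise ValueError(f"attribute without '=': {field!r}")
        attrs[key] = value  # value may be empty, e.g. blockReason=
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "leef_version": parts[0].split(":", 1)[1],
        "vendor": parts[1],
        "product": parts[2],
        "version": parts[3],
        "event_id": parts[4],
        "attrs": attrs,
    }


def jsa_fields(event):
    """Project a parsed event onto the JSA field names from the mapping table."""
    a = event["attrs"]
    return {
        "Event ID": event["event_id"],
        "Source IP": a.get("src"),
        "Destination IP": a.get("dst"),
        "Username": a.get("usrName"),
    }


def device_time_utc(event):
    """devTime is milliseconds since the Unix epoch; return it as ISO 8601 UTC."""
    ms = int(event["attrs"]["devTime"])
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    ev = parse_leef(SAMPLE)
    print(jsa_fields(ev))
    print("facility", ev["facility"], "severity", ev["severity"], "devTime", device_time_utc(ev))
```

Two details are worth noticing when you run it. The PRI value 30 decodes to facility 3 (daemon), severity 6 (info), which is exactly the daemon.info traffic that the first rsyslog selector on this page keeps out of /var/log/messages and the second selector forwards to JSA. And devTime decodes to 13:59:02 UTC while the syslog header says 15:59:02, so the appliance writes its header in local time (here UTC+2); make sure JSA and the gateway agree on time zones before you trust event timelines.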