Configure inputs for the Splunk Add-on for McAfee Web Gateway
There are three ways to capture the Syslog data from McAfee Web Gateway.
- Using Splunk Connect for Syslog.
- If you are using a Syslog aggregator, create a file monitor input to monitor the file or files generated by the aggregator.
- Create a TCP or UDP input to capture the data sent on the port you have configured in McAfee Web Gateway.
Splunk Connect for Syslog
Splunk recommends you use SC4S for data collection. Follow the steps in the doc link below to configure SC4S.
https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/McAfee/wg/
Monitor input
If you are using a Syslog aggregator on the Splunk platform node handling data collection, set up a monitor input to monitor the file or files that are generated and set your source type to mcafee:wg:kv. The CIM mapping is dependent on this source type.
See Monitor files and directories in the Getting Data In manual for information about setting up a monitor input.
TCP/UDP input
In the Splunk platform node handling data collection, configure the TCP/UDP input to match your configurations in McAfee Web Gateway and set your source type to mcafee:wg:kv. The CIM mapping is dependent on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a Syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.
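The following inputs.conf stanzas are an added example covering both the monitor input and the TCP/UDP input described above; they are not taken from the add-on or from Splunk's documentation. The aggregator file path, the index name and port 514 are assumptions: use the path your aggregator actually writes to and the port you configured as the syslog destination in McAfee Web Gateway. The one setting that must not change is the source type, since the add-on's CIM mapping depends on mcafee:wg:kv.

```ini
# Monitor input for files written by a Syslog aggregator.
# Path and index are assumed example values.
[monitor:///var/log/syslog-aggregator/mcafee-wg/*.log]
sourcetype = mcafee:wg:kv
index = proxy
disabled = 0

# TCP input. The port (514 assumed) must match the syslog
# destination configured in McAfee Web Gateway.
# connection_host = ip records the sending appliance's IP as the host field.
[tcp://514]
sourcetype = mcafee:wg:kv
index = proxy
connection_host = ip
disabled = 0

# UDP alternative, if McAfee Web Gateway is configured to send over UDP.
# no_appending_timestamp keeps Splunk from prepending its own timestamp
# to each datagram, so the event time comes from the McAfee log line.
[udp://514]
sourcetype = mcafee:wg:kv
index = proxy
connection_host = ip
no_appending_timestamp = true
disabled = 0
```

Use only the stanza that matches your collection method: the monitor stanza when an aggregator writes files locally, or one of the network stanzas when the Splunk node listens for syslog directly. Deploy the file under the app's local directory and restart or reload the inputs, then run the validation search in the next section to confirm events arrive with the expected source type.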
Validate data collection
Once you have configured the input, run this search to check that you are ingesting the data that you expect.
sourcetype=mcafee:wg:kv
This documentation applies to the following versions of Splunk® Supported Add-ons: released