Splunk® Supported Add-ons

Splunk Add-on for McAfee Web Gateway

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Configure McAfee Web Gateway to send Syslog data

To enable the Splunk Add-on for McAfee Web Gateway to collect data from McAfee Web Gateway, you need to configure McAfee Web Gateway to send the events using Syslog in KV format to the data collection node of your Splunk platform installation.

Configure LogHandler in McAfee Web Gateway

Perform the below steps for importing the Splunk recommended LogHandler. This will send logs in KV Format.

  1. Log in to Mcafee Web Gateway console and navigate to policy.
  2. Select LogHandler from the lists of Rule Sets.
  3. Select the "Default" option from the menu tree.
  4. Right-click on the "Default" and select Add and select Rule Set from Library.
  5. Select "Import from Library"
  6. Import XML file, and it can be found in the add-on build. It can found under the forLogHandler/MWGaccess3_for_MWG.xml

This will create a new log file with the required fields.

Configure Mcafee Web Gateway to send Syslog Data

Perform the following steps to configure Mcafee Web Gateway to send Syslog data to Splunk:

  1. Navigate to Policy→log handler.
  2. Expand the default node.
  3. Select MWGaccess3 and enable log via Syslog rule.
  4. To forward the data via Syslog, navigate to the configurations in rsyslog.conf.
  5. Add the following lines at the end of the file.
  6. Add *.* @@<host>:<port>. Here @@ sends data on TCP port and @ sends data on UDP port.
  7. After this, navigate to Configuration → Appliances → Syslog → Log Prefix.
  8. Verify that the prefix is mwg
  9. If not, change the prefix to mwg and save the Changes.
Last modified on 08 February, 2022
Upgrade the Log Handler for Splunk Add-on for McAfee Web Gateway
Configure inputs for the Splunk Add-on for McAfee Web Gateway

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters