Configure McAfee Web Gateway to send Syslog data
To enable the Splunk Add-on for McAfee Web Gateway to collect data from McAfee Web Gateway, you need to configure McAfee Web Gateway to send the events using Syslog in KV format to the data collection node of your Splunk platform installation.
Configure LogHandler in McAfee Web Gateway
Perform the following steps to import the Splunk recommended LogHandler, which sends logs in KV format.
- Log in to the McAfee Web Gateway console and navigate to Policy.
- Select LogHandler from the list of Rule Sets.
- Select the "Default" option from the menu tree.
- Right-click "Default", select Add, and then select Rule Set from Library.
- Select "Import from Library".
- Import the XML file shipped with the add-on build; it is located at forLogHandler/MWGaccess3_for_MWG.xml.
This will create a new log file with the required fields.
Configure McAfee Web Gateway to send Syslog Data
Perform the following steps to configure McAfee Web Gateway to send Syslog data to Splunk:
- Navigate to Policy→Log Handler.
- Expand the Default node.
- Select MWGaccess3 and enable the "log via Syslog" rule.
- To forward the data via Syslog, open the rsyslog configuration in rsyslog.conf.
- Add the following line at the end of the file: *.* @@<host>:<port>. The @@ prefix forwards data over TCP; a single @ forwards data over UDP.
- After this, navigate to Configuration → Appliances → Syslog → Log Prefix.
- Verify that the prefix is mwg.
- If not, change the prefix to mwg and save the changes.
- Configure rsyslog.conf to send data directly to Splunk using TCP or UDP as described here: https://community.mcafee.com/docs/DOC-5206#Configuring_the_syslog_daemon_rsyslogd.
- Next, configure your data collection node to receive data from McAfee Web Gateway as described in Configure inputs for the Splunk Add-on for McAfee Web Gateway.
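The forwarding rule from the steps above, shown as an added example rather than configuration taken from the McAfee or Splunk documentation. The host name splunk-collector.example.com and port 514 are placeholders; the UDP line is included only for comparison, and the RainerScript block is an equivalent form using the standard rsyslog omfwd parameters, which lets you attach a disk-assisted queue so events are retained locally if the Splunk collector is temporarily unreachable (something the plain legacy-syntax line does not do).

```conf
# Appended to the end of rsyslog.conf on the McAfee Web Gateway appliance.
# Example configuration, not from the original page; host and port are placeholders.

# Legacy syntax, as described in the steps above.
# "@@" = TCP (reliable, ordered delivery; recommended for a data collection node)
*.* @@splunk-collector.example.com:514

# "@" = UDP (no delivery guarantee; events are silently dropped under load or outage)
# *.* @splunk-collector.example.com:514

# Equivalent RainerScript form with a disk-assisted queue, so events are buffered
# on local disk and retried rather than lost if the collector is down.
# Uses the standard rsyslog omfwd action parameters.
# action(type="omfwd"
#        target="splunk-collector.example.com"
#        port="514"
#        protocol="tcp"
#        queue.type="LinkedList"
#        queue.filename="splunk_fwd"      # spool file under rsyslog's work directory
#        queue.saveOnShutdown="on"
#        action.resumeRetryCount="-1")    # retry indefinitely instead of discarding
```

Use either the legacy line or the RainerScript block, not both, or every event will be forwarded twice. After restarting rsyslog, confirm on the Splunk side that incoming events carry the mwg log prefix configured under Configuration → Appliances → Syslog; if the prefix is missing, the add-on's field extractions will not apply.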