USM Anywhere™

McAfee Web Gateway

When you configure McAfee Web Gateway to send log data to USM Anywhere, you can use the McAfee Web Gateway plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
    Vendor:           McAfee
    Device Type:      Gateway
    Connection Type:  Syslog

Integrating McAfee Web Gateway

Before you configure the McAfee Web Gateway integration, you must have the IP Address of the USM Anywhere Sensor.

To avoid having your changes overwritten, complete this task using only the File Editor in the McAfee Web Gateway web interface, on each appliance separately. Do not edit /etc/rsyslog.conf directly on the appliance's file system.

To configure McAfee Web Gateway to send log data to USM Anywhere

  1. In File Editor, open rsyslog.conf.
  2. Look for a line similar to the following:

    *.info;mail.none;authpriv.none;cron.none /var/log/messages

  3. Replace it with the following line so that the syslog daemon no longer writes messages from the daemon facility (McAfee Web Gateway) at level "info" to the /var/log/messages file:

    *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages

    Important: The daemon.!=info selector excludes the gateway's info-level messages from /var/log/messages, and the leading "-" before the file name tells rsyslog not to sync the file after each write. Without the exclusion, the gateway's info-level traffic log generates a very high volume of messages that can fill the /var partition.

  4. Forward the gateway's messages to the USM Anywhere Sensor over UDP port 514 by adding a line like the following at the end of the file. An rsyslog action must be preceded by a selector; daemon.info matches the facility and level described in step 3. A single "@" denotes UDP ("@@" would denote TCP):

    daemon.info @<USM-Anywhere-Sensor-IP-Address>:514

    Note that syslog over UDP is neither authenticated nor encrypted and gives no indication of lost messages, so keep the path between the appliance and the sensor on a trusted network segment.

  5. Enable CEF format, as shown in the following figures.

    [Figure: Syslog CEF Rule 1]

    [Figure: Syslog CEF Rule 2]
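For reference, the two resulting rsyslog.conf lines from steps 3 and 4, shown together as an added example rather than a file copied from an appliance. The sensor address 10.20.30.40 is a placeholder for your own sensor's IP address, and the daemon.info selector on the forwarding line is an assumption consistent with the facility and level described in step 3 (the page itself shows only the action part of that line):

```conf
# Local log file: everything at info and above, except daemon.info, which is
# the Web Gateway's high-volume message stream. The leading "-" skips the
# sync after each write.
*.info;daemon.!=info;mail.none;authpriv.none;cron.none    -/var/log/messages

# Forward the gateway's daemon.info messages to the USM Anywhere Sensor over
# UDP/514. A single "@" selects UDP; "@@" would select TCP.
# 10.20.30.40 is a placeholder, not a real sensor address.
daemon.info    @10.20.30.40:514
```

Each rsyslog rule is evaluated independently, so excluding daemon.info from the local file does not affect the forwarding rule: the gateway's info-level messages still reach the sensor while staying out of /var/log/messages.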

Plugin Enablement

The McAfee Web Gateway plugin automatically processes a message when its raw text contains the string "McAfee Web Gateway".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • bytes_out

  • customfield_0

  • customfield_2

  • customfield_3

  • customfield_4

  • customfield_5

  • customheader_0

  • customheader_2

  • customheader_3

  • customheader_4

  • customheader_5

  • content_category

  • destination_address

  • destination_hostname

  • device_custom_number_1

  • device_custom_number_1_label

  • device_event_category

  • event_name

  • event_receipt_time

  • event_severity

  • malware_variant

  • policy

  • protocol_version

  • rep_device_rule_id

  • rep_device_type

  • rep_device_vendor

  • rep_device_version

  • reputation_score

  • request_method

  • request_url

  • request_user

  • source_address

  • source_username
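To show how the enablement rule above and the field extraction fit together, here is an added example (not the USM Anywhere plugin's own code) that parses a constructed McAfee Web Gateway CEF syslog line into a dictionary keyed by the plugin field names listed above, applying the enablement check first. The CEF extension keys in the sample (src, dst, request, cn1, cs1 and so on) and their mapping onto plugin field names in EXT_MAP are assumptions; the keys your appliance actually emits depend on the CEF rule configured in step 5.

```python
"""Added example (not the USM Anywhere plugin's own code): normalize a McAfee
Web Gateway CEF syslog line into the plugin field names used on this page.

Assumptions not taken from the page: the CEF extension keys in the sample
(src, dst, request, cn1, cs1, ...) and EXT_MAP, which maps them to plugin
field names. The real keys depend on the CEF rule configured on the appliance.
"""
import re

# Constructed sample: one line as forwarded by rsyslog after the change above.
SAMPLE_LINE = (
    "<30>Oct 11 14:32:07 mwg01 McAfee Web Gateway: "
    "CEF:0|McAfee|Web Gateway|8.2.9|0|Request: Blocked by URL filter|6|"
    "src=10.0.12.34 dst=203.0.113.10 dhost=malware.example "
    "request=http://malware.example/dl.php?id\\=7 requestMethod=GET "
    "suser=jdoe app=HTTP out=0 cat=Malicious Sites cn1=-85 cn1Label=Reputation "
    "cs1=Block Malicious cs1Label=Policy"
)

# Plugin enablement rule from the page: the raw message must contain this text.
ENABLE_MARKER = "McAfee Web Gateway"

# The seven CEF header fields, in order, under their plugin names.
HEADER_FIELDS = (
    "protocol_version", "rep_device_vendor", "rep_device_type",
    "rep_device_version", "rep_device_rule_id", "event_name", "event_severity",
)

# Assumed mapping of CEF extension keys onto plugin field names.
EXT_MAP = {
    "src": "source_address", "dst": "destination_address",
    "dhost": "destination_hostname", "request": "request_url",
    "requestMethod": "request_method", "suser": "source_username",
    "app": "application_protocol", "out": "bytes_out",
    "cat": "content_category", "cn1": "device_custom_number_1",
    "cn1Label": "device_custom_number_1_label",
    "cs1": "customfield_0", "cs1Label": "customheader_0",
}

KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
_ESC = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_header(cef):
    """Split the seven pipe-delimited header fields of a 'CEF:...' string.
    In the header, '\\|' is a literal pipe and '\\\\' a literal backslash.
    Returns (list_of_7_fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 fields")
    return fields, cef[i:]


def split_extension(ext):
    """Parse 'key=value key=value ...'. Values may contain spaces; a value
    runs until the next ' key='. '\\=', '\\\\', '\\n', '\\r' are unescaped."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\([=\\nr])", lambda e: _ESC[e.group(1)], raw)
    return out


def normalize(line):
    """Return a dict of plugin fields for one raw syslog line, or None when the
    enablement rule does not match (another device's line, for example).
    Values are left as strings; the plugin's own type handling is not known."""
    if ENABLE_MARKER not in line:
        return None
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("enablement marker present but no CEF payload")
    header, ext = split_header(line[start:])
    event = dict(zip(HEADER_FIELDS, header))
    event["protocol_version"] = header[0].split(":", 1)[1]  # "CEF:0" -> "0"
    for key, val in split_extension(ext).items():
        event[EXT_MAP.get(key, key)] = val  # unknown keys keep their CEF name
    return event


if __name__ == "__main__":
    for name, value in sorted(normalize(SAMPLE_LINE).items()):
        print(f"{name:30} {value}")
    other = "<30>Oct 11 14:32:08 fw01 CEF:0|Other|Firewall|1|100|drop|3|src=10.0.0.1"
    print("other device ->", normalize(other))
```

The header and extension parsers handle the CEF escape rules separately, because they differ: a pipe is only special in the header, and an equals sign is only special in the extension. A line from another device that lacks the "McAfee Web Gateway" marker returns None rather than a partial event, matching the enablement rule described above.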

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: