For current version support for this product, use the CEF Certified connector available from the vendor. Go to the HP Enterprise Security Technology Alliances site on Protect 724 at https://protect724.hp.com/community/technology-alliances. Locate McAfee under HP Enterprise Security Partners and click Product Documentation for Email & WebSecurity Appliance for the appropriate documentation.
Although there are always reasons why people would want to consume non-CEF MWG logs (e.g. the MWG admins don't want to make the change), seeing as MWG supports CEF, why doesn't the above guide mention this?
I'm in the process of integrating MWG in my SIEM and started working with the above SmartConnector, but now that I've found the McAfee best practices doc, I am going to set up the integration this way.
Any advice from people that have already gone the CEF route for MWG?
I'm finding a few issues with this McAfee Web Gateway File guide. I'd like to suggest some improvements. Can you please have someone review the following?
McAfee Web Gateway products 7.2.x and earlier are End of Life. Can all the 6.x stuff in this guide be removed?
- Page 12. Screen print for Access Log is correct, yet the text box does not show all of the text of the Log Header. I would like to have the full text in the guide so that I may cut and paste.
- Page 12. Screen print for the Virus Found Log is missing, and again I would like the Log Header line text so that I may cut and paste. Log Header: time_stamp "auth_user" "src_ip" "virus_name" "url"
Here is a screen capture
- Page 12. Screen print for the Security Log is missing. Security Log Header text is missing. Sorry, for the Security Log I do not have enough knowledge to know if it is still applicable.
- Page 13. Destination Address maps to "server_ip" which is correct. Do you know if the Destination Host Name maps to the Device-Specific Field of "server_name"? It's missing so I don't know.
- Page 13. Device-Specific Field of "Block Reason ID" is not a correct field. I do not know the actual field name.
- Page 13. Device-Specific Field of "block reason" is not a correct field. I believe field name is "block_res".
- Page 13. Device-Specific Field of "the URL that was requested" is a description and not a correct field name. I believe field name is "req_line".
This continues on the following pages where the actual field names are not referenced. Please ask someone familiar to review all.
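To make the Virus Found Log header quoted in the post above concrete, here is an added example (not code from the guide, the SmartConnector, or McAfee) that parses a log line according to that header: an unquoted time_stamp followed by four double-quoted fields. The sample log lines, the bracketed timestamp layout, and the handling of `\"` escapes inside quoted fields are assumptions made for this example, not something the post confirms about the appliance's output. A header-driven parser like this is handy when checking that the log header you configured on the appliance matches what the connector expects, because a field-count mismatch surfaces as an error instead of silently shifting every field by one.

```python
import re
import ipaddress

# Header exactly as quoted in the post above.
VIRUS_FOUND_HEADER = 'time_stamp "auth_user" "src_ip" "virus_name" "url"'

# Constructed sample lines (not captured from a real appliance). The bracketed
# timestamp layout is an assumption; the rest follows the header's quoting.
SAMPLE_LINES = [
    '[12/Mar/2014:10:15:42 +0000] "jdoe" "10.1.2.3" "EICAR-Test-File" "http://example.test/eicar.com"',
    '[12/Mar/2014:10:16:07 +0000] "-" "10.1.2.9" "Trojan \\"Generic\\"" "http://example.test/x.exe"',
]

# One token is either: a double-quoted string (with \" escapes), a [bracketed] value
# that may contain spaces, or a bare run of non-whitespace characters.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\[([^\]]*)\]|(\S+)')


def tokenize(line):
    """Split a header or log line into its fields, stripping quotes/brackets."""
    out = []
    for m in _TOKEN.finditer(line):
        quoted, bracketed, bare = m.groups()
        if quoted is not None:
            out.append(quoted.replace('\\"', '"'))
        elif bracketed is not None:
            out.append(bracketed)
        else:
            out.append(bare)
    return out


def parse_line(line, header=VIRUS_FOUND_HEADER):
    """Map one log line onto the field names from the header.

    Raises ValueError when the field count does not match the header (a sign the
    appliance's log header and the parser's header are out of sync) or when src_ip
    is not a valid IP address.
    """
    names = tokenize(header)
    values = tokenize(line)
    if len(values) != len(names):
        raise ValueError(
            f"expected {len(names)} fields per header, got {len(values)}: {line!r}"
        )
    record = dict(zip(names, values))
    if "src_ip" in record:
        ipaddress.ip_address(record["src_ip"])  # ValueError on garbage
    return record


def parse_lines(lines, header=VIRUS_FOUND_HEADER):
    """Parse many lines, returning (records, errors) so one bad line does not stop the batch."""
    records, errors = [], []
    for line in lines:
        try:
            records.append(parse_line(line, header))
        except ValueError as exc:
            errors.append(str(exc))
    return records, errors


if __name__ == "__main__":
    recs, errs = parse_lines(SAMPLE_LINES)
    for rec in recs:
        print(rec)
    for err in errs:
        print("ERROR:", err)
```

Swap in a different header string (for example the Access Log header once you have its full text) and the same parser applies, as long as each field is quoted or bracketed the same way in the header and in the log lines.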