SmartConnector for McAfee Web Gateway File



SmartConnector Configuration Guides - API
Comment List
  • For current version support for this product, use the CEF Certified connector available from the vendor. Go to the HP Enterprise Security Technology Alliances site on Protect 724 at Locate McAfee under HP Enterprise Security Partners and click Product Documentation for Email & WebSecurity Appliance for the appropriate documentation.

  • Although there are always reasons for why people would want to consume non-CEF MWG logs (ex. the MWG admins don't want to make the change), seeing as MWG supports CEF, why doesn't the above guide mention this?

    McAfee has all the info on their website -

    I'm in the process of integrating MWG in my SIEM and started working with the above SmartConnector, but now that I've found the McAfee best practices doc, I am going to set up the integration this way.

    Any advice from people that have already gone the CEF route for MWG?



  • Mark,

    You can configure syslog forwarding on MWG, but you have to build your own CEF definition for the syslog messages.

    This requires a lot of work, but it allows you to grab more interesting data than the standard agent does.

    Everywhere I can, I use a CEF definition (Apache, Squid, etc.).

    You can start here: McAfee Web Gateway ver. 7 to be integrated with... | McAfee Communities


  • Document update requested.

    I'm finding a few issues with this McAfee Web Gateway File guide. I'd like to suggest some improvements. Can you please have someone review the following?

    McAfee Web Gateway products 7.2.x and earlier are End of Life. Can all the 6.x stuff in this guide be removed?

    Here is the EOL reference

    - Page 12. Screen print for Access Log is correct, yet the text box does not show all of the text of the Log Header. I would like to have the full text in the guide so that I may cut and paste.

    - Page 12. Screen print for Virus Found Log is missing, and again I would like the Log Header line text so that I may cut and paste. Log Header:  time_stamp "auth_user" "src_ip" "virus_name" "url"

    Here is a screen capture: foundViruses.log.png

    - Page 12. Screen print for Security Log is missing. Security Log Header text is missing. Sorry, for Security Log I do not have enough knowledge to know if Security Log is still applicable.

    - Page 13. Destination Address maps to "server_ip" which is correct. Do you know if the Destination Host Name maps to the Device-Specific Field of "server_name"? It's missing so I don't know.

    - Page 13. Device-Specific Field of "Block Reason ID" is not a correct field. I do not know the actual field name.

    - Page 13. Device-Specific Field of "block reason" is not a correct field. I believe field name is "block_res".

    - Page 13. Device-Specific Field of "the URL that was requested" is a description and not a correct field name. I believe field name is "req_line".

    This continues on the following pages where the actual field names are not referenced. Please ask someone familiar to review all.


    Mark Ulmer
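As an added example (not code from the guide, McAfee, or either commenter), the following parses a line laid out per the Virus Found log header quoted above and renders it as a CEF event, which is the kind of translation the "build your own CEF definition" route mentioned earlier requires. The sample line, the bracketed Apache-style timestamp format and the field-to-CEF-key mapping are assumptions, not the connector's documented mapping.

```python
import re
from datetime import datetime

# Constructed sample line, laid out per the Virus Found log header quoted in the
# comments: time_stamp "auth_user" "src_ip" "virus_name" "url".
# The bracketed timestamp layout is an assumption about the MWG default.
SAMPLE_LINE = ('[12/Mar/2014:10:15:32 +0100] "jdoe" "10.1.2.3" '
               '"EICAR-Test-File" "http://example.test/eicar.com"')

FOUND_VIRUSES_HEADER = ("time_stamp", "auth_user", "src_ip", "virus_name", "url")

# A token is a quoted string (with \" escapes), a [bracketed] timestamp, or a bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\[([^\]]*)\]|(\S+)')

# Assumed mapping of MWG log fields to CEF extension keys (not the vendor's own).
CEF_MAP = {"auth_user": "suser", "src_ip": "src", "url": "request"}


def parse_log_line(line, header=FOUND_VIRUSES_HEADER):
    """Split one MWG log line into a dict keyed by the log header names."""
    values = [next(g for g in m.groups() if g is not None).replace('\\"', '"')
              for m in _TOKEN.finditer(line)]
    if len(values) != len(header):
        raise ValueError(f"expected {len(header)} fields, got {len(values)}: {line!r}")
    return dict(zip(header, values))


def cef_escape(value, header=False):
    """Escape per the CEF spec: '|' and '\\' in header fields, '=' and '\\' in extensions."""
    value = str(value).replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(record, signature_id="virus_found", name="Virus Found", severity=8):
    """Render a parsed record as a CEF:0 line; unmapped fields become csN/csNLabel pairs."""
    head = "|".join(cef_escape(h, header=True) for h in
                    ("McAfee", "Web Gateway", "7", signature_id, name, str(severity)))
    ts = datetime.strptime(record["time_stamp"], "%d/%b/%Y:%H:%M:%S %z")
    ext, custom = [f"rt={int(ts.timestamp() * 1000)}"], 0  # rt as epoch milliseconds
    for field, value in record.items():
        if field == "time_stamp":
            continue
        if field in CEF_MAP:
            ext.append(f"{CEF_MAP[field]}={cef_escape(value)}")
        else:
            custom += 1
            ext.append(f"cs{custom}={cef_escape(value)} cs{custom}Label={field}")
    return f"CEF:0|{head}|" + " ".join(ext)
```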