How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Technical Articles ID: KB77478
Last Modified: 3/28/2022

Environment

Content Security Reporter (CSR) 2.x
Web Gateway (WG)

Summary

Prerequisites

Basic knowledge of a WG cluster.
The WG appliance to be used in the log collection must be active and reachable during the configuration of the log source.
CSR collects logs from WG over the REST interface. Make sure that you enable the REST interface on the WG appliance. For more information about how to enable the REST interface, see the WG documentation.

For product documents, go to the Product Documentation portal.

Configuration

A single WG log source can collect logs from a single WG appliance. If you use CSR to collect logs from multiple WG appliances in a cluster, you must configure one log source per appliance in the cluster.

To configure a WG log source in CSR:

Go to Report Server Settings, Log Sources, Actions.
In the Actions menu, click New.
Type a name for the log source.
For the Mode, select Collect log files from, and select McAfee Web Gateway in the drop-down list.
Leave the Log format at McAfee Web Gateway (Webwasher) - Auto Discover.

NOTE: You now see the configuration panel for the log source in the Source tab. You must complete all fields in this section for the log source to be saved.

Device Address
This address represents the host name or IP address of the WG appliance that CSR contacts to collect logs. If you have a WG cluster, you can collect logs from the other appliances in the cluster using the single Device address, although you must set up one log source per WG appliance. We recommend that you use the appliance address that's typically used to access the GUI of WGs for configuration management. The same rules that apply to the WG user interface also apply to the REST interface. So, you can have only one node that has a GUI attached in a cluster at any given time.
Port
This port represents the port of the REST interface that's enabled on the WG appliance. At the time this article was written, the REST interface was on the same port as that of the regular user interface. You see the option Connect Using SSL/TLS follow this field. This option is used to dictate whether CSR tries to communicate to WG on the port specified over a secure channel.
Logon Name
The logon name of a WG user that has 'REST-Interface accessible' permissions.
Password
The password of the WG user with REST permissions.
Appliance Name (UUID)
CSR requires the WG appliance UUID to collect logs from that appliance. Populate the previous fields and click Browse. Then, log on to the WG appliance that has been specified to return an appliance list and that CSR can collect logs from. Select the appliance and click OK.
Log File Base Name
The default log file base name of the access logs on WG is 'access.log', but WG 7.x allows you to rename the access log files if needed.

NOTE: WG appends a time stamp to the file name when a log has been rotated. CSR still collects log files with the time stamp in the file name as long as the log file base name matches the one specified.
Automatically collect logs from a node with an active GUI
As previously noted, a WG cluster can have only one GUI-attached appliance at any given time. You can attach multiple GUIs to the GUI-attached appliance at a time. But, it's impossible to access the GUI of another appliance in a cluster when one is already attached somewhere else.

This CSR feature to automatically collect logs from the node with the active GUI is meant to avoid log collection failures. A failure can occur if a log collection attempt is made when a GUI is attached to an appliance in the cluster other than the one specified in Device address. If you select this option and there's a GUI attached somewhere else when logs are collected, CSR takes the information provided by the WG error response to determine where the GUI is attached. CSR then tries to log on to the GUI-attached appliance to collect logs for the appliance specified in Appliance Name (UUID) for that log source. This option is best used as a safety mechanism rather than something used as a daily operational feature.

Also, note that CSR doesn't downgrade log collection security. If you configure your log source to use SSL/TLS and WG provides a non-secure location for the GUI-attached node, CSR doesn't collect logs through the appliance where the GUI is attached.

To determine whether a log file can be read using the settings specified for this log source, click Test.

NOTE: Test doesn't test the option to Automatically collect logs from node with active GUI.

Troubleshooting
The CSR server log is the best place to look for issues that might be encountered with WG log collection. The Test function provides a means for useful feedback in multiple situations, but in general, the server log messages contain more detailed information. The following examples show server log entries and what they mean:

2012-12-30 02:16:08,314 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password
The message isn't generic and actually indicates that there seems to be an issue with the username and password combination.

2012-12-30 02:12:29,321 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in
By default, WG allows only one logged-in session per user account. See the WG documentation on how to allow multiple logons per user account.

2012-12-30 01:35:28,236 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.
This message indicates that the Automatically collect logs from node with active GUI option is selected. It also indicates that somebody is logged on to a node during a log collect that's other than the one specified in the CSR Device address settings. The problem here occurs because the log source is configured in CSR to collect logs using SSL/TLS and the redirect from WG is for an HTTP address. CSR doesn't downgrade the security option and has no information about how to reach the secure REST port. The result is that the redirect isn't followed and the log collection fails.

2012-12-30 14:54:17,086 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface
The user 'admin' in this case has no REST-interface rights and can’t access the REST interface for log collection. For information about setting up a user account to have REST-interface rights, see the WG documentation.

Affected Products

Configuration
Content Security Reporter 1.x - 2.x
Web Gateway 9.2.x
Web Gateway 9.1.x
Web Gateway 9.0.x
Web Gateway 8.2.x
Web Gateway 7.8
Web Gateway 11.x
Web Gateway 10.2.x
Web Gateway 10.1.x
Web Gateway 10.0.x

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Environment

Summary

Affected Products

Languages:

Title

Title

Knowledge Center

How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Environment

Summary

Affected Products

Languages:

Choose your region

Title

Title