How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Artigos técnicos ID: KB77478
Última modificação: 6/20/2021

Ambiente

McAfee Content Security Reporter (CSR) 2.x
McAfee Web Gateway (MWG)

Resumo

Prerequisites

Basic knowledge of an MWG cluster.
The MWG appliance to be used in the log collection must be active and reachable during the configuration of the log source.
CSR collects logs from MWG over the REST interface. Make sure that you have enabled the REST interface on the MWG appliance. For more information about how to enable the REST interface, see the MWG documentation.

For product documents, go to the Enterprise Product Documentation portal.

Configuration

A single MWG log source can collect logs from a single MWG appliance. If you use CSR to collect logs from multiple MWG appliances in a cluster, you must configure one-log source per appliance in the cluster.

To configure an MWG log source in CSR:

Go to Report Server Settings, Log Sources, Actions.
In the Actions menu, click New.
Type a name for the log source.
For the Mode, select Collect log files from, and select McAfee Web Gateway in the drop-down list.
Leave the Log format at McAfee Web Gateway (Webwasher) - Auto Discover.

NOTE: You now see the configuration panel for the log source in the Source tab. You must complete all fields in this section for the log source to be saved.

Device Address
The host name or IP address of the MWG appliance that CSR contacts to collect logs. If you have an MWG cluster, you can collect logs from the other appliances in the cluster using the single Device address, although you must set up one-log source per MWG appliance. McAfee recommends that you use the appliance address that is typically used to access the GUI of MWGs for configuration management. The same rules that apply to the MWG user interface also apply to the REST interface. So, you can have only one node that has a GUI attached in a cluster at any given time.
Port
The port of the REST interface that is enabled on the MWG appliance. At the time this article was written, the REST interface is on the same port as the regular user interface. You see the option Connect Using SSL/TLS follow this field. This option is used to dictate whether CSR tries to communicate to MWG on the port specified over a secure channel.
Logon Name
The logon name of an MWG user that has 'REST-Interface accessible' permissions.
Password
The password of the MWG user with REST permissions.
Appliance Name (UUID)
CSR requires the MWG appliance UUID to collect logs from that appliance. Populate the previous fields and click Browse. Then log on to the MWG appliance that has been specified to return an appliances list and that CSR can collect logs from. Select the appliance and click OK.
Log File Base Name
The default log file base name of the access logs on MWG is 'access.log', but MWG 7.x allows you to rename the access log files if needed.

NOTE: MWG does append a time stamp to the file name when a log has been rotated. CSR still collects log files with the time stamp in the file name as long as the log file base name matches the one specified.
Automatically collect logs from node with active GUI
As previously noted, an MWG cluster can have only one GUI-attached appliance in a cluster at any given time. You can attach multiple GUIs to the one GUI-attached appliance at a time. But it is impossible to access the GUI of another appliance in a cluster when one is already attached somewhere else.

This CSR feature to automatically collect logs from the node with the active GUI is meant to avoid log collection failures. A failure could occur if a log collection attempt is made when a GUI is attached to an appliance in the cluster other than the one specified in Device address. If you select this option and there is a GUI attached somewhere else when logs are collected, CSR takes the information provided by MWG error response to determine where the GUI is attached. CSR then tries to log on to the GUI-attached appliance to collect logs for the appliance specified in Appliance Name (UUID) for that log source. This option is best used as a safety mechanism rather than something used as a daily operational feature.

Also note that CSR does not downgrade log collection security. If you configure your log source to use SSL/TLS and MWG provides a non-secure location for the GUI-attached node, CSR doesn't collect logs through the appliance where the GUI is attached.

To determine whether a log file can be read using the settings specified for this log source, click Test.

NOTE: Test does not test the option to Automatically collect logs from node with active GUI.

Troubleshooting
The CSR server log is the best place to look for issues that might be encountered with MWG log collection. The Test function provides a means for useful feedback in multiple situations, but in general the server log messages contain more detailed information. The following examples show server log entries and what they mean:

2012-12-30 02:16:08,314 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password
The message is not generic and actually indicates that there seems to be an issue with the user name and password combination.

2012-12-30 02:12:29,321 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in
By default, MWG allows only one logged in session per user account. See the MWG documentation on how to allow multiple logons per user account.

2012-12-30 01:35:28,236 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.
This message indicates that the Automatically collect logs from node with active GUI option is selected. It also indicates that somebody was logged on to a node during a log collect that is other than the one specified in the CSR Device address settings. The problem here occurs because the log source has been configured in CSR to collect logs using SSL/TLS and the redirect from the MWG was for an HTTP address. CSR will not downgrade the security option and furthermore has no information about how to reach the secure REST port. The result is that the redirect is not followed and the log collection fails.

2012-12-30 14:54:17,086 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface
The user 'admin' in this case has no REST-interface rights and so can’t access the REST interface for log collection. For information about setting up a user account to have REST-interface rights, see the MWG documentation.

Produtos afetados

Configuration
Content Security Reporter 1.x - 2.x
Web Gateway 8.1.x
Web Gateway 8.0.x
Web Gateway 7.8

Idiomas:

Este artigo está disponível nos seguintes idiomas:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Glossário de termos técnicos

Realçar termos do glossário

Reserve alguns momentos para navegar por nosso Glossário de termos técnicos.

Knowledge Center

How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Ambiente

Resumo

Produtos afetados

Idiomas:

Glossário de termos técnicos

Title

Title

Knowledge Center

How to configure a log source in Content Security Reporter to collect logs from Web Gateway

Ambiente

Resumo

Produtos afetados

Idiomas:

Glossário de termos técnicos

Escolha a sua região

Title

Title