Best practices - Sending access log data to a syslog server

You can configure Web Gateway to send data that is recorded in the access log to a syslog server.

Data about requests for web access that Web Gateway receives from its clients is recorded in the access log. The recording is performed by a rule in a rule set for log handling, which is enabled by default. By adding another rule, this data can be made available to a daemon, which sends it to a particular syslog server.

The recorded data includes date and time of a request, the user name of the user who sent the request, the requested URL, and other information. You can modify the configuration to record more or different information about web access.

The data can be sent under different protocols and in different formats. You can also configure a severity level to send, for example, only data about emergencies.

To send the data, you must complete the following:

  • Add a rule that makes access log data available to the syslog daemon.
  • Adapt the rsyslog.conf system file to let the daemon send data to a syslog server.

These activities must be completed on every Web Gateway appliance from which access log data is to be sent. In a similar way, you can also configure the sending of other log data.

Protocols for sending data

Data can be sent to a syslog server under the UDP or TCP protocol. Some syslog servers have no TCP listener ports, however. The most common UDP listener port is 514, whereas under TCP the port varies from application to application.

Data formats

Data is sent to syslog servers in different formats, depending on the server type. If in doubt, ask the administrator who is responsible for the syslog server.

  • Default format — The default log handling rule uses this format to record access log data.

    The format and modified versions of it are also accepted by McAfee Content Security Reporter, version 2.0.

  • SIEM (Nitro) format — This format is required if the syslog server is provided by McAfee® Enterprise Security Manager (McAfee ESM) (SIEM, formerly known as Nitro).

    You can import the SIEM Nitro Integration rule set from the online rule set library. This rule set contains a rule that uses the SIEM (Nitro) format to record access log data.

  • CEF format — This format is required if the syslog server is provided by an ArcSight security manager or a similar program.

    You can import the CEF Syslog rule set from the online rule set library. This rule set contains a rule that uses the CEF format to record access log data.

Severity levels

Data with differing severity can be sent to a syslog server. The severity levels are listed below. Severity level 6 is recommended.

  • 0: Emergency (emerg) — System unusable

  • 1: Alert (alert) — Action to be taken immediately

  • 2: Critical (critical) — Critical condition

  • 3: Error (error) — Error condition

  • 4: Warning (warning) — Warning condition

  • 5: Notice (notice) — Normal, but significant condition

  • 6: Information (info) — Informational message

  • 7: Debug (debug) — Message for debugging
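An rsyslog.conf fragment that forwards the access log lines handed to the syslog daemon, added here as an example and not taken from the Web Gateway documentation. The facility local5, the server name and the TCP port are assumptions; the severity selector uses level 6 (info), the level recommended above.

```conf
# Added example, not from the Web Gateway documentation.
# Assumptions: the syslog rule tags access log lines with facility "local5"
# (placeholder; use the facility configured in your rule), and the server
# is reachable as syslog-server.example.com (placeholder host name).

# The selector "local5.info" matches severity 6 (info) and everything more
# severe (levels 0-6). Use "local5.=info" for level 6 only, "local5.debug" for all.

# UDP forwarding: a single "@"; 514 is the usual UDP listener port.
local5.info    @syslog-server.example.com:514

# TCP forwarding instead: a double "@@"; the port depends on the receiving server.
# The queue directives apply to the next action only and keep messages on disk
# while the TCP connection is down, so they are delivered after a reconnect.
#$WorkDirectory /var/spool/rsyslog
#$ActionQueueType LinkedList
#$ActionQueueFileName wg_access_fwd
#$ActionQueueMaxDiskSpace 100m
#$ActionQueueSaveOnShutdown on
#$ActionResumeRetryCount -1
#local5.info    @@syslog-server.example.com:1514

# Discard the lines after forwarding so they are not also written to the
# local log files (rsyslog 7 or later; older versions use "local5.* ~").
local5.*       stop
```

Use either the UDP line or the TCP block, not both, or every access log line is delivered twice; the "stop" line must come after the forwarding action.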