RSA_Event_Source_Integration_Handbook_McAfee_Web_Gateway


RSA Security Analytics McAfee Web Gateway

RSA Security Analytics Event Source Integration Handbook

Information Table

Vendor: McAfee
Event Source: Web Gateway
Version: 7.3
Additional file: nicsftpagent.sh
Collection Method: File Reader
Network Configuration: Bidirectional connectivity on TCP and UDP port 22 between McAfee Web Gateway and SA VLC
Supporting Tools: Putty, WinSCP, notepad
Credentials: Secure certificate based trust

Last Modified: Tuesday, 03 June 2014

This document contains the step-by-step approach to integrate a McAfee Web Gateway appliance with RSA Security Analytics so that its logs are sent regularly for central storage and analysis.

To complete the integration, the SIEM administrator and the McAfee Web Gateway administrator have to perform the following combined activities on their respective systems.

Integration Activities

1. Customize the nicsftpagent.sh file
2. Enable auditing of McAfee Web Gateway
3. Establish the secure certificate based trust between McAfee Web Gateway Appliance and RSA Security Virtual Log Collector
4. Register McAfee Web Gateway with RSA Security Analytics as Event Source

1. Customize the nicsftpagent.sh

Activity Performer: SIEM Administrator

The SIEM administrator customizes this file and shares it with the McAfee Web Gateway administrator.

While customizing the file, the SIEM administrator has to decide on, and enter, the IP address of the VLC that will collect the logs from the target McAfee Web Gateway appliance.

- Copy the provided nicsftpagent.sh file to a convenient location on your computer.
- Open this file using notepad.
- Change the IP address given against ENVISION=xxx.xxx.xxx.xxx; simply provide the IP address of the native VLC.
- Change the directory name given against ENVISION_DIRECTORY=webgateway/unique_name

!! Replace unique_name with a custom name that helps identify the integrated McAfee WG; you will have to use the same name when registering the event source with the VLC. !!

- Press Ctrl+S to save this file.
- Share the modified nicsftpagent.sh file with the McAfee Web Gateway administrator.

2. Enable Auditing of McAfee Web Gateway (Version 7.3)

Activity Performer: McAfee Web Gateway Administrator

- Open a browser and log on to the McAfee Web Gateway appliance with administrative credentials.
- Click the Policy tab.
- Click the Settings tab in the left menu.
- Expand Engines > File System Logging.
- Click Access Log Configuration.
- In the File System Logging Settings window, ensure that the Name of the log field reads: access.log
- If it does not, type access.log into this field.
- Select Enable log buffering and Enable header writing.
- In the Log header field, type:

#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"

- Click Save Changes.
- From the File System Logging menu, click Found Viruses Log.
- In the File System Logging Settings window, ensure the settings are as follows:
- In the Name of the log field, type: foundviruses.log
- Select Enable log buffering and Enable header writing.
- In the Log header field, type:

time_stamp "auth_user" "src_ip" "virus_name" "url"

- Click Save Changes.
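As an added illustration (not part of this handbook or of the McAfee product), the following Python parser reads access.log lines written with the header configured above, so the SIEM administrator can check locally that the header and the log body agree before the VLC picks the file up. The sample lines are constructed, and the bracketed time_stamp containing a space is an assumption about the appliance's timestamp format.

```python
import re
from typing import Dict, List
# Log header exactly as entered in the Access Log Configuration above (Activity 2).
ACCESS_LOG_HEADER = (
    '#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" '
    '"media_type" bytes_to_client "user_agent" "virus_name" "block_res"'
)
# Constructed sample lines, not from a real appliance; the bracketed time_stamp
# containing a space is an assumption about the appliance's timestamp format.
SAMPLE_LOG = ACCESS_LOG_HEADER + "\n" + "\n".join([
    '[03/Jun/2014:10:15:02 +0000] "jdoe" 10.1.2.3 200 '
    '"GET http://www.example.com/index.html HTTP/1.1" "Business" "Minimal Risk" '
    '"text/html" 5120 "Mozilla/5.0 (Windows NT 6.1)" "" ""',
    '[03/Jun/2014:10:16:44 +0000] "" 10.1.2.7 403 '
    '"GET http://test.example/eicar.com HTTP/1.1" "Malicious Sites" "High Risk" '
    '"application/octet-stream" 0 "curl/7.30.0" "EICAR-Test-File" "Block - Virus Found"',
])
# A token is "quoted text" (may hold spaces or be empty), [bracketed text], or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|\[([^\]]*)\]|(\S+)')

def _tokens(text: str) -> List[str]:
    # Exactly one group matches per token; "" must survive as an empty string.
    return [next(g for g in m.groups() if g is not None) for m in _TOKEN.finditer(text)]

def header_fields(header: str) -> List[str]:
    """Field names, in order, from the '#'-prefixed header line."""
    return _tokens(header.lstrip("#"))

def parse_line(line: str, fields: List[str]) -> Dict[str, object]:
    values = _tokens(line)
    if len(values) != len(fields):  # header and log body disagree: do not guess
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    rec: Dict[str, object] = dict(zip(fields, values))
    for name in ("status_code", "bytes_to_client"):
        rec[name] = int(rec[name])
    return rec

def parse_log(text: str) -> List[Dict[str, object]]:
    """The first '#' line defines the fields; later '#' lines (header rewrites) are skipped."""
    fields: List[str] = []
    records: List[Dict[str, object]] = []
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):
            fields = fields or header_fields(line)
        else:
            records.append(parse_line(line, fields))
    return records

def blocked_events(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    # Records where the gateway blocked the request or reported a virus name.
    return [r for r in records if r["block_res"] or r["virus_name"]]
```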

3. Establish the secure certificate based trust between McAfee Web Gateway Appliance and RSA Security Virtual Log Collector

Activity Performer: McAfee Web Gateway Administrator & SIEM Administrator

McAfee Web Gateway Administrator:

- Log on to the McAfee Web Gateway appliance using SSH (putty) with the root / administrative-privileged user account.
- Change the working directory to /usr/local
- Create a new directory named nic
- Now change the working directory to /usr/local/nic
- Copy the provided script file (nicsftpagent.sh) into the nic directory.
- Change the permissions of nicsftpagent.sh using the following command: chmod 755 nicsftpagent.sh
- You should see similar output on your screen.
- Create a scheduled job to run the script so that it dumps the logs into the specified directory.
- Run the command crontab -e
- You will be placed in the crontab editor; add the following line and save it:

0,10,20,30,40,50 * * * * /usr/local/nic/nicsftpagent.sh

- You should see a screen similar to the one shown below.
- Generate the certificate and key.
- Run the following command to generate the RSA key with no passphrase: ssh-keygen -b 1024 -t rsa
- On success you should see a similar screen.
- Copy and share the key file with the SIEM administrator.
- From your Windows computer, connect to the McAfee Web Gateway using WinSCP.
- In the right-hand pane, browse to the /root/root/.ssh directory.
- Right-click id_rsa.pub, click Copy, and copy it to any convenient location on your computer.
- Share the id_rsa.pub file with the SIEM administrator.

SIEM Administrator:

- Import the shared key into the native VLC.
- Log on to the RSA Security Analytics web administration console with administrative privileges.
- Go to Administration > Administration > Devices.
- Select the native VLC and, from the Device menu, go to View > and click Explore.
- In that screen, from the left-hand pane browse to logcollection > file, right-click eventsource and click Properties.
- In the bottom right-hand window, in the eventsource properties section, select keys from the dropdown menu.
- Type into the parameter box: op=add key=""
- Right-click the provided id_rsa.pub file to open it, press Ctrl+A then Ctrl+C, and paste its contents between the "" (the pair of double quotes).
- Click the Send button.
- On a successful import you will see "successful" in the Response output section, as shown below.

4. Register the event source with Security Analytics

Activity Performer: McAfee Web Gateway Administrator & SIEM Administrator

- Go to Administration > Administration > Devices.
- Select the native VLC > click Config from the View menu.
- Click the Event Sources tab and, on the left-hand side, select file from the drop-down menu.
- Click the + icon and select web gateway from the Available Event Source Type pop-up menu.

Note: If a web gateway is already configured with the VLC then you may skip the above step and proceed to the next one.

- In the left-hand window select the webgateway device type and click the + sign in the right-hand section to add the McAfee Web Gateway.
- Provide the following inputs in the Add Source window:

File Directory = unique_name
IP Address = 127.0.0.1 (McAfee Web Gateway)

Expand the Advanced section and set Debug = On

!! The file directory name should be the same as the one you (the SIEM administrator) provided in the nicsftpagent.sh script file during activity 1. !!

- Now the collection procedure will start; wait for at least 10 to 15 minutes, then confirm the collection from the Investigation section of the RSA SA web UI. You should see a window similar to the one shown below.


Annexure: Troubleshooting

Verify the network connectivity

- Connect to the McAfee WG using putty with root credentials.
- Telnet from it to the native VLC on ports 21 and 22.

Verify the successful import of the security key

- Connect to the McAfee WG using putty with root credentials.
- Type ssh <IP address of the native VLC> and press Enter.

If you get connected without being prompted for a password, that verifies that the trust has been established successfully between the two components.

You may verify the same by comparing the contents of the authorized_keys file on the native VLC with the contents of the id_rsa.pub file on the McAfee WG.

Path of the authorized_keys file on the VLC, and path of id_rsa.pub on the McAfee WG: /root/.ssh/

See the similarity of the two files' contents in the screenshot below.

If they do not look similar then you have to redo activity 3.
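As an added check (not from this handbook or from RSA), the Python function below performs the file comparison described above: it looks for the McAfee WG's id_rsa.pub key type and full base64 body in the VLC's authorized_keys, ignoring the trailing comment and extra whitespace, which is where a key pasted into the key="" parameter box usually differs. The key strings are constructed placeholders, not real keys.

```python
from typing import Optional, Tuple

# Constructed sample key material; the base64 bodies are placeholders, not real keys.
SAMPLE_ID_RSA_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7PLACEHOLDERmwgKEY== root@mwg"
SAMPLE_AUTHORIZED_KEYS = """\
# imported via the eventsource 'keys' property, op=add key="..."
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDPLACEHOLDERotherKEY== root@otherbox
ssh-rsa   AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7PLACEHOLDERmwgKEY==   pasted-from-mwg
"""

def key_identity(line: str) -> Optional[Tuple[str, str]]:
    """Return (key type, base64 body) for an OpenSSH public-key line.

    The trailing comment (e.g. root@mwg) is ignored because it legitimately differs
    between id_rsa.pub and the pasted authorized_keys entry. Blank lines, '#' comments
    and lines that do not start with a key type give None.
    """
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        return None
    return parts[0], parts[1]

def key_is_authorized(id_rsa_pub: str, authorized_keys: str) -> bool:
    """True when the McAfee WG key (type and full body) appears in the VLC's authorized_keys.

    Comparing the whole body catches the usual paste failure: a key truncated or
    line-wrapped while being copied into the key="" parameter box.
    """
    wanted = key_identity(id_rsa_pub.strip())
    if wanted is None:
        raise ValueError("id_rsa.pub does not look like an OpenSSH public key line")
    return any(key_identity(line) == wanted for line in authorized_keys.splitlines())
```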
