Skip to content

McAfee Web Gateway

McAfee Web Gateway

About

McAfee Web Gateway delivers comprehensive security for all aspects of web traffic in one high-performance appliance software architecture. For user-initiated web requests, McAfee Web Gateway first enforces an organization's internet use policy.

Product Details

Vendor URL: McAfee Web Gateway

Product Type: Proxy

Product Tier: Tier II

Integration Method: Syslog

Integration URL: McAfee Integration Guide

Log Guide: n/a

Parser Details

Log Format: Syslog with KV and CSV filter

Expected Normalization Rate: 80-100%

Data Label: MCAFEE_WEBPROXY

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field UDM Event Type
src principal.ip Principal
usrName principal.user.userid Principal
dst target.ip Target
blockReason metadata.product_event_type Metadata
urlCategories security_result.category_details Security_Result
ALLOW/BLOCK security_result.action Security_Result
url target.url Target
NETWORK_CONNECTION/GENERIC_EVENT metadata.event_type Metadata
vendor metadata.vendor_name Metadata
product metadata.product_name Metadata
version metadata.product_version Metadata
httpStatus/HTTP response code description metadata.description Metadata
observer observer.hostname Observer
observer observer.ip Observer

Product Event Types

Description metadata.event_type security_result.action
Allow Traffic NULL ALLOW
Block Traffic Block Reason BLOCK

Log Sample

<30>Jun 16 23:58:40 sysloghost mwg: CEF:0|McAfee|Web Gateway|9.2.7|0|devTime=1623887920000|src=10.1.1.1|usrName=bartsimpson|httpStatus=200|dst=10.2.2.2|urlCategories=Shareware/Freeware|blockReason=|url=url

Sample Parsing

metadata.event_timestamp: "2021-06-18T12:10:02.747536Z"
metadata.event_type: "NETWORK_CONNECTION"
metadata.vendor_name: "McAfee"
metadata.product_name: "Web Gateway"
metadata.product_version: "9.2.7"
metadata.description:"HTTP Status: 200 - OK - Standard response for successful HTTP requests. "
metadata.ingested_timestamp: "2021-06-18T12:10:02.747536Z"
principal.ip[0]: "10.1.1.1"
target.ip[0]: "10.2.2.2"
target.url: "url"
observer.hostname: "sysloghost"
security_result[0].category_details[0]: "Shareware/Freeware"
security_result[0].action[0]: "ALLOW"
network.http.response_code: 200

Parser Alerting

This product currently does not have any Parser-based Alerting