Splunk Lantern

Configuring Splunk add-on for McAfee/Skyhigh Web Gateway

 

SkyHigh Secure Web Gateway (SWG) is a security gateway used by enterprise customers worldwide. In operation, SWG end-user activity generates a large amount of logging information that is accessible within SWG and can also be streamed into the Splunk platform.

The Splunk Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) takes events from SWG data sources, maps them to types compatible with the Splunk Common Information Model (CIM), and tags all events, where relevant, for the specific CIM data models.

SWG traffic, status, and access logs provide a rich source of data for ingesting into the Splunk platform. This information can then be used to enrich other data sources and generate interesting events related to business services and technology operations.

  • In 2022, McAfee Web Gateway (MWG) rebranded as SkyHigh Secure Web Gateway (SWG).
  • McAfee Web Gateway Cloud Services (MWGCS) is another older name for this product.
  • The app and source type maintain the McAfee name to preserve the old app ID of McAfeeWebGateway.

Getting data in

SWG can write logs to the hard disk or send them via Syslog. The Splunk platform can read log files locally, receive them via a network input (Syslog or a raw UDP/TCP stream), or get them from a universal forwarder that is installed on a log server or on MWG itself. Combined, these methods produce many possible ways to get MWG logs into the Splunk platform.

| Method | Description | Real time |
|---|---|---|
| Local file monitor | Splunk is installed directly on MWG and monitors the log file folder | Yes, up to 30 sec delay |
| Local UDP/TCP input | Splunk is installed directly on the MWG and gets log files sent using Syslog | Yes |
| Syslog UDP/TCP | MWG sends logs via UDP/TCP to a syslog collector or directly to Splunk | Yes |
| Syslog TCP+TLS | MWG sends logs via TCP, encrypted with TLS, to a syslog collector or directly to Splunk | Yes |
| Universal Forwarder | Install UF on SWG to monitor the log file folder | Yes, up to 30 sec delay |
| Log pushing from MWG to a log server | Use pushing (FTP/FTPS/SCP/SFTP/HTTP/HTTPS) from MWG to a log server | No |
| Log pulling from MWG | Pulling logs from MWG via API, scp, or rsync | No |
| Log pulling from SSE/WGCS | Pulling logs via the SSE/WGCS API | No, up to several minutes delay |
| Splunk Connect for Syslog (SC4S) | MWG sends events via UDP/TCP to SC4S; SC4S forwards them to Splunk HEC | Yes |

Installing the universal forwarder directly on SWG and configuring it to forward events to the Splunk indexer is the recommended and most reliable method.

Sources, add-ons, and guidance

Default access log

  • Source type: mcafee:webgateway:default
  • Add-ons and apps: Splunk Add-on for McAfee Web Gateway | Splunkbase; Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) | Splunkbase
  • Guidance: The default log format, which has a fixed structure, provides 14 basic fields. Use it if no SWG modification is possible.

Custom access log

  • Source type: mcafee:webgateway:custom
  • Add-ons and apps: Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) | Splunkbase
  • Guidance: This custom modular log format allows logging fields to be added or removed as needed. It provides comprehensive Common Information Model (CIM) coverage and deep insights for analytics and rapid troubleshooting. Despite the significantly larger amount of information provided, the log size remains largely unchanged; this format achieves up to three times higher information density than the default log format.

Audit log

  • Source type: mcafee:webgateway:audit
  • Add-ons and apps: Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) | Splunkbase
  • Guidance: Audit logs (/opt/mwg/log/audit/audit.log) contain all changes and activity made by administrators using the UI or REST interface. Audit events can be sent to the Splunk platform using a UF or a custom syslog configuration. Almost 70 actions are mapped to the Authentication and Change CIM data models.

MWG-errors log

  • Source type: mcafee:webgateway:mwg-errors
  • Add-ons and apps: Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) | Splunkbase
  • Guidance: The folder /opt/mwg/log/mwg-errors contains various types of logs:

| Log name | Log type | Comment |
|---|---|---|
| mwg-core | text, single line | mwg-core logging |
| mwg-coordinator | text, single line | mwg-coordinator logging |
| mwg-ui | text, multi line | mwg-ui Tomcat logging |
| mwg-logmanager | text, single line | mwg-logmanager logging |
| mwg-uideserialization | text, single line | mwg-ui deserialization logging |
| mwg-sysconfd | text, single line | mwg-sysconfd logging |
| mwg-monitor | text, single line | mwg-monitor logging |
| mwg-saas-connector | text, single line | mwg-saas connector logging |
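As an added example (not from the add-on or the Skyhigh documentation), the following inputs.conf shows the recommended method above: a universal forwarder installed on the SWG appliance, monitoring the log locations described on this page with the add-on's source types. The access log directory and the index name swg are assumptions; the audit and mwg-errors paths are the ones given above.

```ini
# inputs.conf for a universal forwarder running on the SWG appliance
# (added example; adjust paths and index to your deployment).

# Custom access log: best CIM coverage. Switch sourcetype to
# mcafee:webgateway:default if the SWG log format cannot be changed.
# The directory below is a placeholder: point it at the folder your
# SWG log handler writes the access log to.
[monitor:///path/to/swg/access-logs/access*.log]
sourcetype = mcafee:webgateway:custom
index = swg
disabled = 0

# Administrator activity via the UI or REST interface; the add-on maps
# these events to the Authentication and Change CIM data models.
[monitor:///opt/mwg/log/audit/audit.log]
sourcetype = mcafee:webgateway:audit
index = swg
disabled = 0

# Component logs (mwg-core, mwg-coordinator, mwg-ui, ...). Monitoring the
# whole folder picks up every component log listed in the table above;
# the forwarder ships raw data, and the add-on's source type handles
# parsing, including the multi-line mwg-ui Tomcat log.
[monitor:///opt/mwg/log/mwg-errors]
sourcetype = mcafee:webgateway:mwg-errors
index = swg
disabled = 0
# Do not re-ingest rotated archives that SWG compresses in place.
blacklist = \.(gz|bz2|zip)$
```

Verify the inputs after restarting the forwarder with a search such as `index=swg | stats count by sourcetype`; each of the three source types should return events.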

Next steps

If you need further guidance or support, Computacenter can help. Computacenter is a leading independent technology partner, trusted by large corporate and public sector organizations. We help our customers to source, transform, and manage their IT infrastructure to deliver digital transformation, enabling people and their business.

Computacenter offers a scalable Splunk service that supports the entire project cycle - from strategy, consulting and design to development, integration and lifecycle services and the operation of a Splunk environment. In the Strategy & Consulting division, consultants contribute their comprehensive expertise from various industries such as banking and finance, chemical/pharmacy, automotive and domains such as security, datacenter, software development and cloud, and combine this with special knowledge from the Splunk, SIEM, SOAR, analytics, and Cyber Defence sectors. The Centre of Excellence offers all project components from a single source and ensures success for the customer.
