Configuring Splunk add-on for McAfee/Skyhigh Web Gateway
SkyHigh Secure Web Gateway (SWG) is a security gateway used by enterprise customers worldwide. In operation, SWG generates a large volume of logging data about end-user web traffic. This data is accessible within SWG itself and can also be streamed into the Splunk platform.
The Splunk Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) takes events from SWG data sources, maps their fields to names compatible with the Splunk Common Information Model (CIM), and tags events, where relevant, so they populate the corresponding CIM data models.
SWG traffic, status, and access logs provide a rich source of data for ingesting into the Splunk platform. This information can then be used to enrich other data sources and generate interesting events related to business services and technology operations.
- In 2022, McAfee Web Gateway (MWG) rebranded as SkyHigh Secure Web Gateway (SWG).
- McAfee Web Gateway Cloud Services (MWGCS) is another older name for this product.
- The app and source type maintain the McAfee name to preserve the old app ID of McAfeeWebGateway.
Getting data in
SWG can write logs to local disk or send them via syslog. The Splunk platform can read log files locally, receive them over a network input (syslog or a raw UDP/TCP stream), or receive them from a universal forwarder installed on a log server or on SWG itself. Combining these options gives many possible ways to get SWG logs into the Splunk platform.
| Method / Link to configuration example | Description | Real time |
|---|---|---|
| Local file monitor | Splunk is installed directly on MWG and monitors the log file folder | Yes, up to 30 sec delay |
| Local UDP/TCP input | Splunk is installed directly on MWG and receives log events sent via syslog | Yes |
| Syslog UDP/TCP | MWG sends logs via UDP/TCP to a syslog collector or directly to Splunk | Yes |
| Syslog TCP+TLS | MWG sends logs via TCP, encrypted with TLS, to a syslog collector or directly to Splunk | Yes |
| Universal Forwarder | Install the UF on SWG to monitor the log file folder | Yes, up to 30 sec delay |
| Log pushing from MWG to a log server | Use pushing (FTP/FTPS/SCP/SFTP/HTTP/HTTPS) from MWG to a log server | No |
| Log pulling from MWG | Pull logs from MWG via API, scp, or rsync | No |
| Log pulling from SSE/WGCS | Pull logs via the SSE/WGCS API | No, up to several minutes delay |
| Splunk Connect for Syslog (SC4S) | MWG sends events via UDP/TCP to SC4S; SC4S forwards them to Splunk HEC | Yes |
Installing the universal forwarder directly on SWG and configuring it to forward events to the Splunk indexer is the recommended and most reliable method.
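The following is an added example, not configuration from the original page or from the add-on itself. It stages the two configuration files a universal forwarder on SWG needs for the recommended method: an inputs.conf that monitors the SWG log folder, and an outputs.conf that ships the events to the indexers over TLS with server certificate verification. The log path /opt/mwg/log/user-defined-logs/access.log, the index name proxy, the sourcetype name, and the indexer hostname are assumptions; confirm the sourcetype against the add-on's README before deploying. A small check function verifies that the staged inputs.conf contains the SWG monitor stanza and that no plaintext UDP syslog input has been left enabled on the same host.

```shell
#!/bin/sh
# Added example (not from the original page or the add-on): stage a
# deployment app for a Splunk Universal Forwarder installed on SWG.
# Assumptions: SWG writes its access log under
# /opt/mwg/log/user-defined-logs/access.log, the target index is "proxy",
# the sourcetype name below matches the add-on README, and the indexer
# is reachable at idx1.example.com:9997.
set -eu

# Write inputs.conf and outputs.conf under <app_dir>/local.
# Typical app_dir: /opt/splunkforwarder/etc/apps/swg_uf_inputs
stage_swg_inputs() {
  app_dir="$1"
  mkdir -p "$app_dir/local"

  # Recommended method from the table: monitor the log folder locally.
  # Splunk conf files only accept full-line comments, so none are inline.
  cat > "$app_dir/local/inputs.conf" <<'EOF'
# Monitor the SWG access log folder (path is an assumption)
[monitor:///opt/mwg/log/user-defined-logs/access.log]
# sourcetype name is an assumption: confirm against the add-on README
sourcetype = mcafee:wg:kv
index = proxy
disabled = 0
EOF

  # Forward to the indexers over TLS and verify the server certificate,
  # so log data is not exposed or tampered with in transit.
  cat > "$app_dir/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997
useSSL = true
sslVerifyServerCert = true
EOF
}

# Sanity check on a staged inputs.conf:
#  - the SWG monitor stanza must be present
#  - no plaintext [udp:...] syslog input may be enabled on this host
# Returns 0 when both conditions hold, 1 otherwise.
check_inputs() {
  f="$1"
  if ! grep -q '^\[monitor:///opt/mwg/log/' "$f"; then
    echo "check_inputs: no SWG monitor stanza in $f" >&2
    return 1
  fi
  if grep -q '^\[udp:' "$f"; then
    echo "check_inputs: plaintext UDP input present in $f" >&2
    return 1
  fi
  return 0
}

# Usage: ./stage_swg.sh /opt/splunkforwarder/etc/apps/swg_uf_inputs
if [ $# -eq 1 ]; then
  stage_swg_inputs "$1"
  check_inputs "$1/local/inputs.conf"
fi
```

After staging, restart the forwarder and confirm the monitor with `splunk list monitor` (or `splunk btool inputs list --debug`) before trusting the data in searches. If you use the Syslog TCP+TLS row instead, the receiving side is configured in the indexer's inputs.conf with a `[tcp-ssl:<port>]` stanza and an `[SSL]` stanza holding the server certificate; plain `[udp:514]` inputs carry the data unencrypted and unauthenticated and can silently drop events under load.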
| Source | Add-ons and apps | Guidance |
|---|---|---|
| Default access log | Splunk Add-on for McAfee Web Gateway (Splunkbase); Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) (Splunkbase) | The default log format, which has a fixed structure, provides 14 basic fields. Use it if no SWG modification is possible. |
| Custom access log | Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) (Splunkbase) | This custom modular log format allows fields to be added or removed as needed. It provides comprehensive Common Information Model (CIM) coverage and deep insights for analytics and rapid troubleshooting. Despite the significantly larger amount of information provided, the log size remains largely unchanged; this format achieves up to three times the information density of the default log format. |
| Audit log | Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) (Splunkbase) | Audit logs ( |
| MWG-errors log | Add-on for McAfee/SkyHigh Web Gateway (MWG/SWG/MWGCS) (Splunkbase) | The folder |
Next steps
If you need further guidance or support, Computacenter can help. Computacenter is a leading independent technology partner, trusted by large corporate and public sector organizations. We help our customers to source, transform, and manage their IT infrastructure to deliver digital transformation, enabling people and their business.
Computacenter offers a scalable Splunk service that supports the entire project cycle - from strategy, consulting and design to development, integration and lifecycle services and the operation of a Splunk environment. In the Strategy & Consulting division, consultants contribute their comprehensive expertise from various industries such as banking and finance, chemical/pharmacy, automotive and domains such as security, datacenter, software development and cloud, and combine this with special knowledge from the Splunk, SIEM, SOAR, analytics, and Cyber Defence sectors. The Centre of Excellence offers all project components from a single source and ensures success for the customer.
The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.