Home » McAfee Manuals » Networking » McAfee MAP-3300-SWG » Manual Viewer

McAfee MAP-3300-SWG Product Guide - Page 272

Extended Syslog attributes for Splunk, Table 271

UPC - 731944547008

View all McAfee MAP-3300-SWG manuals

Add to My Manuals
Save this manual to your list of manuals

Page 272 highlights

Overview of System features Logging, Alerting and SNMP Table 271 Email and Web Security Appliance v5.6 Connector Field Mappings (continued) McAfee-Specific Event Definition ArcSight Event Data Field The definition of this field depends on the value of cs1Label the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU': 'virus-names' If cs5 is 'AS': 'spam-rules-broken' If cs5 is 'DL': 'dlpfile' If cs5 is 'FF': 'content-rules' If cs5 is 'PX': 'content-rules' The definition of this field depends on the value of cs2 the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU': The version of the Anti-Virus engine If cs5 is 'AS': The spam score If cs5 is 'DL': The DLP categories that triggered If cs5 is 'PX': The terms that caused the content filter event The definition of this field depends on the value of cs2Label the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU': 'av-engine-version' If cs5 is 'AS': 'spam-score' If cs5 is 'DL': 'dlp-rules' If cs5 is 'PX': 'compliance-terms' The definition of this field depends on the value of cs3 the field 'cs5': If cs5 is 'AS': The threshold the message exceeded The definition of this field depends on the value of cs3Label the field 'cs5': If cs5 is 'AS': 'spam-threshold-score' The attachments of the email (if available) cs4 'email-attachments' cs4Label For a detection event, the scanner which cs5 triggered the event: 'AP' - Anti-Phish 'AS' - Anti-Spam 'AV' - Anti-Virus 'DL' - Data Loss Prevention 'FF' - File Filtering 'MF' - Mail Filtering 'MS' - Mail Size 'PA' - Packer 'PU' - Potentially Unwanted Program 'PX' - Compliancy 'SA' - SiteAdvisor 'UF' - URL Filtering 'master-scan-type' cs5Label The subject of the email cs6 'email-subject' cs6Label Indicates if the action taken is the main action cn1 defined for the event. 1 indicates primary action 'is-primary-action' cn1Label The number of attachments in the email (if cn2 available) 'num-email-attachments' cn2Label The number of recipients of the email cn3 'num-email-recipients' cn3Label Extended Syslog attributes for Splunk Using the extended Syslog functions within the appliance, you can use external, third party software - such as Splunk - to generate Syslog reports. Table 272 Extended Syslog attributes for Splunk Syslog entry Notes Example Time and Appliance Name Dec 30 10:58:10 Appliance1 app Protocol Smtp 272 McAfee Email and Web Security Appliances 5.6.0 Product Guide

Section	Page
Contents	3
Preface	7
About this guide	7
Audience	7
Conventions	7
Finding product documentation	8
Contact information	8
Optional components and related products	8
Working with your McAfee Email and Web Security Appliances	9
The interface	10
Common tasks within the interface	12
Enabling each feature	12
Making changes to the appliance's configuration	12
Using lists	13
Making and viewing lists	13
Adding information to a list	13
Removing single items from a list	13
Removing many items from a list	13
Changing information in a list	14
Viewing information in a long list	14
Ordering information in a list	14
Ordering information alphabetically in a list	15
Importing and exporting information	15
Importing prepared information	15
Exporting prepared information	15
Ports used by Email and Web Security Appliances	16
Resources	17
Overview of Dashboard features	21
Dashboard	21
Edit Preferences	25
Graphs Edit Preferences	27
Overview of Reports features	29
Types of reports	29
Scheduled Reports	30
Email Reports overview	33
Interactive Reporting — Total view	37
Interactive Reporting — Time view	38
Interactive Reporting — Itemized view	38
Interactive Reporting — Detail view	39
Selection — Favorites	40
Selection — Filter	40
Web Reports overview	43
Interactive Reporting — Total view	46
Interactive Reporting — Time view	47
Interactive Reporting — Itemized view	47
Interactive Reporting — Detail view	48
Selection — Favorites	49
Selection — Filter	49
System Reports	52
Interactive Reporting — Detail view	54
Selection — Favorites	54
Selection — Filter	55
Overview of Email features	59
Life of an email message	59
Message Search	62
Email Overview	70
Email Configuration	71
Protocol Configuration	72
Connection Settings (SMTP)	72
Basic SMTP settings	72
Message rate warning thresholds	73
Timeouts	73
Protocol Settings (SMTP)	74
Data command options	75
Denial of service protection	75
Message processing	76
Transparency options (router and bridge mode only)	78
Address parsing options	79
Address Masquerading (SMTP)	79
Sender address masquerading	80
Recipient address aliasing	81
Transport Layer Security (SMTP)	81
TLS Connections	82
Certificate management	82
TLS options (advanced)	84
Connection and Protocol Settings (POP3)	84
Basic POP3 settings	85
Timeouts	85
POP3 protocol settings	86
Receiving Email	86
Permit and Deny Lists	86
Anti-Relay Settings	89
Recipient Authentication	93
Bounce Address Tag Validation	96
Sending Email	97
Email Policies	101
Introduction to policies	101
SMTP policies	102
POP3 policies	102
Email Scanning Policies menu	103
Settings for scanning viruses and similar threats	104
Anti-virus features	105
What is a potentially unwanted program (PUP)?	106
Types of anti-virus scanning	106
Customized anti-virus settings	107
Detection of new and unknown viruses	107
Special actions against packers and PUPs	108
Problems with alerts for mass mailers	108
McAfee Global Threat Intelligence	109
About Protocol Presets	109
Email Scanning Policies	109
Scanning Policies - Add Policy...	114
Anti-Virus Settings — Basic options	116
Anti-Virus Settings — McAfee Anti-Spyware	117
Anti-Virus Settings — Packers	117
Anti-Virus Settings — Custom Malware Options	118
Anti-Spam Settings — Basic Options	119
Anti-Spam Settings — Advanced Options	120
Anti-Spam Settings — Blacklists and Whitelists	120
Anti-Spam Settings — Rules	121
Anti-Phish Settings	121
Sender Authentication Settings — Message reputation	123
Sender Authentication Settings — RBL Configuration	123
Sender Authentication Settings — SPF, Sender ID and DKIM	124
Sender Authentication Settings — Cumulative Score and Other Options	125
File Filtering Settings	125
About file filtering	126
Data Loss Prevention Settings	127
Mail Size Filtering Settings — Message Size	129
Mail Size Filtering Settings — Attachment Size	129
Mail Size Filtering Settings — Attachment Count	130
Compliance Settings	130
Rule Creation Wizard	133
Rule Creation Wizard	134
Scanner Limits	135
Content Handling Settings — Email Options — Basic Options	136
Content Handling Settings — Email Options — Advanced Options	137
Content Handling Settings — Email Options — Missing/Empty Headers	137
Content Handling Settings — Email Options — Text and binary MIME types	138
About MIME formats	138
Content Handling Settings — Email Options — Character sets	139
Content Handling Settings — HTML Options	139
Content Handling Settings — Corrupt or Unreadable Content — Corrupt content	140
Content Handling Settings — Corrupt or Unreadable Content — Encrypted content	140
Content Handling Settings — Corrupt or Unreadable Content — Protected files	141
Content Handling Settings — Corrupt or Unreadable Content — Partial/external messages	141
Content Handling Settings — Corrupt or Unreadable Content — Signed messages	142
Alert Settings	142
Notification and Routing Settings — Notification Emails	143
Notification and Routing Settings — Audit Copies	144
Notification and Routing Settings — Routing	144
Notification and Routing Settings — SMTP Relays	145
Notification and Routing Settings — Email Recipients	145
McAfee Global Threat Intelligence (GTI) Feedback Settings	145
Dictionaries	146
Add Dictionary Details	154
New Condition	154
Registered Documents	155
Quarantine Configuration	159
Quarantine Options	159
Quarantine Digest Options	160
Digest Message Content	161
Overview of Web features	163
Web Configuration	163
HTTP Connection Settings	163
HTTP Protocol Settings	165
ICAP Connection Settings	169
ICAP Authentication	171
ICAP Protocol Settings	172
FTP Connection Settings	174
FTP Protocol Settings	175
Web Policies	178
Introduction to policies	178
FTP policies	178
ICAP policies	178
HTTP policies	179
Web Scanning Policies	179
Scanning Policies - Add Policy...	183
Anti-Virus Settings — Basic options	184
Anti-Virus Settings — McAfee Anti-Spyware	185
Anti-Virus Settings — Packers	186
Anti-Virus Settings — Custom Malware Options	187
HTTPS Web Categorization Settings	187
HTTPS Web Categorization - McAfee GTI Web Categorization	188
URL Blacklisting and Whitelisting	188
SiteAdvisor Web Reputation	189
Web Categorization	190
User Categorized URLs	190
Alerts and Settings	191
Compliance Settings	191
Streaming Media	194
Instant Messaging	194
Scanner Limits	194
Content Handling Settings — HTML Options	195
Content Handling Settings — Corrupt or Unreadable Content — Corrupt content	196
Content Handling Settings — Corrupt or Unreadable Content — Protected files	196
HTTP Scanning	197
Dictionaries	197
Add Dictionary Details	205
New Condition	205
Overview of System features	207
Appliance Management	207
General	207
Network Interfaces Wizard	208
DNS and Routing	212
Time and Date	214
Appliance Management — Remote Access	215
UPS Settings	219
Add UPS Device	221
Database Maintenance	222
Retention Limits	222
Event Options	223
External Access	224
Maintenance	225
Appliance Management — System Administration	225
System Commands	226
Manage Internal Rescue Image	227
Benefits of using the internal rescue image	231
Manage Internal Rescue Image option definitions	231
Default Server Settings	232
Cluster Management	233
Backup and Restore Configuration	233
Configuration Push	235
Load Balancing	236
Network Interfaces Wizard — Cluster Management	238
Resilient Mode	239
Users, Groups and Services	240
Directory Services	240
Web User Authentication	240
Policy Groups	241
Role-Based User Accounts	241
Add Login Service	243
Configuring Kerberos authentication using Active Directory 2003	246
Virtual Hosting	250
Virtual Hosts	250
Add Virtual Host	253
Virtual Networks	255
Edit Virtual Network	255
Certificate Management	256
Certificates	256
CA certificates	256
TLS certificates and keys	257
Appliance HTTPS certificate	259
Certificate Revocation lists (CRLs)	259
Installed CRLs	260
CRL updates	260
Logging, Alerting and SNMP	261
Email Alerting	261
Alert tokens for Email alert messages	262
SNMP Alert Settings	268
SNMP Monitor Settings	268
System Log Settings	269
Extended Syslog attributes for ArcSight	270
Extended Syslog attributes for Splunk	272
WebReporter	275
Logging Configuration	275
Component Management	276
Update Status	276
Specify the server settings for downloading the update via HTTP	279
Specify the server settings for downloading the update via FTP	280
Time to schedule update for	280
Specify the server settings for downloading spam updates	281
Configure Web Categorization Updates	281
Configure Automatic Package Updates	282
Package Installer	282
ePO	283
Setup Wizard	284
Welcome	285
Transparent Bridge Mode	285
Transparent Router mode	286
Explicit Proxy mode	287
Standard Setup	287
Traffic — Standard setup	288
Basic Settings - Standard setup	288
Summary — Standard setup	290
Custom Setup	290
Traffic — Custom setup	291
Basic Settings - Custom setup	292
Network Settings	292
Cluster Management	293
DNS and Routing	294
Time Settings	295
Password	296
Summary — Custom setup	296
Restore from a file Setup	297
Import Configuration	297
Values to Restore	298
Traffic — Custom setup	298
Basic Settings - Custom setup	299
Cluster Management	299
DNS and Routing	301
Time Settings	302
Password	302
Summary — Custom setup	303
ePO Managed Setup	303
Settings for ePO Management	304
Basic Settings -- ePO Managed Setup	305
Network Settings	305
Cluster Management	306
DNS and Routing	307
Time Settings	307
Password	308
Summary — ePO Managed Setup	308
Overview of Troubleshoot features	311
Troubleshooting Tools	311
Ping and Trace Route	312
System Load	312
Route Information	313
Disk Space	314
Troubleshooting Reports	314
Minimum Escalation Report	314
Capture Network Traffic	315
Save Quarantine	316
Log Files	316
Error Reporting Tool	318
Tests	318
System Tests	318
How appliances work with ePolicy Orchestrator	321
Configuring your appliance for ePolicy Orchestrator management	323
Managing your appliances from within ePolicy Orchestrator	325
Index	327
A	327
B	327
C	327
D	328
E	328
F	328
G	329
H	329
I	329
K	329
L	329
M	329
N	330
O	330
P	330
Q	330
R	330
S	331
T	331
U	332
V	332

Match case Limit results 1 per page

Table 271

Email and Web Security Appliance v5.6 Connector Field Mappings

(continued)

McAfee-Specific Event Definition

ArcSight Event Data Field

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU':

'virus-names' If cs5 is 'AS': 'spam-rules-broken'

If cs5 is 'DL': 'dlpfile' If cs5 is 'FF': 'content-rules'

If cs5 is 'PX': 'content-rules'

cs1Label

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU': The

version of the Anti-Virus engine If cs5 is 'AS': The

spam score If cs5 is 'DL': The DLP categories that

triggered If cs5 is 'PX': The terms that caused the

content filter event

cs2

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AV' or 'PA' or 'PU':

'av-engine-version' If cs5 is 'AS': 'spam-score' If

cs5 is 'DL': 'dlp-rules' If cs5 is 'PX':

'compliance-terms'

cs2Label

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AS': The threshold the

message exceeded

cs3

The definition of this field depends on the value of

the field 'cs5': If cs5 is 'AS': 'spam-threshold-score'

cs3Label

The attachments of the email (if available)

cs4

'email-attachments'

cs4Label

For a detection event, the scanner which

triggered the event: 'AP' - Anti-Phish 'AS' -

Anti-Spam 'AV' - Anti-Virus 'DL' - Data Loss

Prevention 'FF' - File Filtering 'MF' - Mail Filtering

'MS' - Mail Size 'PA' - Packer 'PU' - Potentially

Unwanted Program 'PX' - Compliancy 'SA' -

SiteAdvisor 'UF' - URL Filtering

cs5

'master-scan-type'

cs5Label

The subject of the email

cs6

'email-subject'

cs6Label

Indicates if the action taken is the main action

defined for the event. 1 indicates primary action

cn1

'is-primary-action'

cn1Label

The number of attachments in the email (if

available)

cn2

'num-email-attachments'

cn2Label

The number of recipients of the email

cn3

'num-email-recipients'

cn3Label

Extended Syslog attributes for Splunk

Using the extended Syslog functions within the appliance, you can use external, third party software

— such as Splunk — to generate Syslog reports.

Table 272

Extended Syslog attributes for Splunk

Syslog entry

Notes

Example

Time and Appliance Name

Dec 30 10:58:10 Appliance1

app

Protocol

Smtp

Overview of System features

Logging, Alerting and SNMP

272

McAfee Email and Web Security Appliances 5.6.0 Product Guide