Experience and testing is a wonderful but arduous process. Through use of the script at a large customer desiring XML format, several challenges required many changes and enhancements to the script that can now be leveraged for general use.

Challenges and discoveries:

• Query times
  • Queries for CSV accept type are much much faster than queries for XML type
  • Queries for large amounts of data are much faster if the timestamp filters are used and the time span is recent and not longer than a day or two
• Timeouts
  • Network timeouts can occur, keep-alive is not implemented in the API, if a network timeout occurs curl will error and no file will be saved
  • Query timeouts can occur, if the query takes more than 5 minutes, it will time out and return a file with no data
• Record limits
  • There is an available record limit filter that can be used to help with handling timeouts
  • If the record limit is hit there is no guarantee that all the records for a particular timestamp have been received as part of the query. 
• Record transit time PoP to central log storage
  • It can take up to several minutes for logs to arrive in the central database
  • The backset variable was and still is used to account for this. Default is 10 minutes now, but 5 minutes should still be OK
  • There are plans to add the ability to filter based on database arrival time but this is not yet available in production. This should eliminate the need to use the backset and it should be possible to retrieve all logs that arrived in the database on or before the time specified in the query filter. 
• XML format 
  • It generates much larger files that take longer to download
  • The query itself takes much longer on the backend which can lead to query or network timeouts
  • There was a limit of 1000 records when retrieving XML, the limit for CSV is 10 million records
• Converting CSV to XML 
  • Proper conversion process is relatively simple but CPU intensive
  • Doing it in bash is highly inefficient and error prone
  • Python and Perl are much more efficient, but there are still things to watch out for
    • Certain fields need to have characters escaped to deliver XML compliant output
    • Any fields that are anonymized in WGCS will need to be escaped adding significant processing time
    • The field names delivered by the API when querying for CSV (field names in the header) are not exactly the same as the field names delivered when querying for XML
    • CSV currently adds two blank lines at the end of the file
• Multiiple instances running
  • Never run multiple instances of the script from the same folder at the same time. Bad things will likely happen. See below about lock file to protect against this potential issue.

The above challenges and issues resulted in a new script, with new variables that will update an existing logpull.conf file appropriately, however I recommend looking at your existing conf file and copying the lastSuccessEpoch and customerID and any other variables you may have modified to the new script then deleting the conf file and letting the script build a new one.

The new script has a companion python script that will convert CSV format to XML format so that the query will always be CSV format for best performance. If acceptType is specified in the conf file as XML the script will call the python script to convert the log file to XML format. The script could be further modified to actually format and send syslog direct to a SIEM.

The new script also implements a lock file (logpull.lck) that is created and deleted automatically by the script as long as the script is not interrupted. This ensures that no more than one instance of the script runs at a time. All kinds of unintended consequences and issues would likely arise if two instances of the script were running in the same directory at the same time. Be very careful about manually deleting the lock file, only delete it if you are absolutely sure the script is not currently running.

Version 3 of the log pull example bash script is attached to this reply.

In addition to fixing a few bugs with versions 2 and 1, this version takes advantage of the newly available (8/29/19) createdTimestamp filters to allow pull of the most current database records without the risk of missing records that may arrive in the database as many as a few minutes after the actual request.

As always this is unsupported public example code that is not supported by McAfee although the API is fully supported per available documentation. Feel free to "fold, spindle and mutilate" as you see fit. But please contribute back to the community if you have suggestions for improvement, if you find bugs, or if you actually code improvements. 

When using an override conf file (can be any name) you can override request and created start and end times:

startTime=                  #request from

startCTime=                #created from

endTime=                    # request to

endCTime=                 # created to

On Oct 10 at 2PM US MST the API will change what data is delivered based on the request timestamp filters. Currently it delivers  request timestamps => from and <= to. The change will deliver request timestamps >= from and < to. The previous scripts avoided duplicate records in scheduled pulls by adding 1 sec to the previous success (previous pull to) and using that for the current from. This needs to change to no longer add the second. This also impacted the code for when maxTime determines more than one pull is required. The script below is modified to account for the change, but will result in duplicate records if used before Oct 10 2PM US MST. The old script will result in missed records if it is still used after the change.

Usual caveats apply. Example only, no support, yada, yada, yada 

Trying to use the script I get an curl error message...

curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Solve this changing /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

from CipherString = @SECLEVEL=2:...

to CipherString = @SECLEVEL=1:...

True. For those who want Powershell script, it can be found here: https://community.mcafee.com/t5/Documents/Web-Gateway-Cloud-Service-Cloud-Log-Puller-for-Windows/ta-... Originally the bash script was simple code that essentially did the same as the Powershell version but for customers that wanted something that would run native on Linux in some cases on one of their web gateways. Since then it has been greatly enhanced with features not currently available in the Powershell script.

I continued to modify this one, because I wrote the original version and had a large customer wanting to run on Linux that needed the additional features of using the created timestamp filter, using the max record filter, recovering from errors and timeouts, preventing duplicates and missing records, hiding the credentials, breaking a large query into smaller ones and merging the results, preventing multiple instances from running at the same time, pulling in CSV and converting to XML, etc etc. If I had the time and knew Powershell better, the Powershell version could probably be improved significantly with similar features.

There is also a simple python script that pretty much mimics the features of the older Powershell script, written by another engineer, that I can make available if anyone needs or wants it.

We also generate large log files (about 1 GB every 5 minutes).  We use CSR in a high-performance server and database environment to get the logs on premise and process them.  We also switched over from using a UNIX-based log collection for SIEM to the McAfee Logger tool.  There was a fix we needed, but it appears to be running great now. 

With the McAfee Logger tool (Windows only), you can send the data directly to a server over syslog port, or you can save the logs and have your SIEM server get the files directly.