WatchGuard Firewall Decoder


Ali Holmes

Oct 9, 2025, 8:39:37 AM
to Wazuh | Mailing List
Hello everyone,

I have set up log forwarding to Wazuh through the WatchGuard firewall, but I am unable to write a decoder. I have tried a few pre-written decoders, but none of them worked. I would be grateful if anyone could assist me with this issue.

Best regards.

Olamilekan Abdullateef Ajani

Oct 9, 2025, 10:19:33 AM
to Wazuh | Mailing List
Hello Ali,

I see you have completed the integration which is good. I would be able to provide more assistance if you can share a sample log from the archives.json file.

If you haven't already done that, you can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    ----  
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the Wazuh manager.
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"
Verify that you have the logs, then disable archiving by setting the values to no.

That being said, I found a GitHub community link which has pre-written decoders and rules that you can leverage on; it should work or need little tweaking. Please see the reference below:

https://github.com/wazuh/wazuh/pull/10122/files

Please let me know what you find; if you require additional support, please let me know.

Additional documentation reference:
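A small triage script for the archives.json step above, added here as an example (not code from either poster or from the Wazuh project): it reads the one-JSON-object-per-line archive, keeps only the records whose full_log contains the search term, and separates events that Wazuh matched to a decoder from those stored with no decoder match, which are the ones still needing a custom decoder. The sample records and the "WATCHGUARD-PLACEHOLDER" log text are constructed, and the assumption that undecoded records carry an empty or missing "decoder" object is mine.

```python
import json
from collections import Counter

# Constructed sample of /var/ossec/logs/archives/archives.json records, one
# JSON object per line as written by logall_json. Only the fields used below
# are included; the firewall lines are placeholders, not real WatchGuard output.
SAMPLE_ARCHIVE = """\
{"timestamp":"2025-10-09T08:39:37.000+0000","location":"/var/log/syslog","agent":{"id":"000","name":"manager"},"full_log":"Oct  9 08:39:37 firebox WATCHGUARD-PLACEHOLDER allow 10.0.0.5 203.0.113.7","decoder":{}}
{"timestamp":"2025-10-09T08:39:38.000+0000","location":"/var/log/syslog","agent":{"id":"000","name":"manager"},"full_log":"Oct  9 08:39:38 firebox WATCHGUARD-PLACEHOLDER deny 10.0.0.9 198.51.100.2","decoder":{}}
{"timestamp":"2025-10-09T08:39:39.000+0000","location":"/var/log/auth.log","agent":{"id":"000","name":"manager"},"full_log":"Oct  9 08:39:39 host sshd[1]: Accepted publickey for admin","decoder":{"name":"sshd","parent":"sshd"}}
"""


def triage_archive(text, needle):
    """Split archive records containing `needle` (case-insensitive, like the
    grep -i step) into decoded and undecoded events.

    Returns (decoded_counts, undecoded_logs): decoded_counts maps decoder name
    to number of events; undecoded_logs lists the full_log of every matching
    event that has no decoder name (assumed to be an empty/missing "decoder")."""
    decoded = Counter()
    undecoded = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live archive may end in a half-written line; skip it
        full_log = rec.get("full_log", "")
        if needle.lower() not in full_log.lower():
            continue
        name = (rec.get("decoder") or {}).get("name")
        if name:
            decoded[name] += 1
        else:
            undecoded.append(full_log)
    return decoded, undecoded


def triage_file(path, needle):
    """Same triage over a real archives.json on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_archive(fh.read(), needle)


if __name__ == "__main__":
    decoded, undecoded = triage_archive(SAMPLE_ARCHIVE, "watchguard")
    print("decoded:", dict(decoded))
    print("undecoded (need a custom decoder):")
    for log in undecoded:
        print("  ", log)
```

Run it against the real file with triage_file("/var/ossec/logs/archives/archives.json", "<part of your log>"); the undecoded lines are the raw samples worth pasting into the thread and testing with /var/ossec/bin/wazuh-logtest once a decoder is drafted.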