Problem with Juniper Firewall logs


Rabail Naseer

Jun 14, 2021, 4:49:59 AM
to Wazuh mailing list
Hi Wazuh community,

I am trying to pull logs of a Juniper firewall into Wazuh but am unable to see these logs in the dashboard. I am using the below configuration in the ossec.conf file:
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>
<remote>
  <connection>syslog</connection>
  <port>513</port>
  <protocol>tcp</protocol>
  <allowed-ips>x.x.x.x</allowed-ips>
</remote>
I set the log alert level to 0, i.e. <log_alert_level>0</log_alert_level>,
and log all, <logall>yes</logall>,
but I am unable to see the firewall logs in the dashboard. Please help me to resolve this issue.

Yana Zaeva

Jun 14, 2021, 9:11:11 AM
to Wazuh mailing list
Hi,

It seems that currently, we do not have rules nor decoders for the Juniper firewall logs. You can check all the available ones here

However, custom rules and decoders can always be added to the manager. First of all, let's see if the logs are arriving at the manager. To do so, let's enable the option <logall_json> in the manager's configuration. It is recommended to enable this option and not the <logall> one as we will be able to see the full_log field and write decoders and rules for it. So, once this option is enabled, restart the Wazuh manager to apply the changes. After this, look for the log in the /var/ossec/logs/archives/archives.json file. You can do it using the command grep, and looking for some words present in this log. I will leave an example of this command in a picture attached to this message.

Let me know if you are able to see Juniper firewall logs in the /var/ossec/logs/archives/archives.json file. 

Waiting for your reply,
Yana.
grep_example.png
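
The check described in the reply above, as an added example that is not part of the original thread or of Wazuh itself: a Python filter over archives.json that picks out events from the firewall's address and reports which decoder, if any, matched them. The field names (full_log, location, decoder.name), the 192.0.2.10 address and the sample log lines are assumptions constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample lines in the archives.json layout (one JSON object per line).
# 192.0.2.10 stands in for the firewall address; the log text is invented.
SAMPLE_ARCHIVE = """\
{"timestamp":"2021-06-14T09:00:01.000+0000","agent":{"id":"000","name":"manager"},"full_log":"Jun 14 09:00:01 fw01 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/4431->198.51.100.7/443","decoder":{},"location":"192.0.2.10"}
{"timestamp":"2021-06-14T09:00:02.000+0000","agent":{"id":"001","name":"web01"},"full_log":"Jun 14 09:00:02 web01 sshd[811]: Accepted publickey for deploy","decoder":{"name":"sshd"},"location":"/var/log/auth.log"}
{"timestamp":"2021-06-14T09:00:03.000+0000","agent":{"id":"000","name":"manager"},"full_log":"Jun 14 09:00:03 fw01 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN","decoder":{},"location":"192.0.2.10"}
{"timestamp":"2021-06-14T09:00:04.000+0000" truncated line
"""


def find_events(lines, source_ip=None, keyword=None):
    """Yield archived events sent by source_ip and/or whose full_log contains keyword."""
    for line in lines:
        try:
            event = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # blank line, or a last line that is still being written
        if not isinstance(event, dict):
            continue
        # Assumption: for remote syslog input, "location" holds the sender's address.
        if source_ip and source_ip not in event.get("location", ""):
            continue
        if keyword and keyword.lower() not in event.get("full_log", "").lower():
            continue
        yield event


def summarize(events):
    """Return how many events matched, which decoders fired, and one raw log line."""
    events = list(events)
    decoders = Counter(e.get("decoder", {}).get("name", "(none)") for e in events)
    sample = events[0].get("full_log") if events else None
    return {"count": len(events), "decoders": dict(decoders), "sample": sample}


if __name__ == "__main__":
    # Pass the archive path (/var/ossec/logs/archives/archives.json on the manager)
    # and the firewall IP as arguments; with no arguments the sample above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarize(find_events(fh, source_ip=sys.argv[2])))
    else:
        print(summarize(find_events(SAMPLE_ARCHIVE.splitlines(), source_ip="192.0.2.10")))
```

A count of 0 means no events from that address reached the archive, so the problem is upstream of decoding; a non-zero count with decoder "(none)" means the logs arrive and the sample line is what a custom decoder has to match.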

Rabail Naseer

Jun 15, 2021, 8:34:46 AM
to Wazuh mailing list
Hi,

I am trying to pull pfSense firewall logs into Wazuh using the below config but still cannot see any logs on the dashboard, and also cannot see any logs in archives.json. I do not understand where the issue is. Please help me to solve the issue.
And I think the rules and decoders for the pfSense firewall are already defined in Wazuh.

<remote>
  <connection>syslog</connection>
  <port>513</port>
  <protocol>udp</protocol>
  <allowed-ips>x.x.x.x</allowed-ips>
</remote>

Rabail Naseer

Jun 16, 2021, 6:26:44 AM
to Wazuh mailing list
Please reply as soon as possible.
Using port 514 UDP:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>x.x.x.x</allowed-ips>
</remote>
