watchguard firewall logs


Maha

Jun 11, 2024, 7:33:20 AM
to Wazuh | Mailing List
Hi,
I'm trying to get WatchGuard firewall logs into Wazuh and analyse them.
After some research I found that it's not possible now.
Any workarounds?

Thanks,
Maha

Gonzalo Acuña

Jun 11, 2024, 8:46:43 AM
to Wazuh | Mailing List
Hi, Maha.
To integrate a network device, you can use Remote Syslog. These are the steps to configure it:
- https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

On your Wazuh manager, locate the file /var/ossec/etc/ossec.conf and enter the configuration below:
<remote>
     <connection>syslog</connection>
     <port>514</port>
     <protocol>tcp</protocol>
     <allowed-ips>ip_network device</allowed-ips>
     <local_ip>local_ip_of_manager</local_ip>
</remote>


Configure your network device to forward logs to the Wazuh Manager using the syslog protocol:
- https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

Restart the Wazuh manager using the command
systemctl restart wazuh-manager


It will probably be necessary to create decoders and rules for the logs. I would recommend https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html, which will help you create your ruleset.

Also, the wazuh-logtest tool can help with the whole process:
- https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html

Regards.
Gonzalo.
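As an added illustration of the decoder-and-rule step above (this is not code from the thread or from the Wazuh project), here is a parent/child decoder pair and three rules in the Wazuh ruleset syntax. The log line it parses is constructed for the example, and the field layout, the program name "watchguard", the decoder names and the rule IDs 100100-100102 are all assumptions; the real field order must be taken from the vendor's log format reference and adjusted in the regex and order list.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (added example, not from the thread) -->

<!-- Parent decoder: matches on the syslog program name the firewall is
     assumed (hypothetically) to send, e.g. "fw-edge01 watchguard: ..." -->
<decoder name="watchguard">
  <program_name>^watchguard</program_name>
</decoder>

<!-- Child decoder: extracts fields from a constructed traffic line such as
     msg_id="3000-0148" Deny 0-External 1-Trusted 60 tcp 20 64 203.0.113.7 10.10.0.5 51234 3389
     The field layout is an assumption for illustration only; take the real
     one from the vendor's log format reference and adapt the regex. -->
<decoder name="watchguard-traffic">
  <parent>watchguard</parent>
  <regex>^msg_id="(\S+)" (\w+) (\S+) (\S+) \d+ (\w+) \d+ \d+ (\S+) (\S+) (\d+) (\d+)</regex>
  <order>msg_id, action, src_iface, dst_iface, protocol, srcip, dstip, srcport, dstport</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (added example; rule IDs are hypothetical) -->
<group name="watchguard,firewall,">

  <!-- Base rule: every event the parent decoder matched. Level 3 keeps it
       visible while testing; lower it to 0 once the child rules are trusted. -->
  <rule id="100100" level="3">
    <decoded_as>watchguard</decoded_as>
    <description>WatchGuard firewall event</description>
  </rule>

  <!-- A single denied connection, with decoded fields in the description -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="action">^Deny$</field>
    <description>WatchGuard denied $(protocol) from $(srcip) to $(dstip):$(dstport)</description>
  </rule>

  <!-- Correlation: ten denials from the same source within 60 seconds -->
  <rule id="100102" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>Repeated denied connections from $(srcip)</description>
  </rule>

</group>
```

To check it, run /var/ossec/bin/wazuh-logtest on the manager and paste the full constructed line, `Jun 11 07:33:20 fw-edge01 watchguard: msg_id="3000-0148" Deny 0-External 1-Trusted 60 tcp 20 64 203.0.113.7 10.10.0.5 51234 3389`; under these assumptions the output should show decoder `watchguard-traffic`, the nine extracted fields, and rule 100101 firing. Restart wazuh-manager after saving the files so the new decoders and rules are loaded.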

MaP

Jun 12, 2024, 3:36:19 AM
to Wazuh | Mailing List
Hi Maha,

So I think someone has already thought about WatchGuard decoders. Take a look at the following:

Also you may have a look at 
which describes the possible log format.
With the information from Gonzalo it should be possible to get it to work.


Have a nice 
Marcel
