All-in-One Watchguard Content Pack

Content Pack

Graylog Content Pack for Watchguard Fireware Logging

ThoZed

free!

Download from Github View on Github 3 16

Published

17 Jul 15:00

Last Push

12 Aug 15:03

Marketplace Rating

Discussion

4 Comments

Readme from Github

Graylog Content Pack for Watchguard

This content pack sturctures and enriches log messages which are generated and shipped by Watchguard Fireware. The logs are parsed to enable all the wonderful features of Graylog. :-)

Fireware log format

The log messages include a message ID which can be extracted by the following expression.

^.*msg_id=\"(\S\S\S\S-\S\S\S\S)\"

The resulting msg_id is used by the extractors to lookup msg_name,msg_area,msg_level and msg_desc fields.

With the help of this information it is easier to read the incoming log messages. Every message provides additional information which can be used for search queries.

The extractor access a lookup table which uses a data adapter to read the csv file.

This file is a list similar to the Fireware log catalog

The msg_id is used as a key to identify the format of the log message. Based on that the extractor rule of the graylog input is setup for each msg_id separately.

Prerequisites

graylog up and running :)
- Installing Graylog
copy csv files to /etc/graylog
configure Fireware to send logs

System Manager -> Setup -> Logging -> - [x] send syslog mess...

-IP-Address:

-Port: 55514(content pack default port)

Import Content Pack

You can import the complete content in one File. Just upload content-pack-graylog-cp-watchguard.json in System/Content Pack Section of Graylog and install. With the parameters for input port and lookup table file path you can customize the content pack to suit your needs.

if you run into trouble while importing or updating it may be helpful to remove every component an start afresh.

Streams

With the help of streams it is possible to narrow your search results to the following areas:

Proxy
Management
Firewall
Networking
Cluster
Security Services
VPN
Mobile Security
INFO
WARNING
ERROR
DEBUG

The streams are also useful to allow user access only for certain messages.

Dashboard

With the integrator panel you are able to see which messages have a missing extractor. The timeline shows incoming and unextracted messages.

With the incident panel you have a quick overview of firewall traffic and counts of different messages types. Its also a good point to start digging the logs, in case of an incident. The fact that graylog also provides an alert engine as well as an plugin for thread intelligence you can turn your Watchguard into an universal adaptable SIEM enabled device.

Contribute

Please help adding extractors to the input to be able to facilitate structured searches of every kind of msg_id.

How to:

find missing extractor for msg_id
figure out how values can be matched
build regex,grok, ... use: https://grokconstructor.appspot.com/do/match or: https://www.debuggex.com/
test
create pull request

cheers:-)

Your Rating

Please sign in to rate this add-on.

Comments

ThoZed about 1 year ago

Latest release 0.6, graylog 3.x ready

ThoZed over 2 years ago

Hello ryan-durbin,
indeed - the link is broken. It's because i had to split the content pack into two parts.
Please use the [latest_release](https://github.com/ThoZed/graylog-cp-watchguard/releases) from github.
Also check the new Readme.md in development branch:-)

If there are any further issues be so kind and open them in github.
Have a nice day
Thomas

ryan-durbin over 2 years ago

Hello, I cannot get this to work. I am pretty new to graylog but when I click the download link on this site I get a 404 error. When I download the files from your github I cannot figure out what file works as content packs or input file. I've had no success at all. Any help would be appreciated. Thank you

ThoZed over 2 years ago

feel free to contribute:-) - 570 message id's still waiting for an extractor.

Please sign in to comment.

Back to listing