All-in-One Watchguard Content Pack

Content Pack

Graylog Content Pack for Watchguard Fireware Logging

ThoZed

free!

Download from Github View on Github 2 4

Published

21 Jun 13:00

Last Push

01 Jul 17:15

Marketplace Rating

Discussion

4 Comments

Readme from Github

Graylog Content Pack for Watchguard

This Content Pack enables you to parse the logs which are generated and shipped by Watchguard Fireware. The Logs are parsed to enable dashboards, streams and structured search queries.

Fireware log format

The logs messages include a message ID which could be extracted by using following Expression.

^.*msg_id=\"(\S\S\S\S-\S\S\S\S)\"

The resulting msg_id is used by the extractors to lookup msg_name,msg_area,msg_level and msg_desc fields.

With the help of this information it is more easy to read the incoming log messages. Every message provides additional information which could be used for search queries.

The extractor calls a lookup table which uses a data adapter to read the csv file.

This file is a list similar to the Fireware log catalog

Prerequisites

graylog up and running :)
- Installing Graylog
copy csv files to /etc/graylog
configure Fireware to send logs

System Manager -> Setup -> Logging -> - [x] send syslog mess...

-IP-Address:

-Port: 55514

Import Content Pack

Because you have to import the content in order the content pack consists following files:

content_pack_lookuptables.json
content_pack_input.json
content_pack_dashboard.json

please apply the lookuptables first.

if you run into trouble while importing or updating it may be helpful to remove every component an start fresh.

Extractors

Dashboard

with the integrator panel you are able to see which messages have a missing extractor. The timeline shows incoming and unextracted messages.

Your Rating

Please sign in to rate this add-on.

Comments

ThoZed 2 months ago

Latest release 0.6, graylog 3.x ready

ThoZed about 1 year ago

Hello ryan-durbin,
indeed - the link is broken. It's because i had to split the content pack into two parts.
Please use the [latest_release](https://github.com/ThoZed/graylog-cp-watchguard/releases) from github.
Also check the new Readme.md in development branch:-)

If there are any further issues be so kind and open them in github.
Have a nice day
Thomas

ryan-durbin over 1 year ago

Hello, I cannot get this to work. I am pretty new to graylog but when I click the download link on this site I get a 404 error. When I download the files from your github I cannot figure out what file works as content packs or input file. I've had no success at all. Any help would be appreciated. Thank you

ThoZed over 1 year ago

feel free to contribute:-) - 570 message id's still waiting for an extractor.

Please sign in to comment.

Back to listing