Graylog Content Pack for Watchguard
This Content Pack enables you to parse the logs generated and shipped by Watchguard Fireware. The logs are parsed to enable dashboards, streams and structured search queries.
Fireware log format
The log messages include a message ID, which can be extracted with the following expression.
The resulting msg_id is used by the extractors to look up the msg_name, msg_area, msg_level and msg_desc fields.
With this information the incoming log messages are much easier to read, and every message carries additional fields that can be used in search queries.
The extractor calls a lookup table, which uses a data adapter to read the CSV file.
This file is a list similar to the Fireware log catalog.
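As an added example (not part of this content pack), the extractor-plus-lookup flow described above in Python: it assumes the message ID appears in the line as msg_id="NNNN-NNNN", uses a constructed catalog CSV and constructed sample syslog lines, and flags messages that would show up as unextracted.

```python
import csv
import io
import re

# Constructed sample catalog in the shape the content pack's CSV lookup uses
# (msg_id -> msg_name, msg_area, msg_level, msg_desc). Values are illustrative,
# not copied from the Fireware log catalog.
CATALOG_CSV = """msg_id,msg_name,msg_area,msg_level,msg_desc
3000-0148,Allow,Traffic,Information,Traffic allowed by a policy
3000-0150,Deny,Traffic,Information,Traffic denied by a policy
"""

# Assumed shape of the message-ID expression: Fireware writes msg_id="NNNN-NNNN".
MSG_ID_RE = re.compile(r'msg_id="(?P<msg_id>\d{4}-\d{4})"')

LOOKUP_FIELDS = ("msg_name", "msg_area", "msg_level", "msg_desc")

# Constructed sample syslog lines: one allow, one deny, one unknown id, one with no id.
SAMPLE_LINES = [
    'Jan 10 12:00:01 fw1 firewall: msg_id="3000-0148" Allow 10.0.0.5 203.0.113.7 tcp',
    'Jan 10 12:00:02 fw1 firewall: msg_id="3000-0150" Deny 198.51.100.9 10.0.0.5 tcp',
    'Jan 10 12:00:03 fw1 firewall: msg_id="9999-0001" Something new',
    'Jan 10 12:00:04 fw1 sshd: session opened for user admin',
]


def load_catalog(text):
    """Data adapter stand-in: read the CSV into a dict keyed by msg_id."""
    return {row["msg_id"]: row for row in csv.DictReader(io.StringIO(text))}


def enrich(line, catalog):
    """Extractor + lookup: return the fields Graylog would add, flagging unextracted lines."""
    match = MSG_ID_RE.search(line)
    if not match:
        return {"msg_id": None, "unextracted": True}    # no id: extractor would not fire
    msg_id = match.group("msg_id")
    row = catalog.get(msg_id)
    if row is None:
        return {"msg_id": msg_id, "unextracted": True}  # id not in catalog: update the CSV
    fields = {"msg_id": msg_id, "unextracted": False}
    fields.update((key, row[key]) for key in LOOKUP_FIELDS)
    return fields


def unextracted_ids(lines, catalog):
    """Like the integrator panel: list the ids (or None) that had no catalog entry."""
    return [f["msg_id"] for f in (enrich(line, catalog) for line in lines) if f["unextracted"]]


if __name__ == "__main__":
    cat = load_catalog(CATALOG_CSV)
    for line in SAMPLE_LINES:
        print(enrich(line, cat))
```

Lines reported by unextracted_ids are the ones to check against the catalog CSV or the extractor expression.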
Import Content Pack
- Graylog up and running :)
- copy the CSV files to
- configure Fireware to send logs: System Manager -> Setup -> Logging -> [x] send syslog mess...
Because the content has to be imported in order, the content pack consists of the following files:
Please apply the lookup tables first.
If you run into trouble while importing or updating, it may help to remove every component and start fresh.
With the integrator panel you can see which messages are missing an extractor. The timeline shows incoming and unextracted messages.