Graylog Content Pack for Watchguard Fireware Logging

ThoZed/graylog-cp-watchguard


graylog-cp-watchguard_2

Graylog Content Pack for Watchguard

This content pack structures and enriches the log messages generated and shipped by WatchGuard Fireware. The logs are parsed so that all the wonderful features of Graylog can be used on them. :-)

Fireware log format

The log messages include a message ID which can be extracted by the following expression.

^.*msg_id=\"(\S\S\S\S-\S\S\S\S)\"

The resulting msg_id is used by the extractors to look up the msg_name, msg_area, msg_level and msg_desc fields.

This information makes the incoming log messages easier to read, and every message gains additional fields that can be used in search queries.

The extractor accesses a lookup table which uses a data adapter to read the CSV file.

This file is a list similar to the Fireware log catalog.

The msg_id is used as a key to identify the format of the log message. Based on it, an extractor rule on the Graylog input is set up separately for each msg_id.
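The extraction and lookup steps described above, as an added Python example that is not part of the content pack: it applies the msg_id pattern to a few constructed Fireware-style lines, joins the result against a constructed excerpt in the shape of the lookup CSV, and flags messages that could not be enriched (no msg_id, or an id missing from the table), which is the condition the integrator dashboard panel reports. The CSV rows and the log lines are illustrative; the real field values come from the Fireware log catalog.

```python
import csv
import io
import re

# The content pack's extractor pattern is ^.*msg_id=\"(\S\S\S\S-\S\S\S\S)\";
# with re.search the leading ^.* is redundant, so it is dropped here.
# Fireware msg_ids are hex pairs such as 3000-0148 (assumption); tightening
# \S to [0-9A-Fa-f] would reject malformed ids before the lookup runs.
MSG_ID_RE = re.compile(r'msg_id="(\S{4}-\S{4})"')

# Constructed excerpt in the shape of the content pack's lookup CSV. The
# rows are illustrative; take real entries from the Fireware log catalog.
LOOKUP_CSV = """msg_id,msg_name,msg_area,msg_level,msg_desc
3000-0148,Allow,Firewall,INFO,Traffic allowed by a firewall policy
3000-0149,Deny,Firewall,WARNING,Traffic denied by a firewall policy
"""

# Constructed Fireware-style syslog lines: two with ids in the table, one
# with an id missing from the table, and one without any msg_id.
SAMPLE_LINES = [
    'Oct  3 10:15:01 fw1 80BE (2019-10-03T10:15:01) firewall: msg_id="3000-0148" '
    'Allow 1-Trusted 0-External 60 tcp 20 64 10.0.1.20 93.184.216.34 51234 443 '
    'offset 10 S 1 win 8192 (HTTPS-00)',
    'Oct  3 10:15:02 fw1 80BE (2019-10-03T10:15:02) firewall: msg_id="3000-0149" '
    'Deny 0-External 1-Trusted 40 tcp 20 112 198.51.100.7 203.0.113.5 40000 22 '
    'offset 5 S 0 win 1024 (Unhandled External Packet-00)',
    'Oct  3 10:15:03 fw1 80BE (2019-10-03T10:15:03) http-proxy: msg_id="1AFF-0021" '
    'ProxyDeny: HTTP header too long',
    'Oct  3 10:15:04 fw1 80BE (2019-10-03T10:15:04) kernel: link up on eth0',
]

LOOKUP_FIELDS = ("msg_name", "msg_area", "msg_level", "msg_desc")


def load_lookup(csv_text):
    """Build the msg_id -> row table that Graylog's CSV data adapter serves."""
    return {row["msg_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(line, lookup):
    """Extract the msg_id from one line and attach the lookup fields.

    The returned dict always carries 'extracted'; when it is False, 'reason'
    says why, which is what a "missing extractor" panel needs to show.
    """
    result = {"message": line, "extracted": False}
    match = MSG_ID_RE.search(line)
    if match is None:
        result["reason"] = "no msg_id in message"
        return result
    msg_id = match.group(1)
    result["msg_id"] = msg_id
    row = lookup.get(msg_id)
    if row is None:
        result["reason"] = "msg_id not in lookup table"
        return result
    for field in LOOKUP_FIELDS:
        result[field] = row[field]
    result["extracted"] = True
    return result


def process(lines, lookup):
    """Enrich every line, mirroring what the input's extractors do per message."""
    return [enrich(line, lookup) for line in lines]


def unextracted(results):
    """Messages the integrator panel would list as missing an extractor."""
    return [r for r in results if not r["extracted"]]


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for r in process(SAMPLE_LINES, table):
        print(r.get("msg_id", "-"), r.get("msg_area", "-"),
              r.get("msg_level", "-"), r.get("reason", r.get("msg_name")))
```

Running it lists the two Firewall messages with their area and level, and the last two lines with the reason they stayed unextracted; in Graylog those two are exactly the messages a new per-msg_id extractor (and a matching CSV row) would have to cover.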

Prerequisites

  1. Graylog up and running :)

  2. Copy the CSV files to /etc/graylog (the lookup table file path is a parameter of the content pack)

  3. Configure Fireware to send logs:

    System Manager -> Setup -> Logging -> - [x] send syslog mess...

    -IP-Address: (address of your Graylog server)

    -Port: 55514 (content pack default port)
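Before pointing the firewall at Graylog it is useful to confirm that the input on port 55514 actually receives a message. The following is an added Python smoke test, not part of the content pack, that sends one constructed Fireware-style syslog line to the input. It assumes the content pack's input is a syslog UDP input; the device name, msg_id and the body of the line are illustrative. Keep in mind that syslog over UDP carries no authentication, so anything that can reach that port can inject lines shaped like firewall logs; restrict the port at the network level to the firewall's address.

```python
import socket
import sys
import time

DEFAULT_PORT = 55514  # content pack default input port


def build_test_message(device="fw1", msg_id="3000-0148"):
    """Return one constructed Fireware-style syslog line.

    <134> is the RFC 3164 PRI for facility local0, severity info. The text
    after 'firewall:' mimics a policy allow message and carries a msg_id so
    the content pack's msg_id extractor has something to match.
    """
    now = time.localtime()
    header = time.strftime("%b %d %H:%M:%S", now)
    iso = time.strftime("%Y-%m-%dT%H:%M:%S", now)
    return (f'<134>{header} {device} 80BE ({iso}) firewall: msg_id="{msg_id}" '
            'Allow 1-Trusted 0-External 60 tcp 20 64 10.0.1.20 93.184.216.34 '
            '51234 443 offset 10 S 1 win 8192 (HTTPS-00)')


def send_test_message(graylog_ip, port=DEFAULT_PORT):
    """Send the line as one UDP datagram and return the number of bytes sent."""
    payload = build_test_message().encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (graylog_ip, port))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} GRAYLOG_IP [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    sent = send_test_message(sys.argv[1], port)
    print(f"sent {sent} bytes to {sys.argv[1]}:{port}")
```

After running it, search Graylog for msg_id:"3000-0148"; if the message arrived but the msg_id field is absent, the input is reachable but the extractors of the content pack are not attached to it.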

Import Content Pack

You can import the complete content pack from one file. Just upload content-pack-graylog-cp-watchguard.json in the System/Content Packs section of Graylog and install it. The parameters for the input port and the lookup table file path let you customize the content pack to suit your needs.

If you run into trouble while importing or updating, it may help to remove every component and start afresh.

Streams

With the help of streams it is possible to narrow your search results to the following areas:

  • Proxy
  • Management
  • Firewall
  • Networking
  • Cluster
  • Security Services
  • VPN
  • Mobile Security
  • INFO
  • WARNING
  • ERROR
  • DEBUG

The streams are also useful for restricting user access to only certain messages.

Dashboard

The integrator panel shows which messages are missing an extractor. Its timeline plots incoming and unextracted messages.

The incident panel gives a quick overview of firewall traffic and counts of the different message types. It is also a good starting point for digging through the logs in case of an incident. Since Graylog also provides an alert engine and a threat intelligence plugin, the WatchGuard logs can be used for SIEM-style alerting and enrichment.

Contribute

Please help by adding extractors to the input so that every kind of msg_id can be searched in a structured way.

How to:

cheers:-)