The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

The Stormshield firewall is a security solution that provides real-time protection, control, supervision, and content filtering through IPS, application control, AV, URL filtering, vulnerability detection, anti-spam, etc. This technology pack processes Stormshield log messages, providing normalization and enrichment of common events of interest.

Prerequisite(s)

  • Stormshield Firewall running Stormshield Network Security (SNS) version 2+.

  • Graylog Server with a valid enterprise license, running Graylog version 4.3.0+.

Warning: This spotlight requires a more recent version of Graylog due to a change in functionality. Fields will be improperly processed if using a version earlier than Graylog 4.3.0.

Not Supported

  • N/A

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Stormshield Firewall Messages”

Hint: If this stream does not exist prior to the activation of this pack, it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Stormshield Firewall Logs”

Hint: If this index set is already defined, nothing will be changed. If this index set does not exist, it will be created with daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

id=firewall time="2022-11-25 16:30:33" fw="SN710_ABCD" tz=+0100 startime="2022-11-25 16:30:32" pri=5 confid=01 slotlevel=2 ruleid=208 srcif="vlan4" srcifname="20_SOMETHING" ipproto=tcp dstif="vlan3" dstifname="1000_XYZ" proto=http_proxy src=10.10.20.13 srcport=42006 srcportname=ephemeral_fw_tcp srcname=SOMENAME srcmac=xx:6b:8d:9a:da:13 dst=192.168.1.1 dstport=8080 dstportname=http_proxy dstname=Protect-DMZ ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"

Requirements

  • Configure Stormshield Firewall to transmit Syslog to your Graylog server Syslog input.

What is Provided

  • Rules to normalize and enrich Stormshield firewall log messages.

  • A Stormshield Spotlight content pack (dashboard and saved search).

Stormshield Firewall Log Message Processing

The Illuminate processing of Stormshield Firewall log messages provides the following:

  • Field extraction, normalization, and message enrichment for Stormshield Firewall log messages.

  • GIM Categorization of the following messages:

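| Stormshield Firewall Logtype | GIM Category | GIM Subcategory    |
|------------------------------|--------------|--------------------|
| filter                       | network      | network.connection |
| connection                   | network      | network.connection |
| alarm                        | alert        | alert.default      |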
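
To check what a given Stormshield line should be categorized as before or after it reaches Graylog, the following added example (not Graylog's Illuminate rules or code from this page) parses the key=value format shown under "Log Format Example" and applies the logtype mapping from the table above. The output key names and the helper names are illustrative assumptions, and the parser assumes quoted values contain no embedded double quotes.

```python
import ipaddress
import re

# Stormshield logtype -> (GIM category, GIM subcategory), from the table above.
GIM_BY_LOGTYPE = {
    "filter": ("network", "network.connection"),
    "connection": ("network", "network.connection"),
    "alarm": ("alert", "alert.default"),
}

# key=value or key="value with spaces"; assumes no embedded double quotes.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Abridged copy of the sample line from "Log Format Example".
SAMPLE = (
    'id=firewall time="2022-11-25 16:30:33" fw="SN710_ABCD" tz=+0100 '
    'ruleid=208 ipproto=tcp proto=http_proxy src=10.10.20.13 srcport=42006 '
    'dst=192.168.1.1 dstport=8080 action=pass logtype="filter"'
)


def parse_fields(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def _ip(value):
    """Return the canonical IP string, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def normalize(line):
    """Parse a line and attach the category pair; output keys are illustrative."""
    f = parse_fields(line)
    category, subcategory = GIM_BY_LOGTYPE.get(
        f.get("logtype", "").lower(), (None, None))
    return {
        "category": category, "subcategory": subcategory,
        "src_ip": _ip(f.get("src", "")), "dst_ip": _ip(f.get("dst", "")),
        "dst_port": int(f["dstport"]) if f.get("dstport", "").isdecimal() else None,
        "action": f.get("action"), "timestamp": f.get("time"),
    }
```

A logtype outside the three listed in the table yields `None` for both category values, which makes uncategorized messages easy to spot when validating a new firewall's output.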

Stormshield Firewall Spotlight Content Pack

The Stormshield Firewall Spotlight content pack contains:

  • Dashboard: Stormshield Network Firewall Overview

    • Stormshield Overview tab

    • Alerts tab

  • Saved Search: Stormshield Firewall Log Viewer

    • Saved search based on event severity