The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
WatchGuard's Firebox is a unified security platform that covers traditional traffic, protecting an environment from intrusions, phishing attempts, malware, ransomware, and more. Both the hardware and virtual Firebox appliances are feature rich, allowing the appliance to run features such as stateful firewall, IPS, application control, web blocker, VPN, and more. This technology pack will process Firebox event log messages, providing normalization and enrichment of common events of interest.
Requirement(s):
-
Watchguard Firebox running Fireware 12.x
-
Graylog Server with a valid Enterprise license, running Graylog version 4.2.5, 4.3.0, or later.
-
Watchguard Firebox configured to send logs to Graylog via syslog
Stream Configuration:
This technology pack includes one stream:
-
"Illuminate:WatchGuard Device Messages”
If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.
Index Set Configuration:
This technology pack includes one index set definition:
-
“WatchGuard Device Logs”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with default retention settings of a daily rotation and 90 days of retention, with 4 shards per index. It is strongly recommended to review and adjust these settings to best suit your environment.
Log Format Example:
DEV01 0011223344556 (2022-09-01T13:58:33) firewall: msg_id="3000-0148" Allow External Inside 44 tcp 20 238 10.11.12.13 192.168.1.10 58325 60951 offset 6 S 3172487743 win 4 geo_src="USA" geo_dst="USA" (Inbound Policy-00)
What is Provided:
-
Rules to normalize and enrich event log messages
-
A Spotlight content pack
-
Dashboard
-
Saved search
-
Log Message Processing
Illuminate will identify Watchguard Firebox event log messages and add the field event_source_product
with the value watchguard_firebox
.
The Illuminate processing of Watchguard Firebox log messages provides the following:
-
Field extraction, normalization and message enrichment for Watchguard Firebox log messages
-
Graylog Schema compliance
Spotlight Content Pack
The Spotlight content pack contains:
-
Dashboard: Illuminate:WatchGuard Firebox Overview
-
Overview tab: Summary of Firebox device operations
-
Saved search: Two widgets and a tailored log view
-
Configuring Log Delivery
This process assumes that a local Syslog input has been created on the Graylog server. The port configured for the input must match what's configured on the Firebox side.
Configuration from the Fireware Web UI and Policy Manager
-
Select System > Logging in the Fireware Web UI or Setup > Logging in Policy Manager
-
Click the Syslog Server tab
-
Select the Send log messages to these syslog servers
-
Click Add
-
Type the Graylog server IP address in the IP Address text box
-
In the Port text box, match the port configured on the input side of the Graylog server
-
Select Syslog from the Log Format drop-down list
-
Check off the time stamp and serial number of the device boxes so they are included
-
Select the syslog facility for each type of log message (Local0-7). Alarm should be set to Local0 for high priority.
-
Click Save
Appendix A: Log Event Catalog
-
The Illuminate Watchguard Firebox content will process the following events:
event_id
|
gim_event_category
|
gim_event_subcategory
|
gim_event_type
|
---|---|---|---|
1100-0004 | authentication | authentication.logon | logon |
1100-0005 | authentication | authentication.logon | logon |
1AFF-0005 | - | - | - |
1AFF-0018 | - | - | - |
1AFF-001A | - | - | - |
1AFF-001B | - | - | - |
1AFF-0021 | - | - | - |
1AFF-0024 | - | - | - |
1AFF-0025 | - | - | - |
1AFF-0026 | - | - | - |
1AFF-002C | - | - | - |
1AFF-002E | - | - | - |
1AFF-0033 | - | - | - |
1AFF-0036 | - | - | - |
1AFF-003D | - | - | - |
2CFF-0000 | - | - | - |
2CFF-0001 | - | - | - |
2CFF-0005 | - | - | - |
2DFF-0001 | - | - | - |
2DFF-0005 | - | - | - |
3000-0148 | - | - | - |
3000-0149 | - | - | - |
3000-0150 | - | - | - |
3000-0152 | - | - | - |
3000-0153 | - | - | - |
3000-0154 | - | - | - |
3000-0155 | - | - | - |
3000-0156 | - | - | - |
3000-0157 | - | - | - |
3000-0158 | - | - | - |
3000-0159 | - | - | - |
3000-0160 | - | - | - |
3000-0161 | - | - | - |
3000-0162 | - | - | - |
3000-0163 | - | - | - |
3000-0164 | - | - | - |
3000-0165 | - | - | - |
3000-0166 | - | - | - |
3000-0167 | - | - | - |
3000-0168 | - | - | - |
3000-0169 | - | - | - |
3000-0170 | - | - | - |
3000-0171 | - | - | - |
3000-0172 | - | - | - |
3000-0173 | - | - | - |