ThoZed / graylog-cp-watchguard

Graylog Content Pack for Watchguard Fireware Logging
MIT License

Graylog Content Pack for Watchguard

This content pack structures and enriches the log messages generated and shipped by WatchGuard Fireware. The logs are parsed to enable all the wonderful features of Graylog. :-)

Fireware log format

Every log message includes a message ID, which can be extracted with the following expression.

^.*msg_id=\"(\S\S\S\S-\S\S\S\S)\"

The resulting msg_id is used by the extractors to look up the msg_name, msg_area, msg_level and msg_desc fields.

With the help of this information the incoming log messages are easier to read, and every message carries additional fields that can be used in search queries.

The extractor accesses a lookup table which uses a data adapter to read the CSV file.

This file is a list similar to the Fireware log catalog.

The msg_id is used as the key that identifies the format of the log message. Based on that, the extractor rule of the Graylog input is set up for each msg_id separately.
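As an added example (not code from this repository), the script below performs the same extract-and-lookup pipeline offline: it applies the msg_id expression from above, resolves the id against a CSV catalog with the README's four fields, and flags messages that either carry no msg_id at all or carry one the catalog does not know yet. The catalog rows and the Fireware-style log lines are constructed for this example; only the field names and the regular expression come from the README.

```python
import csv
import io
import re

# msg_id expression from the README; re.match anchors it at the start like the "^" intends.
MSG_ID_RE = re.compile(r'^.*msg_id="(\S\S\S\S-\S\S\S\S)"')

# Constructed stand-in for the lookup CSV that the content pack reads from /etc/graylog.
# Column names follow the README; the rows themselves are invented for this example.
CATALOG_CSV = """msg_id,msg_name,msg_area,msg_level,msg_desc
1000-0001,Example Traffic Allow,Traffic,Information,Constructed entry for an allowed connection
1000-0002,Example Login Failure,Management,Warning,Constructed entry for a failed admin login
"""

# Constructed Fireware-style syslog lines (not captured from a real firewall).
SAMPLE_LOGS = [
    'Jan 10 12:00:01 fw01 firewall: msg_id="1000-0001" Allow 1-Trusted 0-External 52 tcp 10.0.1.20 203.0.113.5 51234 443 (HTTPS-00)',
    'Jan 10 12:00:02 fw01 admd: msg_id="1000-0002" Authentication of admin user failed from 198.51.100.7',
    'Jan 10 12:00:03 fw01 firewall: msg_id="1000-9999" Some message the catalog does not know yet',
    'Jan 10 12:00:04 fw01 sessiond: keepalive without any message id',
]


def load_catalog(csv_text):
    """Read the catalog CSV into a dict keyed by msg_id (what the data adapter does)."""
    catalog = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        catalog[row["msg_id"]] = row
    return catalog


def extract_msg_id(line):
    """Return the msg_id from a log line, or None when the expression does not match."""
    match = MSG_ID_RE.match(line)
    return match.group(1) if match else None


def enrich(line, catalog):
    """Extract msg_id and merge the catalog fields, mirroring the Graylog extractor + lookup.

    'unextracted' marks lines without a msg_id; 'extractor_missing' marks ids that
    are not in the catalog yet, which is what the integrator panel surfaces.
    """
    record = {
        "message": line,
        "msg_id": None, "msg_name": None, "msg_area": None,
        "msg_level": None, "msg_desc": None,
        "unextracted": False, "extractor_missing": False,
    }
    msg_id = extract_msg_id(line)
    if msg_id is None:
        record["unextracted"] = True
        return record
    record["msg_id"] = msg_id
    entry = catalog.get(msg_id)
    if entry is None:
        record["extractor_missing"] = True
        return record
    record.update(entry)
    return record


def summarize(lines, catalog):
    """Count how many lines were fully enriched, lacked a catalog entry, or had no msg_id."""
    counts = {"enriched": 0, "extractor_missing": 0, "unextracted": 0}
    for line in lines:
        record = enrich(line, catalog)
        if record["unextracted"]:
            counts["unextracted"] += 1
        elif record["extractor_missing"]:
            counts["extractor_missing"] += 1
        else:
            counts["enriched"] += 1
    return counts


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_CSV)
    for line in SAMPLE_LOGS:
        r = enrich(line, catalog)
        print(r["msg_id"], r["msg_level"], r["msg_name"], "missing" if r["extractor_missing"] else "")
    print(summarize(SAMPLE_LOGS, catalog))
```

Running it on the constructed lines yields two enriched messages, one with a msg_id the catalog lacks (the case the integrator panel is meant to reveal) and one without any msg_id. Adding the missing id to the CSV is exactly the contribution the README asks for.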

Prerequisites

  1. Graylog up and running :)
  2. copy the CSV files to /etc/graylog
  3. configure Fireware to send logs

     System Manager -> Setup -> Logging -> [x] send syslog mess...

     - IP-Address:
     - Port: 55514 (content pack default port)

Import Content Pack

You can import the complete content pack in one file. Just upload content-pack-graylog-cp-watchguard.json in the System / Content Packs section of Graylog and install it. The parameters for the input port and the lookup table file path let you customize the content pack to suit your needs.

If you run into trouble while importing or updating, it may help to remove every component and start afresh.

Streams

With the help of streams it is possible to narrow your search results to the following areas:

The streams are also useful for restricting user access to certain messages only.

Dashboard

The integrator panel shows which messages have no matching extractor. Its timeline shows incoming and unextracted messages.

The incident panel gives a quick overview of firewall traffic and counts of the different message types. It's also a good point to start digging through the logs in case of an incident. Since Graylog also provides an alert engine as well as a plugin for threat intelligence, you can turn your WatchGuard into a universally adaptable, SIEM-enabled device.

Contribute

Please help add extractors to the input so that structured searches are possible for every kind of msg_id.

How to:

cheers :-)