Hi Rob,

I don't think anyone did this yet. Can you share some of your logs with us? We can certainly help writing some rules/decoders if we get some samples...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 2, 2009 at 10:47 AM, <[email protected]> wrote:
>
> Hi,
> Has anyone got OSSEC to parse Watchguard Firebox logs? I have my
> logs coming in via syslog, and being stored, but if I run them through
> logtest they get recognized as Debian dpkg logs, so I guess ossec is
> pretty much ignoring them.
>
> The format seems to be missing a unique key to spot the logs as being
> from the watchguards, sadly. We are considering using the firebox
> system name to identify them (e.g. adding wg_ at the start of all our
> firewall system names so I can match on a regexp with that string in
> it). However, before I spend time on this, I wonder whether anyone
> else has already done the hard work?
>
> If not, any pointers to instructions on writing new decoders and rules
> would be most welcome. If I get anything worth sharing, I'll offer it
> back to the project or at least post my findings here.
>
> Rob
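The approach Rob sketches above (syslog lines with no distinctive program name, keyed instead on a `wg_` prefix in the firewall's system name) can be illustrated in a few lines of Python. This is an added example, not OSSEC code and not anything from the thread: it mimics what a decoder pass does, parsing the syslog header, checking the hostname prefix, and only then pulling fields out of the message body. The sample log lines and the field layout after the hostname are constructed for the example; real Firebox output will differ, and a real deployment would express the same idea in OSSEC's decoder and rules files rather than in Python.

```python
import re
from typing import Optional

# Constructed sample lines (not real Watchguard output). The two firewall
# entries carry no program name such as "kernel:" or "dpkg:", which is why
# a generic syslog decoder cannot tell them apart from anything else; the
# only stable key is the hostname, which the thread proposes to prefix with wg_.
SAMPLE_LOGS = [
    "Mar  2 10:47:01 wg_fw-edge1 Allow 192.0.2.10 198.51.100.5 http/tcp 51122 80",
    "Mar  2 10:47:02 wg_fw-edge1 Deny 203.0.113.9 192.0.2.10 ssh/tcp 40001 22",
    "Mar  2 10:47:03 web01 dpkg: status installed openssl 0.9.8g",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS hostname <rest of message>".
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# The unique key Rob proposes: every firewall's system name starts with wg_.
WATCHGUARD_HOST = re.compile(r"^wg_")

# Hypothetical field layout for the constructed sample body:
# "<action> <srcip> <dstip> <service>/<proto> <srcport> <dstport>".
WATCHGUARD_FIELDS = re.compile(
    r"^(?P<action>Allow|Deny) (?P<srcip>\S+) (?P<dstip>\S+) "
    r"(?P<service>\S+)/(?P<proto>\S+) (?P<srcport>\d+) (?P<dstport>\d+)$"
)


def decode(line: str) -> Optional[dict]:
    """Emulate one decoder pass over a raw syslog line.

    Returns a dict of decoded fields when the line is keyed as a Watchguard
    entry, or None so that other decoders would get their turn (or the line
    falls through, as Rob observed with logtest).
    """
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None  # not even a syslog line we recognise
    host, rest = header.group("host"), header.group("rest")
    if not WATCHGUARD_HOST.match(host):
        return None  # no wg_ prefix: not one of the firewalls
    event = {"decoder": "watchguard", "hostname": host}
    fields = WATCHGUARD_FIELDS.match(rest)
    if fields:
        event.update(fields.groupdict())
    else:
        event["raw"] = rest  # keyed as firewall, but body layout unknown
    return event


def decode_all(lines):
    """Decode a batch of lines; entries that fall through are returned as None."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, event in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(line)
        print("   ->", event if event else "no decoder matched")
```

The point to take from the run is the third line: it has a perfectly good syslog header but no `wg_` hostname, so it is left to whatever other decoder claims `dpkg:`; the two firewall lines are claimed solely because of the hostname prefix, which is exactly the "unique key" Rob is looking for and the reason the naming convention has to be applied consistently on every Firebox before the rules are written.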
