Thanks. I'm also working on AQTRONIX WebKnight logs. Here are a few Watchguard examples. I've blanked a few bits of info. Note that we've adopted a convention of putting wg_ at the start of the system name so we can identify them as Watchguard logs, but perhaps this isn't the best way?
2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny" pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External" tcpinfo="offset 7 S 3884792327 win 65535" rc="101" msg="denied" pckt_len="48" ttl="128"

2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow" proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xxxxxusern...@active Directory"

2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny" pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535" dst_user="usern...@active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"

On Mar 10, 8:35 pm, Daniel Cid <[email protected]> wrote:
> Hi Rob,
>
> I don't think anyone did this yet. Can you share some of your logs
> with us? We can certainly help writing some rules/decoders if we get
> some samples...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Mar 2, 2009 at 10:47 AM, <[email protected]> wrote:
> >
> > Hi,
> > Has anyone got OSSEC to parse Watchguard Firebox logs? I have my
> > logs coming in via syslog, and being stored, but if I run them through
> > logtest they get recognized as Debian dpkg logs, so I guess ossec is
> > pretty much ignoring them.
> >
> > The format seems to be missing a unique key to spot the logs as being
> > from the watchguards, sadly. We are considering using the firebox
> > system name to identify them (e.g. adding wg_ at the start of all our
> > firewall system names so I can match on a regexp with that string in
> > it). However, before I spend time on this, I wonder whether anyone
> > else has already done the hard work?
> >
> > If not, any pointers to instructions on writing new decoders and rules
> > would be most welcome. If I get anything worth sharing, I'll offer it
> > back to the project or at least post my findings here.
> >
> > Rob
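As an added illustration, not part of the thread and not an OSSEC decoder, here is a small Python parser for the key="value" body of the Firebox lines above. It uses the wg_ system-name prefix Rob proposes as the prematch, handles the proxy[pid]: token and the backslash escapes in header values, and pulls the denied packets out as a summary. The sample lines are copied from the post with the same masking; the function names are my own.

```python
import re

# WatchGuard Firebox syslog body: a run of key="value" pairs. Values may
# contain spaces, parentheses and backslash escapes such as \x0d\x0a, so
# the value pattern accepts any escaped character before the closing quote.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# The "wg_" prefix is the naming convention proposed in the thread; with no
# fixed program name in the format it is the marker used here to recognise
# a Firebox line (the equivalent of an OSSEC decoder prematch).
SYSNAME_RE = re.compile(r'\b(wg_\S+)\s+disp="')

# Proxy events carry a "proxy[<pid>]:" token between disp and pri.
PROC_RE = re.compile(r'(\w+)\[(\d+)\]:')


def is_watchguard(line):
    """Cheap prematch: does this syslog line use the wg_ system-name convention?"""
    return SYSNAME_RE.search(line) is not None


def parse_watchguard(line):
    """Return a dict of fields for a Firebox log line, or None if it is not one."""
    m = SYSNAME_RE.search(line)
    if m is None:
        return None
    body = line[m.start():]
    fields = dict(KV_RE.findall(body))
    fields["sysname"] = m.group(1)
    proc = PROC_RE.search(body)
    if proc:
        fields["process"] = proc.group(1)
        fields["proxy_pid"] = proc.group(2)
    return fields


def deny_summary(lines):
    """Summarise denied packets as (src_ip, dst_ip, protocol, policy) tuples."""
    out = []
    for line in lines:
        f = parse_watchguard(line)
        if f and f.get("disp") == "Deny":
            out.append((f["src_ip"], f["dst_ip"], f["pr"], f["policy"]))
    return out


# Sample lines taken from the post above (addresses masked as in the post).
SAMPLE_LINES = [
    '2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough '
    'disp="Deny" pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" '
    'dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" '
    'src_intf="1-Trusted" dst_intf="0-External" tcpinfo="offset 7 S 3884792327 win 65535" '
    'rc="101" msg="denied" pckt_len="48" ttl="128"',
    r'2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough '
    r'disp="Allow" proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" '
    r'dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" '
    r'src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" '
    r'src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" '
    r'proxy_act="HTTP-Client" rule_name="Default" '
    r'header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xxxxxusern...@active Directory"',
    '2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough '
    'disp="Deny" pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" '
    'dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" '
    'src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535" '
    'dst_user="usern...@active Directory" rc="101" '
    'msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_watchguard(line)
        print(f["sysname"], f["disp"], f.get("process", "packet-filter"), f["policy"])
    for src, dst, pr, policy in deny_summary(SAMPLE_LINES):
        print("DENY", src, "->", dst, pr, "by", policy)
```

A dpkg line, or anything else without the wg_ prefix followed by disp=", is rejected by the prematch, which is the mis-classification Rob describes with logtest. The same two-stage shape (cheap prefix match, then field extraction) is how an OSSEC decoder for this format would be structured.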
