Did you check out the Watchguard Dimension appliance?

Eero
On 27.10.2015 at 10:49 AM, "Tero Onttonen" <tero.ontto...@gmail.com> wrote:

> Hi,
>
> I would be interested in finding a solution regarding Watchguard logs. I
> did not find one after some searching.
>
> Did this go any further?
>
> Br,
> Tero
>
> On Wednesday, March 11, 2009 at 2:11:44 PM UTC+2, rob.but...@gmail.com
> wrote:
>>
>> Thanks.  I'm also working on AQTRONIX WebKnight logs too.  Here's a few
>> watchguard examples.  I've blanked a few bits of info.  Note that
>> we've adopted a convention of putting wg_ at the start of the system
>> name so we can identify them as watchguard logs, but perhaps this
>> isn't the best way?
>>
>> 2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External"   tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" pckt_len="48" ttl="128"
>>
>> 2009 Mar 11 12:07:06 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" proxy_act="HTTP-Client" rule_name="Default" header="X-Channel-Host: channel138:8081\x0d\x0a" src_user="xxxxxusername@Active Directory"
>>
>> 2009 Mar 11 12:07:03 wa-hids1->195.xx.xx.xx 2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" policy="Unhandled External Packet-00" src_ip="192.168.30.11" dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" tcpinfo="offset 7 S 2723202119 win 65535"   dst_user="username@Active Directory" rc="101" msg="denied (decrypted packet, SA info: id 0x341e7636 )" pckt_len="48" ttl="128"
>>
>> On Mar 10, 8:35 pm, Daniel Cid <daniel....@gmail.com> wrote:
>> > Hi Rob,
>> >
>> > I don't think anyone did this yet. Can you share some of your logs
>> > with us? We can certainly
>> > help writing some rules/decoders if we get some samples...
>> >
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On Mon, Mar 2, 2009 at 10:47 AM,  <rob.butterwo...@gmail.com> wrote:
>> >
>> > > Hi,
>> > > Has anyone got OSSEC to parse Watchguard Firebox logs?  I have my
>> > > logs coming in via syslog, and being stored, but if I run them
>> > > through logtest they get recognized as Debian dpkg logs, so I guess
>> > > ossec is pretty much ignoring them.
>> >
>> > > The format seems to be missing a unique key to spot the logs as being
>> > > from the watchguards, sadly.  We are considering using the firebox
>> > > system name to identify them (e.g. adding wg_ at the start of all our
>> > > firewall system names so I can match on a regexp with that string in
>> > > it).  However, before I spend time on this, I wonder whether anyone
>> > > else has already done the hard work?
>> >
>> > > If not, any pointers to instructions on writing new decoders and
>> > > rules would be most welcome.  If I get anything worth sharing, I'll
>> > > offer it back to the project or at least post my findings here.
>> >
>> > > Rob
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
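Added illustration for the decoder question in the quoted thread (this is not code from the thread, from any of its participants, or from the OSSEC project): a small Python parser for the Firebox key="value" format shown in the three samples above. It applies the wg_ system-name convention Rob proposed as the identification key (the check an OSSEC <prematch> would perform) and maps the extracted keys to the field names an OSSEC decoder's <order> element would use. The sample lines are reconstructed from the three quoted entries with the OSSEC forwarder prefix removed; the key-to-field mapping (OSSEC_FIELDS) and the function names are assumptions for this example, not something the thread specifies. One caveat the samples make visible: proxy events carry a "proxy[15055]:" token in the middle of the line, between the pairs, so a decoder regex cannot assume the remainder is pairs only.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the three Firebox entries quoted in this thread,
# with the OSSEC forwarder prefix ("2009 Mar 11 12:07:07 wa-hids1->195.xx.xx.xx ")
# removed so each string is what the Firebox itself sent over syslog.
SAMPLE_LOGS: List[str] = [
    '2009-03-11 12:16:49 wg_Peterborough disp="Deny"   pri="1" '
    'policy="Unhandled Internal Packet-00" src_ip="172.12.10.26" '
    'dst_ip="81.137.245.126" pr="3085/tcp" src_port="2122" dst_port="3085" '
    'src_intf="1-Trusted" dst_intf="0-External"   '
    'tcpinfo="offset 7 S 3884792327 win 65535"   rc="101" msg="denied" '
    'pckt_len="48" ttl="128"',
    '2009-03-11 12:16:48 wg_Peterborough disp="Allow"  proxy[15055]: pri="4" '
    'policy="HTTP-proxy-00" src_ip="172.12.10.116" dst_ip="69.63.176.188" '
    'pr="http/tcp" src_port="58482" dst_port="80" src_intf="1-Trusted" '
    'dst_intf="0-External" src_ip_nat="195.99.165.66" src_port_nat="13917" '
    'rc="592" msg_id="262171" msg="ProxyStrip: HTTP Header match" '
    'proxy_act="HTTP-Client" rule_name="Default" '
    'header="X-Channel-Host: channel138:8081\\x0d\\x0a" '
    'src_user="xxxxxusername@Active Directory"',
    '2009-03-11 12:16:45 wg_Peterborough disp="Deny"   pri="1" '
    'policy="Unhandled External Packet-00" src_ip="192.168.30.11" '
    'dst_ip="172.12.10.130" pr="135/tcp" src_port="4533" dst_port="135" '
    'src_intf="WALAN_PELAN/IPsec" dst_intf="1-Trusted" '
    'tcpinfo="offset 7 S 2723202119 win 65535"   '
    'dst_user="username@Active Directory" rc="101" '
    'msg="denied (decrypted packet, SA info: id 0x341e7636 )" '
    'pckt_len="48" ttl="128"',
]

# Firebox line layout as seen in the samples: the device's own timestamp,
# the system name, then key="value" pairs (values may contain spaces and
# literal \x0d\x0a escapes, as in the header= field of the proxy event).
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sysname>\S+) (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Proxy events carry a "prog[pid]:" token between the pairs (second sample).
PROGRAM_RE = re.compile(r'\b(?P<prog>\w+)\[(?P<pid>\d+)\]:')

# Assumed mapping from Firebox keys to the field names an OSSEC decoder's
# <order> element would use; the thread does not specify one.
OSSEC_FIELDS = {
    "disp": "action", "src_ip": "srcip", "dst_ip": "dstip", "pr": "protocol",
    "src_port": "srcport", "dst_port": "dstport", "src_user": "srcuser",
    "dst_user": "dstuser", "msg_id": "id",
}


def parse_watchguard(line: str, prefix: str = "wg_") -> Optional[Dict[str, Any]]:
    """Parse one Firebox syslog line; return None if it is not one.

    Identification uses the system-name convention proposed in the thread:
    only lines whose system name starts with `prefix` are accepted.
    """
    m = HEADER_RE.match(line.strip())
    if not m or not m.group("sysname").startswith(prefix):
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Blank out quoted values before looking for prog[pid]: so a value such
    # as msg="... foo[1]: ..." cannot be mistaken for the program token.
    unquoted = re.sub(r'"[^"]*"', '""', rest)
    pm = PROGRAM_RE.search(unquoted)
    return {
        "timestamp": m.group("ts"),
        "system_name": m.group("sysname"),
        "program": pm.group("prog") if pm else None,
        "pid": int(pm.group("pid")) if pm else None,
        "fields": fields,
        "ossec": {OSSEC_FIELDS[k]: v for k, v in fields.items() if k in OSSEC_FIELDS},
    }


def count_denied(lines: List[str]) -> int:
    """Count Firebox lines with disp="Deny", the events a first rule set
    would usually alert on; lines that are not Firebox logs are skipped."""
    total = 0
    for line in lines:
        rec = parse_watchguard(line)
        if rec is not None and rec["fields"].get("disp") == "Deny":
            total += 1
    return total


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        rec = parse_watchguard(raw)
        print(rec["system_name"], rec["program"], rec["ossec"])
    print("denied:", count_denied(SAMPLE_LOGS))
```

Lines that do not start with the Firebox timestamp, or whose system name lacks the wg_ prefix, come back as None, which is the behaviour Rob described wanting: anything OSSEC would otherwise misread as a dpkg log is simply not claimed by this parser. The normalised "ossec" dictionary is what a decoder would hand to the rules, so it is the natural place to assert on when testing a new decoder against captured samples.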
