I am trying to analyze the data that goes through a precise firewall rule (Sophos firewall) in order to ensure better security. To this end, I made several Aggregation panels in a Dashboard to monitor and analyze this data daily. The problem that blocks me is that I am using the “fw_rule” field (from Sophos UTM Extractors) to identify the rule that I want to monitor, but when another rule is created above it, its number is increased by one. When that is the case, my Aggregation panels then collect data from the wrong rule.
Same thing when a rule is deleted, the position number of the monitored rule is decreased, and from this point, it is not monitored anymore.
I would like to find a solution to identify and monitor this firewall rule in a unique way, no matter what its position number is.
Has anyone encountered a similar issue?
In fact, there is no visible issue on the screen, as Graylog does not distinguish between stream rules. It just collects packets and extracts their firewall rule to display it in the panel. Therefore, I have no assurance that I am monitoring the right stream rule.
Can we get a visual on your stream rules?
I think you may be interpreting stream rules as message fields. In the screenshot there are no stream rules visible. You have two fields that I see, which are fw_fwrule and timestamp.
I would need to see what you are seeing to help you further, perhaps I could offer a suggestion on a widget or configuration.
What type of INPUT are you using?
What fields are available in the messages received?
NOTE: A simple way you can ensure that these are the right messages from your (Sophos firewall) is to create a new INPUT.
Here is the widget for just those devices coming in on that INPUT. From there you can filter even more data. I think doing it this way will solve your problem(s) now and in the future.
I only have a single INPUT, a raw/plaintext UDP one.
This INPUT receives logfiles from the firewall and extracts data from these into fields thanks to the extractor package that I installed.
This package allows me to use tons of fields related to the logfile data:
full_message
fw_action
fw_dstip
fw_dstmac
fw_dstport
fw_event
fw_function
fw_fwrule
fw_id
fw_initf
fw_length
fw_line
fw_method
fw_name
fw_outitf
fw_prec
fw_proto
fw_reason
fw_severity
fw_srcip
fw_srcmac
fw_srcport
fw_sub
fw_sys
fw_tcpflags
fw_tos
fw_ttl
fw_url
fw_user
fw_username
fw_variant
fw_virtual_ip
gl2_processing_timestamp
gl2_receive_timestamp
But none of these filters allows me to focus my widgets on a specific rule, as the value of the fw_fwrule field changes almost every week.
(As a new member of Graylog Community, I am limited to 1 screenshot per post).
Ok, I’m not quite getting what you want, but I did get more information about your environment. I need to ask a couple of questions to get a better understanding of what’s going wrong or what you want to do.
Let’s sum it up and see if I’m correct
You have all the fields created through some package you installed?
You can see these fields in the messages received?
The fields that were created by some package you installed don’t work on your widgets?
I think you want to create a widget for the field fw_fwrule?
The value/data of the field fw_fwrule changes every week?
Could you explain the statement above? Are you saying that you cannot make a widget from those fields?
When you stated specific rule are you referring to Stream rules?
There are different kinds of rules in Graylog, especially Streams, but if we’re focusing on Widgets, could you show a screenshot of which rules you are referring to? Or are you referring to fields in that statement?
A screenshot would work really well for explaining what you want or are trying to do. The screenshot above doesn’t really tell me much, only that those configurations work for that aggregation widget.
If the field fw_fwrule is always present in the log message and the data changes weekly, that seems normal, since the Timestamp field data changes every second.
And last, can you explain this statement below, I’m not sure what you mean.
Perhaps show an example of what you’re trying to do. I saw your statement that you’re limited on screenshots.
Maybe try these steps and show what happens, focusing on the FIELD fw_fwrule.
BTW this is version 4.2 BUT you can adapt it to your version.
Navigate to the upper left corner of the Web UI and click on “Search”.
On the Left pane click on the “+” sign then click on the Aggregation button shown below.
Now you should see this.
Click on edit button. There should be “+” signs shown. Click on those to see all your options.
For example, this widget counts the number of messages tagged with the fw_fwrule field value to 433, and displays it chronologically (thanks to the timestamp).
This value does not change in Graylog, that’s the point. In fact, this value represents the position of the firewall rule in the firewall. It changes when someone adds or deletes a rule, for example, the firewall rule is currently in position 433 (this number is the value of the field fw_fwrule). Someone adds a rule above the number 433, the new number of my rule is now 444. But at the same time, in Graylog, my widget is still collecting logs from rule 433, which is now a completely different rule.
Does this explanation help you understand the issue?
Oh no sorry, I did not explain well. By specific rule I meant the one firewall rule (declared on my company’s Sophos equipment) that I want to monitor (by collecting the affiliated logfiles).
@alapeyre - Looks to me like you might have to tag against a different marker than fw_rule (number) to get things to work since that field can be variable if another rule is inserted or moved above. I would look at changing your monitoring/dashboards to look at fw_name instead - that would usually be unique yet stay with the particular rule. For display you could still show the fw_rule number in most cases.
Argh - I wanted that to be the unique RULE name rather than action taken. I think there are some other items in there that could be examined/compared - fw_id, fw_initf, fw_line… Did you create the extractors yourself… meaning if you picked up someone else’s package, maybe they mislabeled something? Can you give a raw (changed data) message example and perhaps a broken out Graylog fields (with changed data) result? … be sure to use the forum tools like </> for logging text to make it readable.
I think we are out of luck unless you can change something on the Sophos side.
I did find myself thinking about watching logs for a rule add/delete/change but then you have to store the change - which would require enterprise license… pull some math to see if it incremented/decremented your rule number… bleh… too complicated!
Alternatively you could create a widget that lists rule numbers (etc.) so you can pick out the correct one and then parameterize it to your dashboard. As long as YOU know the right rule number, you can plug it in…
I created two fields, devname AND policyid, using regular expressions.
Then I created a stream to collect all the logs from that specific device called MYFIREWALL that has any policy number Or I can use a specific policy number ( i.e. firewall_rule).
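The situation described in this thread, as an added example that is not part of any post above and not Graylog's or Sophos's own code: a small Python script that (1) extracts fw_* fields from key="value" log lines with a regex, the way the extractor package and the devname/policyid regexes do, (2) filters on a rule number the way an aggregation widget on fw_fwrule does, and (3) shows the failure mode from the thread, where the rule behind position 433 changes after a rule is inserted above it, together with the parameterized-widget idea of keeping the monitored rule's current number in one place you update by hand. The log lines, addresses, ids and rule positions are constructed for the example; the regex and the fingerprint heuristic in rule_number_looks_reassigned are my own assumptions, not a Sophos or Graylog feature.

```python
import re

# Regex for the key="value" pairs in Sophos UTM ulogd packetfilter lines.
# The pattern is an assumption of this example; the fw_* field names follow
# the extractor package listed in the thread (fwrule -> fw_fwrule, etc.).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (made-up timestamps, ids and RFC 5737 addresses).
# Week 1: the monitored rule (HTTPS into the DMZ) sits at position 433.
# Week 2: a rule was inserted above it, so the same rule now logs fwrule="434"
# and position 433 is occupied by an unrelated SNMP drop rule.
WEEK1_RAW = [
    '2022:03:07-09:00:01 fw ulogd[2040]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="433" initf="eth1" '
    'outitf="eth2" srcip="192.0.2.10" dstip="203.0.113.20" proto="6" srcport="51000" '
    'dstport="443" tcpflags="SYN"',
    '2022:03:07-09:00:05 fw ulogd[2040]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="433" initf="eth1" '
    'outitf="eth2" srcip="192.0.2.11" dstip="203.0.113.20" proto="6" srcport="51001" '
    'dstport="443" tcpflags="SYN"',
    '2022:03:07-09:00:09 fw ulogd[2040]: id="2002" severity="warn" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="198.51.100.7" dstip="203.0.113.1" proto="17" srcport="40000" dstport="53"',
]
WEEK2_RAW = [
    '2022:03:14-09:00:01 fw ulogd[2040]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="434" initf="eth1" '
    'outitf="eth2" srcip="192.0.2.10" dstip="203.0.113.20" proto="6" srcport="51002" '
    'dstport="443" tcpflags="SYN"',
    '2022:03:14-09:00:04 fw ulogd[2040]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="434" initf="eth1" '
    'outitf="eth2" srcip="192.0.2.12" dstip="203.0.113.20" proto="6" srcport="51003" '
    'dstport="443" tcpflags="SYN"',
    '2022:03:14-09:00:06 fw ulogd[2040]: id="2002" severity="warn" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="433" initf="eth0" '
    'srcip="198.51.100.9" dstip="203.0.113.2" proto="17" srcport="40001" dstport="161"',
    '2022:03:14-09:00:08 fw ulogd[2040]: id="2002" severity="warn" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="198.51.100.7" dstip="203.0.113.1" proto="17" srcport="40002" dstport="53"',
]


def parse_sophos_line(line):
    """Turn one raw line into a dict of fw_* fields plus full_message,
    mirroring what a regex extractor produces in Graylog."""
    fields = {"full_message": line}
    for key, value in KV_RE.findall(line):
        fields["fw_" + key] = value
    return fields


WEEK1 = [parse_sophos_line(line) for line in WEEK1_RAW]
WEEK2 = [parse_sophos_line(line) for line in WEEK2_RAW]


def count_by_rule(messages, fwrule):
    """What an aggregation widget filtered on fw_fwrule:<n> effectively counts."""
    return sum(1 for m in messages if m.get("fw_fwrule") == fwrule)


# The "parameterize it to your dashboard" idea: the rule you care about is
# described by a label you choose plus its current position, updated by hand
# whenever a rule is added or removed above it on the firewall.
MONITORED_RULE = {"label": "dmz-web-https", "fw_fwrule": "433"}


def monitored_count(messages, monitored=MONITORED_RULE):
    """Count messages for the monitored rule using its current position."""
    return count_by_rule(messages, monitored["fw_fwrule"])


def rule_profile(messages, fwrule):
    """Heuristic fingerprint of the traffic a rule number matches: the set of
    (action, proto, dstport) combinations logged under that number."""
    return frozenset(
        (m.get("fw_action"), m.get("fw_proto"), m.get("fw_dstport"))
        for m in messages if m.get("fw_fwrule") == fwrule
    )


def rule_number_looks_reassigned(before, after, fwrule):
    """True when a rule number now matches only traffic it never matched
    before, the symptom of a rule having been inserted or deleted above it.
    A heuristic, not a Sophos or Graylog feature: it cannot tell which rule
    the number now belongs to, only that the position's traffic changed."""
    old, new = rule_profile(before, fwrule), rule_profile(after, fwrule)
    return bool(old) and bool(new) and old.isdisjoint(new)


if __name__ == "__main__":
    print("week 1, fw_fwrule 433:", count_by_rule(WEEK1, "433"))
    print("week 2, fw_fwrule 433 (now a different rule):", count_by_rule(WEEK2, "433"))
    print("week 2, fw_fwrule 434 (the monitored rule):", count_by_rule(WEEK2, "434"))
    print("433 reassigned?", rule_number_looks_reassigned(WEEK1, WEEK2, "433"))
```

Running it shows the widget's blind spot: a filter pinned to 433 silently starts counting the SNMP drop rule in week 2, while the parameter-driven count is right as soon as MONITORED_RULE is updated to 434. The profile comparison is only a sanity check to alert the person who maintains that parameter; as the thread concludes, the log line itself carries no stable rule identifier, so the mapping from position number to rule has to be maintained outside Graylog.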
Indeed I think there is no solution on the Graylog side as the log files that I receive do not mention which firewall rule it comes from. I will just continue to manually modify that rule number.
Thanks both of you for your replies, have a good week!