Graylog with Untangle

Hi all,

I recently switched over to an Untangle firewall which has tons of great log data. I noticed there are a couple old content packs in the marketplace, but it seems they haven’t been maintained, and no longer work. Has anyone spent time getting the logs indexed properly? I would really like to be able to run searches on the webfilter logs so I can better investigate the web traffic on my network.

Thanks

If anyone is interested, I did end up figuring out how to accomplish this for the WebFilter logs.

@cpmiller22

Of course, because Sharing is Caring :slight_smile:

I was just looking at IPFIX and I did notice that GL Version 4.0.7 has IPFIX UDP INPUT available.

Here are the steps:

  • On the Untangle side, enable remote syslog and send to your Graylog server
  • On the Graylog side, make sure you have an input set up for Untangle
  • On the input you need to add 2 extractors:

Extractor 1:

  • Select Regex
  • use the following: :\s\s+(.*)
  • store field as “json”
  • give it a name

Extractor 2:

  • Select type JSON
  • Keep default values
  • Do not select “flattened values”

You can run the tester to confirm, but these steps work great for me. I can now easily search through all my web traffic. The field names aren't quite as user friendly as they could be, but this approach is much easier than trying to build and maintain a custom JSON file. I'll probably work on enabling firewall logs and maybe some admin logs as well, but this was my first priority.

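To see what the two extractors above produce before configuring them in Graylog, here is an added Python example (not from the post and not Graylog's own code) that replays the regex step and the JSON step on a constructed log line. The exact layout of the Untangle syslog message is an assumption; only the regex comes from the post.

```python
import json
import re

# Extractor 1 from the post: the text after the first ':' that is followed by
# two or more whitespace characters. Colons inside the JSON are never followed
# by two spaces, so the leftmost match is the one before the payload.
JSON_TAIL = re.compile(r':\s\s+(.*)')


def extract_json_text(message):
    """Return the captured text, or None when the line has no ':  ' separator."""
    m = JSON_TAIL.search(message)
    return m.group(1) if m else None


def extract_fields(message):
    """Extractor 2 from the post: parse the captured text as JSON without
    flattening, so nested objects stay nested. None if it is not valid JSON."""
    text = extract_json_text(message)
    if text is None:
        return None
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


# Constructed sample line (assumption about the Untangle format: a syslog
# header, an event name, a colon, two spaces, then the JSON event body).
SAMPLE = (
    'Jan 15 10:22:01 untangle uvm[1234]: INFO  WebFilterEvent:  '
    '{"class":"WebFilterEvent","host":"example.com","uri":"/",'
    '"blocked":false,"category":"Search Engines",'
    '"sessionEvent":{"cClientAddr":"192.0.2.10"}}'
)

if __name__ == "__main__":
    fields = extract_fields(SAMPLE)
    print(fields["host"], fields["category"], fields["sessionEvent"]["cClientAddr"])
```

A line whose header uses a single space before the JSON body will not match the regex and yields no fields, which is the first thing to check in the extractor tester if a message arrives without the expected JSON fields.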

That's awesome, thanks :slight_smile:
