Support Device WAF

Hello friends
what graylog support Device WAF ?

could you please be a little more verbose. What is “Device WAF”?

hi jan
Thank you for the answer
WAF ( [Web Application Firewall ]
I need for waf device fortiweb to content pack or plugin و etc…

I thought you meanted WAF … I’m not aware why it should not be possible. How that device or software writes the log?

Hi jan,

I’m so sorry, I should have explained more
I use Fortiweb WAF [Web Application Firewall] for the security of web services
It works like a firewall
Version is Open Source WAF Module ModeSecurity

So I guess that is a device @bahram where you can configure messages should be send via CEF or Syslog to a central Server?

  1. First check FortiWeb log format documentation, so you know format of messages
  2. Second setup syslog on FortiWeb
  3. Next create Input Syslog UDP or TCP (depends on FortiWeb syslog configuration) in Graylog
  4. Create pipeline in Graylog to fix FortiWeb timestamp, change your timezone
rule "fortigate_timestamp"
  has_field("devname") AND has_field("date") AND has_field("time")
    let build_message_0 = concat(to_string($, " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    let new_time = parse_date(value: build_message_1, pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Bratislava");
    set_field("timestamp", new_time);
  1. That’s it, only basic parsing, but you can continue and create own dashboard…
1 Like

The help was invaluable and very helpful
thanks a lot

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.