Support Device WAF

Hello friends,
Does Graylog support WAF devices?

Could you please be a little more verbose. What is “Device WAF”?

Hi Jan,
Thank you for the answer.
WAF (Web Application Firewall)
I need a content pack or plugin, etc., for the FortiWeb WAF device.

I thought you meant WAF … I’m not aware of any reason why it should not be possible. How does that device or software write the log?

Hi jan,

I’m so sorry, I should have explained more.
I use the FortiWeb WAF (Web Application Firewall) for the security of web services.
It works like a firewall.
The version is the open source WAF module ModSecurity.

So I guess that is a device @bahram where you can configure that messages should be sent via CEF or syslog to a central server?

  1. First check the FortiWeb log format documentation, so you know the format of the messages
    https://docs.fortinet.com/document/fortiweb/6.2.0/log-message-reference/470577/introduction
  2. Second, set up syslog on FortiWeb
    https://docs.fortinet.com/document/fortiweb/6.2.0/administration-guide/303842/logging
  3. Next create a Syslog UDP or TCP input (depending on the FortiWeb syslog configuration) in Graylog
  4. Create a pipeline in Graylog to fix the FortiWeb timestamp; change the timezone to your own
// Only fire on messages that carry the device's own date and time fields
rule "fortigate_timestamp"
when
  has_field("devname") AND has_field("date") AND has_field("time")
then
    // Join the separate date and time fields into one "yyyy-MM-dd HH:mm:ss" string
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    // Parse it in the device's local timezone so Graylog stores the correct instant
    let new_time = parse_date(value: build_message_1, pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Bratislava");
    set_field("timestamp", new_time);
end
  5. That’s it, only basic parsing, but you can continue and create your own dashboards…
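Before deploying the pipeline rule it is worth checking, on a real log line, that the date/time fields really come out in the "yyyy-MM-dd HH:mm:ss" shape the rule parses and that the timezone shift lands where you expect. The script below is an added example, not part of the thread or of Graylog's or Fortinet's own code: it assumes FortiWeb emits key=value syslog payloads with `date`, `time` and `devname` fields (the fields the rule above depends on) and mirrors what the rule does in plain Python. The log line and all of its values are constructed for illustration.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample line in the key=value style the pipeline rule expects.
# Every value here is made up; only the field names follow the rule above.
SAMPLE_LINE = (
    'date=2020-03-14 time=13:45:10 devname="fortiweb-example" '
    'log_id=000000000 type=attack msg="example message with spaces" '
    'src=198.51.100.23 dst=192.0.2.10 action=alert'
)

# key=value where the value is either a double-quoted string (may contain
# spaces and escaped quotes) or a bare token with no whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Split a key=value syslog payload into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def build_timestamp(fields, device_tz):
    """Mirror the rule: require devname, date and time, join date and time,
    parse them in the device's timezone and return the instant in UTC.
    Returns None when the rule's 'when' clause would not match, i.e. the
    message would keep whatever timestamp Graylog assigned on receipt."""
    if not all(k in fields for k in ("devname", "date", "time")):
        return None
    combined = f"{fields['date']} {fields['time']}"
    try:
        local = datetime.strptime(combined, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Pattern mismatch: in Graylog parse_date() would fail and the
        # rule would not set the field, so surface it rather than guess.
        return None
    return local.replace(tzinfo=device_tz).astimezone(timezone.utc)


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # needs Python 3.9+ and tz data installed

    parsed = parse_kv(SAMPLE_LINE)
    print(parsed)
    # Europe/Bratislava is the zone used in the rule above; swap in your own.
    print(build_timestamp(parsed, ZoneInfo("Europe/Bratislava")))
```

Run it against a line captured from your own FortiWeb (the input's raw message) instead of the constructed one; if `build_timestamp` returns None, either a field name differs from what the rule checks or the date/time format does not match the pattern, and the rule needs adjusting before it will fire.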

Hi,
Excellent!
The help was invaluable and very helpful.
Thanks a lot.
