Vini Acclaimed Contributor.

Watchguard Firewalls not supported by ArcSight

Hi Guys,

I was wondering if anyone is collecting logs from Watchguard firewalls and if any of you has written a parser for it?

I thought Watchguard would be supported by ArcSight but surprisingly it is not.

If anyone is interested in working together to write a parser, let me know.

Vini
7 Replies
xme Absent Member.

Re: Watchguard Firewalls not supported by ArcSight

Hello,

I'll maybe start a project for a customer who also uses Watchguard firewalls. Watchguard is not a big player in the firewall market, but I'm surprised to find nothing relevant...

Vini,

Since you posted your message, did you investigate a FlexConnector?

/x

Vini Acclaimed Contributor.

Re: Watchguard Firewalls not supported by ArcSight

I did have a look but I never tried to write the parser, from what I remember it would not be very hard to write a parser.

Vinicius Engel

earthwave - the real-time threat management company

p: +61 2 8875 7966 | f: +61 2 8920 0562

d: +61 2 8437 9912 | w: http://www.earthwave.com.au

Till
New Member.

Re: Watchguard Firewalls not supported by ArcSight

Not sure if there are different kinds of Watchguard with different kinds of logging, but I came across one which was writing XML files and I wrote a parser for it.

Let me know if you want that one.

-Till

xme Absent Member.

Re: Watchguard Firewalls not supported by ArcSight

Watchguard firewalls can export logs via Syslog. But I'm also interested in your XML FlexConnector.

But I'm also interested in your FlexConnector! Tx!

Vini Acclaimed Contributor.

Re: Watchguard Firewalls not supported by ArcSight

Hi Till,

If you could share your parser it would be really nice.

I know very little about watchguards and all I have seen was syslog. How was the xml sent to the connector? Or does the connector read it from the device itself in a similar way to the Cisco IPS one?

--

Vinicius Engel

earthwave - the real-time threat management company

p: +61 2 8875 7966 | f: +61 2 8920 0562

d: +61 2 8437 9912 | w: http://www.earthwave.com.au

Till
New Member.

Re: Watchguard Firewalls not supported by ArcSight

This was for a Proof of Concept and the customer was just providing me with a folder full of logs. I don't know how the device exported these.

Parser attached.

Till

tliu Absent Member.

Re: Watchguard Firewalls not supported by ArcSight

Hi Till -

Thanks for sharing this parser! Would you mind also posting it as a document over in the Share > area please? The ArcExchange program will be launching at Protect '10 next weekend, and we hope to see more user-submitted parsers appear in that area soon.

Notes for the future: By posting the parser as a document, other users can rate the solution. This can help community members when deciding what parsers to try.

Once the document is posted, you can feel free to link to it from the discussion thread.

Thank you!

Trisha
