When you configure your Shorewall Firewall to send log data to USM Appliance, you can use the Shorewall Firewall plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.
| Device | Details |
|---|---|
| Vendor | Shorewall |
| Device Type | Firewall |
| Connection Type | Syslog |
| Data Source Name | Shorewall |
| Data Source ID | 1877 |
Integrating Shorewall Firewall
Before you configure the Shorewall Firewall integration, you must have the IP address of the USM Appliance Sensor that will receive the syslog stream.
To configure Shorewall Firewall to send Syslog messages to USM Appliance
- Open the /etc/shorewall/shorewall.conf file for editing and set the IP_FORWARDING=[On|Off|Keep] parameter. This parameter determines whether Shorewall enables or disables IPv4 packet forwarding (/proc/sys/net/ipv4/ip_forward); it controls forwarding only and has no effect on what Shorewall logs. Possible settings are:
  - On or on: Packet forwarding will be enabled.
  - Off or off: Packet forwarding will be disabled.
  - Keep or keep: Shorewall will neither enable nor disable packet forwarding. If IP_FORWARDING is not set, or is set to an empty value (for example, IP_FORWARDING=""), IP_FORWARDING=On is assumed.
- Configure rsyslog to send Shorewall log data to USM Appliance as shown in the following code sample.
```
# Forward everything to the USM Appliance Sensor. "@@" sends over TCP;
# a single "@" would send over UDP. 514 is the syslog port USM Appliance listens on.
*.* @@<USM_APPLIANCE_IP>:514
# if you need to forward to other systems as well, just
# add additional config lines:
*.* @@other-server.example.net:10514
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
```
In this example, the first line forwards all messages to the remote system over TCP (the @@ prefix; a single @ would use UDP), so USM Appliance must be listening on the protocol and port you choose. By applying different filters, however, you can forward only selected entries to the remote system. You can also include as many forwarding actions as you like: to add a backup central server, forward log data to both the remote system and the backup server using two forwarding lines, as the second @@ line above does. Restart rsyslog after saving the file so the new configuration takes effect.
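The selective forwarding the paragraph above mentions, as an added example that is not part of the original page and is not Shorewall's or rsyslog's own code: a POSIX shell script that renders an rsyslog drop-in forwarding only lines carrying Shorewall's log prefix to the USM Appliance Sensor over TCP, validates the sensor address before writing anything, and checks the merged rsyslog configuration when rsyslogd is installed. The drop-in path /etc/rsyslog.d/60-shorewall-usm.conf, the script name and the helper names are assumptions; the "Shorewall:" prefix is Shorewall's default LOGFORMAT, so adjust the filter if you changed that setting.

```sh
#!/bin/sh
# Added example; not code from the USM Appliance page, Shorewall or rsyslog.
# Renders an rsyslog drop-in that forwards only Shorewall log lines to the
# USM Appliance Sensor over TCP ("@@"; a single "@" would be UDP), writes it,
# and checks the merged rsyslog configuration when rsyslogd is available.
# Assumptions: rsyslog's legacy property-based filter syntax, Shorewall's
# default log prefix "Shorewall:" (LOGFORMAT in shorewall.conf), and the
# hypothetical drop-in path /etc/rsyslog.d/60-shorewall-usm.conf.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Rejects hostnames, empty octets ("1..2.3"), and too few or too many octets.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    rest=$1
    n=0
    while :; do
        octet=${rest%%.*}
        [ -n "$octet" ] || return 1
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break   # last octet consumed
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# Print the drop-in for sensor $1 and port ${2:-514}.
# The property filter matches on message text, so it catches Shorewall's
# netfilter log lines regardless of which facility the kernel logger used.
render_forward_conf() {
    is_ipv4 "$1" || { echo "render_forward_conf: not an IPv4 address: $1" >&2; return 1; }
    printf '%s\n' \
        '# Forward only lines carrying the Shorewall log prefix to USM Appliance (TCP).' \
        ":msg, contains, \"Shorewall:\" @@$1:${2:-514}" \
        '# All other messages keep following the rules in /etc/rsyslog.conf.'
}

# Write the drop-in to ${3:-/etc/rsyslog.d/60-shorewall-usm.conf} and, when
# rsyslogd is installed, run its config check (-N1) on the merged configuration.
install_forward_conf() {
    conf=${3:-/etc/rsyslog.d/60-shorewall-usm.conf}
    render_forward_conf "$1" "$2" > "$conf" || return 1
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config check failed; review $conf" >&2; return 1; }
    fi
    echo "wrote $conf"
}

# Usage: sh forward-shorewall.sh <USM_APPLIANCE_IP> [port] [drop-in path]
# Afterwards restart rsyslog and send a test line that the filter will match:
#   logger 'Shorewall:net2fw:DROP:test message'
if [ $# -ge 1 ]; then
    install_forward_conf "$@"
fi
```

The filter keeps the local /var/log/messages rules from /etc/rsyslog.conf untouched, so the firewall still has its own copy of every line; if you want the sensor to be the only destination, follow the forwarding line with `& stop` in the drop-in.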
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation:
http://shorewall.org/Documentation_Index.html