Hi,

Has anyone got OSSEC to parse Watchguard Firebox logs? I have my logs coming in via syslog and being stored, but if I run them through logtest they get recognized as Debian dpkg logs, so I guess OSSEC is pretty much ignoring them.

The format seems to be missing a unique key to spot the logs as being from the Watchguards, sadly. We are considering using the Firebox system name to identify them (e.g. adding wg_ at the start of all our firewall system names so I can match on a regexp with that string in it). However, before I spend time on this, I wonder whether anyone else has already done the hard work? If not, any pointers to instructions on writing new decoders and rules would be most welcome. If I get anything worth sharing, I'll offer it back to the project or at least post my findings here.

Rob
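The hostname-prefix idea from the post, worked through as an added example (this is not Rob's code and not an OSSEC decoder; it is a stand-alone Python sketch of the matching logic so the approach can be tried against sample lines before anything goes into decoder.xml). It assumes the Fireboxes are named with a `wg_` prefix as proposed, assumes a Firebox traffic-log body of positional fields (action, in-interface, out-interface, protocol, addresses, ports) followed by `key="value"` pairs, modelled on WatchGuard's style rather than taken from any real capture, and every sample line below is constructed, including the dpkg line that stands in for what the Firebox logs were being mistaken for.

```python
"""Hostname-prefix classifier for WatchGuard Firebox syslog, plus a field parser.

Added example, not from the post or from the OSSEC project. It mirrors the
approach the post proposes: name every Firebox with a 'wg_' prefix and key on
that prefix, because the message body carries no fixed marker of its own.
The Firebox message layout is an assumption (positional traffic fields followed
by key="value" pairs); all sample lines are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# RFC 3164-style header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumed Firebox traffic-log body: action, in-interface, out-interface, protocol,
# src ip, dst ip, src port, dst port, then zero or more key="value" pairs.
FIREBOX_TRAFFIC_RE = re.compile(
    r"^(?P<action>Allow|Deny) (?P<src_if>\S+) (?P<dst_if>\S+) (?P<proto>\w+) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<src_port>\d+) (?P<dst_port>\d+)(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

FIREBOX_HOST_PREFIX = "wg_"  # the naming convention the post proposes (assumed)


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into header fields and message; None if it is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_firebox(record: Dict[str, str], prefix: str = FIREBOX_HOST_PREFIX) -> bool:
    """Identify a Firebox purely by the hostname prefix, since the body has no fixed key."""
    return record["host"].lower().startswith(prefix)


def parse_firebox(msg: str) -> Dict[str, str]:
    """Extract positional traffic fields (if present) and key="value" pairs from a Firebox body."""
    fields: Dict[str, str] = {}
    m = FIREBOX_TRAFFIC_RE.match(msg)
    if m:
        fields.update({k: v for k, v in m.groupdict().items() if k != "rest"})
        tail = m.group("rest")
    else:
        tail = msg  # non-traffic events (auth, management) carry only key="value" pairs
    fields.update(dict(KV_RE.findall(tail)))
    return fields


def classify(lines: List[str]) -> List[Dict[str, object]]:
    """Tag each line as 'watchguard', 'other' or 'unparsed'; Firebox lines also get parsed fields."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            out.append({"source": "unparsed", "raw": line})
            continue
        if is_firebox(rec):
            out.append({"source": "watchguard", "host": rec["host"], **parse_firebox(rec["msg"])})
        else:
            out.append({"source": "other", "host": rec["host"], "prog": rec["prog"]})
    return out


# Constructed sample input (not real captures): two Fireboxes named with the wg_
# prefix and one Debian host whose dpkg line is what the Firebox lines were mistaken for.
SAMPLE_LINES = [
    'Mar  3 10:15:01 wg_hq-fw1 firewall: Allow 1-Trusted 0-External tcp 192.0.2.10 198.51.100.20 51234 443 msg_id="3000-0148"',
    'Mar  3 10:15:02 wg_branch-fw1 firewall: Deny 0-External Firebox tcp 203.0.113.7 192.0.2.1 40001 22 msg_id="3000-0148" policy="Unhandled"',
    'Mar  3 10:15:03 wg_hq-fw1 sessiond: msg_id="1100-0005" user="admin" login succeeded',
    'Mar  3 10:15:04 debian01 dpkg: status installed openssl:amd64 1.1.1n-0+deb11u5',
]

if __name__ == "__main__":
    for rec in classify(SAMPLE_LINES):
        print(rec)
```

Two practical caveats: OSSEC decoders use their own restricted regex dialect rather than Python's `re`, so these patterns show what to match, not what to paste into decoder.xml; and an underscore is not a valid character in a DNS hostname, so if the Firebox system names also have to resolve, a prefix such as `wg-` avoids trouble, which is why the prefix is a single constant above.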