I would be interested in this as well. Robert
On Mar 2, 9:47 am, rob.butterwo...@gmail.com wrote:

> Hi,
>
> Has anyone got OSSEC to parse Watchguard Firebox logs? I have my
> logs coming in via syslog, and being stored, but if I run them through
> logtest they get recognized as Debian dpkg logs, so I guess ossec is
> pretty much ignoring them.
>
> The format seems to be missing a unique key to spot the logs as being
> from the watchguards, sadly. We are considering using the firebox
> system name to identify them (e.g. adding wg_ at the start of all our
> firewall system names so I can match on a regexp with that string in
> it). However, before I spend time on this, I wonder whether anyone
> else has already done the hard work?
>
> If not, any pointers to instructions on writing new decoders and rules
> would be most welcome. If I get anything worth sharing, I'll offer it
> back to the project or at least post my findings here.
>
> Rob