[Dshield] Submitting Watchguard Logs REPOST Sans attachment

Wayne Larmon wlarmon at dshield.org
Tue Aug 6 19:55:58 GMT 2002


> I had attached a .pdf that I received from the folks at
> Watchguard which indicated that one could set up the system to
> log to KIWI syslog and how to do that.  The list moderator
> politely rejected the post due to the attachment, but has asked
> that I repost and provide a link.  The link however is on a
> password protected support site for Watchguard so I cannot
> provide that.  I have provided the file and will email it to
> anyone interested.  Dshield may also host it if possible.

Because it is protected, we probably shouldn't host it either.
Copyright, etc.  But I looked at the PDF and it looked pretty straightforward.
It basically described going to the WatchGuard "policy editor" and enabling
syslogging from the "Setup Logging" section, and then configuring a syslog
server to intercept the syslog events that WatchGuard will now broadcast.

> I don't speak 'nix and do not run it in my shop, so I'd need a
> 3rd party daemon to run in win32.

This is why the PDF is confusing.  It talks in terms of how to configure for
*NIX syslogging.  But *NIX isn't needed, just an application that can catch
syslog events the same way that *NIX systems do.

> Anyone know of a freebie?
> Thanks
> Rich

Others have had good luck with Kiwi Syslog Daemon.
http://www.kiwisyslog.com/info_sysd.htm  It runs on all the common Windows
platforms (9X, ME, NT/2K/XP) and is available in both a free basic version
and a more full featured paid version.

What we need to be able to write a converter is for you, or another WatchGuard user,
to configure WatchGuard to log to a common syslogger (like Kiwi), and then
send us enough sample logs so that we can write a converter.

Wayne Larmon
DShield.org

>
> -----Original Message-----
> From: Richard Roy
> Sent: Tuesday, August 06, 2002 7:26 AM
> To: list at dshield.org
> Subject: RE: [Dshield] Submitting Watchguard Logs
>
>
> I have submitted your response to my post to their support team.
> I have a support contract and they are generally very good at
> helping to find answers.  When I get an answer I'll post.
> Thanks
> Rich
>
> -----Original Message-----
> From: Wayne Larmon [mailto:wlarmon at dshield.org]
> Sent: Monday, August 05, 2002 3:54 PM
> To: list at dshield.org
> Subject: RE: [Dshield] Submitting Watchguard Logs
>
>
>
> > I've seen there is a tool to parse Watchguard logs to Dshield,
> > but it is a manual process.  Does anyone know of a more automated
> > process?  Manually moving the log around or filtering it myself
> > is not always practical, especially during vacations, etc.  Has
> > anyone heard of/come up with a fully automated way to submit
> > Watchguard Logs to DShield?
>
> The existing WatchGuard client was user contributed.  As I remember, the
> sticking point for making it automated was because WatchGuard writes the log
> in a proprietary binary format.  The only way to get a log in an ASCII
> format that is understandable was to do a manual export operation from
> WatchGuard's controlling software.
>
> This is my understanding based on working with the contributor of the
> client.  I don't have any actual experience with WatchGuard.
>
> Is there any way for WatchGuard to write its log automatically in an ASCII
> format?  Can it send logging information to something like Kiwi Syslog
> Daemon, that can then write an ASCII log?  If the log can get to an ASCII
> format, then we can write a converter that can be put on the Task
> Scheduler.
>
> Alternatively, does anybody know how to decode the native binary log?
>
> Wayne Larmon
> wlarmon at dshield.org
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
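The point made above is that no *NIX box is needed, only a program that catches the UDP syslog datagrams a firewall emits and writes them as plain ASCII for a converter to read. The following is an added example of such a collector, not code from the thread, DShield or WatchGuard; it assumes the classic BSD syslog format (a `<PRI>` prefix, then free text) and uses only the Python standard library, so it runs on Windows as well.

```python
# Added example (not from the thread): a minimal syslog collector that does
# what a Windows syslog daemon such as Kiwi does in this thread -- listen for
# the UDP datagrams a firewall sends and append them to a plain ASCII log.
import socket
import datetime

def parse_syslog(datagram: bytes) -> dict:
    """Split a classic BSD-style (RFC 3164) syslog datagram into its parts.

    Format: "<PRI>rest of message" where PRI = facility * 8 + severity.
    Datagrams without a valid PRI header are kept with facility/severity
    set to None rather than dropped, so nothing the firewall sends is lost.
    """
    text = datagram.decode("latin-1").rstrip("\r\n\x00")
    facility = severity = None
    if text.startswith("<"):
        end = text.find(">", 1, 5)          # PRI is at most 3 digits
        if end > 1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:                   # 23 facilities * 8 + 7
                facility, severity = divmod(pri, 8)
                text = text[end + 1:]
    return {"facility": facility, "severity": severity, "message": text}

def format_ascii(record: dict, peer: str, stamp: str) -> str:
    """One tab-separated ASCII line per event: receive time, sender,
    facility, severity, message.  '-' marks a missing PRI header."""
    fac = "-" if record["facility"] is None else str(record["facility"])
    sev = "-" if record["severity"] is None else str(record["severity"])
    return "\t".join([stamp, peer, fac, sev, record["message"]]) + "\n"

def serve(logfile: str, host: str = "0.0.0.0", port: int = 514) -> None:
    """Listen on UDP/514 (syslog) and append every event to logfile.
    Binding port 514 needs administrator rights on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(logfile, "a", encoding="utf-8") as out:
        sock.bind((host, port))
        while True:
            data, (peer, _) = sock.recvfrom(8192)
            stamp = datetime.datetime.now().isoformat(timespec="seconds")
            out.write(format_ascii(parse_syslog(data), peer, stamp))
            out.flush()                      # a converter may read concurrently

if __name__ == "__main__":
    serve("firewall.log")                    # hypothetical output file name
```

Point the firewall's syslog setting at the machine running this, and the resulting tab-separated file is the ASCII input a scheduled converter can work from.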
