Firewall Analyzer supports Stonesoft Firewall 5.5
|Attributes||Values|
|SYSLOG_EXPORT_FORMAT||Set this attribute to CEF|
|SYSLOG_PORT||Default UDP port is 514, retain it|
|SYSLOG_SERVER_ADDRESS||IPv4 address of Firewall Analyzer server|
To set the Logging options for Access rules
|Connection Closing||No log||No log entries are created when connections are closed|
|Connection Closing||Normal log||Both connection opening and closing are logged, but no information is collected on the volume of traffic|
|Connection Closing||Log Accounting Information||Both connection opening and closing are logged and information on the volume of traffic is collected. This option is not available for rules that issue Alerts. If you want to create reports that are based on traffic volume, you must select this option for all rules that allow traffic that you want to include in the reports.|
The Stonesoft firewall will now send syslog data to Firewall Analyzer.
How to enable IPS logging?
Change the SYSLOG_EXPORT_IPS attribute value to YES. The default setting is NO.
Restart the log server.
How to enable URL logging?
To enable deep inspection on an access rule with the HTTP protocol, right-click the Action cell, select Edit Options, and under the Connection Tracking tab select 'Override Inspection Options Set With Continue Rules' and then 'Deep Inspection'.
URL logging in Stonesoft firewall is controlled with 'Logging of accessed URLs' setting on HTTP service protocol parameters. If you enable this, accessed URLs are logged.
If the HTTP connection matches an access rule that uses an HTTP service where URL logging is enabled but deep inspection is disabled, the URL is written to the 'Information Message' field of an 'HTTP_URL-Logged' type log entry.
If the HTTP connection matches an access rule that uses an HTTP service with URL logging enabled and deep inspection enabled, the URL is written to two fields, 'HTTP Request Host' and 'HTTP Request URI'. The first contains the accessed host name (e.g., www.example.com) and the second the URI accessed (e.g., /something/here/page.php), which means that the accessed address was www.example.com/something/here/page.php.
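As an added example (not code from the Firewall Analyzer or Stonesoft documentation), the following Python parser reads CEF-format syslog lines of the shape described above and reconstructs the accessed URL from either logging mode: the host plus URI fields written by deep inspection, or the URL carried in the information message of an 'HTTP_URL-Logged' entry. The sample lines and the extension key names (msg, requestHost, requestUri) are constructed assumptions for this example, not the keys Stonesoft actually exports.

```python
import re

# Constructed sample CEF lines. Key names msg/requestHost/requestUri are
# assumptions standing in for 'Information Message', 'HTTP Request Host'
# and 'HTTP Request URI'; they are not documented Stonesoft export keys.
SAMPLE_LINES = [
    "CEF:0|Stonesoft|Firewall|5.5|70018|HTTP_URL-Logged|3|src=10.0.0.5 "
    "dst=203.0.113.10 msg=www.example.com/something/here/page.php",
    "CEF:0|Stonesoft|Firewall|5.5|70019|Connection_Allowed|1|src=10.0.0.6 "
    "dst=203.0.113.10 requestHost=www.example.com requestUri=/something/here/page.php",
]

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity"]


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension
    key=value pairs. Handles the CEF escapes '\\|' in the header and '\\=' in
    extension values, so a '|' inside a name or '=' inside a URL survives."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split the header on unescaped '|' only; everything after the 7th is extension.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, [p.replace("\\|", "|") for p in parts[:7]]))
    ext = {}
    # A key starts the extension or follows whitespace; its value runs up to the
    # next 'key=' token or end of line, with '\=' treated as a literal '='.
    for m in re.finditer(r"(?:^|\s)([\w.]+)=((?:\\=|[^=])*?)(?=\s[\w.]+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=")
    return header, ext


def accessed_url(ext):
    """Reconstruct the accessed address from either logging mode: deep
    inspection host + URI, or the URL in the information message."""
    host, uri = ext.get("requestHost"), ext.get("requestUri")
    if host and uri:
        return host + uri
    return ext.get("msg")


def accessed_urls(lines):
    return [accessed_url(parse_cef(line)[1]) for line in lines]


if __name__ == "__main__":
    for line, url in zip(SAMPLE_LINES, accessed_urls(SAMPLE_LINES)):
        print(parse_cef(line)[0]["name"], "->", url)
```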
The 'Information Message' field is a firewall log entry field and should be imported in the eScope configuration as INFO_MSG, which is one of the fields defined in the syslog config file:
The 'HTTP Request Host' and 'HTTP Request URI' fields are IPS log entry fields generated by deep inspection. They are currently not set as exported fields in the eScope configuration, but can be added as additional exportable fields in the default_syslog_conf.xml file's list of exportable fields: