Native Integrations

Stormshield log monitoring & analysis with Log360

Overview

Stormshield Network Security (SNS) firewalls are critical for perimeter defense, intrusion prevention, and secure traffic management in enterprise environments. However, the security logs they generate, ranging from authentication attempts and rule matches to system-level anomalies, require structured analysis to uncover real threats. Log360, ManageEngine's unified SIEM solution, integrates with Stormshield devices to centralize, correlate, and analyze log data. This integration gives security teams real-time visibility, compliance-ready reporting, and proactive threat detection within a single console.

How Log360 collects and analyzes Stormshield logs

Log360 collects Stormshield logs through the Syslog protocol. By configuring the Stormshield device to forward logs to the Log360 Syslog listener, every relevant event, whether related to traffic, authentication, firewall rules, or IDS/IPS, is streamed in real time to the SIEM engine. Once ingested, Log360 parses these logs using predefined Stormshield log format rules. The events are normalized and indexed for efficient search and correlation. Key metadata such as IP addresses, usernames, ports, rule IDs, and severity are extracted and mapped to Log360's security event taxonomy, enabling both granular analysis and high-level correlation.

Monitoring and analytics capabilities

With Stormshield logs onboarded, Log360 provides layered monitoring and analytics through:

  • Stormshield events overview: Aggregate and monitor all Stormshield-generated log types in a unified view. Filter logs by severity, source, interface, and rule ID to quickly assess firewall health and activity trends.
  • Logon reports: Track successful and failed login attempts to the Stormshield management interface. Identify unusual access patterns such as logins during non-business hours or multiple failed attempts from the same IP, which are key indicators of brute-force or credential stuffing attempts.
  • Firewall rule management: Track rule creation, deletion, modification, and hits to ensure traceability of rule changes.
  • Account management: Track admin user creation, role changes, and unauthorized configuration attempts.
  • Long-term archival and compliance: Retain normalized logs for an extended duration to meet ISO, PCI DSS, GDPR, and other compliance mandates.
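The two steps described above, normalizing forwarded syslog lines into fields and then applying the logon-report logic (repeated failures from one IP, logins outside business hours), as an added illustration that is not Log360's own parser or rule set. The sample events are constructed for this example in a key=value style loosely modelled on Stormshield SNS output; the field names (id, time, fw, src, user, msg) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a key=value syslog style loosely modelled on
# Stormshield SNS output; the field names are assumptions for this example.
SAMPLE_LOGS = [
    'id=auth time="2024-05-06 02:14:03" fw="sns-edge-01" src=203.0.113.7 user="admin" msg="Authentication failed"',
    'id=auth time="2024-05-06 02:14:09" fw="sns-edge-01" src=203.0.113.7 user="admin" msg="Authentication failed"',
    'id=auth time="2024-05-06 02:14:15" fw="sns-edge-01" src=203.0.113.7 user="admin" msg="Authentication failed"',
    'id=auth time="2024-05-06 02:15:40" fw="sns-edge-01" src=203.0.113.7 user="admin" msg="Authentication succeeded"',
    'id=auth time="2024-05-06 09:02:11" fw="sns-edge-01" src=10.0.0.5 user="netops" msg="Authentication failed"',
    'id=auth time="2024-05-06 09:03:30" fw="sns-edge-01" src=10.0.0.5 user="netops" msg="Authentication succeeded"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_kv(line):
    """Normalize one key=value syslog line into a dict of extracted fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return source IPs with at least `threshold` failed logins inside `window`."""
    failures = defaultdict(list)
    for ev in map(parse_kv, lines):
        if ev.get("id") == "auth" and "failed" in ev.get("msg", "").lower():
            failures[ev["src"]].append(datetime.strptime(ev["time"], TIME_FMT))
    flagged = set()
    for src, times in failures.items():
        times.sort()  # sliding window over chronologically ordered failures
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged

def off_hours_logins(lines, start_hour=8, end_hour=18):
    """Return (user, src, time) for successful logins outside business hours."""
    hits = []
    for ev in map(parse_kv, lines):
        if ev.get("id") != "auth" or "succeeded" not in ev.get("msg", "").lower():
            continue
        ts = datetime.strptime(ev["time"], TIME_FMT)
        if not (start_hour <= ts.hour < end_hour):
            hits.append((ev["user"], ev["src"], ev["time"]))
    return hits

if __name__ == "__main__":
    print("brute-force candidates:", failed_login_bursts(SAMPLE_LOGS))
    print("off-hours admin logins:", off_hours_logins(SAMPLE_LOGS))
```

On the sample data the burst detector flags 203.0.113.7 (three failures in twelve seconds) while 10.0.0.5, with a single failure, stays quiet, and the off-hours check surfaces the 02:15 admin login that followed the burst.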

Critical Stormshield events monitored

Log360 continuously audits a range of Stormshield event categories:

  • Authentication events: Successful and failed logon attempts, admin console access, remote management logins.
  • Traffic events: Accepted and denied traffic by firewall policy, NAT translations, and protocol-specific patterns.
  • IDS/IPS events: Signature matches, packet inspections, and real-time intrusion detections.
  • System events: Device restarts, service failures, configuration changes, and disk usage thresholds.
  • Device severity reports: Categorized events by severity (info, warning, critical), aiding prioritization.

Key benefits

  • Centralized visibility: View Stormshield logs alongside logs from other network and security devices within a single interface.
  • Faster threat detection: Quickly identify and respond to attacks like brute-force attempts, lateral movement, and exfiltration.
  • Audit trail of firewall activity: Gain accountability with detailed reports on rule changes, access attempts, and admin activity.
  • Regulatory compliance: Meet audit requirements with prebuilt and custom reports mapped to compliance standards.
  • Simplified investigation: Use incident timelines and context-rich log views to investigate security incidents with minimal effort.

Addressing key Stormshield security challenges

Common Stormshield security challenges and how Log360 addresses each:

  • Lack of centralized log storage and analysis: Log360 aggregates Stormshield logs and stores them in a secure, searchable repository.
  • Limited visibility into real-time threats: Live dashboards and alerting help detect anomalies as they occur.
  • Difficulty correlating Stormshield logs with other device logs: Log360 correlates logs from multiple sources for comprehensive threat detection.
  • Inadequate audit trails for firewall rule and account changes: Dedicated reports track every rule change, login, and configuration update.
  • Time-consuming compliance reporting: Out-of-the-box Stormshield-specific reports simplify compliance with minimal effort.
  • High noise in IDS/IPS alerts: Severity-based filtering and alert tuning reduce false positives and prioritize threats.

Visualize your Stormshield data

Want to see detailed examples? Explore Stormshield monitoring capabilities and use cases within Log360.

Get started

Ready to secure your Stormshield firewall with Log360?

Gain complete visibility, detect threats faster, and simplify compliance.
