Skip to content

forcepoint FW

Description

  • Constructor : Forcepoint

  • Product : Fire wall

  • log types : Forcepoint_FW

log sample

  • Forcepoint_FW Traffic
1
LEEF:1.0|FORCEPOINT|Firewall|6.2.1|FW_Protocol-Agent-Application-Protocol-Violation|devTimeFormat=MMM dd yyyy HH:mm:ss  devTime=Jan 13 2019 03:15:03  proto=6 dstPort=21  srcPort=35278 dst=10.1.32.136 src=10.1.255.52 sender=thsdc1smgfwl01p  msg=Invalid address in PORT command. IP: 10.1.255.52, port: 10794
  • Forcepoint_FW DHCP
1
LEEF:1.0|FORCEPOINT|Firewall|6.2.1|FW_DHCP-DHCP-Reply-Received|devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:50:56:A3:52:F8
  • Forcepoint_FW System
1
LEEF:1.0|FORCEPOINT|Firewall|6.2.1|Generic|devTimeFormat=MMM dd yyyy HH:mm:ss devTime=Jan 13 2019 03:42:05  sender=thsdc1smgfwl02p  msg=pam_unix(sshd:auth): check pass; user unknown

Parsing strategy

  • First of all, we deal with the first part with a grok operator.

  • Then we use the kv operator to parse this log .

  • We can now normalize the fields

Fields normalization

  • Forcepoint_FW
Normalized fields Parsed fields
[type] "fw"
[alarm][name] [tmp][Name]
[alarm][description] [tmp][Extension][msg]
[init][host][ip] [tmp][Extension][src]
[init][host][port] [tmp][Extension][srcPort]
[init][host][mac] [tmp][Extension][srcMAC]
[target][host][ip] [tmp][Extension][dst]
[target][host][port] [tmp][Extension][dstPort]
[target][host][mac] [tmp][Extension][dstMAC]
[app][proto][num] [tmp][Extension][proto]
[action] [tmp][Extension][action]
[msg]] [tmp][Extension][msg]
[obs][ts] [tmp][Extension][devTime]
[obs][host][name] [tmp][Extension][sender]