firewall.huawei

Logs from Huawei firewalls are labeled with the firewall.huawei.fwtype.module tag.
  • You can configure a Huawei firewall to report its logs to a remote syslog server.
  • Since the logs cannot be sent via TCP or tagged at the source, they must be sent to an In-house Relay, which tags them as firewall.huawei.fwtype.module and forwards them to Devo.

Huawei log format

Huawei uses a fixed syslog log format in all their devices:

TimeStamp Hostname %%ddModuleName/Severity/Brief(l): Description

Example

2014-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0
  • The timestamp of the log is 2014-07-22 11:19:31
  • The host name is sysname
  • The log is generated by the SHELL module
  • The log is at level four
  • The description of the log is that the user admin logged in from the console

Tag structure

  • The element fwtype is fixed and identifies the firewall family. This element can only take the ngfw value, so the final label is firewall.huawei.ngfw.module.
  • The module element is extracted from the original syslog message via regex and it is appended to the tag in the relay.

For more information on how tags work, see the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay so that these logs are tagged correctly.

Then define a new rule so that all events arriving on the chosen port (e.g. port 13030) are tagged as firewall.huawei.ngfw.module.

  • The rule must also append the corresponding module to firewall.huawei.ngfw, depending on the nature of each event.
  • The module is extracted from the message using a regular expression. The captured data is used to build the final tag for each event.

You must consider the following fields when creating the new rule:

  • Source Port  13030
  • Source Data  %%[0-9]{2}([A-Z]+)/
  • Target Tag  firewall.huawei.ngfw.\\D1
  • Check the following boxes:
    • Stop processing
    • Send without tag
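
To check which module tags a capture of device logs would produce before enabling the rule, the Source Data pattern can be applied offline. The following is an added example, not Devo's relay code: the function names are hypothetical, the use of an unanchored search and as-is substitution of the captured group are assumptions, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# Source Data pattern from the rule above; group 1 is the module name.
SOURCE_DATA = re.compile(r"%%[0-9]{2}([A-Z]+)/")
TAG_PREFIX = "firewall.huawei.ngfw."

def tag_for(line):
    """Return the tag the rule would build for a line, or None if the
    Source Data pattern does not match (the rule would not apply).
    Assumption: the pattern is searched anywhere in the message and the
    captured group is substituted unchanged."""
    m = SOURCE_DATA.search(line)
    return TAG_PREFIX + m.group(1) if m else None

def audit(lines):
    """Count the tags produced and collect the lines the rule would miss."""
    tags, unmatched = Counter(), []
    for line in lines:
        tag = tag_for(line)
        if tag is None:
            unmatched.append(line)
        else:
            tags[tag] += 1
    return tags, unmatched

# First line is the example from this page; the rest are constructed.
SAMPLE = [
    "2014-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0",
    "2014-07-22 11:20:02 sysname %%01POLICY/6/DENY(l): constructed sample description",
    "2014-07-22 11:20:05 sysname %%1SHELL/4/LOGIN(l): constructed line with a one-digit dd field",
    "2014-07-22 11:20:09 sysname constructed line with no %% header at all",
]

if __name__ == "__main__":
    tags, unmatched = audit(SAMPLE)
    for tag, n in sorted(tags.items()):
        print(f"{n:3d}  {tag}")
    for line in unmatched:
        print("UNMATCHED:", line)
```

Lines reported as UNMATCHED would not receive a module tag from this rule, so they are the ones to review before relying on the tags for searches or alerts.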
