firewall.stonegate

The logs from Stonegate firewall are labeled with the firewall.stonegate.type tag.
  • You can configure Stonegate to send its logs to a remote syslog server.
  • You can specify the remote server, port and protocol, but the logs cannot be tagged at the source.
  • Hence, the logs must be sent to an In-house Relay that tags them as firewall.stonegate.type and forwards them to Devo.

Tag structure

  • The type element is fixed and identifies the type and format of the event.
  • It takes the following value: firewall.stonegate.leef

For more information on how tags work, see the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay, which will tag the logs correctly.

Then define a new rule so that all events arriving on a chosen port (e.g. port 13004/tcp) are tagged as firewall.stonegate.leef. Set the following fields when creating the rule:

  • Source Port → 13004
  • Target Tag → firewall.stonegate.leef
  • Check the following box:
    • The log is sent without tag 

Stonegate Configuration

  • Stonegate exports the logs in various formats: xml, csv, cef, leef, netflow and ipfix.
  • You can specify, in a sheet, which fields to include in the log and in what order (especially important for the CSV format).
To set Stonegate to send the logs to a remote syslog server, follow the steps detailed here.

Use the default template below to send your data to Devo. Note that SYSLOG_SERVER_ADDRESS and SYSLOG_PORT configure export over UDP; if your relay rule listens on TCP (as in the 13004/tcp example above), uncomment and fill in SYSLOG_TCP_SERVER_ADDRESS and SYSLOG_TCP_PORT instead.

Stonegate configuration

SYSLOG_CONF_FILE=${SG_DATA_ROOT_DIR}/data/export_syslog_conf.xml
SYSLOG_EXPORT_ALERT=YES
SYSLOG_EXPORT_FORMAT=LEEF
SYSLOG_EXPORT_FW=YES
SYSLOG_EXPORT_IPS=YES
SYSLOG_EXPORT_L2FW=NO
SYSLOG_FILTER_MATCH=
SYSLOG_FILTER_TYPE=
SYSLOG_MESSAGE_PRIORITY=6
SYSLOG_PORT=13004
SYSLOG_SERVER_ADDRESS=1.2.3.4
#SYSLOG_TCP_PORT=13004
#SYSLOG_TCP_SERVER_ADDRESS=1.2.3.4
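Before pointing the Log Server at the relay, it helps to confirm that a LEEF event in the shape Stonegate emits parses cleanly, that the fields you selected in the export sheet are actually present, and that the relay rule on 13004/tcp accepts a test event. The following Python script is an added example written for this page; it is not part of Devo's In-house Relay or of Forcepoint's Stonegate documentation. The sample events are constructed, the vendor, product, version and event-ID header values and the attribute names are assumptions, and the relay address is whatever you pass on the command line.

```python
import re
import socket
from typing import Dict, Iterable, List

# Constructed sample events in the format selected by SYSLOG_EXPORT_FORMAT=LEEF.
# They are not captures from a real Stonegate appliance; the vendor, product,
# version and event-ID header values are assumptions used only for illustration.
SAMPLE_LEEF_10 = (
    "LEEF:1.0|McAfee|Stonegate|5.5|Connection_Allowed|"
    "devTime=Jan 12 2020 10:15:32\tsrc=10.1.2.3\tdst=203.0.113.9\t"
    "srcPort=51234\tdstPort=443\tproto=6\taction=Allow\trule=Web-out"
)
# LEEF 2.0 adds a sixth header field naming the attribute delimiter (x5E is '^').
SAMPLE_LEEF_20 = (
    "LEEF:2.0|McAfee|Stonegate|6.5|Connection_Discarded|x5E|"
    "src=10.1.2.3^dst=198.51.100.7^dstPort=23^proto=6^action=Discard"
)


def _attribute_delimiter(spec: str) -> str:
    """LEEF 2.0 names the attribute delimiter either literally or as hex (x09 or
    0x09). An empty field, like every LEEF 1.0 event, means tab."""
    if spec == "":
        return "\t"
    hex_match = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", spec)
    if hex_match:
        return chr(int(hex_match.group(1), 16))
    return spec


def parse_leef(line: str) -> dict:
    """Split one LEEF 1.0/2.0 event into its header fields and an attribute dict.
    Any syslog header preceding 'LEEF:' is kept separately. Raises ValueError on
    anything that is not a complete LEEF event, which is the behaviour you want
    when checking what really arrives on the relay port."""
    line = line.rstrip("\r\n")
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event: %r" % line[:40])
    syslog_header, line = line[:start], line[start:]
    version = line[len("LEEF:"):line.index("|")]
    header_fields = 6 if version.startswith("2") else 5
    parts = line.split("|", header_fields)  # attribute values may contain '|'
    if len(parts) != header_fields + 1:
        raise ValueError("truncated LEEF header: %r" % line[:80])
    delimiter = _attribute_delimiter(parts[5]) if header_fields == 6 else "\t"
    attributes: Dict[str, str] = {}
    for pair in parts[-1].split(delimiter):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % pair)
        attributes[key] = value
    return {
        "syslog_header": syslog_header,
        "leef_version": version,
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "attributes": attributes,
    }


def missing_fields(line: str, required: Iterable[str]) -> List[str]:
    """Fields listed in the export sheet but absent from the event, in sheet order."""
    present = parse_leef(line)["attributes"]
    return [name for name in required if name not in present]


def send_to_relay(line: str, host: str, port: int = 13004, timeout: float = 5.0) -> int:
    """Push one event to the relay over TCP as a single newline-terminated line
    (RFC 6587 non-transparent framing). The relay rule tags on destination port,
    so the payload carries no Devo tag. Returns the number of bytes written."""
    if "\n" in line:
        raise ValueError("an embedded newline would be read as two events")
    payload = (line + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    import sys
    for sample in (SAMPLE_LEEF_10, SAMPLE_LEEF_20):
        event = parse_leef(sample)
        print(event["event_id"], event["attributes"])
    print("missing:", missing_fields(SAMPLE_LEEF_20, ["src", "dst", "srcPort", "action"]))
    if len(sys.argv) == 2:  # python leef_check.py <relay-ip> sends both samples to 13004/tcp
        for sample in (SAMPLE_LEEF_10, SAMPLE_LEEF_20):
            print("sent", send_to_relay(sample, sys.argv[1]), "bytes")
```

Run it with no arguments to check the parsing offline; pass the relay's IP address to deliver the two samples over TCP, then confirm in Devo that they arrive under firewall.stonegate.leef. If you changed the field sheet in Stonegate, give missing_fields() the column list from that sheet so that a dropped column shows up before the firewall is switched over.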
