The tags beginning with firewall.stonegate identify log events generated by the Stonesoft "StoneGate" Firewall (later Forcepoint NGFW).
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
The full tag must have at least three levels. The first two are fixed as firewall.stonegate. The third level identifies the log format and currently must be leef.
Therefore, the only currently valid tag is firewall.stonegate.leef.
For more information, see the documentation on Devo tags.
Devo Relay rule
You will need to define a relay rule that applies the firewall.stonegate.leef tag to all events that are received on the port of your choosing. We'll use port 13004 in the example.
- Source Port → 13004
- Target Tag → firewall.stonegate.leef
- Check the Sent without syslog tag checkbox
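The following added example (not Devo's or Stonesoft's code) simulates what the relay rule above does: it validates a tag against the three-level firewall.stonegate.<format> convention described earlier, maps the inbound port 13004 to the firewall.stonegate.leef tag, and wraps raw LEEF events, which arrive without a syslog header, before forwarding. The rule field names, the "<tag>: <event>" output framing and the sample LEEF lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The page fixes the first two tag levels and allows only this third level today.
FIXED_PREFIX = ("firewall", "stonegate")
SUPPORTED_FORMATS = {"leef"}


def validate_tag(tag: str) -> bool:
    """Check a Devo tag against the rules given on this page: at least three
    levels, the first two fixed as firewall.stonegate, the third a supported
    log format. Empty levels (for example a trailing dot) are rejected."""
    levels = tag.split(".")
    if len(levels) < 3 or any(level == "" for level in levels):
        return False
    if tuple(levels[:2]) != FIXED_PREFIX:
        return False
    return levels[2] in SUPPORTED_FORMATS


@dataclass(frozen=True)
class RelayRule:
    """One relay rule as described above (field names are this example's own)."""
    source_port: int
    target_tag: str
    sent_without_syslog_tag: bool = True

    def __post_init__(self) -> None:
        if not validate_tag(self.target_tag):
            raise ValueError(f"invalid target tag: {self.target_tag!r}")


# A syslog PRI header looks like "<14>"; raw LEEF exports carry none.
_SYSLOG_PRI = re.compile(r"^<\d{1,3}>")


def apply_rule(rule: RelayRule, port: int, event: str) -> Optional[str]:
    """Simulate the relay: return the line that would be forwarded to Devo, or
    None when the rule does not match. The "<tag>: <event>" framing is an
    assumption for this example, not the relay's actual wire format."""
    if port != rule.source_port:
        return None
    if rule.sent_without_syslog_tag and _SYSLOG_PRI.match(event):
        # The rule expects raw events; a syslog-framed line suggests the
        # firewall export is configured differently and should be checked.
        return None
    if not event.startswith("LEEF:"):
        # Only LEEF is a valid format for this tag; anything else is dropped.
        return None
    return f"{rule.target_tag}: {event}"


RULE = RelayRule(source_port=13004, target_tag="firewall.stonegate.leef")

# Constructed sample events (port, line); vendor fields are illustrative,
# not StoneGate's actual LEEF schema.
SAMPLE_EVENTS = [
    (13004, "LEEF:2.0|Forcepoint|NGFW|EXAMPLE_VERSION|Connection_Allowed|"
            "src=10.0.0.5\tdst=10.0.1.8\tdstPort=443"),
    (13004, "<14>1 2024-01-01T00:00:00Z fw01 LEEF:2.0|Forcepoint|NGFW|"
            "EXAMPLE_VERSION|Connection_Allowed|src=10.0.0.5"),
    (514, "LEEF:2.0|Forcepoint|NGFW|EXAMPLE_VERSION|Connection_Discarded|src=10.0.0.9"),
]


def forward_all(rule: RelayRule, events) -> list:
    """Run every (port, event) pair through the rule; keep what would be forwarded."""
    forwarded = []
    for port, event in events:
        out = apply_rule(rule, port, event)
        if out is not None:
            forwarded.append(out)
    return forwarded


if __name__ == "__main__":
    for line in forward_all(RULE, SAMPLE_EVENTS):
        print(line)
```

Of the three constructed events only the first is forwarded: the second arrives with a syslog header although the rule expects raw events, and the third arrives on a port the rule does not cover. Checking these two cases is a quick way to confirm that the firewall's export and the relay rule agree before looking for the events in Devo.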
Stonesoft (StoneGate) Configuration
Stonesoft can export logs in XML, CSV, CEF, LEEF, NetFlow and IPFIX formats. For instructions on configuring a remote syslog server (in this case, the Devo Relay), see the vendor documentation.
Specify the log export format as LEEF and enter the IP address and port of your Devo Relay.