AlienVault® USM Appliance™

Shorewall Firewall

When you configure Shorewall Firewall to send log data to USM Appliance, you can use the Shorewall Firewall plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Shorewall
Device Type Firewall
Connection Type Syslog
Data Source Name Shorewall
Data Source ID 1877

Integrating Shorewall Firewall

Before you configure the Shorewall Firewall integration, you must have the IP address of the USM Appliance Sensor.

To configure Shorewall Firewall to send Syslog messages to USM Appliance

  1. Open the /etc/shorewall/shorewall.conf file for editing and configure the IP_FORWARDING=[On|Off|Keep] parameter. This parameter determines whether Shorewall Firewall enables or disables IPv4 packet forwarding (/proc/sys/net/ipv4/ip_forward). Possible parameter settings are:
    • On or on: Packet forwarding will be enabled.
    • Off or off: Packet forwarding will be disabled.
    • Keep or keep: Shorewall Firewall will neither enable nor disable packet forwarding. If the IP_FORWARDING parameter is not set, or is set to an empty value, for example, IP_FORWARDING="", then IP_FORWARDING=On is assumed.
  2. Configure rsyslog to send Shorewall log data to USM Appliance as shown in the following code sample:

     *.* @@<USM_APPLIANCE_IP>:514

     # if you need to forward to other systems as well, just
     # add additional config lines:
     *.* @@other-server.example.net:10514

     # Log anything (except mail) of level info or higher.
     # Don't log private authentication messages!
     *.info;mail.none;authpriv.none;cron.none /var/log/messages

     # The authpriv file has restricted access.
     authpriv.* /var/log/secure

     # Log all the mail messages in one place.
     mail.* /var/log/maillog

     # Log cron stuff
     cron.* /var/log/cron

     # Everybody gets emergency messages
     *.emerg *

     # Save news errors of level crit and higher in a special file.
     uucp,news.crit /var/log/spooler

     # Save boot messages also to boot.log
     local7.* /var/log/boot.log

In this example, all messages are forwarded to the remote system. By applying different filters, however, you can choose to forward only selected entries. You can also include as many forwarding actions as you like. For example, to configure a backup central server, forward log data to both the remote system and the backup central server using two different forwarding lines.
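The sample above forwards every syslog message from the firewall host, and the plugin on the USM Appliance side is what turns the Shorewall lines into normalized events. The following added example (not part of the AlienVault documentation and not the plugin's own code) shows what that normalization involves: it takes a few constructed syslog lines as they would arrive from a Shorewall host, keeps only the firewall lines, and parses them into the fields an analyst cares about (chain, disposition, interfaces, addresses, protocol and ports). It assumes Shorewall's default LOGFORMAT, which prefixes each kernel log line with "Shorewall:<chain>:<disposition>:" followed by the standard netfilter key=value fields; if you have changed LOGFORMAT, adjust the regular expression accordingly.

```python
import re
from collections import Counter

# Constructed sample lines in the form a Shorewall host emits them over syslog.
# The "Shorewall:<chain>:<disposition>:" prefix is Shorewall's default LOGFORMAT;
# everything after it is the usual netfilter key=value field list.
SAMPLE_LINES = [
    "Mar  4 10:15:22 fw1 kernel: [123456.789012] Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  4 10:15:23 fw1 kernel: [123457.000001] Shorewall:net2loc:REJECT:IN=eth0 OUT=eth1 "
    "SRC=198.51.100.7 DST=192.0.2.20 LEN=60 PROTO=UDP SPT=40000 DPT=161 LEN=40",
    # A non-firewall line from the same host; it must be ignored by the filter.
    "Mar  4 10:15:24 fw1 sshd[2201]: Accepted publickey for admin from 192.0.2.5 port 51000 ssh2",
    "Mar  4 10:15:25 fw1 kernel: [123458.000001] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 "
    "SRC=192.0.2.20 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

# Syslog header, optional kernel timestamp, then the Shorewall prefix and the field list.
SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s*"
    r"(?:\[\s*[\d.]+\]\s*)?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)


def is_shorewall_event(line):
    """Cheap pre-filter: the same test an rsyslog property filter would apply."""
    return "Shorewall:" in line


def parse_netfilter_fields(text):
    """Turn 'K=V K=V FLAG ...' into a dict; bare tokens (DF, SYN) become True.

    The first occurrence of a key wins: UDP/TCP lines repeat LEN for the inner
    header, and the outer value is the one that describes the packet.
    """
    fields = {}
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)
        else:
            fields[token] = True
    return fields


def normalize(line):
    """Return a normalized event dict for a Shorewall log line, or None otherwise."""
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    f = parse_netfilter_fields(m.group("fields"))
    return {
        "timestamp": m.group("ts"),
        "device": m.group("host"),
        "chain": m.group("chain"),
        "action": m.group("disposition"),
        "in_iface": f.get("IN") or None,     # 'OUT=' with no value becomes None
        "out_iface": f.get("OUT") or None,
        "src_ip": f.get("SRC"),
        "dst_ip": f.get("DST"),
        "protocol": f.get("PROTO"),
        "src_port": int(f["SPT"]) if "SPT" in f else None,  # absent for ICMP
        "dst_port": int(f["DPT"]) if "DPT" in f else None,
    }


def normalize_stream(lines):
    """Filter a syslog stream down to Shorewall events and normalize each one."""
    events = (normalize(line) for line in lines if is_shorewall_event(line))
    return [ev for ev in events if ev is not None]


def denied_sources(events):
    """Count DROP/REJECT events per source address, a typical first triage view."""
    return Counter(ev["src_ip"] for ev in events if ev["action"] in ("DROP", "REJECT"))


if __name__ == "__main__":
    evs = normalize_stream(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print(denied_sources(evs))
```

The `is_shorewall_event` pre-filter is the script-side equivalent of forwarding only selected entries from rsyslog; with the default LOGFORMAT, an rsyslog property-based filter such as `:msg, contains, "Shorewall:" @@<USM_APPLIANCE_IP>:514` in place of the `*.*` line sends just the firewall events to the USM Appliance Sensor and keeps unrelated host messages out of the plugin's input.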

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://shorewall.org/Documentation_Index.html

For troubleshooting, refer to the vendor documentation:

http://shorewall.org/troubleshoot.htm