Request trial
Request Trial

Firewall Event Aggregation

Tags:
#1 Tenways

I've got a simple config listening on 514 UDP/TCP and forwarding everything received out to another server for ingest. One of the things I've been having trouble figuring out is how to do simple event aggregation for firewall logs. Ideally it would aggregate over a time window and append the message with a new field containing the count of messages.

I know something like this used to be done via module "pm_norepeat", but I think this is being deprecated, and I'm not aware that it is capable of appending message count to the original message. It seems this should somehow be done using variables going forward.

To add to the complexity, we have two separate firewall types within our environment, (Cisco ASA's and Palo's). Greatly appreciate if anyone can point me in the right direction.

Permalink
#2 rafDeactivated Nxlog ✓
#1 Tenways
I've got a simple config listening on 514 UDP/TCP and forwarding everything received out to another server for ingest. One of the things I've been having trouble figuring out is how to do simple event aggregation for firewall logs. Ideally it would aggregate over a time window and append the message with a new field containing the count of messages. I know something like this used to be done via module "pm_norepeat", but I think this is being deprecated, and I'm not aware that it is capable of appending message count to the original message. It seems this should somehow be done using variables going forward. To add to the complexity, we have two separate firewall types within our environment, (Cisco ASA's and Palo's). Greatly appreciate if anyone can point me in the right direction.

Hi,

Correct me if I'm wrong: so you'd like to send you messages in batches, right?

Best regards,
Rafal
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS