firewall.huawei

Introduction

The tags beginning with firewall.huawei identify events generated by Huawei.

Valid tags and data tables 

The full tag must have at least 3 levels. The first two are fixed as firewall.huawei. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

For more information, read more About Devo tags.

Huawei log format

Huawei uses a fixed syslog format that contains key fields including the module name:

In the following example, the event was generated by the SHELL module and informs of a login action.

For more information about the Huawei Firewall log event format, see the vendor documentation.

Devo Relay rule

You will need to define a relay rule that can correctly identify the event module and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression. 

When the source conditions are met, the relay will apply a tag that begins with firewall.huawei.ngfw. A regular expression in the Source Data field describes the structure of the event data - specifically the syslog header that identifies the module. The module name is extracted from the event as a capturing group and appended as the fourth level of the tag.

In the example below the rule is defined with the following settings:

• Source port → 13030 (this can be any free port)

• Source data → %%[0-9]{2}([A-Z]+)/

• Target tag → firewall.huawei.ngfw.\\D1

• Check the Stop processing and Sent without syslog tag boxes.

Table structure

These are the fields displayed in these tables: