
firewall.huawei

The tags beginning with firewall.huawei identify log events generated by the Huawei Firewall.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.huawei. The third level identifies the technology type and currently can only be ngfw. The optional fourth level identifies the application module that generated the event, as read from the event's syslog header.

technology   brand    type    module
firewall     huawei   ngfw    module name taken from the event (see list below)

The first three levels are fixed and usually required; the fourth is appended when the module can be identified.

Therefore, the valid tags include:

  • firewall.huawei.ngfw
  • firewall.huawei.ngfw.aaa
  • firewall.huawei.ngfw.cm
  • firewall.huawei.ngfw.fw-log
  • firewall.huawei.ngfw.ifnet
  • firewall.huawei.ngfw.ifpdt
  • firewall.huawei.ngfw.info
  • firewall.huawei.ngfw.module
  • firewall.huawei.ngfw.mstp
  • firewall.huawei.ngfw.ntp
  • firewall.huawei.ngfw.sec
  • firewall.huawei.ngfw.shell
  • firewall.huawei.ngfw.spr
  • firewall.huawei.ngfw.ssh

Huawei log format

Huawei uses a fixed syslog format whose header carries several key fields, including the module name:

TimeStamp Hostname %%ddModuleName/Severity/Brief(l): Description

Here dd is a two-digit version number (01 in the example below), Severity is the syslog severity level, Brief is a short mnemonic for the event, and the letter in parentheses marks the information type (l for log).

In the following example, the event was generated by the SHELL module (version 01, severity 4, brief LOGIN) and reports a console login by the user admin.

2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0

For more information about the Huawei Firewall log event format, see the vendor documentation.

Devo Relay rule

You will need to define a relay rule that identifies the event module and applies the corresponding tag. Events are selected by the source port on which they are received and by matching a format defined by a regular expression.

When the source conditions are met, the relay applies a tag that begins with firewall.huawei.ngfw. The regular expression in the Source Data field describes the structure of the event data, specifically the part of the syslog header that names the module. The module name is extracted as a capturing group and appended as the fourth level of the tag.

In the example below the rule is defined with the following settings:

  • Source Port  13030  (this can be any free port)
  • Source Data  %%[0-9]{2}([A-Z]+)/
  • Target Tag  firewall.huawei.ngfw.\\D1
  • Check the Stop processing and Sent without syslog tag boxes.

Note that the character class [A-Z]+ does not admit a hyphen, so events from a hyphenated module such as FW-LOG will not match this expression and will not be tagged by the rule; use [A-Z-]+ in Source Data if you need the firewall.huawei.ngfw.fw-log tag. Verify the rule by sending a known event to the source port and confirming that it arrives under the expected tag.
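To show how the header format above decomposes and what the relay rule's regular expression actually captures, here is an added example that is not part of this page or of Devo's relay code. It parses the Huawei header into its fields and mimics the tag assignment with two expressions: the page's own Source Data pattern and a hyphen-aware variant, run over the page's example line plus constructed lines (labelled in the code). The FW-LOG line, the lower-casing of the captured module, and the timestamp pattern are assumptions of this example; the page does not state how the relay treats case.

```python
import re

# Huawei header as documented on this page:
#   TimeStamp Hostname %%ddModuleName/Severity/Brief(l): Description
# The module class admits digits and a hyphen so FW-LOG is captured whole.
HEADER_RE = re.compile(
    r"^(?P<ts>.+?) "                 # timestamp; exact layout depends on device config (assumption)
    r"(?P<host>\S+) "                # sysname
    r"%%(?P<version>\d{2})"          # dd, the format version (01 in the sample)
    r"(?P<module>[A-Z][A-Z0-9-]*)/"  # ModuleName
    r"(?P<severity>\d)/"             # Severity
    r"(?P<brief>[A-Z0-9_-]+)"        # Brief
    r"\((?P<kind>[a-z])\):\s*"       # (l) information type marker
    r"(?P<desc>.*)$"                 # Description
)

TAG_PREFIX = "firewall.huawei.ngfw"

# Source Data expression exactly as written on this page.
PAGE_RELAY_RE = re.compile(r"%%[0-9]{2}([A-Z]+)/")
# Same expression with a hyphen admitted to the module class.
FIXED_RELAY_RE = re.compile(r"%%[0-9]{2}([A-Z-]+)/")


def parse_huawei(line):
    """Split one Huawei syslog line into its header fields, or return None."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def relay_tag(line, pattern=FIXED_RELAY_RE):
    """Mimic the relay rule: capture the module and append it as the fourth
    tag level. Lower-casing is this example's assumption, chosen so the result
    matches the tag list on this page."""
    m = pattern.search(line)
    if m is None:
        return None
    return f"{TAG_PREFIX}.{m.group(1).lower()}"


# Constructed sample input. The first line is the page's own example; the
# others are made up here to exercise a hyphenated module and a non-Huawei line.
SAMPLE_LOGS = [
    "2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0",
    "2018-07-22 11:20:02 sysname %%01FW-LOG/6/SESSION(l): constructed session record",
    "2018-07-22 11:20:05 sysname %%01SSH/5/SSH_USER_LOGIN(l): constructed ssh login record",
    "Jul 22 2018 11:21:00 other-box sshd[123]: not a Huawei event",
]


def tag_all(lines, pattern=FIXED_RELAY_RE):
    """Return (tag, module) per line so the two expressions can be compared."""
    out = []
    for line in lines:
        parsed = parse_huawei(line)
        out.append((relay_tag(line, pattern), parsed["module"] if parsed else None))
    return out


if __name__ == "__main__":
    for (page_tag, _), (fixed_tag, module) in zip(
        tag_all(SAMPLE_LOGS, PAGE_RELAY_RE), tag_all(SAMPLE_LOGS)
    ):
        print(f"{module!s:8} page rule -> {page_tag!s:30} hyphen-aware -> {fixed_tag}")
```

Running the script side by side shows the page's expression tagging SHELL and SSH events but returning no match for the constructed FW-LOG line, while the hyphen-aware variant produces firewall.huawei.ngfw.fw-log; the non-Huawei line is rejected by both, which is the behaviour you want before the relay's Stop processing flag is set.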