
firewall.huawei

Introduction

The tags beginning with firewall.huawei identify events generated by Huawei.

Valid tags and data tables 

The full tag must have at least 3 levels. The first two are fixed as firewall.huawei. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Huawei Next-Gen Firewall

firewall.huawei.ngfw.sec

firewall.huawei.ngfw

firewall.huawei.ngfw.aaa

firewall.huawei.ngfw.aaa

firewall.huawei.ngfw.cm

firewall.huawei.ngfw.fw-log

firewall.huawei.ngfw.ifnet

firewall.huawei.ngfw.ifnet

firewall.huawei.ngfw.ifpdt

firewall.huawei.ngfw.ifpdt

firewall.huawei.ngfw.info

firewall.huawei.ngfw.info

firewall.huawei.ngfw.module

firewall.huawei.ngfw.module

firewall.huawei.ngfw.mstp

firewall.huawei.ngfw.mstp

firewall.huawei.ngfw.ntp

firewall.huawei.ngfw.ntp

firewall.huawei.ngfw.sec

firewall.huawei.ngfw.sec

firewall.huawei.ngfw.shell

firewall.huawei.ngfw.shell

firewall.huawei.ngfw.spr

firewall.huawei.ngfw.spr

firewall.huawei.ngfw.ssh

firewall.huawei.ngfw.ssh

For more information, read About Devo tags.

Huawei log format

Huawei uses a fixed syslog format that contains key fields including the module name:

TimeStamp Hostname %%ddModuleName/Severity/Brief(l): Description

In the following example, the event was generated by the SHELL module and informs of a login action.

2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0

For more information about the Huawei Firewall log event format, see the vendor documentation.

Devo Relay rule

You will need to define a relay rule that can correctly identify the event module and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression. 

When the source conditions are met, the relay will apply a tag that begins with firewall.huawei.ngfw. A regular expression in the Source Data field describes the structure of the event data - specifically the syslog header that identifies the module. The module name is extracted from the event as a capturing group and appended as the fourth level of the tag.

In the example below the rule is defined with the following settings:

  • Source port → 13030 (this can be any free port)

  • Source data → %%[0-9]{2}([A-Z]+)/

  • Target tag → firewall.huawei.ngfw.\\D1

  • Check the Stop processing and Sent without syslog tag boxes.
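The matching step of this rule can be checked offline before the relay is configured, since events that fail to match never receive a firewall.huawei.ngfw tag. The following is an added example, not Devo's code: it applies the Source data expression from the settings above to sample lines and reports the tag each would get. The helper names, the lowercasing of the module name, and every sample line except the SHELL one are assumptions made for the illustration.

```python
import re

# Source data expression and tag prefix taken from the relay rule on this page.
SOURCE_DATA = re.compile(r"%%[0-9]{2}([A-Z]+)/")
TAG_PREFIX = "firewall.huawei.ngfw."

# Fourth-level values that appear in the tag list on this page.
VALID_MODULES = {"aaa", "cm", "fw-log", "ifnet", "ifpdt", "info", "module",
                 "mstp", "ntp", "sec", "shell", "spr", "ssh"}


def tag_for(event):
    """Return (tag, status) for one raw syslog line.

    status is "ok", "unknown-module" (rule matched, tag not in the list)
    or "no-match" (the Source data expression does not match the line).
    Lowercasing is an assumption, made only to compare with the tag list.
    """
    m = SOURCE_DATA.search(event)
    if m is None:
        return None, "no-match"
    module = m.group(1).lower()
    status = "ok" if module in VALID_MODULES else "unknown-module"
    return TAG_PREFIX + module, status


# The first line is the page's own example; the others are constructed.
SAMPLES = [
    "2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console "
    "vsys:root user:admin login from con0",
    "2018-07-22 11:20:02 sysname %%01FW-LOG/5/EXAMPLE(l): constructed hyphenated module",
    "2018-07-22 11:20:05 sysname %%01ZZZ/6/EXAMPLE(l): constructed unlisted module",
    "2018-07-22 11:20:09 sysname constructed line without a module header",
]


def audit(lines):
    """Apply the rule to each line and collect the results in order."""
    return [tag_for(line) for line in lines]


if __name__ == "__main__":
    for line, (tag, status) in zip(SAMPLES, audit(SAMPLES)):
        print(f"{status:15} {tag or '-':32} {line[:60]}")
```

The constructed FW-LOG line does not match because `[A-Z]+` excludes the hyphen, so a module named that way would need a wider character class to reach the fw-log tag listed above.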

Table structure

These are the fields displayed in these tables: