firewall.huawei
Introduction
The tags beginning with firewall.huawei identify events generated by Huawei.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as firewall.huawei. The third level identifies the type of events sent. The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
Huawei Next-Gen Firewall | |
For more information, see About Devo tags.
Huawei log format
Huawei uses a fixed syslog format that contains key fields including the module name:
TimeStamp Hostname %% dd ModuleName/Severity/Brief (l): Description
In the following example, the event was generated by the SHELL module and informs of a login action.
2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): access type:console vsys:root user:admin login from con0
For more information about the Huawei Firewall log event format, see the vendor documentation.
Devo Relay rule
You will need to define a relay rule that can correctly identify the event module and apply the corresponding tag. The events are identified by the source port that they are received on and by matching a format defined by a regular expression.
When the source conditions are met, the relay will apply a tag that begins with firewall.huawei.ngfw. A regular expression in the Source Data field describes the structure of the event data - specifically the syslog header that identifies the module. The module name is extracted from the event as a capturing group and appended as the fourth level of the tag.
In the example below the rule is defined with the following settings:
Source port → 13030 (this can be any free port)
Source data → %%[0-9]{2}([A-Z]+)/
Target tag → firewall.huawei.ngfw.\D1
Check the Stop processing and Sent without syslog tag boxes.
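The following is an added example (not Devo's or Huawei's code) that reproduces, offline, what the relay rule above does: it runs the Source Data regular expression over a Huawei syslog line, takes the capturing group as the module name and appends it as the fourth tag level. It also splits the header fields documented in the Huawei log format section, following the spacing of the page's sample event (no space between %%, dd and the module name); the field names in the parser are this example's own choice.

```python
import re
from typing import Dict, Optional

# Source Data regex and target tag prefix exactly as configured in the relay rule.
SOURCE_DATA_RE = re.compile(r"%%[0-9]{2}([A-Z]+)/")
TARGET_TAG_PREFIX = "firewall.huawei.ngfw."

# Header layout from the page: TimeStamp Hostname %% dd ModuleName/Severity/Brief (l): Description
# Group names (timestamp, hostname, dd, module, ...) are assumptions for this example.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"%%(?P<dd>\d{2})"
    r"(?P<module>[A-Z]+)/(?P<severity>\d)/(?P<brief>[A-Z0-9_]+)"
    r"\((?P<flag>[a-z])\): "
    r"(?P<description>.*)$"
)


def relay_tag(event: str) -> Optional[str]:
    """Return the tag the relay rule would apply, or None when the event does not match.

    None mirrors the relay behaviour of not routing the event under firewall.huawei.ngfw,
    which is what you should look for when events are missing from the expected table.
    """
    match = SOURCE_DATA_RE.search(event)
    if match is None:
        return None
    # \D1 in the Target tag field is the first capturing group: the module name.
    return TARGET_TAG_PREFIX + match.group(1)


def parse_header(event: str) -> Optional[Dict[str, str]]:
    """Split the fixed Huawei syslog header into its fields; None if the line is malformed."""
    match = HEADER_RE.match(event)
    return match.groupdict() if match else None


# Sample event copied from the page (SHELL module, login action).
SAMPLE = ("2018-07-22 11:19:31 sysname %%01SHELL/4/LOGIN(l): "
          "access type:console vsys:root user:admin login from con0")

if __name__ == "__main__":
    print(relay_tag(SAMPLE))      # firewall.huawei.ngfw.SHELL
    print(parse_header(SAMPLE))
```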
Table structure
These are the fields displayed in these tables: