
Sheriff CSM™

Shorewall Firewall

When you configure Shorewall Firewall to send log data to Sheriff CSM, you can use the Shorewall Firewall plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
Vendor:            Shorewall
Device Type:       Firewall
Connection Type:   Syslog
Data Source Name:  Shorewall
Data Source ID:    1877
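To make concrete what "translating raw log data into normalized events" means for this source, here is an added example (not the Sheriff CSM plugin's own code) that parses Shorewall kernel log lines as rsyslog would deliver them and turns each into a flat event record. It assumes Shorewall's default LOGFORMAT prefix of Shorewall:<chain>:<disposition>: followed by the usual netfilter key=value fields; the sample lines, hostname and addresses are constructed for the example.

```python
import re

# Constructed sample lines (not from the page): a TCP SYN dropped by the
# net->fw chain and an ICMP echo request rejected by the same chain.
SAMPLE_LINES = [
    "Jun 24 10:15:32 fw1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 24 10:15:40 fw1 kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= "
    "SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=7 "
    "PROTO=ICMP TYPE=8 CODE=0 SEQ=1",
]

# Syslog header, the kernel facility tag, an optional printk timestamp and the
# assumed Shorewall prefix "Shorewall:<chain>:<disposition>:".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")           # netfilter KEY=VALUE tokens
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare flag tokens


def normalize(line):
    """Return a normalized event dict for a Shorewall log line, or None if the
    line is not a Shorewall log line (other kernel or daemon messages)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.group("fields")
    kv = dict(KV_RE.findall(fields))
    flags = sorted(tok for tok in fields.split() if tok in TCP_FLAGS)

    def number(key):
        # Ports and ICMP type are absent for some protocols; keep None then.
        return int(kv[key]) if kv.get(key, "").isdigit() else None

    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "chain": m.group("chain"),
        "action": m.group("disposition"),
        "in_iface": kv.get("IN") or None,    # "OUT=" (empty) becomes None
        "out_iface": kv.get("OUT") or None,
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "src_port": number("SPT"),
        "dst_port": number("DPT"),
        "icmp_type": number("TYPE"),
        "tcp_flags": flags,
    }


def normalize_all(lines):
    """Normalize a batch of lines, silently skipping non-Shorewall entries."""
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LINES):
        print(event)
```

Lines that do not carry the Shorewall prefix (sshd, cron, mail) are dropped rather than mis-parsed, which matters because the rsyslog configuration later on this page forwards every facility, not only kernel messages.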

Integrating Shorewall Firewall

Before you configure the Shorewall Firewall integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

To configure Shorewall Firewall to send Syslog messages to Sheriff CSM
  1. Open the /etc/shorewall/shorewall.conf file for editing and set the IP_FORWARDING=[On|Off|Keep] parameter. This parameter determines whether Shorewall Firewall enables or disables IPv4 packet forwarding. Possible settings are:

    • On or on: Packet forwarding will be enabled.
    • Off or off: Packet forwarding will be disabled.
    • Keep or keep: Shorewall Firewall will neither enable nor disable packet forwarding. If the IP_FORWARDING parameter is not set, or is set to an empty value, for example, IP_FORWARDING="", then IP_FORWARDING=On is assumed.
  2. Configure rsyslog to send Shorewall log data to Sheriff CSM as shown in the following code sample.

    *.* @@<Sheriff_CSM_IP>:514
    # if you need to forward to other systems as well, just
    # add additional config lines:
    *.* @@other-server.example.net:10514
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
    # The authpriv file has restricted access.
    authpriv.* /var/log/secure
    # Log all the mail messages in one place.
    mail.* /var/log/maillog
    # Log cron stuff
    cron.* /var/log/cron
    # Everybody gets emergency messages
    *.emerg *
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler
    # Save boot messages also to boot.log
    local7.* /var/log/boot.log

    In this example, we forward all messages to the remote system. By applying different filters, however, you can choose to forward only selected entries to the remote system. Note that you can also include as many forwarding actions as you like. For example, if you want to configure a backup central server, you can forward log data to both the remote system and the backup central server using two different forwarding lines.
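The two steps above are easy to get subtly wrong (an empty IP_FORWARDING value, a forwarding line that uses @ instead of @@, or a port that does not match the collector). The following added check (example code, not part of this page or of Sheriff CSM) reads both files as text, resolves the effective IP_FORWARDING value using the empty-or-unset rule stated above, lists every rsyslog forwarding target, and confirms that *.* is forwarded to the collector over TCP on port 514. The file contents, the collector address 192.0.2.50 and the function names are constructed for the example.

```python
import re

# Constructed sample files (not from the page); in real use read
# /etc/shorewall/shorewall.conf and /etc/rsyslog.conf instead.
SHOREWALL_CONF = """
# shorewall.conf excerpt
STARTUP_ENABLED=Yes
IP_FORWARDING=""
"""

RSYSLOG_CONF = """
*.* @@192.0.2.50:514
*.* @@other-server.example.net:10514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
"""

COLLECTOR_IP = "192.0.2.50"   # assumed Sheriff CSM Sensor (Deputy) address


def effective_ip_forwarding(conf_text):
    """Return the IP_FORWARDING setting Shorewall will act on.

    Unset or empty means On, as the page states; if the key appears more
    than once the last assignment wins."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"^IP_FORWARDING=(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    if not value:
        return "On"
    if value.lower() in ("on", "off", "keep"):
        return value.capitalize()
    raise ValueError(f"unrecognized IP_FORWARDING value: {value!r}")


# rsyslog legacy forwarding action: <selector> @host[:port] (UDP) or
# <selector> @@host[:port] (TCP). Port defaults to 514 when omitted.
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?\s*$"
)


def forwarding_targets(rsyslog_text):
    """Extract every forwarding action from rsyslog configuration text."""
    targets = []
    for raw in rsyslog_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if m:
            targets.append({
                "selector": m.group("selector"),
                "transport": "tcp" if m.group("at") == "@@" else "udp",
                "host": m.group("host").strip("[]"),
                "port": int(m.group("port") or 514),
            })
    return targets


def collector_reachable_by_tcp(targets, collector_ip, port=514):
    """True if all messages (*.*) go to the collector over TCP on the expected port."""
    return any(
        t["selector"] == "*.*" and t["transport"] == "tcp"
        and t["host"] == collector_ip and t["port"] == port
        for t in targets
    )


def preflight(shorewall_conf, rsyslog_conf, collector_ip):
    """Summarize both settings in one dict for an operator or a CI check."""
    targets = forwarding_targets(rsyslog_conf)
    return {
        "ip_forwarding": effective_ip_forwarding(shorewall_conf),
        "targets": targets,
        "collector_ok": collector_reachable_by_tcp(targets, collector_ip),
    }


if __name__ == "__main__":
    print(preflight(SHOREWALL_CONF, RSYSLOG_CONF, COLLECTOR_IP))
```

The check insists on @@ (TCP) because a UDP forwarding line silently loses events when the collector is unreachable, and it reports the effective IP_FORWARDING value rather than the literal text so that an empty string is recognized as On, exactly as Shorewall treats it.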

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://shorewall.org/Documentation_Index.html

For troubleshooting, refer to the vendor documentation:

http://shorewall.org/troubleshoot.htm
Topic revision: r10 - 24 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.