
Parser DataSource Firewall Forcepoint (WAF Web Application Firewall)


Here are parsers from our partner Banrisul S.A. from Brazil, by IT Security Analyst Alex_Santos@banrisul.com.br.

Example logs using LEEF mode:

<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Connection_Allowed|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 14:41:58   proto=6   dstPort=3987   srcPort=56383   dst=10.161.112.3   src=10.0.89.23   action=Allow   sender=FW_DC-FILIAIS-Node-A

<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Connection_Allowed|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 14:41:58   proto=6   dstPort=61706   srcPort=80   dst=10.161.120.52   src=10.0.90.12   action=Allow   sender=FW_DC-INTRANET node 1

<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Log_Compress-SIDs|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 10:10:39   originalSituation=FW_New-Connection   sender=FW_DC-ANDARES-Node-A   msg=Compressed 2411 log entries by access rule

<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Log_Compress-SIDs|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 10:10:39   originalSituation=FW_New-Connection   sender=FW_DC-INTRANET node 1   msg=Compressed 3035 log entries by access rule

Parser1:

.*?LEEF.*?\|FORCEPOINT\|Firewall\|.*?\|(.*?)\|.*?\=.*?\=.*?proto\=(\d.*?)\s.*?dstPort=(\d.*?)\s.*?srcPort=(\d.*?)\s.*?(dst\=(\d.*?)\s.*?src\=(\d.*?)\s.*?action\=(.*?)\s.*?sender\=(.*?))$

Parser2:

.*?LEEF.*?\|FORCEPOINT\|Firewall\|.*?\|((?!Connection).*?)\|.*?\=.*?\=.*?\=(.*?)$


Sample screens for mapping:

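As an added example (not part of the post and not Banrisul's own parser), the Python below splits these LEEF lines into header fields and key=value attributes, applies the posted Parser1 verbatim to show which capture group lands on which field, and mirrors Parser2's (?!Connection) routing. It assumes the forum rendering replaced the LEEF tab delimiter with runs of spaces, so the splitter accepts either.

```python
import re

# Constructed sample input: two lines copied from the post (the LEEF attribute
# delimiter is a tab; the forum shows runs of spaces, so both are accepted).
SAMPLE_LOGS = [
    "<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Connection_Allowed|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 14:41:58   proto=6   dstPort=3987   srcPort=56383   dst=10.161.112.3   src=10.0.89.23   action=Allow   sender=FW_DC-FILIAIS-Node-A",
    "<6>LEEF:1.0|FORCEPOINT|Firewall|6.4.3|Log_Compress-SIDs|devTimeFormat=MMM dd yyyy HH:mm:ss   devTime=Nov 28 2018 10:10:39   originalSituation=FW_New-Connection   sender=FW_DC-INTRANET node 1   msg=Compressed 3035 log entries by access rule",
]

# LEEF 1.0 header: [<pri>]LEEF:version|vendor|product|product_version|event_id|attributes
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?LEEF:(?P<version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)
# A tab, or two or more spaces, separates attributes. Single spaces stay inside
# values such as "sender=FW_DC-INTRANET node 1" and the devTimeFormat pattern.
ATTR_SPLIT_RE = re.compile(r"\t|\s{2,}")

# The post's Parser1, verbatim. Group 5 wraps dst..sender, so dst is group 6, not 5.
PARSER1 = re.compile(r".*?LEEF.*?\|FORCEPOINT\|Firewall\|.*?\|(.*?)\|.*?\=.*?\=.*?proto\=(\d.*?)\s.*?dstPort=(\d.*?)\s.*?srcPort=(\d.*?)\s.*?(dst\=(\d.*?)\s.*?src\=(\d.*?)\s.*?action\=(.*?)\s.*?sender\=(.*?))$")
PARSER1_GROUPS = {1: "event_id", 2: "proto", 3: "dstPort", 4: "srcPort",
                  5: "_dst_to_end", 6: "dst", 7: "src", 8: "action", 9: "sender"}

def parse_leef(line):
    """Parse one LEEF line into a dict of header fields plus key=value attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a LEEF line: %r" % line[:40])
    event = {k: v for k, v in m.groupdict().items() if k != "attrs"}
    for field in ATTR_SPLIT_RE.split(m.group("attrs")):
        if "=" in field:
            key, value = field.split("=", 1)
            event[key] = value
    return event

def run_parser1(line):
    """Apply the post's Parser1 and name its capture groups; None if it does not match."""
    m = PARSER1.match(line)
    return {name: m.group(n) for n, name in PARSER1_GROUPS.items()} if m else None

def select_parser(event_id):
    """Parser2's (?!Connection) lookahead: Connection_* events go to Parser1, the rest to Parser2."""
    return "Parser1" if event_id.startswith("Connection") else "Parser2"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_leef(line)
        print(select_parser(ev["event_id"]), ev, run_parser1(line))
```

Parser1 does not match the Log_Compress-SIDs line (no proto= field), which is exactly the gap the second parser covers.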

1 Reply
Reliable Contributor David1111

Re: Parser DataSource Firewall Forcepoint (WAF Web Application Firewall)

Thank you very, very much.

I would recommend next time deleting IP details etc.

You never know who is seeing it on the internet.

Thanks again for the parsers.
