Watchguard Firebox Using Kiwi Syslog Daemon (SANS ISC / DShield)


Summary

Summary: Configure your Watchguard to write its logs in syslog format, then install a program that intercepts the syslog messages and writes them to disk. DShield's CVTWIN can then do the rest of the job.

Download Kiwi Syslog Daemon from the Kiwi site. Be sure to download the Kiwi Syslog SERVICE application (if you are using NT/2K/XP), which runs it as a service so no one has to be logged in. Note that Kiwi is available in both a free and a paid version; the free version will work for our purposes. You can install Kiwi now, but it won't log anything until you configure the Watchguard to log in syslog format, which we cover next.

The firewall must be operating properly and should already be logging to the Watchguard log host. You can verify this by opening the Control Center (the little icon in the system tray that looks like a Firebox); it will show that it is logging to a particular host (see Fig. A). If that is not the case, you'll have to troubleshoot that first.

Fig. A: Watchguard configuration (Control Center showing the log host)

Set Logging

To set the logging:

  1. Open the Policy Manager with your current configuration.
  2. Click Setup, Logging (see Fig. B below).
     Fig. B: Watchguard configuration (Logging setup dialog)
  3. Click the Syslog tab.
  4. Check Enable Syslog Logging.
  5. Enter the IP address of the host you will syslog to (generally the same as the one you are already logging to).
  6. Click OK.
  7. Save the configuration to the Firebox.
  8. See the Watchguard Technical Support document "How can I configure my Firebox to log to a Unix-style syslog server?" for further information.
  9. Now install Kiwi Syslog Daemon, if you haven't already.
  10. There is very little to set up and it should work with the defaults. Open it as the install explains and click Manage, Install the Service. As soon as you start the service, you should see traffic in the syslog console.
  11. Once you have that, go to the directory where you installed it and find the \logs subdirectory. You are looking for a file named syslogcatchall.txt or similar.
  12. Download and install the DShield client as per the DShield instructions.
  13. Run the DShield client to set it up (click Edit, Configure) and fill in the appropriate information. Select Kiwi Watchguard as the firewall and select the logfile (SystemCatchAll.txt, probably) you found above.
  14. Perform a test conversion (File->Convert) and examine the output. Check to see if any filtering needs to be done (filters are on the Edit menu).
  15. When you are satisfied that CVTWIN is converting properly, open Control Panel, open Scheduled Tasks, and create a new task that runs every day as per the DShield instructions. Now you are submitting to DShield!
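The chain this procedure builds is firewall -> UDP syslog -> daemon -> catch-all file on disk -> CVTWIN. As an added illustration (not code from this write-up, from Kiwi, or from DShield), the stand-in below does the daemon's core job for one datagram: it validates the RFC 3164 `<PRI>` header the Firebox sends, appends a tab-separated line to a catch-all file, and checks whether that file is still receiving fresh entries, which is the thing to confirm before scheduling CVTWIN against it. The tab layout, the sample message and the file name are assumptions for illustration, not Kiwi's or Watchguard's exact formats.

```python
"""Minimal syslog-to-catch-all stand-in (illustrative, not Kiwi's code)."""
import re
from datetime import datetime, timedelta
from pathlib import Path

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(datagram: bytes, source_ip: str) -> dict:
    """Split '<PRI>text' into facility/severity/host/message; reject a bad header."""
    m = PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m or int(m.group(1)) > 191:          # 191 = local7.debug, the maximum PRI
        raise ValueError("not a syslog message with a valid <PRI> header")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "host": source_ip, "message": m.group(2).strip()}

def catchall_line(rec: dict, when: datetime) -> str:
    """Assumed tab-separated layout: date, time, Facility.Severity, host, message."""
    return "\t".join([when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S"),
                      f"{rec['facility'].capitalize()}.{rec['severity'].capitalize()}",
                      rec["host"], rec["message"]])

def append_to_catchall(path: Path, line: str) -> None:
    """Append one line to the catch-all file (created on first write)."""
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")

def catchall_is_live(path: Path, now: datetime, max_age: timedelta) -> bool:
    """True if the newest line is no older than max_age: a stale or missing file
    means the firewall -> syslog -> disk chain is broken and CVTWIN would submit nothing."""
    if not path.exists():
        return False
    lines = path.read_text(encoding="utf-8").splitlines()
    if not lines:
        return False
    date, time_ = lines[-1].split("\t")[:2]
    last = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return now - last <= max_age

if __name__ == "__main__":
    # Constructed sample datagram, as a Firebox might emit it (illustrative only).
    rec = parse_syslog(b"<190>firewall: deny in eth0 10.0.0.5 -> 203.0.113.9 tcp 445", "192.168.1.1")
    target = Path("SyslogCatchAll.txt")   # assumed catch-all file name
    append_to_catchall(target, catchall_line(rec, datetime.now()))
    print("live:", catchall_is_live(target, datetime.now(), timedelta(minutes=10)))
```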

Courtesy of

Richard Roy
Network Administrator
JusticeTrax Inc.
royr@justicetrax.com