Anyone using Graylog and UNIFI ZBF?

After updating my UDM Pro to Zone Based Firewalls, Graylog only gets the triggers; I don't get the nice source/destination detailed firewall logs anymore.

Is anyone else seeing the same thing?

Under the system settings then Activity Logging (Syslog) you need to have the “Firewall Default Policy” checked to get all the firewall data.

Thanks Tom, I did verify that I have Default Firewall Policy set in System → Traffic Logging → Activity Logging (Syslog).

It's weird for sure. If I try to hit my gateway over 443, I see the trigger in the UDMP GUI that says blocked by firewall rule X. I see the same trigger in Graylog, but I never get the detailed "source X was blocked to destination Y over port 443".

Any suggestions? Thanks!

One last question: would you say your video from 2 years ago is still good with Graylog 6.2? Thanks again.

Yes, as I note in the video, make sure you are pulling the latest compose file from my GitHub (GitHub - lawrencesystems/graylog: Graylog 6 setup), which I keep up to date. The current version right now is 6.2.

1 Like

Thanks, I'm pretty sure my setup prior to Graylog 6.2 is the root cause of the issue. I also updated Graylog right after the ZBF update. I deleted all of my inputs, indices, streams, and pipelines, and I'm starting from scratch again.

Well, I just figured it out. The triggers coming in were in my time zone, while the network details were in the UTC time zone. I would get the triggers, but the details were 5 hours ago. I only found this after starting from scratch. My user in Graylog has my local time zone; I had to change the input to my local time zone too.

Not sure if there's a better way, but hopefully that helps someone.
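To make the 5-hour shift described above concrete, here is an added example (not code from this thread, from Lawrence Systems' repo, or from Graylog) that parses two constructed syslog lines, one in BSD/RFC 3164 form, which carries no year and no zone, and one in RFC 5424 form, which carries an explicit offset, and shows how the zone a receiving input assumes moves an RFC 3164 event relative to its true time. The sample lines, the arrival timestamp, the year 2025 filled in for the BSD timestamp, and the fixed UTC-5 zone (a stand-in for America/Detroit in January, for hosts without a tz database) are all assumptions made for the example.

```python
"""Show how a syslog timestamp without a zone shifts by the offset between the
zone the sender used and the zone the receiver assumes (added example)."""
import re
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo

# Constructed sample lines, not captured from a UDM Pro. Both describe the same
# event: 14:03:27 local (UTC-5) == 19:03:27 UTC. Fields after the host are illustrative.
SAMPLE_BSD = "<4>Jan 15 14:03:27 UDMPro kernel: [FW-BLOCK] SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=443"
SAMPLE_5424 = "<4>1 2025-01-15T19:03:27Z UDMPro kernel - - - [FW-BLOCK] SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=443"
# Constructed arrival time at the input: two seconds after the true event time.
SAMPLE_ARRIVAL = datetime(2025, 1, 15, 19, 3, 29, tzinfo=timezone.utc)
# Fixed offset used in place of America/Detroit (EST, UTC-5) so the example runs
# even where the IANA tz database is missing; main() uses the real zone.
EST_FIXED = timezone(timedelta(hours=-5))
UTC = timezone.utc

BSD_HEADER = re.compile(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
RFC5424_HEADER = re.compile(
    r"^(?:<\d{1,3}>1 )?(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})) ")


def parse_syslog_time(line: str, assumed_tz: tzinfo = UTC, year: int = 2025) -> datetime:
    """Return the event time as an aware UTC datetime.

    RFC 5424 lines carry their own offset, so assumed_tz is ignored for them.
    RFC 3164 lines carry neither year nor zone; the receiver has to assume both,
    which is the knob an input's timezone setting turns. `year` is an assumption.
    """
    m = RFC5424_HEADER.match(line)
    if m:
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).astimezone(UTC)
    m = BSD_HEADER.match(line)
    if m:
        mon, day, hms = m.groups()
        naive = datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=assumed_tz).astimezone(UTC)
    raise ValueError(f"unrecognised syslog header: {line[:40]!r}")


def display_skew_hours(line: str, sender_tz: tzinfo, receiver_tz: tzinfo) -> float:
    """Hours by which an RFC 3164 event is displayed away from its true time when
    the device stamped it in sender_tz but the input assumes receiver_tz.
    Negative means the event shows up in the past."""
    true_time = parse_syslog_time(line, assumed_tz=sender_tz)
    stored_time = parse_syslog_time(line, assumed_tz=receiver_tz)
    return (stored_time - true_time).total_seconds() / 3600


def whole_hour_skew(event_time: datetime, received_at: datetime,
                    tolerance: timedelta = timedelta(minutes=5)):
    """Compare the parsed event time with the time the line actually arrived.
    Network delay is seconds; a gap that is a whole number of hours (within
    tolerance) is the signature of a zone mismatch. Returns the skew in hours
    (0 when the times agree) or None when the gap is not a whole-hour one."""
    gap = event_time - received_at
    hours = round(gap.total_seconds() / 3600)
    if abs(gap - timedelta(hours=hours)) <= tolerance:
        return hours
    return None


if __name__ == "__main__":
    detroit = ZoneInfo("America/Detroit")  # EST in January, UTC-5
    print("BSD line read as UTC:    ", parse_syslog_time(SAMPLE_BSD))
    print("BSD line read as Detroit:", parse_syslog_time(SAMPLE_BSD, assumed_tz=detroit))
    print("RFC 5424 line:           ", parse_syslog_time(SAMPLE_5424))
    print("skew, local sender / UTC input:", display_skew_hours(SAMPLE_BSD, detroit, UTC), "h")
    print("whole-hour skew vs arrival:", whole_hour_skew(parse_syslog_time(SAMPLE_BSD), SAMPLE_ARRIVAL))
```

The check in `whole_hour_skew` is the quick test to run when triggers and details appear to disagree: compare each message's parsed timestamp with the input's receive time, and a gap of exactly N hours points at the input or container timezone rather than at the device or the firewall rule.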

It should set it based on the time zone settings in my Docker Compose file at lines 66 and 67:

GRAYLOG_TIMEZONE: "America/Detroit"
TZ: "America/Detroit"

Having them in there twice is not a mistake, it fixes the issue you described.

1 Like

Thanks, I originally changed it in my account but not in the server config. I saw in their YouTube tutorial that they set the local TZ in the config too. Thx.