Logging UDM PRO to Graylog or others

Now that more folks are reviewing the new Zone based firewall in the UDM, has anyone been looking at how the logging looks when sending the firewall rule events to Graylog? Under pfSense I have built some very good dashboards for their firewall rules and am looking to do the same with the UDM thanks to Tom’s excellent Graylog YouTube video.

At some point I will build some new Graylog import parsers, unless someone gets that done before I do and shares them.

I would love to see how you have graylog setup with your zone based firewall rules.

As stated in my other post, pre-ZBF, Graylog was awesome and caught everything. Now that I upgraded, I only get triggers. I’m wondering if the setup in Graylog has to change too.

Nope, you just have to put the Graylog IP in the SIEM settings and check all the boxes.

That’s what I figured. I’ve had it set up for over a year with pre zone based firewall rules and it worked great. I can’t get anything meaningful from my firewall rules since the upgrade.

There is a lot of data, just not the detail behind the blocks. I only get the same trigger info that’s in the UDM GUI, so it’s not too helpful since it lacks the source/destination port info.
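To make the parser idea from the opening post concrete, and to give a way to measure the missing-port problem described in the last post, here is an added example that is not from this thread or from Ubiquiti or Graylog. It assumes the netfilter-style kernel log format UniFi gateways have used for firewall events (a `[RULE-TAG]` followed by `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` pairs); the sample lines are constructed, and the function names are hypothetical. It does in Python what a Graylog extractor or pipeline rule would do, and then counts how many events lack source/destination ports, which is the gap to check for after the ZBF upgrade.

```python
import re
from typing import Dict, List, Optional

# Rule tag that netfilter-style firewall logs prefix to each event, e.g.
# "[LAN_IN-RET-2001]". Assumption: the UDM emits this style; adjust the
# pattern if your gateway's lines look different.
RULE_TAG_RE = re.compile(r"\[(?P<tag>[^\]]+)\]")

# key=value pairs; values may be double-quoted (DESCR="Block Guest to LAN")
# or bare (SRC=192.168.10.55). Keywords such as DF or SYN carry no '='.
KV_RE = re.compile(r'(?P<key>[A-Z]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

FLAG_TOKENS = ("DF", "SYN", "ACK", "FIN", "RST")

# Constructed sample syslog lines: one TCP block with ports, one ICMP block
# (netfilter logs TYPE=/CODE= instead of ports), one unrelated DHCP line.
SAMPLE_LINES = [
    '<4>Mar 10 12:00:00 UDM-Pro kernel: [LAN_IN-RET-2001] DESCR="Block Guest to LAN" '
    "IN=br1 OUT=br0 MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 "
    "SRC=192.168.10.55 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF "
    "PROTO=TCP SPT=51234 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0",
    '<4>Mar 10 12:00:01 UDM-Pro kernel: [LAN_IN-RET-2002] DESCR="Block ping" '
    "IN=br1 OUT=br0 SRC=192.168.10.55 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "<30>Mar 10 12:00:02 UDM-Pro dnsmasq-dhcp[1234]: DHCPACK(br0) 192.168.1.20 "
    "aa:bb:cc:dd:ee:ff laptop",
]


def parse_firewall_line(line: str) -> Optional[Dict[str, str]]:
    """Flatten one syslog line into a dict of lower-cased fields.

    Returns None when the line is not a firewall event (no SRC= field).
    """
    tag_match = RULE_TAG_RE.search(line)
    fields: Dict[str, str] = {}
    if tag_match:
        fields["rule"] = tag_match.group("tag")
    # Parse only the text after the tag so the syslog prefix cannot
    # produce stray key=value hits.
    body = line[tag_match.end():] if tag_match else line
    for m in KV_RE.finditer(body):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key").lower()] = value
    if "src" not in fields:
        return None
    # Standalone IP/TCP flag tokens (DF, SYN, ...) are collected separately.
    tokens = set(body.split())
    fields["flags"] = ",".join(sorted(t for t in FLAG_TOKENS if t in tokens))
    return fields


def has_port_detail(rec: Dict[str, str]) -> bool:
    """True when the event carries both source and destination ports."""
    return "spt" in rec and "dpt" in rec


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count firewall events and how many lack the port detail dashboards need."""
    parsed = [r for r in (parse_firewall_line(l) for l in lines) if r]
    with_ports = sum(1 for r in parsed if has_port_detail(r))
    return {
        "events": len(parsed),
        "with_ports": with_ports,
        "without_ports": len(parsed) - with_ports,
    }


if __name__ == "__main__":
    for rec in filter(None, map(parse_firewall_line, SAMPLE_LINES)):
        print(rec.get("rule"), rec["src"], "->", rec["dst"],
              rec.get("proto"), rec.get("spt", "-"), rec.get("dpt", "-"))
    print(summarise(SAMPLE_LINES))
```

Run it against a file of real lines exported from Graylog (one line per event) and the `without_ports` count tells you directly whether the gateway is still sending the full netfilter detail or only the trigger summary; an ICMP event legitimately has no ports, so compare the count against `proto` before concluding the upgrade dropped fields.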