
Monitor Firewall Logs Ingestion


Hi, we have firewall logs going into the CEF table. I would like to monitor and alert if any of the firewalls stops ingesting. Is anyone using a KQL query / custom NRT rule for this? Thanks

1 Reply

Solution (best response confirmed by gsingh_)

Hi @gsingh_,

The following KQL will be a nice basis for your alert.

Here's a version that you can use as NRT:

CommonSecurityLog
//| where DeviceProduct == "Some unique identifier"
| count
| where Count == 0
//| extend AlertText = "No Firewall Logs were ingested in the last minute."
If you have multiple types of CommonSecurityLog devices logging to the table, you will need to specify some unique identifier for your Firewall logs on line 2 based on the DeviceProduct column, but there may be a more appropriate column for this in your logs. I also added an AlertText on line 5 that may be useful to set as a Custom Detail. Since they're both optional to a working solution, I commented them out in my examples.
Depending on your set-up, this rule may be too sensitive. NRT rules run every minute, and some variation in ingestion speed is to be expected in normal set-ups. Here's a version that can be deployed as a Scheduled rule instead:
CommonSecurityLog
//| where DeviceProduct == "Some unique identifier"
| where ingestion_time() > ago(15m)
| count
| where Count == 0
//| extend AlertText = "No Firewall Logs were ingested in the last 15 minutes."

Let me know if you have any questions!

Kind regards,

Rutger Smeets
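The two queries above alert when the whole CommonSecurityLog table goes quiet, which will not catch a single firewall dropping out while the others keep logging. The following is an added example, not part of Rutger's answer, that extends the same idea to a per-device check for a Scheduled rule: every expected firewall must have had a record ingested within the last 15 minutes, and a device that has never reported in the lookback window is flagged too (a plain `summarize ... by DeviceName` alone would silently omit it). The device names in the `datatable`, the `DeviceProduct` filter and the 15-minute / 1-day thresholds are assumptions to adjust for your environment.

```kql
// Added example (not from the original post): per-device CEF ingestion gap check.
// Intended for a Scheduled rule running every 15 minutes with a query period of at least 1 day.
let lookback = 1d;      // how far back we look for a device's most recent record
let maxSilence = 15m;   // alert when a device has been silent for this long
// Constructed list of firewalls that must always be logging (hypothetical names).
let expectedDevices = datatable(DeviceName:string)
[
    "fw-edge-01",
    "fw-edge-02",
    "fw-dc-01"
];
// Most recent ingestion time per device, using ingestion_time() rather than TimeGenerated
// so that late-arriving events with old device timestamps do not mask a real outage.
let lastSeen = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    //| where DeviceProduct == "Some unique identifier"   // narrow to your firewall product if other CEF sources share the table
    | summarize LastIngested = max(ingestion_time()) by DeviceName;
expectedDevices
| join kind=leftouter lastSeen on DeviceName          // leftouter keeps devices with no records at all
| where isnull(LastIngested) or LastIngested < ago(maxSilence)
| extend SilentFor = iff(isnull(LastIngested), lookback, now() - LastIngested)
| project
    DeviceName,
    LastIngested,
    SilentFor,
    AlertText = strcat("No CEF logs ingested from ", DeviceName,
                       " in the last ", format_timespan(SilentFor, "d.hh:mm:ss"))
```

Each output row is one silent firewall, so map `DeviceName` to an entity and `AlertText` to a custom detail and the rule will raise one alert per device rather than one aggregate alert. Keep the `lookback` at or above the rule's query period; if the `datatable` becomes unwieldy, a Sentinel watchlist queried with `_GetWatchlist()` serves the same purpose. As with the 15-minute query above, `maxSilence` should be generous enough to absorb normal ingestion latency, or the rule will fire on delays rather than outages.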
