Configuring the Firewall Log Analyzer app

The Firewall Log Analyzer works much like an Intrusion Detection System, but without the purchase and installation of a dedicated appliance. If you already have an IDS/IPS, the app can help you interpret its logs as well.

You will configure the app so that one of your RocketCyber-connected computers receives your firewall's logs; the firewall analysis software on that machine then identifies malicious traffic, data leaks, and various reconnaissance and attack patterns. Any detected event triggers an immediate alert, which appears on your RocketCyber dashboard.

To configure the Firewall Analyzer, follow these steps:

  • Go to an organization.

Note: This app must be configured at the organization level. Configuring at this level allows you to send each organization's logs to one of their own machines for processing if this is necessary for business or compliance reasons.

  • Click Configure at the bottom to set up the Firewall Log Analyzer app.

  • In the Firewall Log Analyzer App Configuration page, there are numerous configuration options available. Start with the Syslog Configuration tab. This tab configures the selected agent as a Syslog server that will receive data from your firewall devices. 

    Here, we will configure the options to turn an installed RocketAgent into a Syslog server to collect firewall log data:

Setting / Action

Syslog Server Device: Select which of your RocketCyber-connected computers will serve as the Syslog server that collects the data.

Syslog Server IP: The IP address of the Syslog Server Device. Copy this address into the syslog forwarding settings on your firewall.

Syslog Server Port: The port the Syslog Server Device listens on for firewall logs. We recommend the default, port 514.

Syslog Server Protocol: Choose whether to receive logs over tcp or udp. We recommend the default, udp. Keep in mind that udp is fire-and-forget: a dropped datagram produces no error on either side, so if you must not miss lines under heavy load, choose tcp.

Max Daily Results: If you are concerned about an overwhelming amount of data in your RocketCyber account, this setting limits the number of results reported per day.

Save Copy of Logs to Monitoring Device Hard Drive, and Maximum Allowed Size for Local Log Save (in GB): These options save a copy of the logs to the local hard drive of the processing machine and cap the size of that copy. Note: Saving logs may impact system performance, and saving stops when the limit is reached; older files are not overwritten.

Don't Report Events Lower Than This Priority: To avoid being flooded by low-priority events (for example, a blocked malicious email attachment), this setting drops events whose syslog severity is below the chosen level. The default is error, which suppresses warning, notice, info and debug events. Switch it to info or debug during an active attack, or to verify that logs are arriving at all. Events produced by reputation IP lookups are exempt and are reported regardless of this filter.

All connection events are informational by nature. If you have reputation lookups enabled, it is assumed you want to be warned of attacks, so those alerts are passed through even though the underlying events are informational. If you do not want this, turn off the Reputation lookup on connecting IPs toggle under the firewall brand tab.

Non-firewall devices such as switches, routers, or access points may register as firewalls. They can be excluded and then deleted from the firewall registration list.

  • When you finish, remember to click Create or Update in the lower-right corner to save your configuration settings.
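The two parts of this procedure that most often go wrong are the syslog path from the firewall to the agent and the meaning of the priority floor. The following Python script is an added example, not RocketCyber's code, and uses nothing from the app's internals. It parses the leading PRI field of forwarded syslog lines into facility and severity (RFC 5424 numbering), applies a threshold the way the Don't Report Events Lower Than This Priority setting is described above, and includes a loopback send/receive helper you can point at the real Syslog Server IP and port instead to confirm that lines actually arrive. The sample log lines are constructed, and all function and constant names are this example's own.

```python
"""Check the syslog path the Firewall Log Analyzer relies on.

Two things worth verifying before trusting the dashboard:
  1. that the firewall's forwarded lines carry a parseable syslog PRI, and
  2. what the 'Don't Report Events Lower Than This Priority' floor keeps.
The sample lines below are constructed for this example.
"""
import re
import socket

# RFC 5424 severity codes, index == code (0 is most severe). The names
# match the threshold names used on the configuration page.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

# RFC 5424 facility codes 0..23.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines, as a firewall might forward them.
SAMPLE_LINES = [
    "<11>Oct 11 22:14:15 fw01 ids: port scan from 203.0.113.5",            # user.error
    "<12>Oct 11 22:14:16 fw01 fw: geo-block 198.51.100.7",                 # user.warning
    "<134>Oct 11 22:14:17 fw01 fw: ACCEPT 192.0.2.10 -> 192.0.2.20:443",   # local0.info
    "<135>Oct 11 22:14:18 fw01 fw: state table 1200 entries",              # local0.debug
    "not syslog at all",                                                   # no PRI
]


def parse_pri(line):
    """Split the leading <PRI> into facility and severity.

    PRI = facility * 8 + severity. Returns None when there is no valid PRI,
    which usually means the sender is not speaking syslog at all.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "severity_code": severity,
        "message": line[m.end():],
    }


def should_report(line, threshold="error"):
    """Keep events at or above `threshold`.

    'Lower priority' means a numerically larger severity code, so the
    default 'error' (3) drops warning (4) through debug (7). Lines without
    a PRI are kept so that a misconfigured sender is noticed, not hidden.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed["severity_code"] <= SEVERITY_NAMES.index(threshold)


def filter_events(lines, threshold="error"):
    """Return only the lines the priority floor would report."""
    return [line for line in lines if should_report(line, threshold)]


def loopback_check(message, proto="udp"):
    """Send one syslog line to a local listener and return what arrived.

    Binds an ephemeral port on 127.0.0.1. To test the real path, run the
    sending half against the Syslog Server IP and port from the app instead.
    """
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        port = srv.getsockname()[1]
        if proto == "tcp":
            srv.listen(1)
        with socket.socket(socket.AF_INET, kind) as cli:
            cli.settimeout(2)
            if proto == "tcp":
                cli.connect(("127.0.0.1", port))
                cli.sendall(message.encode() + b"\n")  # newline framing over TCP
                conn, _ = srv.accept()
                with conn:
                    data = conn.recv(4096)
            else:
                cli.sendto(message.encode(), ("127.0.0.1", port))
                data, _ = srv.recvfrom(4096)
    return data.decode().rstrip("\n")


if __name__ == "__main__":
    for threshold in ("error", "info"):
        print(threshold, "keeps", len(filter_events(SAMPLE_LINES, threshold)), "of", len(SAMPLE_LINES))
    print("udp loopback:", loopback_check(SAMPLE_LINES[0]))
    print("tcp loopback:", loopback_check(SAMPLE_LINES[0], proto="tcp"))
```

Run it on the Syslog Server Device itself first; if the loopback check works but nothing arrives from the firewall, the problem is the firewall's forwarding target, a host firewall rule on the agent machine, or a mismatch between the port and protocol chosen here and the ones configured on the firewall.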

Troubleshooting articles