Note: The Firewall Log Analyzer app is only configurable at the organization level.
If you are seeing the error below, follow the steps in this article to resolve the issue:
Agent failed to bind port : [string "-- Firewall Log Analyzer..."]:6824: address already in use
1. Navigate to Organization Settings.
2. Navigate to the Details and Settings tab > Agent Verbosity.
3. Change the setting to Debug, then scroll to the bottom of the page and save.
4. In both the firewall's configuration for the syslog server and the Firewall Log Analyzer app, change the default port of 514 to a different port number that is under 1000.
NOTE: There have been known issues with dropped packets when using a UDP port above 1000.
5. Restart the agent in Services on the syslog machine.
6. On the syslog machine, navigate to c:\programfiles\rocketagent\logs and open the syslogsvr.txt file. Scroll to the bottom of the file; there should be an entry registering the firewall.
This will vary depending on the brand of firewall, for example:
[2022-12-21][11:55:16][03:29:27] [debug] syslogsvr: determined is a fortinet firewall
[2022-12-21][11:55:16][03:29:27] [debug] syslogsvr: register_firewall - excluding as this is a known device, exit.
Entries for raw_syslog should also begin to populate:
[2022-12-21][11:55:17][03:29:28] [debug] syslogsvr: raw_syslog: <189>date=2022-12-21 time=11:54:46 devname="xxxxx-xxxxx" devid="xxxxxxxxxxxxxxxx" eventtime=1671645285534350906 tz="-0600"
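To confirm the outcome of step 6 without reading the whole file by hand, and to pre-check whether the chosen UDP port can still be bound (the condition behind the "address already in use" error), here is an added Python example; it is not part of this article or of the agent. It parses the syslogsvr.txt debug lines quoted above, decodes the syslog PRI on each raw_syslog record, and reports whether a brand was determined and records are flowing; the sample log is constructed from the article's own lines.

```python
import re
import socket

# Constructed sample of syslogsvr.txt at Debug verbosity, built from the lines
# quoted in the article above (device names were already masked there).
SAMPLE_LOG = """\
[2022-12-21][11:55:16][03:29:27] [debug] syslogsvr: determined is a fortinet firewall
[2022-12-21][11:55:16][03:29:27] [debug] syslogsvr: register_firewall - excluding as this is a known device, exit.
[2022-12-21][11:55:17][03:29:28] [debug] syslogsvr: raw_syslog: <189>date=2022-12-21 time=11:54:46 devname="xxxxx-xxxxx" devid="xxxxxxxxxxxxxxxx" eventtime=1671645285534350906 tz="-0600"
"""

BRAND_RE = re.compile(r"syslogsvr: determined is a (\w+) firewall")
RAW_RE = re.compile(r"syslogsvr: raw_syslog: <(\d{1,3})>(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="value with spaces"


def udp_port_in_use(port, host="0.0.0.0"):
    """Pre-check for the bind error in the article: True if a UDP bind on port fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def detect_brand(log_text):
    """Brand syslogsvr determined for the sending device, or None if none was logged yet."""
    m = BRAND_RE.search(log_text)
    return m.group(1) if m else None


def parse_raw_syslog(log_text):
    """Turn each raw_syslog entry into its facility/severity and key=value fields."""
    records = []
    for line in log_text.splitlines():
        m = RAW_RE.search(line)
        if not m:
            continue
        pri = int(m.group(1))  # RFC 3164 PRI = facility * 8 + severity
        fields = {k: (q if whole.startswith('"') else whole)
                  for k, whole, q in KV_RE.findall(m.group(2))}
        records.append({"facility": pri >> 3, "severity": pri & 7, "fields": fields})
    return records


def verify_log(log_text):
    """Summary to check after step 6: brand seen, registration seen, records flowing."""
    return {
        "brand": detect_brand(log_text),
        "registered": "register_firewall" in log_text,
        "raw_syslog_records": len(parse_raw_syslog(log_text)),
    }
```

Run `verify_log` on the tail of the real syslogsvr.txt, and `udp_port_in_use(514)` on the syslog machine before restarting the agent; the example does not need the agent to be installed.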
Depending on the brand of firewall, only a specific set of security-related events will populate into the app, and only when they occur. The list for each brand is located under the Firewall Log Analyzer configuration; click the tab for the particular firewall being used. Other raw logs are parsed and filtered out, and will not populate into the app.