DEV Community

Carrie

Integrating SafeLine WAF Syslog with Prometheus and Grafana

SafeLine WAF offers a powerful logging capability through Syslog, which enables integration with a variety of third-party monitoring and visualization tools. This guide explains how to leverage SafeLine’s Syslog output to feed data into a Prometheus + Grafana stack, allowing for real-time observability of web application firewall events.

Why Integrate with Prometheus and Grafana?

  • Prometheus is an open-source monitoring and alerting toolkit.
  • Grafana is a visualization tool that can be used to display data stored in Prometheus.

Together, they provide:

  • Real-time monitoring of WAF events
  • Custom dashboards
  • Alerts on suspicious activities or anomalies

Step 1: Configure SafeLine to Output Syslog

Edit the SafeLine WAF configuration to enable and point Syslog output to a log forwarder or log collector.

# /path/to/safeline/config.yaml
logging:
  syslog:
    enabled: true
    server: "127.0.0.1"
    port: 514
    protocol: "udp"
    tag: "safeline"

🔒 Note: Ensure that the Syslog server (e.g., rsyslog, syslog-ng) is running and can receive logs from SafeLine.

Step 2: Use Promtail or Fluentd to Collect Logs

SafeLine does not export metrics in Prometheus format directly, so you’ll need to convert Syslog messages into metrics using a log processor such as Promtail (from the Loki stack) or Fluentd.

Option 1: Promtail + Loki

  • Install Promtail and configure it to read from the syslog output file.
  • Forward logs to Loki.
  • Configure Grafana to read data from Loki.

# promtail-config.yaml
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
  - job_name: syslog
    static_configs:
      - targets:
          - localhost
        labels:
          job: safeline
          __path__: /var/log/safeline/syslog.log

Option 2: Fluentd + Prometheus Exporter

Use Fluentd with a plugin like fluent-plugin-prometheus to convert log entries into Prometheus metrics.

<source>
  @type syslog
  port 514
  bind 0.0.0.0
  tag safeline
</source>

# Expose the /metrics endpoint for Prometheus to scrape (plugin default port 24231)
<source>
  @type prometheus
</source>
# Count every SafeLine event; ${key} placeholders read fields from the parsed record
<filter safeline.**>
  @type prometheus
  <metric>
    name safeline_events_total
    type counter
    desc Total number of SafeLine WAF events
    <labels>
      event_type ${event_type}
      source_ip ${source_ip}
    </labels>
  </metric>
</filter>

# Events are counted in the filter; terminate the stream here (or route to a file/Loki)
<match safeline.**>
  @type null
</match>

Step 3: Visualize in Grafana

  1. Add Prometheus (or Loki) as a data source in Grafana.
  2. Create custom dashboards using queries like:
     safeline_events_total{event_type="bot_block"}
  3. Set up alerts based on thresholds for event counts, source IPs, rule matches, etc.
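
To make the Step 2 conversion and the Step 3 query concrete, here is an added example (not part of the original post or of SafeLine) that parses Syslog lines into the `safeline_events_total{event_type, source_ip}` counter and renders it in Prometheus text exposition format. The sample lines are constructed, and the assumption that SafeLine's Syslog message body is a JSON object with `event_type` and `source_ip` keys is mine; adapt `parse_line` to the real message format.

```python
import json
import re
from collections import Counter

# RFC 3164 style line "<pri>Mon dd hh:mm:ss host tag[pid]: message" (format assumed)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input; the JSON payload keys are an assumption, not SafeLine's documented format
SAMPLE_LINES = [
    '<134>Jun 10 12:00:01 waf safeline: {"event_type": "bot_block", "source_ip": "203.0.113.5"}',
    '<134>Jun 10 12:00:02 waf safeline: {"event_type": "bot_block", "source_ip": "203.0.113.5"}',
    '<134>Jun 10 12:00:03 waf safeline: {"event_type": "sqli", "source_ip": "198.51.100.7"}',
    '<134>Jun 10 12:00:04 waf sshd[42]: Accepted publickey for ops',  # different tag, ignored
    'garbage line without a syslog header',                            # malformed, ignored
]

def parse_line(line):
    """Return (event_type, source_ip) for a SafeLine event line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != "safeline":
        return None
    try:
        rec = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    # Missing fields become "unknown" so a malformed event is still counted, not silently lost
    return (str(rec.get("event_type", "unknown")), str(rec.get("source_ip", "unknown")))

def count_events(lines):
    """Aggregate safeline_events_total by (event_type, source_ip) label pair."""
    counts = Counter()
    for line in lines:
        labels = parse_line(line)
        if labels:
            counts[labels] += 1
    return counts

def _escape(value):
    """Escape a label value as the exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def render_exposition(counts):
    """Render the counter in Prometheus text format; note source_ip is a high-cardinality label."""
    out = ["# HELP safeline_events_total Total SafeLine WAF events by type and source.",
           "# TYPE safeline_events_total counter"]
    for (event_type, source_ip), n in sorted(counts.items()):
        out.append(f'safeline_events_total{{event_type="{_escape(event_type)}",'
                   f'source_ip="{_escape(source_ip)}"}} {n}')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_exposition(count_events(SAMPLE_LINES)))
```

Serving `render_exposition` over HTTP at `/metrics` is all that is needed for Prometheus to scrape it, after which the Grafana query `safeline_events_total{event_type="bot_block"}` from Step 3 returns the bot_block series.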

Example Use Cases

  • Detect brute-force attempts over time
  • Monitor IPs triggering rate limiting
  • Alert on spikes in WAF-detected threats

Conclusion

By integrating SafeLine WAF's Syslog output with Prometheus and Grafana (or Loki), security teams gain deep visibility into traffic trends and anomalies in real time. This setup enhances incident response, auditability, and overall web application security posture.
