SafeLine WAF offers a powerful logging capability through Syslog, which enables integration with a variety of third-party monitoring and visualization tools. This guide explains how to leverage SafeLine’s Syslog output to feed data into a Prometheus + Grafana stack, allowing for real-time observability of web application firewall events.
Why Integrate with Prometheus and Grafana?
- Prometheus is an open-source monitoring and alerting toolkit.
- Grafana is a visualization tool that can be used to display data stored in Prometheus.
Together, they provide:
- Real-time monitoring of WAF events
- Custom dashboards
- Alerts on suspicious activities or anomalies
Step 1: Configure SafeLine to Output Syslog
Edit the SafeLine WAF configuration to enable and point Syslog output to a log forwarder or log collector.
# /path/to/safeline/config.yaml
logging:
  syslog:
    enabled: true
    server: "127.0.0.1"
    port: 514
    protocol: "udp"
    tag: "safeline"
🔒 Note: Ensure that the Syslog server (e.g., rsyslog, syslog-ng) is running and can receive logs from SafeLine. Syslog over UDP is neither encrypted nor acknowledged, so keep the receiver on the WAF host (as in the 127.0.0.1 example above) or switch to TCP with TLS if the collector lives on another machine.
Step 2: Use Promtail or Fluentd to Collect Logs
SafeLine does not export metrics in Prometheus format directly, so you'll need a log processor in between: either Promtail (from the Loki stack) to ship the Syslog messages into Loki as logs, or Fluentd to turn them into Prometheus metrics.
Option 1: Promtail + Loki
- Install Promtail and configure it to read from the syslog output file.
- Forward logs to Loki.
- Configure Grafana to read data from Loki.
# promtail-config.yaml
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: /tmp/positions.yaml
clients:
  - url: http://localhost:3100/loki/api/v1/push
scrape_configs:
  - job_name: syslog
    static_configs:
      - targets:
          - localhost
        labels:
          job: safeline
          __path__: /var/log/safeline/syslog.log
Option 2: Fluentd + Prometheus Exporter
Use Fluentd with a plugin like fluent-plugin-prometheus to convert log entries into Prometheus metrics. Be careful with which record fields you promote to labels: a label such as source_ip takes one value per client address, which is unbounded cardinality for Prometheus; keep high-cardinality fields in Loki (or a separate table) and label the metric only with bounded values such as event_type.
<source>
  @type syslog
  port 514
  bind 0.0.0.0
  # records are tagged safeline.<facility>.<severity>, matched by safeline.** below
  tag safeline
</source>
# Expose /metrics (default port 24231) for Prometheus to scrape
<source>
  @type prometheus
  port 24231
</source>
<match safeline.**>
  @type prometheus
  <metric>
    name safeline_events_total
    type counter
    desc WAF events by type and source IP
    # ${field} references a field of the parsed record; the field must exist there
    <labels>
      event_type ${event_type}
      source_ip ${source_ip}
    </labels>
  </metric>
</match>
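To make the conversion step concrete, here is an added example (not SafeLine's or Fluentd's code) that does in plain Python what the Fluentd output does: it parses Syslog lines, counts them into the safeline_events_total counter queried in Step 3, and renders the Prometheus text format. The line layout (RFC 3164 header followed by a key=value payload) and the sample lines are constructed assumptions, since the page does not show SafeLine's actual message format; source_ip is counted in a side table instead of a label for the cardinality reason given above.

```python
import re
from collections import Counter

# Constructed sample lines (not real SafeLine output): RFC 3164 header + key=value payload.
SAMPLE_LINES = [
    "<134>Jun 12 10:01:02 waf safeline: event_type=bot_block source_ip=203.0.113.7 rule_id=1001",
    "<134>Jun 12 10:01:03 waf safeline: event_type=sqli_block source_ip=203.0.113.7 rule_id=2002",
    "<134>Jun 12 10:01:04 waf safeline: event_type=bot_block source_ip=198.51.100.9 rule_id=1001",
    "<134>Jun 12 10:01:05 waf other: event_type=ignored source_ip=10.0.0.1",  # other tag: skipped
    "garbage line without a syslog header",                                   # malformed: skipped
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                          # PRI = facility * 8 + severity
    r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "   # BSD timestamp
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_syslog_line(line, tag="safeline"):
    """Payload fields of one line, or None if it is malformed or carries another tag."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != tag:
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    fields["_severity"] = int(m.group("pri")) % 8   # <134> is local0.info, severity 6
    return fields

def aggregate(lines):
    """Count events per event_type (the metric) and per source_ip (a side table).
    source_ip is deliberately not a metric label: one label value per client IP is
    unbounded cardinality for Prometheus."""
    by_type, by_ip = Counter(), Counter()
    for line in lines:
        fields = parse_syslog_line(line)
        if fields is None:
            continue
        by_type[fields.get("event_type", "unknown")] += 1
        by_ip[fields.get("source_ip", "unknown")] += 1
    return by_type, by_ip

def render_metrics(by_type):
    """Prometheus text exposition format, as a /metrics handler would serve it."""
    out = ["# HELP safeline_events_total WAF events by type.",
           "# TYPE safeline_events_total counter"]
    for etype, n in sorted(by_type.items()):
        out.append(f'safeline_events_total{{event_type="{etype}"}} {n}')
    return "\n".join(out) + "\n"
```

Serving render_metrics() from an HTTP endpoint and scraping it with Prometheus gives the same safeline_events_total series the Fluentd exporter would produce; by_ip.most_common() covers the "IPs triggering rate limiting" use case without inflating the metric.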
Step 3: Visualize in Grafana
- Add Prometheus (or Loki) as a data source in Grafana.
- Create custom dashboards. With the Prometheus metrics from Option 2, use PromQL queries like:
  safeline_events_total{event_type="bot_block"}
  With Loki from Option 1, the same data is queried with LogQL instead, since Loki stores log lines rather than metrics.
- Set up alerts based on thresholds for event counts, source IPs, rule matches, etc.
Example Use Cases
- Detect brute-force attempts over time
- Monitor IPs triggering rate limiting
- Alert on spikes in WAF-detected threats
Conclusion
By integrating SafeLine WAF's Syslog output with Prometheus and Grafana (or Loki), security teams gain deep visibility into traffic trends and anomalies in real time. This setup enhances incident response, auditability, and overall web application security posture.