How to Collect Firewall Logs in Wazuh

Firewall logs are one of the most critical telemetry sources in modern security monitoring.

They capture every allowed, denied, and inspected connection attempt traversing a network boundary, making them essential for detecting intrusion attempts, lateral movement, and policy violations.

In practice, firewall logs typically include metadata such as source/destination IPs, ports, protocols, rule actions (allow/deny), and sometimes application-layer context.

When centralized properly, they become a high-fidelity dataset for threat detection and compliance reporting.

Wazuh acts as a centralized security monitoring platform capable of ingesting, normalizing, and analyzing firewall logs from multiple vendors and environments.

It achieves this through a combination of agents, syslog listeners, decoders, and correlation rules.

Wazuh supports firewall log ingestion from a wide range of sources, including:

• Linux firewalls (iptables, nftables)
• Network appliances (Palo Alto Networks, Fortinet)
• Open-source firewalls like pfSense
• Windows Defender Firewall logs
• Cloud-native firewall and VPC flow logs (AWS, Azure, GCP)

By centralizing these logs, Wazuh enables correlation across endpoints, network devices, and cloud infrastructure.

For background on Wazuh’s log processing model, see the official documentation on log analysis and rules: Wazuh Log Analysis Documentation

Related reading:

• How to Install a Wazuh Agent on Windows Server
• How to Monitor AWS CloudTrail Logs Using Wazuh

Architecture of Firewall Log Collection in Wazuh

Firewall log collection in Wazuh follows a structured pipeline designed for scalability, normalization, and correlation.

Log flow: Firewall → Wazuh Agent → Wazuh Manager → Indexer → Dashboard

At a high level, firewall telemetry flows through the following stages:

1. Firewall device generates logs
   • Events are created based on rule evaluation (allow/deny/drop/inspect)
2. Wazuh Agent or syslog collector receives logs
   • Either reads local log files or receives syslog streams
3. Wazuh Manager processes logs
   • Applies decoders to extract structured fields
   • Matches rules for alert generation
4. Indexer stores normalized events
   • Events are indexed for search and analytics
5. Dashboard visualizes alerts
   • Security analysts view trends, anomalies, and alerts

This pipeline is designed to maintain separation between ingestion, processing, and visualization layers, improving scalability and resilience.

File-based logs vs syslog ingestion

Wazuh supports two primary ingestion models for firewall logs:

File-based ingestion

• Logs written locally on firewall or proxy systems
• Wazuh agent tails log files (e.g., /var/log/iptables.log)
• Common for Linux-based firewalls

Syslog ingestion

• Firewalls forward logs in real time via UDP/TCP syslog
• Wazuh manager or a log collector receives events directly
• Preferred for enterprise appliances like Fortinet or Palo Alto

Syslog is generally more scalable and lower latency, while file-based collection is simpler for smaller environments.

 Decoders, rules, and alert generation pipeline

Once logs reach the Wazuh manager, they go through a structured processing chain:

• Decoders
  • Extract structured fields (IP, port, action, protocol)
  • Normalize vendor-specific formats into a common schema
• Rules engine
  • Evaluates decoded events against predefined conditions
  • Detects suspicious patterns (port scans, brute force attempts, policy violations)
• Alert generation
  • High-confidence matches generate alerts
  • Alerts are enriched with metadata for dashboards and SIEM correlation

This pipeline is where Wazuh firewall monitoring becomes actionable security intelligence rather than raw log storage.

Related posts:

• How to Create Custom Detection Rules in Wazuh (With Examples)
• How to Reduce False Positives in Wazuh

Where firewall logs are stored and indexed

After processing, firewall logs are:

• Stored in the Wazuh indexer (OpenSearch-based backend)
• Indexed for fast querying and correlation
• Made available in the Wazuh dashboard for visualization and alert triage

Storage typically includes:

• Raw event data
• Parsed fields (source/destination IP, action, rule ID)
• Enriched metadata (MITRE ATT&CK mapping, severity levels)

Prerequisites for Collecting Firewall Logs

Before configuring firewall log ingestion in Wazuh, several prerequisites must be in place to ensure reliable and secure data collection.

Installed and running Wazuh manager and agent

A functional Wazuh deployment must include:

• A running Wazuh manager instance
• At least one Wazuh agent installed on a monitored system
• Proper communication between agent and manager (ports 1514/1515 typically)

Without this foundation, log ingestion and alert generation will not function correctly.

Related guide:

• How to Install a Wazuh Agent on Windows Server

Firewall device logging enabled (syslog or local log file output)

Firewall logging must be explicitly enabled on the target device:

• Syslog forwarding configured (preferred for enterprise firewalls)
• Local logging enabled for file-based collection
• Correct log verbosity (ensure deny/allow events are included)

Without proper logging configuration, Wazuh cannot ingest meaningful firewall telemetry.

Network connectivity between firewall and Wazuh components

Ensure:

• Firewall can reach Wazuh manager (or syslog collector)
• Required ports are open (UDP/TCP 514 for syslog, or custom ports)
• No firewall rules are blocking log transmission

This is a common failure point in distributed environments.

Basic understanding of Wazuh configuration files (ossec.conf)

Administrators should be familiar with:

• ossec.conf for agent and manager configuration
• Log collection blocks (<localfile>, <remote>)
• Syslog input configuration sections

This file is central to defining how Wazuh collects and processes firewall logs.

For official configuration reference:
Wazuh Configuration Reference

 Configuring Firewall Log Collection in Wazuh Agent

To begin collecting firewall logs in Wazuh, you must explicitly define where logs are sourced from and how they should be ingested.

This is handled primarily through the Wazuh agent configuration file (ossec.conf), which controls local log monitoring and forwarding behavior.

Adding log file paths in ossec.conf

For file-based firewall logging, you configure the Wazuh agent to monitor specific log files using <localfile> entries.

Example structure:

• Specify log type as syslog or command
• Define absolute file paths
• Ensure correct permissions for agent access

Typical configuration pattern:

• /var/log/ufw.log
• /var/log/iptables.log
• /var/log/firewalld

This allows the agent to continuously tail firewall logs and forward new events to the Wazuh manager in near real-time.

Example configuration for Linux firewall logs (iptables/ufw)

For Linux-based firewalls, logging must be enabled at the OS level first, then collected by Wazuh.

iptables logging example (Linux):

• Log dropped packets using LOG target
• Write to kernel log or /var/log/messages

Wazuh agent configuration:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/iptables.log</location>
</localfile>

UFW logging example:

• Enable logging via ufw logging on
• Logs typically appear in /var/log/ufw.log

Then configure:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/ufw.log</location>
</localfile>

This setup enables visibility into dropped connections, rejected packets, and policy violations at the host level.

Configuring syslog input for network firewalls

For network appliances, Wazuh typically does not read local files. Instead, it ingests logs via syslog.

In this case:

• Firewalls forward logs to Wazuh manager or a syslog collector
• Wazuh is configured to listen on a syslog port (UDP/TCP 514 or custom ports)

This method is preferred for:

• High-throughput environments
• Distributed network infrastructure
• Enterprise-grade firewalls

Setting log formats (syslog, JSON, plain text)

Wazuh supports multiple log formats, but consistency is critical for parsing accuracy.

Common formats:

• Syslog (RFC 3164 / RFC 5424) → most widely supported
• Plain text logs → used in Linux firewall logs
• JSON logs → increasingly common in cloud-native firewalls

Format selection affects:

• Decoder accuracy
• Field extraction quality
• Rule matching reliability

For structured environments, JSON is preferred due to predictable field mapping.

Sending Firewall Logs via Syslog to Wazuh

Syslog forwarding is the most common and scalable method for ingesting firewall logs into Wazuh, especially in enterprise and multi-device environments.

Enabling syslog forwarding on firewall devices

Most firewall platforms allow configuration of remote syslog servers.

General steps:

• Enable logging on security policies
• Define remote syslog server IP (Wazuh manager or collector)
• Select log severity level (informational, warning, critical)
• Choose transport protocol (UDP/TCP)

This ensures that all firewall events are streamed in real time into the Wazuh pipeline.

Configuring Wazuh agent or server as syslog receiver

Wazuh can receive syslog events in two main ways:

• Direct manager ingestion
  • Wazuh manager listens on syslog port
• Syslog collector + agent forwarding
  • Intermediate syslog server writes to file
  • Wazuh agent reads file via <localfile>

This architecture is often used for scaling ingestion across multiple firewalls.

UDP vs TCP syslog considerations

Choosing between UDP and TCP affects reliability and performance:

UDP syslog

• Lightweight and fast
• No delivery guarantees
• Suitable for high-volume logging

TCP syslog

• Reliable delivery (acknowledged packets)
• Higher overhead
• Preferred for security-sensitive environments

In Wazuh deployments, TCP is recommended when log loss is unacceptable (e.g., compliance environments).

Example configuration for common firewall vendors

pfSense

• Enable remote logging under Status → System Logs → Settings
• Set remote syslog target to Wazuh manager IP
• Ensure firewall rule allows UDP/TCP 514

Fortinet

• Configure via Log & Report → Log Settings
• Enable syslog forwarding
• Select log types: traffic, event, security

Palo Alto Networks

• Configure Syslog Server Profile
• Attach profile to security policies
• Forward Traffic, Threat, and System logs

REFERENCE:
Palo Alto Syslog Configuration Guide

Parsing Firewall Logs with Decoders

Once firewall logs arrive in Wazuh, they must be parsed into structured fields before they can be analyzed or used for detection.

What Wazuh decoders are and how they work

Wazuh decoders are pattern-matching components that:

• Extract structured fields from raw log data
• Normalize vendor-specific formats
• Prepare logs for rule evaluation

They operate using:

• Regular expressions (regex)
• Field mapping logic
• Hierarchical decoding (parent/child decoders)

Without decoders, firewall logs remain unstructured text and cannot be effectively correlated.

Built-in firewall decoders

Wazuh includes prebuilt decoders for many common sources:

• iptables
• UFW
• Windows Firewall
• Cisco ASA (basic patterns)
• Generic syslog firewall formats

These decoders automatically extract:

• Source IP / destination IP
• Ports
• Action (allow/deny)
• Protocol type

This significantly reduces manual configuration effort.

 Creating custom decoders for vendor-specific logs

For proprietary firewall formats (e.g., advanced Palo Alto or Fortinet logs), custom decoders may be required.

Typical steps:

• Identify log structure
• Build regex patterns for field extraction
• Define decoder hierarchy
• Map extracted fields to Wazuh event schema

Custom decoders are essential when:

• Logs include non-standard fields
• Vendor-specific formatting is used
• Built-in decoders fail to fully parse events

Testing log parsing using wazuh-logtest

Wazuh provides a built-in testing utility:

• wazuh-logtest simulates log ingestion
• Shows decoder matches in real time
• Displays rule evaluation results

This tool is critical for:

• Debugging parsing issues
• Validating custom decoders
• Ensuring rule accuracy before production deployment

Creating Rules for Firewall Event Detection

Once logs are parsed, Wazuh rules define how security-relevant events are detected and escalated.

Default Wazuh firewall rules overview

Wazuh ships with baseline firewall detection rules that identify:

• Denied connections
• Suspicious traffic patterns
• Repeated authentication or access failures

These rules provide immediate value out of the box but often require tuning for production environments.

Detecting blocked connections

Blocked traffic is one of the most important firewall signals.

Rules can detect:

• Repeated denied connections from a single IP
• Access attempts to restricted ports
• Unauthorized service probing

These patterns often indicate reconnaissance activity.

Port scanning attempts

Wazuh can detect port scanning behavior by analyzing:

• High-frequency connection attempts across multiple ports
• Sequential port access patterns
• Distributed scan sources

This is commonly associated with reconnaissance tools like Nmap.

 Repeated failed connections

Repeated failures often indicate brute force or misconfiguration.

Detection focuses on:

• Multiple failed connections within a time window
• Authentication or service denial spikes
• Persistent retry behavior from a single source

Suspicious IP traffic patterns

Advanced correlation rules can identify:

• Unusual geographic IP sources
• Known malicious IPs (via threat intelligence feeds)
• Beaconing behavior or periodic connections

This is where Wazuh firewall monitoring becomes highly effective for threat hunting.

Writing custom rules for firewall events

Custom rules allow security teams to tailor detection logic to their environment.

Typical use cases:

• Internal segmentation violations
• Business-critical port monitoring
• Environment-specific anomaly detection

Rules are defined using:

• Conditions (decoded fields)
• Thresholds (frequency/time windows)
• Severity levels

Rule priority and alert levels

Wazuh uses severity levels to prioritize alerts:

• Low severity: informational firewall events
• Medium severity: suspicious activity
• High severity: confirmed attack patterns
• Critical severity: active exploitation or confirmed compromise

Proper tuning ensures SOC teams focus on high-value alerts without alert fatigue.

Visualizing Firewall Logs in Wazuh Dashboard

Collecting firewall logs is only the first step.

To gain operational value from the data, security teams need effective visualization and analysis tools.

The Wazuh Dashboard provides centralized visibility into firewall activity, enabling analysts to identify threats, investigate incidents, and monitor network security posture in real time.

Using Wazuh Dashboard for Firewall Activity Monitoring

Once firewall logs are successfully ingested and indexed, they become searchable through the Wazuh Dashboard.

Security teams can monitor:

• Allowed and blocked connections
• Top source and destination IP addresses
• Firewall policy violations
• Geographic traffic distribution
• High-frequency connection attempts
• Security alerts generated from firewall rules

This centralized visibility eliminates the need to manually review logs across multiple firewall devices.

Related reading:

• How to Configure Wazuh Log Retention
• How to Monitor Kubernetes Using Wazuh

Prebuilt Dashboards and Security Event Views

Wazuh includes several prebuilt visualizations that can be leveraged for firewall monitoring.

Common dashboard components include:

• Alert trend graphs
• Event severity distributions
• Top offending IP addresses
• Most frequently triggered rules
• Security event timelines
• Geographic traffic maps

These visualizations help analysts quickly identify unusual network activity without manually searching raw log data.

According to guidance from the MITRE ATT&CK framework, effective threat detection relies on combining network telemetry with endpoint and security event data to build context around attacker behavior.

Filtering Logs by Source IP, Destination IP, and Action Type

One of the most useful dashboard capabilities is log filtering.

Common filters include:

Source IP

Used to investigate:

• Suspicious external hosts
• Internal compromised systems
• Brute-force attack origins

Example:

data.srcip: "192.168.1.100"

Destination IP

Useful for identifying:

• Targeted servers
• High-value assets
• Lateral movement attempts

Example:

data.dstip: "10.0.0.50"

Firewall Action

Allows analysts to separate:

• Allowed traffic
• Blocked traffic
• Dropped packets
• Rejected connections

Example:

data.action: "deny"

Combining multiple filters can significantly accelerate investigations during active incidents.

Creating Custom Dashboards for Firewall Analytics

Organizations often require firewall-specific visualizations that align with their security objectives.

Useful custom widgets include:

H4 Top Blocked Source Addresses

Highlights:

• Persistent attackers
• Internet scanners
• Misconfigured systems

Most Targeted Services

Tracks attacks against:

• SSH (22)
• RDP (3389)
• SMB (445)
• Database services

Firewall Alert Severity Trends

Measures:

• Daily security event volume
• Escalating attack campaigns
• Effectiveness of firewall policies

 Threat Intelligence Match Dashboard

Displays:

• Known malicious IP addresses
• Reputation matches
• Blocked threat actor infrastructure

Related reading:

• How to Integrate Wazuh with VirusTotal for Threat Intelligence

Setting Up Alerts for Firewall Events

Real-time alerting enables security teams to respond immediately when firewall activity indicates potential malicious behavior.

Wazuh supports multiple notification channels and alerting mechanisms.

Configuring Email and Webhook Notifications

Wazuh can automatically generate notifications when specific firewall events occur.

Common notification targets include:

• Security operations teams
• Incident response teams
• Compliance personnel
• Managed security providers

Alerts can be triggered based on:

• Rule level
• Event frequency
• Source IP
• Firewall action

Email notifications are useful for critical events, while webhooks support automation and integrations.

Official configuration reference:

Wazuh Alerting Documentation

Integrating with Slack, SIEM Pipelines, or Incident Response Tools

Many organizations extend Wazuh alerts into broader security workflows.

Common integrations include:

• Slack
• Microsoft Teams
• TheHive
• Shuffle SOAR
• ServiceNow
• Custom webhook endpoints

These integrations allow security teams to:

• Create incidents automatically
• Notify responders instantly
• Launch automated response playbooks
• Escalate high-priority events

Related reading:

• How to Detect Ransomware Activity Using Wazuh

Tuning Alerts to Reduce Noise and False Positives

Firewall logs can generate large volumes of alerts if rules are not properly tuned.

Common tuning strategies include:

• Whitelisting trusted IP addresses
• Increasing alert thresholds
• Excluding known internal scanners
• Suppressing repetitive informational events
• Adjusting rule severity levels

Security experts at the SANS Institute frequently emphasize that excessive alert volume contributes directly to analyst fatigue and missed detections, making alert tuning a critical component of SOC operations.

Related reading:

• How to Reduce False Positives in Wazuh

Example Alert Scenarios (DDoS, Brute Force, Intrusion Attempts)

Below are common use cases for firewall alerting.

H4 DDoS Activity

Indicators:

• Thousands of connections from multiple IPs
• Large spikes in denied traffic
• Service availability degradation

Alert triggers:

• Connection thresholds exceeded
• Abnormal traffic volumes
• Multiple firewall rule hits

Brute Force Attacks

Indicators:

• Repeated access attempts against SSH or RDP
• High failure rates from a single source

Alert triggers:

• Multiple denied connections within a short period
• Authentication failures correlated with firewall events

 Intrusion Attempts

Indicators:

• Exploit traffic
• Port scanning activity
• Connections to vulnerable services

Alert triggers:

• Threat intelligence matches
• Reconnaissance detection rules
• Known attack signatures

Advanced Firewall Log Analysis in Wazuh

While basic firewall monitoring identifies individual events, advanced analysis enables detection of complex attack chains and sophisticated threats.

Correlating Firewall Logs with Endpoint Logs

One of Wazuh’s biggest strengths is its ability to correlate network and endpoint telemetry.

For example:

1. Firewall detects inbound connection attempt.
2. Endpoint receives process execution event.
3. Authentication logs show account access.
4. File integrity monitoring detects system changes.

Individually, these events may appear benign. Together, they may indicate compromise.

This cross-source correlation significantly improves detection accuracy.

Related reading:

• How to Configure File Integrity Monitoring (FIM) in Wazuh
• How to Monitor AWS CloudTrail Logs Using Wazuh

Detecting Multi-Stage Attacks

Most attackers do not achieve their objectives through a single action.

A typical attack sequence may involve:

1. Reconnaissance

• Port scanning
• Service enumeration
• Vulnerability identification

 2. Initial Access

• Exploit attempts
• Credential attacks
• Malicious connections

3. Lateral Movement

• Internal scanning
• SMB access attempts
• RDP connections

4. Persistence and Impact

• Malware deployment
• Privilege escalation
• Data exfiltration

Firewall logs often provide visibility into multiple stages of this lifecycle.

Threat Intelligence Integration (IP Reputation Checks)

Threat intelligence significantly enhances firewall monitoring.

By integrating reputation feeds, Wazuh can automatically identify:

• Known botnet infrastructure
• Command-and-control servers
• Malware distribution hosts
• Malicious VPN exit nodes
• Threat actor IP addresses

One of the most popular integrations is VirusTotal.

Using Frequency-Based and Threshold Rules

Many attacks are not detectable through single events.

Instead, detection relies on frequency analysis.

Examples include:

Port Scan Detection

Trigger when:

• More than 20 connection attempts
• Across multiple ports
• Within 60 seconds

Brute Force Detection

Trigger when:

• More than 10 denied connections
• From the same IP
• Within 5 minutes

 DDoS Detection

Trigger when:

• Thousands of events
• Against the same destination
• During a short time window

These threshold-based detections are widely used in enterprise SOC environments because they reduce false positives while improving detection of coordinated attacks.

Troubleshooting Firewall Log Collection Issues

Even when firewall logging is configured correctly, administrators may encounter issues that prevent logs from appearing in Wazuh or generating alerts.

Systematically troubleshooting each stage of the log collection pipeline can help identify the root cause and restore visibility.

Logs Not Appearing in Wazuh Dashboard

One of the most common issues is successfully forwarding logs but not seeing them in the Wazuh Dashboard.

Potential causes include:

• Firewall logging is disabled
• Incorrect log file path configuration
• Agent communication failures
• Indexing problems in the Wazuh Indexer
• Dashboard filters excluding relevant events

To troubleshoot:

1. Verify that firewall logs are being generated.
2. Confirm the Wazuh agent is actively monitoring the correct log location.
3. Check agent status and connectivity.
4. Search for raw events directly in the dashboard.
5. Review manager and indexer logs for ingestion errors.

Related reading:

• Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work
• How to Upgrade a Wazuh Agent

Syslog Connection Failures

If firewall logs are forwarded via syslog, connectivity issues can prevent events from reaching Wazuh.

Common causes include:

• Firewall rules blocking syslog traffic
• Incorrect destination IP address
• Wrong syslog port configuration
• UDP packet loss
• TCP connection failures

Troubleshooting steps:

• Verify firewall-to-Wazuh network connectivity.
• Use packet capture tools such as tcpdump to confirm log transmission.
• Check whether the Wazuh server is listening on the expected port.
• Review syslog service logs for errors.

For environments with strict compliance requirements, TCP syslog is often preferred because it provides delivery guarantees.

Incorrect Decoder Matching

Firewall logs may reach Wazuh successfully but fail to generate alerts if decoders are not parsing events correctly.

Common indicators include:

• Raw logs appearing without extracted fields
• Missing source or destination IP addresses
• No rule matches despite visible events
• Events categorized as generic syslog messages

Use wazuh-logtest to validate decoder behavior and identify parsing issues.

When necessary:

• Modify existing decoders
• Create custom decoders
• Update regular expressions to accommodate vendor-specific log formats

Time Synchronization Issues (NTP Problems)

Accurate timestamps are critical for event correlation.

If systems have inconsistent clocks, analysts may encounter:

• Events appearing out of order
• Failed correlation rules
• Incorrect alert timelines
• Difficult forensic investigations

Best practices include:

• Synchronizing all systems with Network Time Protocol (NTP)
• Monitoring time drift regularly
• Using reliable internal or public NTP sources

According to the National Institute of Standards and Technology (NIST), synchronized timestamps are essential for effective security monitoring and incident investigations.

Agent Configuration Validation

Misconfigured agents are another common source of firewall monitoring issues.

Before troubleshooting advanced components, validate:

• ossec.conf syntax
• Log file paths
• Permissions on monitored files
• Agent registration status
• Connectivity to the Wazuh manager

After configuration changes:

1. Validate the configuration.
2. Restart the agent.
3. Confirm logs are being collected.
4. Verify alerts appear in the dashboard.

A simple configuration error can often prevent entire categories of firewall logs from being processed.

Best Practices for Firewall Monitoring with Wazuh

Effective firewall monitoring requires more than log collection.

Organizations should follow operational best practices to improve visibility, reduce alert fatigue, and strengthen detection capabilities.

Normalize Logs Across Multiple Firewall Vendors

Most enterprise environments use multiple firewall technologies.

Examples include:

• pfSense
• Fortinet
• Palo Alto Networks
• Cisco ASA
• Windows Defender Firewall

Each vendor generates logs in different formats.

Normalization helps:

• Standardize field extraction
• Simplify rule creation
• Improve dashboard consistency
• Enable cross-platform correlation

Consistent data structures also improve long-term reporting and threat hunting activities.

Use Consistent Rule Tuning to Reduce Noise

Firewall devices often generate large volumes of routine traffic events.

Without tuning, analysts can experience:

• Alert fatigue
• Missed threats
• Reduced SOC efficiency

Recommended tuning practices include:

• Whitelisting trusted systems
• Suppressing repetitive informational events
• Adjusting frequency thresholds
• Reviewing alert quality regularly

Enable Log Retention Policies

Firewall logs frequently play a critical role in:

• Incident response
• Compliance audits
• Threat hunting
• Forensic investigations

Organizations should establish retention policies based on:

• Regulatory requirements
• Storage capacity
• Security objectives

Common retention periods include:

• 90 days for operational analysis
• 1 year for security investigations
• Longer periods for regulated industries

Regularly Test Detection Rules

Detection rules should never be considered “set and forget.”

Regular testing helps verify:

• Alerts are still functioning
• Decoder updates have not broken detections
• New attack techniques are covered
• Thresholds remain effective

Security teams should periodically simulate:

• Port scans
• Brute-force attacks
• Unauthorized access attempts
• Malware communication patterns

Testing helps ensure the firewall monitoring program remains effective as environments evolve.

Segment Firewall Logs by Network Zones

Separating firewall logs by network segment improves visibility and investigation workflows.

Examples include:

 Internet Edge

Tracks:

• External threats
• DDoS activity
• Reconnaissance attempts

 DMZ

Monitors:

• Public-facing applications
• Web servers
• Reverse proxies

Internal Network

Focuses on:

• Lateral movement
• Insider threats
• Segmentation violations

Cloud Environments

Captures:

• VPC traffic
• Cloud firewall events
• Hybrid infrastructure activity

This segmentation makes it easier to identify where attacks originate and which assets are targeted.

Conclusion

Firewall logs are among the most valuable sources of security telemetry available to defenders.

By collecting, parsing, and analyzing these logs within Wazuh, organizations gain centralized visibility into network activity, policy violations, and potential threats.

Throughout this guide, we covered the complete firewall log ingestion workflow in Wazuh, including configuring log collection, forwarding syslog events, parsing logs with decoders, creating detection rules, building dashboards, and generating real-time alerts.

Together, these capabilities transform raw firewall data into actionable security intelligence.

Continuous network monitoring is essential because modern attacks rarely consist of a single event.

Threat actors often perform reconnaissance, exploit vulnerabilities, move laterally across networks, and establish persistence over time.

Firewall logs provide critical visibility into each stage of this attack lifecycle.

As your Wazuh deployment matures, consider expanding beyond firewall monitoring into broader security analytics.

Combining firewall telemetry with intrusion detection systems, endpoint monitoring, threat intelligence feeds, and cloud security logs can significantly improve detection accuracy and incident response capabilities.

Recommended next steps:

• How to Integrate Wazuh with Suricata for Better Threat Detection
• How to Monitor Kubernetes Using Wazuh
• How to Integrate Wazuh with VirusTotal for Threat Intelligence
• How to Configure File Integrity Monitoring (FIM) in Wazuh

By correlating firewall, endpoint, and threat intelligence data within a single platform, Wazuh becomes a powerful solution for comprehensive threat detection and security operations.