Overview

OneFirewall Server WCF (World Crime Feeds) is the core server component that can be installed on-premises or in the cloud, depending on your deployment setup. It is responsible for collecting and processing security logs from firewalls, intrusion prevention systems (IPS), and other network or security devices in your environment.

Syslog Listener on UDP Port 514

The OneFirewall service includes a Syslog listener running on UDP port 514, which is the standard port for receiving syslog traffic. This listener can accept log messages from multiple sources and automatically parse them to extract relevant security information, such as:
  • Source and destination IPs
  • Timestamps
  • Severity levels
  • Event types or signatures

Sending Logs to OneFirewall

Depending on your existing infrastructure, there are several ways to forward logs to the OneFirewall Syslog listener.

ELK / OpenSearch

To forward logs using Filebeat or Logstash, edit the configuration file and include a Syslog output section:

```yaml
output.syslog:
  host: ["udp://<onefirewall_server_ip>:514"]
  protocol: udp
  facility: local0
```

Then restart the service to apply the changes:

```shell
sudo systemctl restart filebeat
```

or

```shell
sudo systemctl restart logstash
```

IBM QRadar

  1. Go to Admin → Data Sources → Log Sources.
  2. Add a new Syslog destination.
  3. Set the Destination IP to your OneFirewall server.
  4. Select UDP as the protocol and set Port 514.
  5. Save and deploy the configuration.

Splunk

In Splunk, you can configure Syslog forwarding either via a forwarder or directly on the main server.

Example configuration

```ini
[udp://514]
connection_host = ip
sourcetype = syslog
```

Ensure that your firewall allows outbound UDP 514 traffic to the OneFirewall server. Restart the Splunk service after applying the changes:

```shell
sudo systemctl restart splunk
```

pfSense / OPNsense

  1. Navigate to Status → System Logs → Settings → Remote Logging Options.
  2. Enable Send log messages to remote syslog server.
  3. Enter the OneFirewall Server IP and set Port to 514.
  4. Select the log categories you want to forward (e.g., Firewall, DHCP, System).
  5. Save the settings.

API Log Ingestion (Cloud Environments)

For cloud-based deployments, OneFirewall Server exposes an HTTP API endpoint that allows log ingestion via HTTPS. This method is typically used when UDP traffic is restricted or when integrating with cloud-native logging tools such as:
  • AWS CloudWatch Logs
  • Azure Monitor
  • Google Cloud Logging
The API accepts structured JSON log payloads and supports authentication using API tokens.

Verifying Log Connectivity

You can verify whether logs are successfully reaching the OneFirewall server using standard Linux tools.

Using tcpdump

```shell
sudo tcpdump -i any port 514 -n
```

Using logger (for testing)

```shell
logger -n <onefirewall_server_ip> -P 514 -d "Test log message from client"
```

If configured correctly, the message will appear in the OneFirewall server logs.
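As an added example (not part of the OneFirewall documentation), the following Python script does on loopback what the logger test above does against the server: it builds an RFC 3164 syslog line whose PRI field encodes facility and severity, sends it over UDP, and parses out the fields the listener extracts (timestamp, severity, source and destination IPs). The host name, tag and addresses in the sample message are constructed values.

```python
import re
import socket
from datetime import datetime

FACILITY_LOCAL0 = 16  # numeric code for the local0 facility used in the Filebeat/Logstash section
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 layout: <PRI>Mmm dd HH:MM:SS hostname tag: message (what util-linux logger sends by default)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def build_syslog_line(severity, host, tag, msg, facility=FACILITY_LOCAL0, when=None):
    """Encode facility and severity into the PRI field (facility * 8 + severity) and format the line."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {msg}"

def parse_syslog_line(line):
    """Extract the fields a listener indexes: facility, severity, timestamp, host, tag and IPs."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if facility > 23:  # PRI values above 191 are not valid syslog
        return None
    ips = _IPV4_RE.findall(m["msg"])  # in a firewall message the first address is the source, the second the destination
    return {
        "facility": facility, "severity": SEVERITY[severity], "timestamp": m["ts"],
        "host": m["host"], "tag": m["tag"], "message": m["msg"],
        "src_ip": ips[0] if ips else None, "dst_ip": ips[1] if len(ips) > 1 else None,
    }

def udp_roundtrip(line, host="127.0.0.1", port=0):
    """Bind a UDP listener (port 0 = ephemeral; the real server uses 514), send the line, parse the datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        listener.bind((host, port))
        listener.settimeout(2)
        sender.sendto(line.encode(), listener.getsockname())
        data = listener.recv(2048)
    return parse_syslog_line(data.decode(errors="replace"))

# Constructed pfSense-style filterlog message with documentation-range IPs (not captured traffic).
SAMPLE = build_syslog_line(4, "fw01", "filterlog", "block in on em0: 203.0.113.5:51514 -> 192.0.2.10:22 TCP",
                           when=datetime(2024, 1, 5, 10, 30, 0))

if __name__ == "__main__":
    print(udp_roundtrip(SAMPLE))
```

Pointing `udp_roundtrip` at the OneFirewall address and port 514 turns it into a client-side connectivity check; running the listener side on the server at port 514 requires root, as does tcpdump.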

Summary

| Component | Purpose | Protocol | Port |
| --- | --- | --- | --- |
| Syslog Listener | Receives log traffic from network devices | UDP | 514 |
| API Endpoint | Accepts log data via HTTPS (mainly for cloud) | HTTP/HTTPS | Configurable |