
# Logs and Network Events

## Overview

**OneFirewall Server WCF (World Crime Feeds)** is the core server component that can be installed **on-premises** or in the **cloud**, depending on your deployment setup.

It is responsible for collecting and processing security logs from firewalls, intrusion prevention systems (IPS), and other network or security devices in your environment.

***

## Syslog Listener on UDP Port 514

The OneFirewall service includes a **Syslog listener** running on **UDP port 514**, which is the standard port for receiving syslog traffic.

This listener can accept log messages from multiple sources and automatically parse them to extract relevant security information, such as:

* Source and destination IPs
* Timestamps
* Severity levels
* Event types or signatures
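
The following is an added example, not OneFirewall's own listener code, showing what the extraction step above amounts to in practice: decode the RFC 3164 `<PRI>` header into facility and severity, pull the timestamp and hostname, and read source/destination IPs, ports and the firewall action out of the message body. It assumes netfilter-style `KEY=VALUE` message bodies (as produced by iptables/nftables `LOG` rules); the sample lines, the `fw01` hostname and the RFC 5737 documentation addresses are constructed for illustration. Malformed lines are counted rather than allowed to crash the parser, which is the failure mode a listener fed by arbitrary network devices has to expect.

```python
import re
from datetime import datetime

# Numeric syslog severity -> name (RFC 3164 / RFC 5424 severity table).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<rest>.*)$"
)
# Assumed netfilter-style body: KEY=VALUE pairs plus an action keyword.
KV_RE = re.compile(r"\b(?P<k>[A-Za-z][A-Za-z0-9_]*)=(?P<v>\S*)")
ACTION_RE = re.compile(r"\b(DROP|REJECT|ACCEPT|DENY|ALLOW|BLOCK|PASS)\b", re.IGNORECASE)


def parse_syslog(line, year=None):
    """Parse one RFC 3164 line into the security-relevant fields.

    Raises ValueError on a line without a valid <PRI> header so the caller can
    count or quarantine malformed input instead of silently mis-parsing it.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range: %d" % pri)
    # RFC 3164 timestamps carry no year; the caller supplies one or we assume the current year.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    ts = ts.replace(year=year or datetime.now().year)
    tag, _, msg = m.group("rest").partition(":")
    kv = {k.upper(): v for k, v in KV_RE.findall(msg)}
    action = ACTION_RE.search(msg)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": ts,
        "host": m.group("host"),
        "tag": tag.strip(),
        "action": action.group(1).upper() if action else None,
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "src_port": int(kv["SPT"]) if kv.get("SPT", "").isdigit() else None,
        "dst_port": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
        "proto": kv.get("PROTO"),
        "raw": line,
    }


def parse_many(lines, year=None):
    """Parse a batch; returns (events, number_of_malformed_lines)."""
    events, bad = [], 0
    for line in lines:
        try:
            events.append(parse_syslog(line, year))
        except ValueError:
            bad += 1
    return events, bad


def blocked_by_source(events, max_severity=4):
    """Count block-type events per source IP at or above a severity.

    Lower numbers are more severe; the default 4 (warning) includes the level
    netfilter LOG rules emit by default.
    """
    counts = {}
    for e in events:
        if e["action"] in {"DROP", "REJECT", "DENY", "BLOCK"} and e["severity"] <= max_severity and e["src_ip"]:
            counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


# Constructed sample input: two kernel-facility drops, one accept, one junk line.
SAMPLE_LINES = [
    "<4>Mar 12 14:22:07 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN",
    "<4>Mar 12 14:22:09 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN",
    "<14>Mar 12 14:22:11 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=44321 DPT=53",
    "this is not a syslog line",
]

if __name__ == "__main__":
    events, bad = parse_many(SAMPLE_LINES, year=2024)
    for e in events:
        print(e["timestamp"], e["host"], e["severity_name"], e["action"], e["src_ip"], "->", e["dst_ip"], e["dst_port"])
    print("malformed lines:", bad, "| blocked by source:", blocked_by_source(events))
```

The facility/severity split is pure arithmetic on the PRI value (`pri // 8` and `pri % 8`), which is why a listener can rank events before it understands the vendor-specific body at all; the body parsing is the part that varies per device and is the place to add per-vendor patterns.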

***

## Sending Logs to OneFirewall

Depending on your existing infrastructure, there are several ways to forward logs to the OneFirewall Syslog listener.

### **ELK / OpenSearch**

To forward logs using **Filebeat** or **Logstash**, edit the configuration file and include a Syslog output section:

```yaml
output.syslog:
  host: ["udp://<onefirewall_server_ip>:514"]
  protocol: udp
  facility: local0
```

Then restart the service to apply changes:

```bash
sudo systemctl restart filebeat
```

or

```bash
sudo systemctl restart logstash
```

***

### **IBM QRadar**

1. Go to **Admin → Data Sources → Log Sources**.
2. Add a new **Syslog** destination.
3. Set the **Destination IP** to your OneFirewall server.
4. Select **UDP** as the protocol and set **Port 514**.
5. Save and deploy the configuration.

***

### **Splunk**

In Splunk, you can configure Syslog forwarding either via a **forwarder** or directly on the main server.

#### Example configuration

```ini
[udp://514]
connection_host = ip
sourcetype = syslog
```

Ensure that your firewall allows **outbound UDP 514** traffic to the OneFirewall server.

Restart the Splunk service after applying changes:

```bash
sudo systemctl restart splunk
```

***

### **pfSense / OPNsense**

1. Navigate to **Status → System Logs → Settings → Remote Logging Options**.
2. Enable **Send log messages to remote syslog server**.
3. Enter the **OneFirewall Server IP** and set **Port** to `514`.
4. Select the log categories you want to forward (e.g., Firewall, DHCP, System).
5. Save the settings.

***

## API Log Ingestion (Cloud Environments)

For **cloud-based deployments**, OneFirewall Server exposes an **HTTP API endpoint** that allows log ingestion via HTTPS.

This method is typically used when UDP traffic is restricted or when integrating with cloud-native logging tools such as:

* **AWS CloudWatch Logs**
* **Azure Monitor**
* **Google Cloud Logging**

The API accepts structured JSON log payloads and supports authentication using API tokens.

***

## Verifying Log Connectivity

You can verify whether logs are successfully reaching the OneFirewall server using standard Linux tools.

### **Using `tcpdump`**

```bash
sudo tcpdump -i any port 514 -n
```

### **Using `logger` (for testing)**

```bash
logger -n <onefirewall_server_ip> -P 514 -d "Test log message from client"
```

If configured correctly, the message will appear in the OneFirewall server logs.
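
As an added, scriptable counterpart to the `logger` and `tcpdump` check above (example code, not part of OneFirewall), the snippet below formats one RFC 3164 message the way `logger -d` would, sends it as a single UDP datagram, and confirms the datagram arrives intact at a receiving socket. It assumes you run it on a host where binding a loopback socket is allowed: the receiver binds `127.0.0.1` on an ephemeral port rather than the server's UDP 514, which needs root, so the same send/receive logic can be exercised without privileges; the `client01` hostname and `onefw-test` tag are constructed values.

```python
import socket
from datetime import datetime


def build_syslog_message(msg, facility=1, severity=6, host="client01", tag="onefw-test", when=None):
    """Format an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    Defaults match what `logger` sends: facility user (1), severity info (6).
    The day is space-padded to two characters as RFC 3164 requires.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri, stamp, host, tag, msg)


def send_udp(message, host, port):
    """Send one datagram, as `logger -n host -P port -d` does; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("utf-8"), (host, port))


def check_syslog_path(message, bind_host="127.0.0.1", timeout=2.0):
    """Bind a throwaway receiver, send `message` to it, return (received_text, sender_addr).

    In a real deployment the receiver is the OneFirewall listener on UDP 514;
    here a local ephemeral port stands in for it. Returns (None, None) if nothing
    arrives within `timeout`, which is the UDP failure mode: no error, just silence.
    """
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.settimeout(timeout)
    recv.bind((bind_host, 0))
    port = recv.getsockname()[1]
    try:
        send_udp(message, bind_host, port)
        data, addr = recv.recvfrom(65535)
    except socket.timeout:
        return None, None
    finally:
        recv.close()
    return data.decode("utf-8", errors="replace"), addr


def pri_of(text):
    """Return the numeric <PRI> at the start of a received line, or None if absent."""
    if text and text.startswith("<") and ">" in text[:5]:
        digits = text[1:text.index(">")]
        return int(digits) if digits.isdigit() else None
    return None


if __name__ == "__main__":
    message = build_syslog_message("Test log message from client")
    got, addr = check_syslog_path(message)
    if got is None:
        print("no datagram received: check listener, routing and UDP 514 firewall rules")
    else:
        print("received from %s:%d PRI=%s -> %s" % (addr[0], addr[1], pri_of(got), got))
```

Because UDP gives the sender no acknowledgement, a successful `sendto` proves nothing about delivery; only the receive side (here the local socket, in production the `tcpdump` capture on the OneFirewall server) shows that the path is open.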

***

## Summary

| Component       | Purpose                                       | Protocol   | Port         |
| --------------- | --------------------------------------------- | ---------- | ------------ |
| Syslog Listener | Receives log traffic from network devices     | UDP        | 514          |
| API Endpoint    | Accepts log data via HTTPS (mainly for cloud) | HTTP/HTTPS | Configurable |
