ScoobyLabs Projects

Firewalla-Logger

Firewalla-Logger is an open-source tool that fetches network flow logs from your Firewalla MSP’s API and exports them to a local directory as JSON files.
Now with deduplication and automatic sorting for cleaner, more accurate analysis.

Automated polling (configurable interval)
Log rotation & retention
Deduplication & sorting
SIEM-ready JSON output
Dockerized, portable, stateless

Example docker run:

docker run -d --restart=unless-stopped \
  -e MSPURL="https://YOUR-MSP.firewalla.net" \
  -e API_TOKEN="YOUR_TOKEN" \
  -e POLL_INTERVAL_SEC="300" \
  -v $(pwd)/firewalla-logs:/app/data \
  scooby81/firewalla-logger:latest

🔗 View on Docker Hub

Sample Output (JSON Log)

{ "ts": 1753026985.71, "total": 5825, "download": 3670, "upload": 2155, "direction": "outbound", "protocol": "tcp", "domain": "apple.com", "source": { "ip": "10.4.20.119", "name": "Living Room (2)" }, "destination": { "ip": "17.57.144.151", "name": "courier.push.apple.com" } }

Firewalla-SSH-Logger

Firewalla-SSH-Logger is an open-source, containerized tool designed to automate log collection from Firewalla appliances via SSH. It extracts, deduplicates, sorts, and archives network connection logs in Zeek-style format, making them easy to analyze or ingest into SIEMs like Wazuh, Elastic, or Graylog.

Purpose

Firewalla devices provide rich network traffic visibility but lack robust native log forwarding. Firewalla-SSH-Logger bridges this gap by periodically:

Logging into a Firewalla device via SSH
Pulling conn.log (or similar)
Parsing and cleaning logs
Deduplicating entries
Sorting them chronologically
Saving structured JSON logs for SIEM or analysis

How It Works

Runs in Docker, executing ingest_zeek_logs.py at scheduled intervals
Connects via SSH, pulls and parses conn.log
Deduplicates log entries using an ID cache
Chronologically sorts by timestamp
Persists cleaned logs and dedup cache to a Docker volume

Dockerized Deployment

Linux hosts (Ubuntu, Synology, etc.)
Easy environment variable configuration
Custom polling intervals
Stateless: deploy, configure, and run

docker-compose.yml Example

version: "3.8"
services:
  firewalla-ssh-logger:
    image: scooby81/firewalla-ssh-logger:latest
    container_name: firewalla-ssh-logger
    environment:
      # Firewalla SSH access
      FIREWALLA_HOST:        "firewalla.local"     # or IP address
      FIREWALLA_USER:        "pi"
      FIREWALLA_PASS:        "your_password"

      # Polling interval (in seconds)
      POLL_INTERVAL_SEC:     "300"                 # 5 minutes

      # Log rotation settings
      LOG_ROTATE_WHEN:       "midnight"            # Rotate logs daily
      LOG_ROTATE_INTERVAL:   "1"                   # Rotate every 1 unit of 'when'
      LOG_ROTATE_BACKUP:     "7"                   # Keep 7 backups

    volumes:
      - ./data:/app/data
    restart: unless-stopped

What These Retention Settings Do

LOG_ROTATE_WHEN: "midnight" rotates logs daily (can use H, M, S, W0-W6 for granularity)
LOG_ROTATE_INTERVAL: How often to rotate (e.g. "1" = daily if when=midnight)
LOG_ROTATE_BACKUP: Number of rotated logs to retain

🔗 View Firewalla-SSH-Logger on Docker Hub