Network Firewall (Vendor-Agnostic)
Vendor-agnostic firewall — ECS-normalized traffic flow decisions, session lifecycle, NAT translations, and IDS/IPS threat detections. Plug into any SIEM pipeline without vendor lock-in.
Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-firewall/generator.yml \
  --id fw \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| traffic-allowed | Permitted connection through firewall | ~53% | network |
| traffic-denied | Connection rejected with RST/unreachable | ~13% | network |
| session-start | Stateful session establishment | ~11% | network |
| session-end | Session teardown with counters | ~10% | network |
| traffic-dropped | Silently dropped (default deny) | ~9% | network |
| nat-translation | Source/destination NAT event | ~3% | network |
| threat-detected | IDS/IPS signature match | ~1% | intrusion_detection |
| system-event | Device operational events | rare | configuration |
Realism Features
- Correlated sessions — session-start events consumed by session-end with matching 5-tuple
- NAT tracking — outbound sessions carry source NAT details through session lifecycle
- Zone-aware routing — trust/untrust/dmz zones with correct interface mappings per direction
- Direction-specific behavior — denied/dropped traffic predominantly inbound; allowed mostly outbound
- 15 IDS/IPS signatures across SQL injection, brute force, C2, exploits
- Session end reasons — tcp-fin (50%), aged-out (20%), tcp-rst (25%), policy-deny (5%)
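One way a SIEM pipeline could consume this stream, as an added example that is not part of the content pack: it pairs session-start and session-end events on the 5-tuple described above, computes session duration, tallies end reasons, and surfaces session-end events that have no matching start (an ingestion gap worth alerting on). The events are constructed, and the field names event.action and event.reason are assumptions about where the generator places the action and end reason.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events in the pack's ECS shape; not generator output.
# Assumption: event.action carries "session-start" / "session-end" and
# event.reason carries the end reason (adjust to the real field names).
def _ev(ts, action, src, sport, dst, dport, direction, reason=None):
    event = {"action": action}
    if reason:
        event["reason"] = reason
    return {"@timestamp": ts, "event": event,
            "source": {"ip": src, "port": sport},
            "destination": {"ip": dst, "port": dport},
            "network": {"transport": "tcp", "direction": direction}}

SAMPLE_EVENTS = [
    _ev("2026-02-21T12:00:01+00:00", "session-start", "10.1.1.30", 52341, "142.250.80.46", 443, "outbound"),
    _ev("2026-02-21T12:00:02+00:00", "session-start", "203.0.113.7", 40111, "198.51.100.1", 443, "inbound"),
    _ev("2026-02-21T12:00:31+00:00", "session-end", "10.1.1.30", 52341, "142.250.80.46", 443, "outbound", "tcp-fin"),
    # session-end with no start seen: out-of-order delivery or a start lost upstream
    _ev("2026-02-21T12:00:40+00:00", "session-end", "10.1.1.99", 51000, "192.0.2.10", 80, "outbound", "aged-out"),
]

def five_tuple(ev):
    """Key a session by (src ip, src port, dst ip, dst port, transport)."""
    return (ev["source"]["ip"], ev["source"]["port"],
            ev["destination"]["ip"], ev["destination"]["port"],
            ev["network"]["transport"])

def correlate_sessions(events):
    """Pair session-start with session-end; report closed, open and orphaned sessions."""
    open_sessions, closed, orphans, reasons = {}, [], [], Counter()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key, action = five_tuple(ev), ev["event"]["action"]
        if action == "session-start":
            open_sessions[key] = ev
        elif action == "session-end":
            start = open_sessions.pop(key, None)
            if start is None:
                orphans.append(key)  # no matching start: flag as an ingestion gap
                continue
            t0 = datetime.fromisoformat(start["@timestamp"])
            t1 = datetime.fromisoformat(ev["@timestamp"])
            reason = ev["event"].get("reason", "unknown")
            reasons[reason] += 1
            closed.append({"tuple": key, "direction": ev["network"]["direction"],
                           "duration_s": (t1 - t0).total_seconds(), "reason": reason})
    return {"closed": closed, "open": list(open_sessions), "orphans": orphans,
            "end_reasons": dict(reasons)}

if __name__ == "__main__":
    print(correlate_sessions(SAMPLE_EVENTS))
```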
Sample Output

```json
{
  "@timestamp": "2026-02-21T12:00:01.234567+00:00",
  "event": {
    "action": "allow",
    "category": ["network"],
    "dataset": "firewall.traffic",
    "outcome": "success",
    "type": ["connection", "allowed"]
  },
  "source": { "ip": "10.1.1.30", "port": 52341 },
  "destination": { "ip": "142.250.80.46", "port": 443 },
  "network": {
    "application": "ssl",
    "direction": "outbound",
    "transport": "tcp"
  },
  "observer": { "hostname": "fw-01", "type": "firewall", "vendor": "Generic" },
  "rule": { "name": "Allow-HTTPS-Out" }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | fw-01 | Firewall hostname |
| domain | example.com | Domain for FQDN |
| serial_number | FW00A1B2C3D4 | Firewall serial number |
| nat_ip | 198.51.100.1 | Public NAT IP |
| agent_id | e4f8c1a2-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.