Document toolboxDocument toolbox

firewall.watchguard

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
2 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data send to Devo? ] [ 4 Table structure ]

Introduction

Tags beginning with firewall.watchguard identifies events generated by Watchguard.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as firewall.watchguard. The third level identifies the type of events sent.

Technology

Brand

Type

Technology

Brand

Type

firewall

watchguard

traffic

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

firewall.watchguard.traffic

firewall.watchguard.traffic

firewall.watchguard.traffic.v2

firewall.watchguard.traffic

How is the data send to Devo?

Before sending WatchGuard events, make sure that the aliases don’t contain space characters (" "), as they are used to distinguish between different fields.

The procedure to check and modify the aliases is detailed in this article.

Table structure

This is the set displayed by these tables.

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

-

srcIP

ip4

-

dstIP

ip4

-

protocol

str

-

srcPORT

int4

-

dstPORT

int4

-

proxy_act

str

-

cats

str

-

dstname

str

-

sni

str

-

cn

str

-

cert_issuer

str

-

cert_subject

str

-

action

str

-

app_id

str

-

app_cat_id

str

-

sent_bytes

str

-

rcvd_bytes

str

-

geo_src

str

-

geo_dst

str

-

serial_number

str

-

fecha

timestamp

-

disposition

str

-

interface

str

-

external

str

-

request

str

-

area00

str

-

area01

str

-

proc_id

str

-

rc

str

-

service

str

-

log_type

str

-

msg_id

str

-

fqdn_dst_match

str

-

srcInterface

str

-

dstInterface

str

-

num1

int4

-

num2

int4

-

num3

int4

-

winVersion

str

-

msg

str

-

line

str

-

rule_name

str

-

header

str

-

content_type

str

-

method

str

-

scheme

str

-

op

str

-

arg

str

-

path

str

-

elapsed_time

str

-

reputation

str

-

signature_name

str

-

signature_cat

str

-

signature_id

str

-

src_user

str

-

id

str

-

ip_packet_length

str

-

ip_header_length

str

-

ttl

str

-

new_action

str

-

tls_profile

str

-

tls_version

str

-

seq

str

-

severity

str

-

type

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓