cef0.watchguards.xtm330
Introduction
The table cef0.watchguards.xtm330 identifies events in CEF format generated by Watchguards XTM 11.x.x.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
cef0.watchguards.xtm330
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following are sample logs sent to cef0.watchguards.xtm330. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
cef0.watchguards.xtm330
2021-08-31 13:59:36.508 localhost=127.0.0.1 14 CEF: 0|Watchguards|XTM330|||0000-0000|Unknown| eventId=36937 proto=TCP customerURI=/All Customers/MSSP/05 Unknown/Unknown categorySignificance=/Informational/Warning categoryBehavior=/Communicate categoryDeviceGroup=/Firewall categoryOutcome=/Failure categoryObject=/Host/Aplication art=1628676201234 cat=Firewall act=Deny rt=1628676186000 src=127.0.0.1 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/UNKNOWN UKK/127.0.0.0-127.255.255.255 (UNKNOWN UKK) spt=41741 dst=127.0.0.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/UNKNOWN UKK/127.0.0.0-127.255.255.255 (UNKNOWN UKK) dpt=43083 c6a4Label=Calorstat ahost=fwsmartconnector agt=localhost agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/UNKNOWN: 127.0.0.0-127.255.255.255 amac=11-11-11-11-11-F1 av=1.0.0.1111.0 atz=Europe/Paris at=syslog dvchost=Calorstat dtz=Europe/Paris geid=26268990724637331234 _cefVer=0.1 aid=SOMEID1234C01XpolPK5GQ\\=\\=
And this is how the log would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate |
|
| ||
hostname |
|
| ||
priorityCode |
|
| ||
cefTag |
|
| ||
cefVersion |
|
| ||
embDeviceVendor |
|
| ||
embDeviceProduct |
|
| ||
deviceVersion |
| |||
signatureID |
| |||
name |
|
| ||
severity |
|
| ||
_cefVer |
|
| ||
act |
|
| ||
cat |
|
| ||
c6a4Label |
|
| ||
cs1Label |
|
| ||
cs1 |
|
| ||
cs2Label |
|
| ||
cs2 |
|
| ||
dst |
|
| ||
dpt |
|
| ||
dvchost |
|
| ||
msg |
|
| ||
proto |
|
| ||
rt |
|
| ||
src |
|
| ||
spt |
|
| ||
agentzoneuri |
|
| ||
agt |
|
| ||
ahost |
|
| ||
aid |
|
| ||
amac |
|
| ||
art |
|
| ||
at |
|
| ||
atz |
|
| ||
av |
|
| ||
categorybehavior |
|
| ||
categorydevicegroup |
|
| ||
categoryobject |
|
| ||
categoryoutcome |
|
| ||
categorysignificance |
|
| ||
customeruri |
|
| ||
destinationzoneuri |
|
| ||
dtz |
|
| ||
eventid2 |
|
| ||
geid |
|
| ||
sourcezoneuri |
|
| ||
hostchain |
|
| ✓ | |
tag |
|
|
| ✓ |
rawMessage |
|
| ✓ |