Document toolboxDocument toolbox

firewall.watchguard

Owned by Former user (Deleted)
Last updated: Sept 12, 2023 by Juan Tomás Alonso Nieto (Deactivated)
1 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How is the data send to Devo? ] [ 4 Table structure ]

Introduction

Tags beginning with firewall.watchguard identify events generated by WatchGuard.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as firewall.watchguard. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

WatchGuard Firewall

  • firewall.watchguard.traffic

  • firewall.watchguard.traffic.v2

firewall.watchguard.traffic

How is the data send to Devo?

Before sending WatchGuard events, make sure that the aliases don’t contain space characters (" "), as they are used to distinguish between different fields.

The procedure to check and modify the aliases is detailed in this article.

Table structure

These are the fields displayed in this table:

firewall.watchguard.traffic

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

srcIP

ip4

 

 

 

dstIP

ip4

 

 

 

protocol

str

 

 

 

srcPORT

int4

 

 

 

dstPORT

int4

 

 

 

proxy_act

str

 

 

 

cats

str

 

 

 

dstname

str

 

 

 

sni

str

 

 

 

cn

str

 

 

 

cert_issuer

str

 

 

 

cert_subject

str

 

 

 

action

str

 

 

 

app_id

str

 

 

 

app_name

str

 

 

 

app_cat_id

str

 

 

 

app_beh_name

str

 

 

 

app_ctl_disp

str

 

 

 

cat_name

str

 

 

 

duration

str

 

 

 

sent_bytes

str

 

 

 

rcvd_bytes

str

 

 

 

geo_src

str

 

 

 

geo_dst

str

 

 

 

serial_number

str

 

 

 

fecha

timestamp

timestamp(fechad, +".000")

fechad

 

disposition

str

 

 

 

interface

str

 

 

 

external

str

 

 

 

request

str

 

 

 

area00

str

 

 

 

area01

str

 

 

 

proc_id

str

 

 

 

rc

str

 

 

 

service

str

 

 

 

log_type

str

 

 

 

msg_id

str

ifthenelse(isnull(msg_id_dstar), msg_id_aux, +msg_id_end, msg_id_dstar)

msg_id_dstar

msg_id_aux

msg_id_end

 

fqdn_dst_match

str

 

 

 

srcInterface

str

 

 

 

dstInterface

str

 

 

 

num1

int4

 

 

 

num2

int4

 

 

 

num3

int4

 

 

 

winVersion

str

ifthenelse(isnotnull(win1), (win1 + " " + win2 + " " + win3 + " " + win4 + " " + win5 + " " + __win6), null)

win4

__win6

win2

win3

win5

win1

 

msg

str

 

 

 

line

str

 

 

 

rule_name

str

 

 

 

query_opcode

str

 

 

 

header

str

 

 

 

content_type

str

 

 

 

method

str

 

 

 

scheme

str

 

 

 

op

str

 

 

 

arg

str

 

 

 

path

str

 

 

 

elapsed_time

str

 

 

 

reputation

str

 

 

 

signature_name

str

 

 

 

signature_cat

str

 

 

 

signature_id

str

 

 

 

sig_vers

str

 

 

 

src_user

str

 

 

 

id

str

 

 

 

ip_packet_length

str

_ip_packet_length

num1

 

ip_header_length

str

_ip_header_length

num2

 

ttl

str

_ttl

num3

 

new_action

str

 

 

 

tls_profile

str

 

 

 

tls_version

str

 

 

 

seq

str

 

 

 

severity

str

 

 

 

type

str

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

rawSource

✓