firewall.watchguard
Introduction
Tags beginning with firewall.watchguard identify events generated by WatchGuard.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as firewall.watchguard. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
WatchGuard Firewall | firewall.watchguard.traffic | firewall.watchguard.traffic |
How is the data sent to Devo?
Before sending WatchGuard events, make sure that the aliases don't contain space characters (" "), as they are used to distinguish between different fields.
The procedure to check and modify the aliases is detailed in this article.
Table structure
These are the fields displayed in this table:
firewall.watchguard.traffic
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
srcIP | | | | |
dstIP | | | | |
protocol | | | | |
srcPORT | | | | |
dstPORT | | | | |
proxy_act | | | | |
cats | | | | |
dstname | | | | |
sni | | | | |
cn | | | | |
cert_issuer | | | | |
cert_subject | | | | |
action | | | | |
app_id | | | | |
app_name | | | | |
app_cat_id | | | | |
app_beh_name | | | | |
app_ctl_disp | | | | |
cat_name | | | | |
duration | | | | |
sent_bytes | | | | |
rcvd_bytes | | | | |
geo_src | | | | |
geo_dst | | | | |
serial_number | | | | |
fecha | | timestamp(fechad + ".000") | fechad | |
disposition | | | | |
interface | | | | |
external | | | | |
request | | | | |
area00 | | | | |
area01 | | | | |
proc_id | | | | |
rc | | | | |
service | | | | |
log_type | | | | |
msg_id | | ifthenelse(isnull(msg_id_dstar), msg_id_aux + msg_id_end, msg_id_dstar) | msg_id_dstar msg_id_aux msg_id_end | |
fqdn_dst_match | | | | |
srcInterface | | | | |
dstInterface | | | | |
num1 | | | | |
num2 | | | | |
num3 | | | | |
winVersion | | ifthenelse(isnotnull(win1), (win1 + " " + win2 + " " + win3 + " " + win4 + " " + win5 + " " + __win6), null) | win4 __win6 win2 win3 win5 win1 | |
msg | | | | |
line | | | | |
rule_name | | | | |
query_opcode | | | | |
header | | | | |
content_type | | | | |
method | | | | |
scheme | | | | |
op | | | | |
arg | | | | |
path | | | | |
elapsed_time | | | | |
reputation | | | | |
signature_name | | | | |
signature_cat | | | | |
signature_id | | | | |
sig_vers | | | | |
src_user | | | | |
id | | | | |
ip_packet_length | | _ip_packet_length num1 | | |
ip_header_length | | _ip_header_length num2 | | |
ttl | | _ttl num3 | | |
new_action | | | | |
tls_profile | | | | |
tls_version | | | | |
seq | | | | |
severity | | | | |
type | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |