Watchguard Firewall and Proxy
Watchguard Technologies produces hardware units for firewall, proxy, email, and network security services.
App Function
This app first checks whether the incoming log message is a Watchguard log message, and if so it performs four functions. First, it sets the message program name to Watchguard plus the "area" name. Second, it regenerates the log message text without the timestamp (to enable de-duplication). Third, it sets a few universal user tags (listed below). Fourth, it sets specific user tags depending on the log message type (corresponding to the type of event being logged).
Vendor Documentation
- Watchguard Technologies
- Configure Syslog Server Settings
- About Logging, Log Files, and Notification
- Configure Syslog
- Types of Log Messages
Incoming Log Format
The log messages are syslog messages consisting of a msg_id indicator followed by a short phrase explaining the particular event being logged. That phrase may contain additional data such as IP addresses, but from message to message there is no consistent location or demarcation of the data fields. Instead, each message id corresponds to a different message "template", which indicates which portions of the message phrase contain data of interest. See the examples below.
Parsed Metadata Fields
As mentioned above, the Watchguard event id (msg_id) is used to look up the corresponding message severity level, the message "area", and a name indicating the particular event being logged. The levels include INFO, WARN, and ERROR. The areas include:
| Area |
|---|
| Firewall / Packet Filter |
| Proxy / Connection Framework Manager |
| Proxy / FTP |
| Proxy / SMTP |
| Proxy / DNS |
| Proxy / H.323 |
| Proxy / HTTP |
| Proxy / HTTPS |
| Proxy / IMAP |
| Proxy / POP3 |
| Proxy / SIP |
| Proxy / TCP-UDP |
There are too many message event names to list here.
From the message contents the following user tags are created:
| Field / User Tag Name | Example | High-Cardinality? |
|---|---|---|
| app_beh_name | connect | |
| app_name | World Wide Web HTTP | |
| cat_name | Network Protocols | |
| details | (see below) | ☑ |
| disposition | Allow | |
| dst | 10.0.1.51 | ☑ |
| dst_ip | 61.135.169.125 | ☑ |
| dst_port | 80 | ☑ |
| inif | Firebox | ☑ |
| ip | 192.168.111.254 | ☑ |
| msg | Application identified | |
| outif | 0-External | ☑ |
| pcy_name | HTTP-00 | ☑ |
| policy_name | HTTP-00 | ☑ |
| port | 513 | ☑ |
| protocol | tcp | ☑ |
| reason | timeout | ☑ |
| src | 10.0.1.34 | ☑ |
| src_ip | 10.0.1.20 | ☑ |
| src_port | 4107 | ☑ |
| status | offline | ☑ |
| user | James@Firebox-DB | ☑ |
Example details value:
Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe
Log Examples
IP Already On Blocked List
msg_id="3000-002A" IP address 192.168.111.10 will not be added to the blocked sites list because it already exists.
Quota Usage for User
msg_id="3000-0065" User James@Firebox-DB used 21 MB of the bandwidth quota (100 MB) and used 1 minute of the time quota (3 minutes).
DNS Parse Error
msg_id="1DFF-0003" Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)
APT Threat Notified
msg_id="0F01-0015" APT threat notified. Details=''Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe
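As an added example (not the app's own code), the msg_id template lookup described under App Function and Incoming Log Format, applied in Python to the example lines above: a line is recognised as Watchguard by its msg_id, the text from msg_id onward is kept as the de-duplication text (so a syslog header and timestamp ahead of it are dropped), and a per-id regex template extracts the user tags. The regex templates, the AREAS mapping and the DETAIL_KEYS list are assumptions written for this example, not the app's own tables.

```python
import re

# Per-msg_id templates: the "template" idea from the text, written as regexes.
# These mappings are assumptions for this example, not the app's own tables.
MSG_ID_RE = re.compile(r'msg_id="(?P<msg_id>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"\s*(?P<body>.*)$')
TEMPLATES = {
    # Proxy deny: positional fields, then msg="..." and the policy in parentheses
    "1DFF-0003": re.compile(
        r'(?P<disposition>\w+) (?P<inif>\S+) (?P<outif>\S+) (?P<protocol>\w+) '
        r'(?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<src_port>\d+) (?P<dst_port>\d+) '
        r'msg="(?P<msg>[^"]*)" \((?P<policy_name>[^)]*)\)'),
    # Blocked-sites notice: only the IP address is data of interest
    "3000-002A": re.compile(r"IP address (?P<ip>\S+) will not be added"),
    # APT notification: the Details='' string carries "Key: value" pairs
    "0F01-0015": re.compile(r"APT threat notified\. Details=''(?P<details>.*)"),
}
AREAS = {"1DFF-0003": "Proxy / DNS"}  # assumed area for the example id
DETAIL_KEYS = ["Policy Name", "Reason", "Task_UUID", "Source IP", "Source Port",
               "Destination IP", "Destination Port", "Proxy Type", "Proxy Host", "Path"]


def parse_details(text):
    """Split a Details value on its known key names (values may contain spaces)."""
    keys = "|".join(re.escape(k) for k in DETAIL_KEYS)
    parts = re.split(rf"\s*({keys}):\s*", text)  # [lead, key, value, key, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_watchguard(line):
    """Return None for non-Watchguard lines, else program name, dedup text and tags."""
    m = MSG_ID_RE.search(line)
    if not m:
        return None
    msg_id, body = m.group("msg_id").upper(), m.group("body")
    tags = {"msg_id": msg_id}
    tmpl = TEMPLATES.get(msg_id)
    if tmpl:
        t = tmpl.search(body)
        if t:
            tags.update(t.groupdict())
    if "details" in tags:
        tags["details"] = parse_details(tags["details"])
    area = AREAS.get(msg_id)
    return {
        "program": "Watchguard" + (f" {area}" if area else ""),
        # Text from msg_id onward: the syslog header and its timestamp are dropped
        "text": line[m.start():],
        "tags": tags,
    }
```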