WatchGuard Firewall Log Reference

Log Samples

Learn what raw WatchGuard Firewall events look like before they're processed in Logpoint:

WatchGuard WiFi Cloud Format

2022/04/04 18:17:04 <134><00:11:74:86:17:CF><134>Apr 4 16:17:04 wl_event_handler: [BA:5C:9B:18:77:2B]=>[net_4.0(00:11:74:86:17:A3)] Sent EAP identity request with version [8021X_2004]

WatchGuard Cloud Management Format

2022/04/05 15:31:05 <26><02:DD:11:1D:7D:D4>WatchGuard Manage v11.0.0-36 : Stop: Number of clients experiencing authentication failure has exceeded 15. : 10.0.250.6://Locations/XXXXXX : 2022-04-05T15:21:14+00:00 : High : 1391484 : 12 : 84 : 1013 : Stop: Number of clients experiencing authentication failure has exceeded 15.

General Logs (Space-Delimited Format)

2009 Mar 11 12:07:07 wa-hs1->1.2.4.4 2009-03-11 12:16:49 wg_Peough disp="Deny" pri="1" policy="Unhandled Internal Packet-00" src_ip="1.1.1.1" dst_ip="1.1.2.1" pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" dst_intf="0-External" tcpinfo="offset 7 S 3884792327 win 65535" rc="101" msg="denied" pckt_len="48" ttl="128"

WatchGuard Version 11.9 (Syslog Format)

Dec 22 11:27:39 -- host=firewall-xxxx-01 -- firewall-clus-01 firewall: msg_id="3000-0148" Allow 3-LAN-DE 2-EXTERNAL-RADWARE 714 tcp 20 55 1.1.1.5 1.8.0.1 58722 80 offset 5 A 4058685545 win 29440 signature_name="EXPLOIT xxxxxxxx or xxxxxxxxxxx Mining Activity" signature_cat="Web Attack" signature_id="xxxxxxxx" severity="4" msg="IPS detected" (Out_Users_HTTP-HTTPS-NoProxy-00)

WatchGuard Version 11.10 (Semi-colon Delimited Format)

1433314980000; service=analyzer; thread_id=209441; hook=CreatingStreamObjectsSavingDb; count=0; cpu_avg=0.0; cpu_min=0.0; cpu_max=0.0; cpu_std-dev=0.0; cpu_total=0.0; cpu_tps=0.0; sys_avg=0.0; sys_min=0.0; sys_max=0.0; sys_std-dev=0.0; sys_total=0.0; sys_tps=0.0

Field Mapping

WatchGuard Firewall fields are mapped to Logpoint standardized fields for consistent analysis.

Common Field Mappings:

WatchGuard Field              Logpoint Field
proxy_act                     proxy_action
method                        request_method
arg                           argument
src_user                      user, source_user
app_name                      application
cat_name, cat_namec, cats     category
dstname                       domain
app_id                        application_id
sent_bytes                    sent_datasize
rcvd_bytes                    received_datasize
signature_cat                 category
op                            request_method
msg                           message
app_cat_id                    application_category_id
msg_id                        message_id
fqdn_dst_match                fqdn_destination_match
act                           action
geo_dst                       destination_country
geo_src                       source_country
tls_profile                   ssl_version, ssl_profile

Log Source Labels

WatchGuard Firewall events are categorized with specific labels based on message IDs. The integration includes over 400 label mappings for comprehensive event classification. Labels help identify event types, severity, and context for faster analysis and correlation.

Label Categories:

  • Basic Actions: Allow, Deny

  • Attack Detection: Attack, Scan, Flood, DDOS, Spoof

  • Security Events: IPS, Virus, APT, DLP, Hostile

  • Network Events: Connection, Traffic, Block, Route

  • Authentication: User, Login, Logon, Logoff, Authentication

  • VPN and IPSec: VPN, IPSec, Tunnel, Gateway

  • System Events: Configuration, Feature, License, Cluster

  • Wireless: Wireless, Access, Point, Rogue

  • Protocol Specific: HTTP, SMTP, FTP, DNS, SIP

Example Label Mappings:

Message ID    Description                    Labels
3000-0156     IPSec Flood Attack             IPSEC, Flood, Attack
3000-0155     UDP Flood Attack               UDP, Flood, Attack
3000-0158     Scan Attack                    Scan, Attack
3000-0159     Port Scan Detection            Port, Scan, Attack
3000-0160     DDoS Server Attack             DDOS, Server
3000-0161     DDoS Client Attack             DDOS, Attack, Client
3000-0162     SYN Flood Attack               SYN, Flood, Attack
3000-0163     ICMP Flood Attack              ICMP, Flood, Attack
3000-0164     UDP Flood Attack               UDP, Flood, Attack
3000-0165     IPSec Flood Attack             IPSEC, Flood, Attack
3000-0166     IKE Flood Attack               IKE, Flood, Attack
3000-0168     Block Site                     Block, Site
3000-0169     IP Spoofing                    IP, Spoof
3000-012C     ARP Spoof Attack               ARP, Spoof, Attack
3000-012E     Possible ARP Spoof Loop        Possible, Loop, ARP, Spoof, Detect
3000-0148     Normal Traffic Connection      Normal, Traffic, Connection
3000-0149     Application Control Traffic    Application, Control

For the complete list of message IDs and their corresponding labels (over 400 mappings), refer to the WatchGuard Firewall Labels section in the original documentation.
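The following Python is an added example, not Logpoint's or WatchGuard's code, showing how the log samples, the field mapping table and the label table above fit together: it parses the key="value" pairs of the space-delimited and 11.9 syslog formats and the semicolon-delimited 11.10 format, renames fields to the Logpoint names, and attaches labels by message ID. It assumes a regex-based key/value parser, only a subset of the two tables, and one constructed event (SAMPLE_FLOOD) that places a msg_id from the label table in a space-delimited line; the positional columns that follow msg_id in the 11.9 syslog line are not interpreted because the page does not define them.

```python
import re

# Sample events copied from the formats shown on this page (the page's own
# sanitized placeholder values); SAMPLE_FLOOD below is constructed for this example.
SAMPLE_GENERAL = (
    '2009 Mar 11 12:07:07 wa-hs1->1.2.4.4 2009-03-11 12:16:49 wg_Peough disp="Deny" '
    'pri="1" policy="Unhandled Internal Packet-00" src_ip="1.1.1.1" dst_ip="1.1.2.1" '
    'pr="3085/tcp" src_port="2122" dst_port="3085" src_intf="1-Trusted" '
    'dst_intf="0-External" tcpinfo="offset 7 S 3884792327 win 65535" rc="101" '
    'msg="denied" pckt_len="48" ttl="128"'
)
SAMPLE_SYSLOG = (
    'Dec 22 11:27:39 -- host=firewall-xxxx-01 -- firewall-clus-01 firewall: '
    'msg_id="3000-0148" Allow 3-LAN-DE 2-EXTERNAL-RADWARE 714 tcp 20 55 1.1.1.5 '
    '1.8.0.1 58722 80 offset 5 A 4058685545 win 29440 '
    'signature_name="EXPLOIT xxxxxxxx or xxxxxxxxxxx Mining Activity" '
    'signature_cat="Web Attack" signature_id="xxxxxxxx" severity="4" '
    'msg="IPS detected" (Out_Users_HTTP-HTTPS-NoProxy-00)'
)
SAMPLE_SEMI = (
    '1433314980000; service=analyzer; thread_id=209441; '
    'hook=CreatingStreamObjectsSavingDb; count=0; cpu_avg=0.0; cpu_min=0.0; '
    'cpu_max=0.0; cpu_std-dev=0.0; cpu_total=0.0; cpu_tps=0.0; sys_avg=0.0; '
    'sys_min=0.0; sys_max=0.0; sys_std-dev=0.0; sys_total=0.0; sys_tps=0.0'
)
# Constructed: a flood event in the space-delimited format carrying a msg_id.
SAMPLE_FLOOD = (
    '2009 Mar 11 12:08:01 wa-hs1->1.2.4.4 2009-03-11 12:17:43 wg_Peough '
    'msg_id="3000-0162" disp="Deny" src_ip="1.1.1.9" dst_ip="1.1.2.1" msg="SYN flood"'
)

# Subset of the WatchGuard -> Logpoint field mapping table on this page.
FIELD_MAP = {
    "src_user": ("user", "source_user"),
    "app_name": ("application",),
    "signature_cat": ("category",),
    "msg": ("message",),
    "msg_id": ("message_id",),
    "act": ("action",),
    "geo_src": ("source_country",),
    "geo_dst": ("destination_country",),
    "sent_bytes": ("sent_datasize",),
    "rcvd_bytes": ("received_datasize",),
}

# Subset of the message-ID -> label table on this page.
LABELS = {
    "3000-0148": ("Normal", "Traffic", "Connection"),
    "3000-0162": ("SYN", "Flood", "Attack"),
    "3000-0163": ("ICMP", "Flood", "Attack"),
    "3000-0169": ("IP", "Spoof"),
}

# key="quoted value" or key=bare_value; keys may contain '_' and '-'.
KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Extract key=value pairs from the space-delimited and syslog formats.
    Positional columns (the interface/port block after msg_id) are left alone."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def parse_semicolon(line):
    """Parse the 11.10 format: epoch-ms timestamp, then '; key=value' pairs."""
    parts = [p.strip() for p in line.split(";") if p.strip()]
    fields = {"timestamp_ms": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def normalize(fields):
    """Rename fields per FIELD_MAP (unmapped keys keep their WatchGuard name)
    and attach labels looked up from the message ID."""
    event = {}
    for key, value in fields.items():
        for target in FIELD_MAP.get(key, (key,)):
            event[target] = value
    event["labels"] = list(LABELS.get(event.get("message_id"), ()))
    return event


def attack_sources(events):
    """Detection helper: source addresses of events whose labels include Attack."""
    return sorted({e["src_ip"] for e in events if "Attack" in e["labels"] and "src_ip" in e})


if __name__ == "__main__":
    events = [normalize(parse_kv(l)) for l in (SAMPLE_GENERAL, SAMPLE_SYSLOG, SAMPLE_FLOOD)]
    for e in events:
        print(e.get("message_id"), e["labels"], e.get("message"))
    print("attack sources:", attack_sources(events))
    print("11.10 service field:", parse_semicolon(SAMPLE_SEMI)["service"])
```

Because `normalize` keeps unmapped keys under their WatchGuard names, a search written against `src_ip` or `disp` still works for events the table does not cover, while mapped keys such as `msg` and `signature_cat` land in the Logpoint names (`message`, `category`) that cross-vendor searches and alert rules use.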
