Watchguard

LogZilla App Store application: Watchguard

Overview

WatchGuard Technologies produces network security appliances including firewalls, proxy servers, email security, and comprehensive network security services. WatchGuard devices provide unified threat management (UTM) and advanced persistent threat (APT) protection for organizations.

App Function

The WatchGuard app performs the following functions:

  1. Message Recognition: Identifies WatchGuard log messages and sets the program name to Watchguard plus the area name
  2. Message Normalization: Removes timestamps from log text to enable proper event deduplication
  3. Universal Tagging: Sets common user tags for all WatchGuard events
  4. Event-Specific Tagging: Creates user tags based on specific log message types and event categories

Vendor Documentation

Incoming Log Format

WatchGuard logs use syslog format with a msg_id indicator followed by a descriptive phrase explaining the logged event. The message phrase may contain additional data such as IP addresses, but field locations and delimiters are not consistent across message types.

Each message ID corresponds to a specific message template that defines which portions of the message contain extractable data. See examples below for template variations.

Parsed Metadata Fields

The WatchGuard app uses the message ID (`msg_id`) to determine the message severity level, area classification, and event name. Severity levels are INFO, WARN, and ERROR. Area classifications include:

| Area |
| --- |
| Firewall / Packet Filter |
| Proxy / Connection Framework Manager |
| Proxy / FTP |
| Proxy / SMTP |
| Proxy / DNS |
| Proxy / H.323 |
| Proxy / HTTP |
| Proxy / HTTPS |
| Proxy / IMAP |
| Proxy / POP3 |
| Proxy / SIP |
| Proxy / TCP-UDP |

There are too many message event names to list here.

From the message contents the following user tags are created:

| Tag Name | Example | Description |
| --- | --- | --- |
| app_beh_name | connect | Application behavior name |
| app_name | World Wide Web HTTP | Application name |
| cat_name | Network Protocols | Category name |
| details | (see below) | Detailed event information |
| disposition | Allow | Action disposition |
| dst | 10.0.1.51 | Destination address |
| dst_ip | 61.135.169.125 | Destination IP address |
| dst_port | 80 | Destination port |
| inif | Firebox | Ingress interface |
| ip | 192.168.111.254 | IP address |
| msg | Application identified | Message description |
| outif | 0-External | Egress interface |
| pcy_name | HTTP-00 | Policy name |
| policy_name | HTTP-00 | Policy name (alternate) |
| port | 513 | Port number |
| protocol | tcp | Network protocol |
| reason | timeout | Event reason |
| src | 10.0.1.34 | Source address |
| src_ip | 10.0.1.20 | Source IP address |
| src_port | 4107 | Source port |
| status | offline | Connection status |
| user | James@Firebox-DB | Username |

Example details value:

```text
Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID:
d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port:
43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type:
HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe
```

Log Examples

IP Already On Blocked List

```text
msg_id="3000-002A" IP address 192.168.111.10 will not be added to the
blocked sites list because it already exists.
```

Quota Usage for User

```text
msg_id="3000-0065" User James@Firebox-DB used 21 MB of the bandwidth
quota (100 MB) and used 1 minute of the time quota (3 minutes).
```

DNS Parse Error

```text
msg_id="1DFF-0003" Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143
56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)
```

APT Threat Notification

```text
msg_id="0F01-0015" APT threat notified. Details=''Policy Name:
HTTPS-proxy-00 Reason: high APT threat detected Task_UUID:
d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port:
43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy
Type: HTTP Proxy Host: analysis.lastline.com Path:
/docs/lastline-demo-sample.exe
```
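The following Python script is an added illustration of the four app functions described on this page (recognition by `msg_id`, timestamp removal for deduplication, universal tags, and event-specific tags) run over the log examples above. It is not the LogZilla app's own code: the `msg_id` to severity/area lookup is a small constructed table (the real app consults the full WatchGuard event catalogue), the sample lines are the page's examples re-joined onto one line and given a constructed syslog timestamp prefix, and the field-extraction patterns are assumptions written against those three message shapes (packet-filter style, free-text with an IP address, and the `Details=''...` block).

```python
import re

# Constructed sample lines: the page's log examples with a constructed
# "Mon DD HH:MM:SS host" syslog prefix added so normalization has a timestamp to strip.
SAMPLE_LOGS = [
    'Jan 14 10:22:01 firebox msg_id="1DFF-0003" Deny 1-Trusted 0-External udp '
    '10.0.1.5 192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)',
    'Jan 14 10:22:02 firebox msg_id="3000-002A" IP address 192.168.111.10 will not '
    'be added to the blocked sites list because it already exists.',
    'Jan 14 10:22:03 firebox msg_id="0F01-0015" APT threat notified. '
    "Details=''Policy Name: HTTPS-proxy-00 Reason: high APT threat detected "
    'Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: '
    '43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP '
    'Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe',
]

# Hypothetical msg_id -> (severity, area) table; an assumption for this example only.
MSG_ID_TABLE = {
    "1DFF-0003": ("WARN", "Proxy / DNS"),
    "3000-002A": ("INFO", "Firewall / Packet Filter"),
    "0F01-0015": ("ERROR", "Proxy / HTTPS"),
}

SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
MSG_ID = re.compile(r'msg_id="([0-9A-F]{4}-[0-9A-F]{4})"')
KV = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" pairs such as msg="..."
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PACKET = re.compile(  # disposition inif outif proto src dst sport dport
    rf"\b(Allow|Deny)\s+(\S+)\s+(\S+)\s+(tcp|udp|icmp)\s+({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)")
TRAILING_POLICY = re.compile(r"\(([\w-]+)\)\s*$")
DETAILS_KEYS = ["Policy Name", "Reason", "Task_UUID", "Source IP", "Source Port",
                "Destination IP", "Destination Port", "Proxy Type", "Proxy Host", "Path"]
DETAILS_TO_TAG = {"Policy Name": "policy_name", "Reason": "reason", "Source IP": "src_ip",
                  "Source Port": "src_port", "Destination IP": "dst_ip",
                  "Destination Port": "dst_port"}


def normalize(line):
    """Remove the leading timestamp so repeated events dedupe to one message."""
    return SYSLOG_TS.sub("", line, count=1)


def parse_details(blob):
    """Split a 'Key: value Key: value' blob (no delimiters) on the known key names."""
    keys = "|".join(re.escape(k) for k in DETAILS_KEYS)
    parts = re.split(rf"\s*({keys}):\s*", blob)
    while parts and parts[0] not in DETAILS_KEYS:  # drop any text before the first key
        parts.pop(0)
    return {k: v.strip() for k, v in zip(parts[0::2], parts[1::2])}


def tag_event(line):
    """Return the user tags for one WatchGuard line, or None if it is not recognized."""
    text = normalize(line)
    m = MSG_ID.search(text)
    if not m:
        return None
    msg_id = m.group(1)
    severity, area = MSG_ID_TABLE.get(msg_id, ("INFO", "Unknown"))
    # Universal tags: program name is "Watchguard" plus the area, as the page states.
    tags = {"program": "Watchguard " + area, "severity": severity, "msg_id": msg_id}
    # Event-specific tags, chosen by which template shape matches.
    for key, val in KV.findall(text):
        if key != "msg_id":
            tags[key] = val
    p = PACKET.search(text)
    if p:
        tags.update(zip(["disposition", "inif", "outif", "protocol",
                         "src_ip", "dst_ip", "src_port", "dst_port"], p.groups()))
    pol = TRAILING_POLICY.search(text)
    if pol:
        tags["policy_name"] = pol.group(1)
    ip = re.search(rf"\bIP address ({IPV4})", text)
    if ip:
        tags["ip"] = ip.group(1)
    d = re.search(r"Details=''(.*?)(?:'')?$", text)
    if d:
        tags["details"] = d.group(1)
        for key, val in parse_details(d.group(1)).items():
            if key in DETAILS_TO_TAG:
                tags[DETAILS_TO_TAG[key]] = val
    return tags


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        for k, v in sorted(tag_event(raw).items()):
            print(f"{k}={v}")
        print()
```

Note that the unrecognized-ID branch falls back to an "Unknown" area rather than dropping the event, so a new WatchGuard message ID still arrives with its universal tags and can be spotted in a dashboard filtered on `program = "Watchguard Unknown"`.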