Watchguard

LogZilla App Store application: Watchguard

Overview

WatchGuard Technologies produces network security appliances including the Firebox firewall series. WatchGuard devices provide unified threat management (UTM), intrusion prevention, VPN, and proxy services. Devices generate syslog messages for traffic events, attacks, VPN connections, and system health.

App Function

  • Parse WatchGuard logs in both BSD syslog and IBM LEEF formats
  • Extract network metadata (IPs, ports, protocols, interfaces)
  • Categorize events by area (Firewall, Proxy, VPN, System)
  • Provide dashboards for traffic monitoring and threat detection
  • Alert on attacks, IPS detections, and policy violations

Vendor Documentation

Device Configuration

Configure the WatchGuard Firebox to send syslog to LogZilla. The Firebox supports up to three syslog servers and two log formats: Syslog (BSD) and IBM LEEF.

Log Format Selection

Format   | Use Case                | Notes
Syslog   | Standard syslog servers | BSD format with msg_id field
IBM LEEF | QRadar integration      | LEEF 1.0 format, no Performance logs

Log Message Types

Type      | Description
Traffic   | Packet filter and proxy rule events
Alarm     | Triggered events (IPS, AV, DoS, Policy)
Event     | User activity, authentication, VPN
Debug     | Diagnostic information
Statistic | Performance metrics

Syslog Facilities

Facility | Log Type
Local0   | Alarm (highest priority)
Local1   | Traffic
Local2   | Event
Local3   | Diagnostic
Local4   | Performance

Fireware Web UI (v12.4+)

  1. Log in to the Fireware Web UI
  2. Navigate to System > Logging
  3. Click the Syslog Server tab
  4. Select Send log messages to these syslog servers
  5. Click Add
  6. Enter the LogZilla server IP address and port (default: 514)
  7. Select Log Format: Syslog or IBM LEEF
  8. Configure syslog facility for each log type (Local0 for alarms, Local1-4 for others)
  9. Click Save

Policy Manager

  1. Open Policy Manager and connect to the Firebox
  2. Select Setup > Logging
  3. Select Send log messages to these syslog servers
  4. Click Add
  5. Enter the LogZilla server IP address and port (default: 514)
  6. Select Log Format: Syslog or IBM LEEF
  7. Configure syslog facility for each log type
  8. Click OK, then save the configuration to the Firebox

Verification

Generate test traffic or trigger a policy, then verify events appear in LogZilla with program name firewall.

Incoming Log Format

WatchGuard supports two log formats:

BSD Syslog Format

msg_id="3000-0148" Deny 0-External Firebox 32 udp 20 64 192.168.100.1 255.255.255.255 52346 10001  (Unhandled External Packet-00)

IBM LEEF Format

LEEF:1.0|WatchGuard|XTM|12.5.3.B616762|30000148|policy=Any From Firebox-00	disp=Allow	in_if=Firebox	out_if=0-External	proto=udp	src=192.168.100.2	srcPort=38963	dst=4.2.2.1	dstPort=53
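The two formats above need separate parsing paths: the BSD form is positional text after a msg_id field, the LEEF form is a pipe-delimited header followed by tab-separated key=value pairs. The Python below is an added illustration of that split, not LogZilla's or WatchGuard's own parser. It also decodes the syslog PRI into the facility-to-log-type mapping from the table earlier on this page. The sample lines are constructed from the page's examples; the "<PRI>" and "Jan 15 ... firewall:" header in front of msg_id, the names given to the three numeric traffic fields (packet length, header length, TTL), and the area() heuristic are assumptions not stated on the page.

```python
"""Parse WatchGuard Firebox syslog in BSD and IBM LEEF form (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Syslog facility number -> WatchGuard log type, from the facility table above.
# Local0..Local4 are facility codes 16..20; facility = PRI // 8, severity = PRI % 8.
FACILITY_LOG_TYPE = {16: "Alarm", 17: "Traffic", 18: "Event", 19: "Diagnostic", 20: "Performance"}

# Optional PRI, then anything up to msg_id="XXXX-XXXX"; the remainder is the body.
BSD_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?.*?msg_id="(?P<msg_id>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"\s*(?P<body>.*)$', re.S)
# Positional traffic body: action, in/out interface, [packet length], protocol,
# [IP header length, TTL], src, dst, src port, dst port, free text.  Packet-filter
# lines carry the three numbers, proxy lines (the DNS example on this page) do not.
# Naming those three numbers is an assumption; the page does not label them.
TRAFFIC_RE = re.compile(
    r'^(?P<action>Allow|Deny)\s+(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+'
    r'(?:(?P<pkt_len>\d+)\s+)?(?P<proto>[a-z][a-z0-9]*)\s+'
    r'(?:(?P<hdr_len>\d+)\s+(?P<ttl>\d+)\s+)?'
    r'(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)(?P<rest>.*)$')
MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"')           # msg="ProxyDeny: ..." on proxy lines
POLICY_RE = re.compile(r'\((?P<policy>[^()]*)\)\s*$')   # trailing "(Policy-Name-00)"


@dataclass
class Event:
    fmt: str                         # "bsd" or "leef"
    msg_id: Optional[str] = None
    log_type: Optional[str] = None   # from the syslog facility (BSD only)
    action: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    policy: Optional[str] = None
    msg: Optional[str] = None
    extra: dict = field(default_factory=dict)


def parse_bsd(line: str) -> Event:
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("no msg_id field; not a WatchGuard BSD syslog line")
    ev = Event(fmt="bsd", msg_id=m.group("msg_id").upper())
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        ev.log_type = FACILITY_LOG_TYPE.get(pri // 8)
        ev.extra["severity"] = pri % 8
    body = m.group("body").strip()
    t = TRAFFIC_RE.match(body)
    if not t:                        # alarm/event text: keep the whole message
        ev.msg = body
        return ev
    ev.action, ev.in_if, ev.out_if = t.group("action", "in_if", "out_if")
    ev.proto, ev.src, ev.dst = t.group("proto", "src", "dst")
    ev.src_port, ev.dst_port = int(t.group("src_port")), int(t.group("dst_port"))
    for k in ("pkt_len", "hdr_len", "ttl"):
        if t.group(k) is not None:
            ev.extra[k] = int(t.group(k))
    rest = t.group("rest")
    if (mm := MSG_RE.search(rest)):
        ev.msg = mm.group("msg")
    if (pm := POLICY_RE.search(rest)):
        ev.policy = pm.group("policy")
    return ev


def parse_leef(line: str) -> Event:
    # LEEF 1.0: LEEF:1.0|Vendor|Product|Version|EventID|ext, ext keys tab-separated.
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 record")
    vendor, product, version, event_id, ext = parts[1:]
    attrs = dict(item.partition("=")[::2] for item in ext.split("\t") if "=" in item)
    ev = Event(fmt="leef", extra={"vendor": vendor, "product": product, "version": version})
    # The LEEF EventID is the BSD msg_id without its hyphen (30000148 vs 3000-0148).
    if re.fullmatch(r"[0-9A-Fa-f]{8}", event_id):
        ev.msg_id = f"{event_id[:4]}-{event_id[4:]}".upper()
    ev.action, ev.in_if, ev.out_if = attrs.get("disp"), attrs.get("in_if"), attrs.get("out_if")
    ev.proto, ev.src, ev.dst, ev.policy = (attrs.get(k) for k in ("proto", "src", "dst", "policy"))
    ev.src_port = int(attrs["srcPort"]) if "srcPort" in attrs else None
    ev.dst_port = int(attrs["dstPort"]) if "dstPort" in attrs else None
    return ev


def parse(line: str) -> Event:
    """Dispatch on format; a LEEF record may also sit behind a syslog header."""
    idx = line.find("LEEF:1.0|")
    return parse_leef(line[idx:]) if idx >= 0 else parse_bsd(line)


def area(ev: Event) -> str:
    """Assumed heuristic: proxy policies are named *-proxy-NN and proxy denies carry
    msg="ProxyDeny: ..."; packet-filter lines have an action; the rest is System."""
    if (ev.msg or "").startswith("Proxy") or "proxy" in (ev.policy or "").lower():
        return "Proxy"
    return "Firewall" if ev.action else "System"


# Constructed samples: the page's examples on one line, behind an assumed syslog header.
SAMPLES = [
    '<142>Jan 15 10:22:01 Firebox firewall: msg_id="3000-0148" Deny 0-External Firebox 32 udp 20 64 '
    '192.168.100.1 255.255.255.255 52346 10001  (Unhandled External Packet-00)',
    '<129>Jan 15 10:22:02 Firebox firewall: msg_id="3000-002A" IP address 192.168.111.10 will not be '
    'added to the blocked sites list because it already exists.',
    '<142>Jan 15 10:22:03 Firebox firewall: msg_id="1DFF-0003" Deny 1-Trusted 0-External udp 10.0.1.5 '
    '192.168.53.143 56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)',
    "LEEF:1.0|WatchGuard|XTM|12.5.3.B616762|30000148|policy=Any From Firebox-00\tdisp=Allow\tin_if=Firebox"
    "\tout_if=0-External\tproto=udp\tsrc=192.168.100.2\tsrcPort=38963\tdst=4.2.2.1\tdstPort=53",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ev = parse(s)
        print(f"{ev.fmt:4} {ev.log_type or '-':8} {ev.msg_id} {area(ev):8} {ev.action or '-':5} "
              f"{ev.src}:{ev.src_port} -> {ev.dst}:{ev.dst_port} {ev.policy or ev.msg}")
```

Both paths end in the same Event record, which is what lets one set of dashboards and triggers work regardless of which format the Firebox was configured to send. Note that the LEEF path has no facility to read, so log_type stays empty there; the BSD path gets it from the PRI that the Firebox sets according to the per-log-type facility you configured.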

Parsed Metadata Fields

Global Tags

Tag Name    | Example    | Description
Vendor      | WatchGuard | Vendor name
Product     | Firebox    | Product name
Event Class | security   | Cross-vendor event classification

Standardized Tags

Tag Name | Example       | Description
SrcIP    | 192.168.1.100 | Source IP address (HC)
DstIP    | 10.0.0.1      | Destination IP address (HC)
DstPort  | https         | Destination port (named service)
Protocol | TCP           | Network protocol
Action   | Allow         | Firewall action
User     | admin         | Username (HC)
SrcInt   | 1-Trusted     | Source interface
DstInt   | 0-External    | Destination interface

Security Tags

Tag Name          | Example                 | Description
MitreId           | T1498                   | MITRE ATT&CK technique ID (enables UI lookup)
MITRE Tactic      | Impact                  | MITRE ATT&CK tactic
WG Signature ID   | 1112464                 | IPS signature ID (HC)
WG Signature Name | EXPLOIT buffer overflow | IPS signature name
WG Virus          | EICAR-Test-File         | Detected malware name
WG Event Type     | VPN Auth Failure        | WatchGuard-specific event type

MITRE ATT&CK Coverage

Security events are mapped to MITRE ATT&CK techniques:

Technique | Tactic              | Event Types
T1498     | Impact              | DoS/DDoS flood attacks
T1046     | Discovery           | Port and IP scans
T1557     | Credential Access   | ARP spoofing attacks
T1090     | Command and Control | IP spoofing, source routing
T1071     | Command and Control | Blocked sites/ports
T1190     | Initial Access      | IPS exploit detections
T1204     | Execution           | APT threats, malware
T1566     | Initial Access      | Spam/phishing emails

Log Examples

IP Already On Blocked List

msg_id="3000-002A" IP address 192.168.111.10 will not be added to the
blocked sites list because it already exists.

Quota Usage for User

msg_id="3000-0065" User James@Firebox-DB used 21 MB of the bandwidth
quota (100 MB) and used 1 minute of the time quota (3 minutes).

DNS Parse Error

msg_id="1DFF-0003" Deny 1-Trusted 0-External udp 10.0.1.5 192.168.53.143
56704 53 msg="ProxyDeny: DNS parse error" (DNS-proxy-00)

APT Threat Notification

msg_id="0F01-0015" APT threat notified. Details=''Policy Name:
HTTPS-proxy-00 Reason: high APT threat detected Task_UUID:
d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port:
43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy
Type: HTTP Proxy Host: analysis.lastline.com Path:
/docs/lastline-demo-sample.exe
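The APT and quota examples above are free text rather than positional fields: the APT Details string is a run of "Label: value" pairs with no delimiter between them, and the quota message buries its numbers in a sentence. The Python below, added here as an illustration and not LogZilla's or WatchGuard's code, extracts both into normalised records, working on the message body after msg_id. The two samples are the page's wrapped examples joined onto one line; the MITRE tags come from the coverage table above, while the "APT Threat" event-type label is an assumed value.

```python
"""Extract fields from WatchGuard free-text alarm messages (added example)."""
import re

# Labels WatchGuard writes into the APT notification's Details string.  Pairs are
# "Label: value" with nothing between them, so a value runs until the next known
# label starts; splitting on a known label set is what makes this reliable.
APT_LABELS = ["Policy Name", "Reason", "Task_UUID", "Source IP", "Source Port",
              "Destination IP", "Destination Port", "Proxy Type", "Proxy Host", "Path"]


def extract_labeled_fields(text: str, labels) -> dict:
    """Split a 'Label: value Label: value ...' run using a known label set."""
    # Longest label first so a shorter label cannot match the start of a longer one.
    alt = "|".join(re.escape(l) for l in sorted(labels, key=len, reverse=True))
    hits = list(re.finditer(rf"(?P<key>{alt}):\s*", text))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group("key")] = text[m.end():end].strip()
    return fields


def parse_apt_notification(body: str) -> dict:
    """msg_id 0F01-0015: normalise the Details block and attach the security tags
    (APT threats map to T1204 / Execution in the coverage table on this page)."""
    m = re.search(r"Details=(?P<d>.*)$", body, re.S)
    details = (m.group("d") if m else body).strip().strip("'")   # drop the '' wrapper
    f = extract_labeled_fields(details, APT_LABELS)

    def port(key):
        return int(f[key]) if key in f and f[key].isdigit() else None

    return {
        "policy": f.get("Policy Name"),
        "reason": f.get("Reason"),
        "task_uuid": f.get("Task_UUID"),
        "src": f.get("Source IP"), "src_port": port("Source Port"),
        "dst": f.get("Destination IP"), "dst_port": port("Destination Port"),
        "proxy_type": f.get("Proxy Type"),
        "proxy_host": f.get("Proxy Host"),
        "path": f.get("Path"),
        # "APT Threat" is an assumed event-type label, not one shown on the page.
        "tags": {"WG Event Type": "APT Threat", "MitreId": "T1204", "MITRE Tactic": "Execution"},
    }


QUOTA_RE = re.compile(
    r"User (?P<user>[^@\s]+)(?:@(?P<domain>\S+))? used (?P<bw>\d+) (?P<bw_unit>[A-Za-z]+) of the "
    r"bandwidth quota \((?P<bw_q>\d+) [A-Za-z]+\) and used (?P<t>\d+) minutes? of the time quota "
    r"\((?P<t_q>\d+) minutes?\)")


def parse_quota(body: str) -> dict:
    """msg_id 3000-0065: split the user from its authentication domain and turn both
    quotas into percentages so a trigger can fire on a threshold rather than raw MB."""
    m = QUOTA_RE.search(body)
    if not m:
        raise ValueError("not a quota usage message")
    bw, bw_q, t, t_q = (int(m.group(k)) for k in ("bw", "bw_q", "t", "t_q"))
    return {
        "user": m.group("user"), "auth_domain": m.group("domain"),
        "bandwidth_used": bw, "bandwidth_quota": bw_q, "bandwidth_unit": m.group("bw_unit"),
        "bandwidth_pct": round(100 * bw / bw_q, 1),
        "time_used_min": t, "time_quota_min": t_q,
        "time_pct": round(100 * t / t_q, 1),
    }


# Constructed samples: the page's wrapped examples joined onto single lines.
APT_SAMPLE = ("APT threat notified. Details=''Policy Name: HTTPS-proxy-00 Reason: high APT threat "
              "detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: "
              "43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP "
              "Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe")
QUOTA_SAMPLE = ("User James@Firebox-DB used 21 MB of the bandwidth quota (100 MB) and used "
                "1 minute of the time quota (3 minutes).")

if __name__ == "__main__":
    print(parse_apt_notification(APT_SAMPLE))
    print(parse_quota(QUOTA_SAMPLE))
```

The label-set approach in extract_labeled_fields is the part worth keeping: any WatchGuard message that packs "Label: value" pairs into one string can be handled by passing the labels it uses, and unknown text between labels simply becomes part of the preceding value instead of breaking the parse.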

Dashboards

Dashboard            | Focus                               | Key Widgets
WatchGuard: Security | Threat detection and MITRE analysis | Threats, MITRE tactics, malware, IPS
WatchGuard: Network  | Traffic analysis and visibility     | Sources, destinations, interfaces, protocols

Triggers

Trigger                                  | Description
WatchGuard: MITRE ATT&CK Threat Detected | Catch-all for any MITRE-mapped threat
WatchGuard: DDoS Attack Detected         | DDoS flood attacks (MITRE T1498)
WatchGuard: Port or IP Scan Detected     | Network reconnaissance (MITRE T1046)
WatchGuard: ARP Spoofing Attack          | Layer 2 credential theft (MITRE T1557)
WatchGuard: Malware Detected             | Virus or malware found by proxy
WatchGuard: IPS Intrusion Blocked        | IPS signature triggered
WatchGuard: Potential C2 Communication   | Blocked C2 traffic (MITRE T1071)
WatchGuard: Traffic Routing Anomaly      | IP spoofing or source routing (MITRE T1090)
WatchGuard: Spam or Phishing Detected    | Email threats (MITRE T1566)
WatchGuard: Malicious User Execution     | APT or malware execution (MITRE T1204)
WatchGuard: Credential Access Attempt    | Credential theft attempts
WatchGuard: VPN Authentication Failure   | Failed VPN login attempts