Collect WatchGuard Firebox logs

Supported in:

Google secops SIEM

This document explains how to ingest WatchGuard Firebox logs to Google Security Operations using Bindplane. WatchGuard Firebox is a unified threat management (UTM) firewall appliance that provides network security features including stateful packet inspection, intrusion prevention, application control, URL filtering, gateway antivirus, and VPN connectivity. Firebox logs capture traffic events, security alerts, authentication activity, and system health information.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance.
A Windows 2016 or later or Linux host with systemd.
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
Privileged access to the WatchGuard Firebox web UI (Fireware Web UI) or WatchGuard System Manager.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agent.
Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
  udplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: YOUR_CUSTOMER_ID
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    log_type: 'WATCHGUARD'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace YOUR_CUSTOMER_ID with the actual Customer ID.
Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in Step 1.

Restart Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart observiq-otel-collector
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```

Configure WatchGuard Firebox syslog forwarding

To configure the WatchGuard Firebox to forward syslog messages to the Bindplane agent, follow these steps using the Fireware Web UI:

Sign in to the Fireware Web UI (https://<firebox-ip>:8080).
Go to System > Logging.
Click Add in the Syslog Servers section.
Provide the following configuration details:
- IP Address: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100).
- Port: Enter 514 (or the port configured in the Bindplane agent).
- Log Format: Select Syslog (standard BSD syslog format).
In the Syslog Settings section, configure the log level:
- Set the Log Level to Information or higher to capture traffic, security, and system events.
Click Save.

Configure log types to forward

In the Fireware Web UI, go to System > Logging > Syslog.
Ensure the following log types are enabled for syslog forwarding:
- Traffic - firewall traffic events (allow, deny).
- Alarm - IPS and security alarm events.
- Event - system events and status changes.
- Debug - optional, for troubleshooting only.
Click Save.

(Alternative) Configure via WatchGuard System Manager

Open WatchGuard System Manager and connect to the Firebox.
Go to Setup > Logging > Send log messages to this syslog server.
Click Add.
Provide the following configuration details:
- IP Address: Enter the IP address of the Bindplane agent host.
- Port: Enter 514.
- Log Format: Select Syslog.
Click OK and save the configuration to the Firebox.

For more information, see the WatchGuard Fireware logging documentation.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`action`	`security_result.action_details`	The value of `action` from the raw log is assigned to `security_result.action_details`.
`action`	`target.labels.value`	The value of `action` from the raw log is assigned to `target.labels.value`, with `target.labels.key` being "Action over resource".
`arg`	`target.file.full_path`	The value of `arg` from the raw log is assigned to `target.file.full_path`.
`app_cat_id`	`about.labels.value`	The value of `app_cat_id` from the raw log is assigned to `about.labels.value`, with `about.labels.key` being "app_cat_id".
`app_cat_name`	`target.application`	Used in combination with `app_name` to form the value of `target.application` (e.g., "Google - Web services").
`app_id`	`about.labels.value`	The value of `app_id` from the raw log is assigned to `about.labels.value`, with `about.labels.key` being "app_id".
`app_name`	`target.application`	Used in combination with `app_cat_name` to form the value of `target.application` (e.g., "Google - Web services").
`cats`	`security_result.category_details`	The value of `cats` from the raw log is assigned to `security_result.category_details`.
`cert_issuer`	`network.tls.server.certificate.issuer`	The value of `cert_issuer` from the raw log is assigned to `network.tls.server.certificate.issuer`.
`cert_subject`	`network.tls.server.certificate.subject`	The value of `cert_subject` from the raw log is assigned to `network.tls.server.certificate.subject`.
`cn`	`network.tls.server.certificate.subject`	The value of `cn` from the raw log is assigned to `network.tls.server.certificate.subject`.
`conn_action`	`security_result.action_details`	The value of `conn_action` from the raw log is assigned to `security_result.action_details`.
`content_type`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`description`	`metadata.description`	The value of `description` derived from the raw log is assigned to `metadata.description`.
`dhcp_type`	`network.dhcp.type`	The value of `dhcp_type` from the raw log is mapped to the corresponding DHCP type in `network.dhcp.type` (e.g., "REQUEST", "ACK").
`dst_host`	`target.hostname`	The value of `dst_host` from the raw log is assigned to `target.hostname`.
`dst_ip`	`target.ip`	The value of `dst_ip` from the raw log is assigned to `target.ip`.
`dst_mac`	`target.mac`	The value of `dst_mac` from the raw log is assigned to `target.mac`.
`dst_port`	`target.port`	The value of `dst_port` from the raw log is assigned to `target.port`.
`dst_user`	`target.user.user_display_name`	The value of `dst_user` from the raw log is assigned to `target.user.user_display_name`.
`dstname`	`target.administrative_domain`	The value of `dstname` from the raw log is assigned to `target.administrative_domain`.
`duration`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`elapsed_time`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`endpoint`	`intermediary.labels.value`	The value of `endpoint` from the raw log is assigned to `intermediary.labels.value`, with `intermediary.labels.key` being "Gateway-Endpoint".
`event_name`	`principal.application`	The value of `event_name` from the raw log is assigned to `principal.application`.
`firewall_id`	`intermediary.asset_id`	The value of `firewall_id` from the raw log is prepended with "Firewall ID : " and assigned to `intermediary.asset_id`.
`firewall_name`	`principal.asset_id`	The value of `firewall_name` from the raw log is prepended with "Firewall: " and assigned to `principal.asset_id`.
`firewallname`	`intermediary.hostname`	The value of `firewallname` from the raw log is assigned to `intermediary.hostname`.
`firewallname`	`principal.hostname`	The value of `firewallname` from the raw log is assigned to `principal.hostname`.
`fqdn_dst_match`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`geo`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`geo_dst`	`target.location.country_or_region`	The value of `geo_dst` from the raw log is assigned to `target.location.country_or_region`.
`geo_src`	`principal.location.country_or_region`	The value of `geo_src` from the raw log is assigned to `principal.location.country_or_region`.
`host`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`ike_policy`	`security_result.rule_id`	The value of `ike_policy` from the raw log is assigned to `security_result.rule_id`.
`ike_policy_version`	`security_result.rule_version`	The value of `ike_policy_version` from the raw log is assigned to `security_result.rule_version`.
`intermediary_host`	`intermediary.hostname`	The value of `intermediary_host` from the raw log is assigned to `intermediary.hostname`.
`ipaddress`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`ipsec_policy`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`ipsec_policy_version`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`keyword`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`line`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`log_message`	`metadata.description`	The value of `log_message` from the raw log is assigned to `metadata.description` when other more specific descriptions are not available.
`log_reason`	`security_result.summary`	The value of `log_reason` from the raw log is assigned to `security_result.summary`.
`log_type`	`metadata.log_type`	The value of `log_type` from the raw log is assigned to `metadata.log_type`. Always set to "WATCHGUARD".
`msg`	`security_result.summary`	The value of `msg` from the raw log is assigned to `security_result.summary`.
`msg_id`	`metadata.product_event_type`	The value of `msg_id` from the raw log is assigned to `metadata.product_event_type`.
`new_action`	`security_result.action_details`	Used with `conn_action` to form the value of `security_result.action_details` (e.g., "ProxyReplace: IP protocol - HTTPS-Client.DPI-Off").
`op`	`network.http.method`	The value of `op` from the raw log is assigned to `network.http.method`.
`path`	`target.url`	The value of `path` from the raw log is assigned to `target.url`.
`pid`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`policy_name`	`intermediary.resource.name`	The value of `policy_name` from the raw log is assigned to `intermediary.resource.name`.
`policy_name`	`security_result.rule_name`	The value of `policy_name` from the raw log is assigned to `security_result.rule_name`.
`policyname_label.value`	`security_result.rule_labels.value`	The value of `policy_name` from the raw log is assigned to `security_result.rule_labels.value`, with `security_result.rule_labels.key` being "PolicyName".
`prin_host`	`principal.hostname`	The value of `prin_host` from the raw log is assigned to `principal.hostname`.
`proc_id`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`protocol`	`network.ip_protocol`	The value of `protocol` from the raw log, converted to uppercase, is assigned to `network.ip_protocol`. Special handling for "EXTERNAL ICMP" which is mapped to "ICMP".
`proxy_act`	`security_result.rule_id`	The value of `proxy_act` from the raw log is assigned to `security_result.rule_id`.
`proxy_act`	`security_result.rule_name`	The value of `proxy_act` from the raw log is assigned to `security_result.rule_name`.
`query_name`	`network.dns.questions.name`	The value of `query_name` from the raw log is assigned to `network.dns.questions.name`.
`query_type`	`network.dns.questions.type`	The value of `query_type` from the raw log is assigned to `network.dns.questions.type`. Special handling for numeric query types and mapping to standard DNS query types.
`rc`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`reason`	`security_result.summary`	The value of `reason` from the raw log is assigned to `security_result.summary`.
`record_type`	`network.dns.answers.type`	The value of `record_type` from the raw log is mapped to the corresponding DNS record type in `network.dns.answers.type`.
`redirect_action`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`reputation`	`additional.fields.value.string_value`	The value of `reputation` from the raw log is assigned to `additional.fields.value.string_value`, with `additional.fields.key` being "reputation".
`response`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`response_code`	`network.dns.response_code`	The value of `response_code` from the raw log is mapped to the corresponding DNS response code in `network.dns.response_code`.
`route_type`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`rule_name`	`security_result.rule_name`	The value of `rule_name` from the raw log is assigned to `security_result.rule_name`.
`rcvd_bytes`	`network.received_bytes`	The value of `rcvd_bytes` from the raw log is assigned to `network.received_bytes`.
`sent_bytes`	`network.sent_bytes`	The value of `sent_bytes` from the raw log is assigned to `network.sent_bytes`.
`server_ssl`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`severity`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`sig_vers`	`network.tls.server.certificate.version`	The value of `sig_vers` from the raw log is assigned to `network.tls.server.certificate.version`.
`signature_cat`	`additional.fields.value.string_value`	The value of `signature_cat` from the raw log is assigned to `additional.fields.value.string_value`, with `additional.fields.key` being "signature_cat".
`signature_id`	`additional.fields.value.string_value`	The value of `signature_id` from the raw log is assigned to `additional.fields.value.string_value`, with `additional.fields.key` being "signature_id".
`signature_name`	`additional.fields.value.string_value`	The value of `signature_name` from the raw log is assigned to `additional.fields.value.string_value`, with `additional.fields.key` being "signature_name".
`sni`	`network.tls.client.server_name`	The value of `sni` from the raw log is assigned to `network.tls.client.server_name`.
`src_ctid`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`src_host`	`principal.hostname`	The value of `src_host` from the raw log is assigned to `principal.hostname`.
`src_ip`	`principal.ip`	The value of `src_ip` from the raw log is assigned to `principal.ip`.
`src_ip_nat`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`src_mac`	`principal.mac`	The value of `src_mac` from the raw log is assigned to `principal.mac`.
`src_port`	`principal.port`	The value of `src_port` from the raw log is assigned to `principal.port`.
`src_user`	`principal.user.user_display_name`	The value of `src_user` from the raw log is assigned to `principal.user.user_display_name`.
`src_user_name`	`principal.user.user_display_name`	The value of `src_user_name` from the raw log is assigned to `principal.user.user_display_name`.
`src_vpn_ip`	`principal.ip`	The value of `src_vpn_ip` from the raw log is assigned to `principal.ip`.
`srv_ip`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`srv_port`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`ssl_offload`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`tcp_info`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`time`	`metadata.event_timestamp.seconds`, `timestamp.seconds`	The value of `time` from the raw log is parsed and used to populate `metadata.event_timestamp.seconds` and `timestamp.seconds`.
`time1`	`metadata.event_timestamp.seconds`, `timestamp.seconds`	The value of `time1` from the raw log is parsed and used to populate `metadata.event_timestamp.seconds` and `timestamp.seconds`.
`tls_profile`	`about.labels.value`	The value of `tls_profile` from the raw log is assigned to `about.labels.value`, with `about.labels.key` being "tls_profile".
`tls_version`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
`user_name`	`principal.user.userid`, `principal.user.user_display_name`	The value of `user_name` from the raw log is assigned to `principal.user.userid` or `principal.user.user_display_name` depending on the context.
`user_type`	Not mapped	Not mapped to the IDM object in the provided UDM examples.
(N/A)	`intermediary.resource.type`	Always set to "ACCESS_POLICY".
(N/A)	`metadata.event_type`	Determined by parser logic based on `msg_id`, `log_type`, `event_name`, and other fields. Can be `NETWORK_CONNECTION`, `SERVICE_MODIFICATION`, `NETWORK_SMTP`, `NETWORK_DNS`, `NETWORK_HTTP`, `USER_LOGIN`, `USER_LOGOUT`, `USER_RESOURCE_UPDATE_CONTENT`, `RESOURCE_PERMISSIONS_CHANGE`, `RESOURCE_CREATION`, `GENERIC_EVENT`, `STATUS_UPDATE`, or `USER_UNCATEGORIZED`.
(N/A)	`metadata.product_name`	Always set to "Fireware".
(N/A)	`metadata.vendor_name`	Always set to "Watchguard".
(N/A)	`security_result.action`	Determined by parser logic based on `disposition`. Can be "ALLOW" or "BLOCK".
(N/A)	`extensions.auth.type`	Set to "AUTHTYPE_UNSPECIFIED" for user login/logout events, and "VPN" for network events related to VPNs.
(N/A)	`network.application_protocol`	Determined by parser logic based on `msg_id` and `event_name`. Can be "DNS", "DHCP", "HTTP", or "HTTPS".
(N/A)	`network.dns.questions.type`	Set to 1 for "A" record queries.
(N/A)	`target.labels.key`	Set to "Action over resource" when `action` is mapped to `target.labels.value`.
(N/A)	`intermediary.labels.key`	Set to "Firewall Member Name" when `prin_host` is mapped to `intermediary.labels.value`.
(N/A)	`intermediary.labels.key`	Set to "Gateway-Endpoint" when `endpoint` is mapped to `intermediary.labels.value`.
(N/A)	`principal.labels.key`	Set to "Gateway" when `gateway` is mapped to `principal.labels.value`.
(N/A)	`target.labels.key`	Set to "Gateway" when `gateway` is mapped to `target.labels.value`.
(N/A)	`principal.labels.key`	Set to "state" when `status` is mapped to `principal.labels.value`.
(N/A)	`target.labels.key`	Set to "Gateway Status" when `status` is mapped to `target.labels.value`.
(N/A)	`additional.fields.key`	Set to "signature_name", "signature_cat", "signature_id", or "reputation" when the corresponding values are mapped from the raw log.

Need more help? Get answers from Community members and Google SecOps professionals.