https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/531423#M89398 <P>Hello Everyone,</P><P>&nbsp;</P><P>I'm hoping to get some assistance.&nbsp; My company using WatchGuard Firebox firewalls.&nbsp; I'm working to get the data correcting ingested into Splunk and get all the fields extracted (HIGHLY prefer a CIM complaint format) but the only WatchGuard App and TA Addon I've found are outdated, poorly written (I've been told) and are not CIM compliant.&nbsp; Is there an easy way to pull the information from the WatchGuard Log Catalog (<A href="https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf" target="_blank" rel="noopener">https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf</A>) and put it into Splunk to properly ingest and label the data coming in from WatchGuard logs?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AJSCSA_0-1606783212014.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12124i707B99AD785B1B98/image-size/medium?v=v2&amp;px=400" role="button" title="AJSCSA_0-1606783212014.png" alt="AJSCSA_0-1606783212014.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks for any and all assistance with this!</P> Tue, 01 Dec 2020 00:41:31 GMT AJSCSA 2020-12-01T00:41:31Z https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/531423#M89398 <P>Hello Everyone,</P><P>&nbsp;</P><P>I'm hoping to get some assistance.&nbsp; My company using WatchGuard Firebox firewalls.&nbsp; I'm working to get the data correcting ingested into Splunk and get all the fields extracted (HIGHLY prefer a CIM complaint format) but the only WatchGuard App and TA Addon I've found are outdated, poorly written (I've been told) and are not CIM compliant.&nbsp; Is there an easy way to pull the information from the WatchGuard Log Catalog (<A href="https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf" target="_blank" rel="noopener">https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf</A>) and put it into Splunk to properly ingest and label the data coming in from WatchGuard logs?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AJSCSA_0-1606783212014.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12124i707B99AD785B1B98/image-size/medium?v=v2&amp;px=400" role="button" title="AJSCSA_0-1606783212014.png" alt="AJSCSA_0-1606783212014.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks for any and all assistance with this!</P> Tue, 01 Dec 2020 00:41:31 GMT https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/531423#M89398 AJSCSA 2020-12-01T00:41:31Z https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/531746#M89443 <P>Any chance anyone could look at this and offer some advice?&nbsp; Thanks!</P> Wed, 02 Dec 2020 17:20:23 GMT https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/531746#M89443 AJSCSA 2020-12-02T17:20:23Z https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/546137#M90978 <P>Hi there,</P><P>First of all, I am not a professional splunker but due to my case, I have to dig deep for some scenarios on the watchguard firebox devices.</P><P>Please note that, based on my experience so far on watchguard (again I am not guru) the app and add-on does not handle the fields extraction properly.<BR />I just used them so far for the source type (watchguard:firebox:syslog) and I am extracting most of the fields on my own.</P><P>Please advise which fields do you need them the most, maybe we can help each other.</P><P>I am using this regular expression for for Source_IP, Destination_IP, Source_Port and Destination_Port:</P><P>(?&lt;src_ip&gt;\d+\.\d+\.\d+\.\d+) (?&lt;dst_ip&gt;\d+\.\d+\.\d+\.\d+) (?&lt;src_portt&gt;\d+) (?&lt;dst_port&gt;\d+)<BR />So far it covers all my needs for the required searches/dashboards.<BR />(do not forget the SPACES)<BR /><BR />Please advise if it helps you.</P><P>Regards,</P> Wed, 31 Mar 2021 06:49:47 GMT https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/546137#M90978 a_n 2021-03-31T06:49:47Z https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/546144#M90980 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228901">@AJSCSA</a> ,</P><P>Do you have properly configured soucretype ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vikramyadav_0-1617174529501.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13552iD8CD5D7C9CDB5C9B/image-size/medium?v=v2&amp;px=400" role="button" title="vikramyadav_0-1617174529501.png" alt="vikramyadav_0-1617174529501.png" /></span></P><P><BR />Also I have got one doc please try that out.<BR /><A href="https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/splunk_integration_V2.html" target="_blank">https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/splunk_integration_V2.html</A></P><P>&nbsp;</P><P>--------------------------------------------------------------------------<BR />If this helps your like will be appreciate.&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><P>&nbsp;</P> Wed, 31 Mar 2021 07:11:27 GMT https://community.splunk.com/t5/Getting-Data-In/WatchGuard-FireBox-Assistance/m-p/546144#M90980 vikramyadav 2021-03-31T07:11:27Z