Looking for Log File Reference Information

For a paper I am writing for a Data Analytics class I have chosen to do a little digging into the wonderful world of the data being produced by the Watchguard Firewall in their log files.

I set up a Watchguard server center and recorded logs for a couple of weeks to get data for analysis. When I write out the logs as a CSV from there, I get a ton of data, of course. Now I am wondering what information is stored in each column. Most of them I understand, but a few I am not sure why they are there. So I am looking for something that defines all this information. I have already been looking through the Log Message Catalog, but I haven't seen what I am looking at when I import that CSV into Excel. Here is a list of the headers from the CSV:

  • sid
  • cluster
  • sn
  • tag_id
  • raw_id
  • disp
  • direction
  • pri
  • policy
  • protocol
  • src_ip
  • src_port
  • dst_ip
  • dst_port
  • src_ip_nat
  • src_port_nat
  • dst_ip_nat
  • dst_port_nat
  • src_intf
  • dst_intf
  • rc
  • pckt_len
  • ttl
  • Pr_info
  • proxy_act
  • alarm_name
  • alarm_type
  • alarm_id
  • info_1
  • info_2
  • info_3
  • info_4
  • info_5
  • info_6
  • log_type
  • msg
  • bucket
  • update_time

Sorry for the length, that is the complete list. Most of them are self-explanatory, but I am looking for information on the info_1 through info_6 columns and the bucket column. Is there somewhere, which I have so far not been able to find, where all of these column headers are defined and explained?

I've got plenty of data logs; now I am just working on sanitizing them and putting together some visualization analytics. Why did I go back to school for a Masters after doing IT work for 30 years? :)
Thanks for all of your assistance!
---Brian

Comments

  • edited July 15

    Those fields have different meanings for different log records.

    For example, info_1 has:
      • app_id=234 for message ID = 3000-0149
      • record_type=A for message ID = 3000-0148
      • rcvd_bytes=8294; app_id=350 for message ID = 1AFF-0024
      • authtype=XOAUTH2 for message ID = 21FF-0001
    and a number of message IDs have no value for info_1.
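One way to recover the per-message-ID meaning of info_1 through info_6 directly from the export, as an added Python example that is not part of this thread or of WatchGuard's own tooling: it builds a small constructed CSV (made-up rows, not real firewall data, using a subset of the columns listed in the question, with info_1 values modelled on the message IDs quoted above), splits every info_N cell into its key=value pairs, records which keys show up in which info column for each message ID, and then flattens those pairs into ordinary columns so a field such as app_id can be filtered on no matter which info slot the firewall used for it. The header list in the question has no msg_id column, so the example assumes the message ID is embedded in the msg column as msg_id=XXXX-XXXX; the regex, the sample rows and the column names are assumptions, and extract_msg_id() is the place to adjust if your export carries the ID elsewhere.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (made-up rows, not real firewall data) using a subset
# of the columns listed in the question. The info_1 values mirror the message IDs
# quoted in the comment above. ASSUMPTION: the message ID is embedded in the msg
# column as msg_id=XXXX-XXXX; adjust extract_msg_id() if your export differs.
SAMPLE_CSV = """\
sid,sn,disp,pri,policy,protocol,src_ip,src_port,dst_ip,dst_port,info_1,info_2,log_type,msg
1,80AE0123456789,Allow,6,HTTP-proxy-00,tcp,10.10.1.21,51234,203.0.113.10,443,app_id=234,,traffic,msg_id=3000-0149 HTTP request 10.10.1.21:51234 -> 203.0.113.10:443
2,80AE0123456789,Allow,6,DNS-proxy-00,udp,10.10.1.21,49001,10.10.1.1,53,record_type=A,,traffic,msg_id=3000-0148 DNS query 10.10.1.21 -> 10.10.1.1
3,80AE0123456789,Allow,6,HTTPS-proxy-00,tcp,10.10.1.35,50210,198.51.100.8,443,rcvd_bytes=8294; app_id=350,,traffic,msg_id=1AFF-0024 HTTPS stream 10.10.1.35:50210 -> 198.51.100.8:443
4,80AE0123456789,Allow,6,SMTP-proxy-00,tcp,10.10.1.35,50444,192.0.2.27,587,authtype=XOAUTH2,,traffic,msg_id=21FF-0001 SMTP auth 10.10.1.35:50444 -> 192.0.2.27:587
5,80AE0123456789,Allow,6,HTTP-proxy-00,tcp,10.10.1.40,52001,203.0.113.10,80,app_id=350,,traffic,msg_id=3000-0149 HTTP request 10.10.1.40:52001 -> 203.0.113.10:80
6,80AE0123456789,Deny,4,Unhandled,tcp,10.10.1.40,52002,198.51.100.7,23,,,traffic,Denied 10.10.1.40:52002 -> 198.51.100.7:23
"""

# Assumed format of the embedded message ID (four hex chars, dash, four hex chars).
MSG_ID_RE = re.compile(r'msg_id="?([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"?')
INFO_COLS = [f"info_{i}" for i in range(1, 7)]


def parse_info(value):
    """Split an info_N cell such as 'rcvd_bytes=8294; app_id=350' into a dict.

    Pairs are separated by ';' and written key=value. A token without '=' is kept
    with an empty value so nothing silently disappears from the row.
    """
    pairs = {}
    for token in (value or "").split(";"):
        token = token.strip()
        if not token:
            continue
        key, sep, val = token.partition("=")
        pairs[key.strip()] = val.strip() if sep else ""
    return pairs


def extract_msg_id(row):
    """Return the message ID for a row, or 'unknown' if none can be found."""
    if row.get("msg_id"):  # honour a dedicated column if the export has one
        return row["msg_id"].strip()
    m = MSG_ID_RE.search(row.get("msg") or "")
    return m.group(1).upper() if m else "unknown"


def build_inventory(csv_text):
    """Map message ID -> info column -> sorted list of keys seen in that column.

    This is the per-message-ID schema the log catalog only describes implicitly:
    it tells you which info_N cell carries which field for each msg_id, so you
    know what is worth pulling out before charting anything.
    """
    inv = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        cols = inv[extract_msg_id(row)]  # touch it so IDs with empty info still appear
        for col in INFO_COLS:
            for key in parse_info(row.get(col)):
                cols[col].add(key)
    return {m: {c: sorted(k) for c, k in cols.items()} for m, cols in inv.items()}


def flatten_rows(csv_text):
    """Promote every key=value pair from info_1..info_6 to a top-level column.

    The same field (app_id here) can sit in info_1 for one message ID and in a
    different cell for another; flattening by key name lets you filter on app_id
    regardless of which info slot the firewall used.
    """
    flat = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = {k: v for k, v in row.items() if k not in INFO_COLS}
        out["msg_id"] = extract_msg_id(row)
        for col in INFO_COLS:
            for key, val in parse_info(row.get(col)).items():
                # Prefix on collision so two info cells never overwrite each other.
                out[key if key not in out else f"{col}.{key}"] = val
        flat.append(out)
    return flat


if __name__ == "__main__":
    for msg_id, cols in sorted(build_inventory(SAMPLE_CSV).items()):
        print(msg_id, dict(cols))
    for r in flatten_rows(SAMPLE_CSV):
        print(r["msg_id"], r["policy"], r.get("app_id", "-"), r.get("rcvd_bytes", "-"))
```

To run it over a real export, read the file into a string and pass it to build_inventory() in place of SAMPLE_CSV. The inventory gives the list of message IDs to look up in the Log Catalog, and the flattened rows are what you would load into a dataframe or Excel for the analysis.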

  • Ok, yeah, I have seen the different information as I was looking through it. I was hoping there was some kind of standard. :( Hmm... so there is no way to figure out easily what is worth analyzing. Just trying to come up with an attack method. I am analyzing just the traffic logs for a network I have set aside for just wifi users. So it is mainly users' cell phones.

    Just figured it would be more interesting to analyze stuff I can see than some made up data from some random place.

    Thanks for a quick answer, Bruce.

  • james.carson Moderator, WatchGuard Representative

    If you're using the older log server that is part of WSM it may try to store values that modern firewalls log as those random values.

    I would suggest using Dimension (which is available as a virtual machine download, but requires your firewall(s) have an active support contract to log.)

    If you're looking to determine what one of the generic labels might be, looking at the log catalog for the possible fields for that specific log type might be helpful:

    https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_8.pdf

    You can identify each log by the msg_id or message ID.

    -James Carson
    WatchGuard Customer Support

  • Thank you for the suggestion. I just installed the server-based one, since it was simple to quickly set up on my laptop for some log captures (and I have done it before in the past). I only have 3 more weeks to finish up this research paper for the data analytics class, so I will stick with the captured data I have already. No use in rushing to get more data again for a class paper. Next up after this is the Master's thesis for my Cybersecurity Masters. Anyone have any good suggestions? :)
    Thanks,
    ---Brian
