WatchGuard Fireware

Firewall and security appliance logs

Global Fields (4)

| Field | Description | Type |
| --- | --- | --- |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |

Generic Fields (21)

These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.

| Field | Description | Reference-Specific Fields | Type |
| --- | --- | --- | --- |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | watchguard.arg, watchguard.method, watchguard.path | string |
| gen.username | Username associated with the event. | watchguard.authenticated_user, watchguard.dst_user, watchguard.src_user, watchguard.user | text_general |
| gen.src.interface | Network interface used for the source connection. | watchguard.dev_name, watchguard.inif | strings |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | watchguard.disposition | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | watchguard.dlp_rule, watchguard.exception_rule, watchguard.policy_name, watchguard.rule_name | strings |
| gen.dest.ip | Destination IP address. | watchguard.dst_ip, watchguard.peer_ip, watchguard.remote | text_general |
| gen.dest.port | Destination port number. | watchguard.dst_port, watchguard.peer_port | pint |
| gen.severity | Normalized severity field across log sources. | watchguard.event.level, watchguard.severity | strings |
| gen.file.name | File name associated with the event. | watchguard.file, watchguard.file_name, watchguard.filename | strings |
| gen.file.path | Full file path associated with the event. | watchguard.file, watchguard.file_name, watchguard.filename | strings |
| gen.mail.sender | Email address of the message sender. | watchguard.from, watchguard.sender | strings |
| gen.src.ip | Source IP address. | watchguard.local_ip, watchguard.src_ip | text_general |
| gen.src.port | Source port number. | watchguard.local_port, watchguard.src_port | pint |
| gen.dest.interface | Network interface used for the destination connection. | watchguard.outif | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | watchguard.protocol | strings |
| gen.dns.record | DNS record type (e.g., A, AAAA, MX). | watchguard.query_type, watchguard.record_type | strings |
| gen.dns.domain | Queried DNS domain name. | watchguard.question | strings |
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | watchguard.rcvd_bytes | plong |
| gen.mail.receiver | Email address of the message recipient. | watchguard.recipients, watchguard.to | strings |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | watchguard.sent_bytes | plong |
| gen.av.infectionName | Name of the detected infection or malware. | watchguard.virus | strings |

Reference-Specific Fields (195)

| Field | Type |
| --- | --- |
| watchguard.action | text_general |
| watchguard.address | string |
| watchguard.app_beh_id | plong |
| watchguard.app_beh_name | string |
| watchguard.app_cat_id | plong |
| watchguard.app_cat_name | text_general |
| watchguard.app_ctl_disp | plong |
| watchguard.app_id | plong |
| watchguard.app_name | string |
| watchguard.arg | string |
| watchguard.attachment | string |
| watchguard.auth_method | string |
| watchguard.auth_server | string |
| watchguard.authenticated_user | string |
| watchguard.authtype | string |
| watchguard.bounce_ip | string |
| watchguard.call_from | string |
| watchguard.call_to | string |
| watchguard.cat_name | string |
| watchguard.cats | text_general |
| watchguard.cert_issuer | string |
| watchguard.cert_subject | string |
| watchguard.client_name | string |
| watchguard.client_ssl | string |
| watchguard.cn | string |
| watchguard.codec | string |
| watchguard.command | string |
| watchguard.content | string |
| watchguard.content_inspection | string |
| watchguard.content_src | string |
| watchguard.content_type | string |
| watchguard.ctl_dst | string |
| watchguard.ctl_src | string |
| watchguard.data | string |
| watchguard.details | text_general |
| watchguard.dev_name | string |
| watchguard.device_id | string |
| watchguard.disposition | string |
| watchguard.dlp_rule | string |
| watchguard.dlp_sensor | string |
| watchguard.domain | string |
| watchguard.dst_ctid | string |
| watchguard.dst_ip | text_general |
| watchguard.dst_port | pint |
| watchguard.dst_user | text_general |
| watchguard.dstname | string |
| watchguard.duration | plong |
| watchguard.email_len | plong |
| watchguard.encoding | string |
| watchguard.error | text_general |
| watchguard.event.area | string |
| watchguard.event.level | string |
| watchguard.event.msg_id | string |
| watchguard.event.name | text_general |
| watchguard.event.sub_area | string |
| watchguard.exception_rule | string |
| watchguard.exchange_type | string |
| watchguard.file | string |
| watchguard.file_name | string |
| watchguard.filename | string |
| watchguard.fqdn_dst_match | text_general |
| watchguard.from | string |
| watchguard.from_header | string |
| watchguard.gap | plong |
| watchguard.gateway | string |
| watchguard.geo_dst | string |
| watchguard.geo_src | string |
| watchguard.group | string |
| watchguard.group_name | string |
| watchguard.header | string |
| watchguard.headers_size | plong |
| watchguard.host | string |
| watchguard.hostname | string |
| watchguard.id | text_general |
| watchguard.ifname | string |
| watchguard.in_sa | string |
| watchguard.inif | string |
| watchguard.inspect_action | string |
| watchguard.ip | string |
| watchguard.ip_pkt_len | plong |
| watchguard.ipaddress | string |
| watchguard.iph_len | plong |
| watchguard.keyword | string |
| watchguard.length | plong |
| watchguard.limit | plong |
| watchguard.line | text_general |
| watchguard.line_length | plong |
| watchguard.link | string |
| watchguard.local | string |
| watchguard.local_ip | string |
| watchguard.local_port | pint |
| watchguard.local_time | pdate |
| watchguard.logical | string |
| watchguard.mac | string |
| watchguard.mask | string |
| watchguard.master | string |
| watchguard.max_value | plong |
| watchguard.mbx | string |
| watchguard.md5 | string |
| watchguard.member | string |
| watchguard.message | text_general |
| watchguard.method | string |
| watchguard.msg | text_general |
| watchguard.nego_mode | string |
| watchguard.new | string |
| watchguard.new_action | string |
| watchguard.num | plong |
| watchguard.num_recipients | plong |
| watchguard.object | string |
| watchguard.offset | plong |
| watchguard.old | string |
| watchguard.op | string |
| watchguard.operation | string |
| watchguard.out_port | pint |
| watchguard.out_sa | string |
| watchguard.outif | string |
| watchguard.pad_error | pint |
| watchguard.path | string |
| watchguard.peer_ip | string |
| watchguard.peer_port | pint |
| watchguard.policy_name | text_general |
| watchguard.pool_name | string |
| watchguard.port | pint |
| watchguard.property_name | string |
| watchguard.protocol | string |
| watchguard.proxy_act | string |
| watchguard.query_class | string |
| watchguard.query_opcode | string |
| watchguard.query_type | string |
| watchguard.question | text_general |
| watchguard.quota_info | text_general |
| watchguard.rcvd_bytes | plong |
| watchguard.rcvd_pkts | plong |
| watchguard.reason | text_general |
| watchguard.recipients | string |
| watchguard.record_type | string |
| watchguard.redirect_action | string |
| watchguard.remote | string |
| watchguard.reply | string |
| watchguard.reputation | plong |
| watchguard.response | text_general |
| watchguard.response_size | plong |
| watchguard.ret_code | pint |
| watchguard.role | string |
| watchguard.route_type | text_general |
| watchguard.rule_name | string |
| watchguard.sa_id | string |
| watchguard.scheme | string |
| watchguard.sender | string |
| watchguard.sent_bytes | plong |
| watchguard.sent_pkts | plong |
| watchguard.seq | plong |
| watchguard.sequence | plong |
| watchguard.server_ssl | string |
| watchguard.service | string |
| watchguard.session_id | plong |
| watchguard.severity | pint |
| watchguard.sig_vers | text_general |
| watchguard.signature_cat | string |
| watchguard.signature_id | plong |
| watchguard.signature_name | text_general |
| watchguard.size | plong |
| watchguard.sni | string |
| watchguard.src_ctid | string |
| watchguard.src_ip | text_general |
| watchguard.src_port | pint |
| watchguard.src_user | text_general |
| watchguard.srv_ip | string |
| watchguard.srv_port | pint |
| watchguard.ssl_offload | pint |
| watchguard.state | string |
| watchguard.status | string |
| watchguard.subj_tag | string |
| watchguard.task_uuid | string |
| watchguard.threat_level | string |
| watchguard.time | pdate |
| watchguard.timeout | plong |
| watchguard.tls_profile | string |
| watchguard.tls_version | string |
| watchguard.to | string |
| watchguard.to_header | string |
| watchguard.ttl | plong |
| watchguard.tunnel | string |
| watchguard.tunnel_type | string |
| watchguard.type | string |
| watchguard.update | string |
| watchguard.user | string |
| watchguard.user_type | string |
| watchguard.ver_number | plong |
| watchguard.version | string |
| watchguard.virus | string |
| watchguard.vpn_type | string |
| watchguard.vpn_user_type | string |
| watchguard.wgrd_spam_id | string |
| watchguard.window | plong |

Sample Log Event

Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.