Documentation Center
AlienVault® USM Anywhere™

Watchguard XTM

When you configure Watchguard XTM Firewall to send log data to USM Anywhere, you can use the Watchguard XTM plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Watchguard
Device Type Firewall
Connection Type Syslog

Integrating WatchGuard XTM

Before you configure the WatchGuard XTM integration, you must have the IP Address of the USM Anywhere Sensor.

To configure WatchGuard XTM to send log messages to USM Anywhere

  1. From the device console, go to System > Logging.
  2. Click the Syslog Server tab.
  3. Select the Send log messages to the syslog server at this IP address checkbox and specify the following parameters:

    • IP Address — IP address of the USM Anywhere Sensor.
    • Port — The USM Anywhere Sensor port for UDP is preselected.
    • Log Format — Expand the list and select syslog.
  4. Under Select the details to include in Syslog Messages, select:

    • Timestamp
    • Serial Number of the Device

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • application
  • bytes_in
  • bytes_out
  • content_category
  • destination_address
  • destination_hostname
  • destination_port
  • destination_username
  • device_event_category
  • duration
  • email_recipient
  • email_sender
  • event_action
  • event_category
  • event_name
  • event_severity
  • file_hash
  • file_hash_algorithm
  • file_name
  • file_path
  • http_hostname
  • malware_variant
  • priority
  • rep_device_rule_id
  • reputation_score
  • request_content_type
  • request_method
  • request_url
  • source_address
  • source_port
  • source_username
  • timestamp_occured
  • timestamp_received
  • tls_subject
  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://www.watchguard.com/wgrd-help/documentation/xtm