From b284a04aa3dfa357247a65449b9b2cd50423dab6 Mon Sep 17 00:00:00 2001
From: Quan Nguyen
Date: Thu, 19 Mar 2026 11:51:00 -0400
Subject: [PATCH 1/2] [Watchguard]: Pipeline failure on traffic logs
---
 packages/watchguard_firebox/changelog.yml | 5 +
 .../log/_dev/test/pipeline/test-traffic.log | 3 +-
 .../pipeline/test-traffic.log-expected.json | 96 +++++++++++++++++++
 .../ingest_pipeline/pipeline_traffic.yml | 8 +-
 .../data_stream/log/fields/fields.yml | 2 +
 packages/watchguard_firebox/docs/README.md | 1 +
 packages/watchguard_firebox/manifest.yml | 2 +-
 7 files changed, 114 insertions(+), 3 deletions(-)
diff --git a/packages/watchguard_firebox/changelog.yml b/packages/watchguard_firebox/changelog.yml
index df3da314207..735e354a155 100644
--- a/packages/watchguard_firebox/changelog.yml
+++ b/packages/watchguard_firebox/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.2"
+ changes:
+ - description: Fix pipeline failure on traffic logs for ESP (non-TCP/UDP) sessions by adding null checks for source/destination port and IP before running the community_id processor.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1
 - version: "1.6.1"
 changes:
 - description: Fix Grok Pattern for Watchguard Member Info.
diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log
index b19cd248b6f..79307caf770 100644
--- a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log
+++ b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log
@@ -216,4 +216,5 @@
 <142>May 12 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 Member2 (2024-05-10T09:49:05) firewall[10]: msg_id="2DFF-0006" Allow 1-Trusted 0-External tcp 10.0.1.2 67.43.156.0 60180 23 msg="ProxyAllow: IP DNSWatch blackholed domain" proxy_act="TCPUDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDPproxy-00)
 <142>May 12 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 Member2 (2024-05-10T09:49:05) firewall[10]: msg_id="2DFF-0007" Deny 1-Trusted 0-External tcp 10.0.1.2 67.43.156.0 60180 23 msg="ProxyAllow: IP DNSWatch content filtered domain" proxy_act="TCP-UDP-Proxy.Standard.1" Protocol="telnet" geo_dst="USA" (TCP-UDP-proxy-002)
 <142>May 12 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 Member2 (2024-05-10T09:49:05) firewall[10]: msg_id="3000-0148" Deny WAN-SAMPLE WAN-SAMPLE 40 tcp 20 247 1.128.0.0 67.43.156.1 0 5357 offset 5 S 2680103568 win 4 flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="40" rcvd_bytes="0" (Unhandled External Packet-00)
-<142>Feb 4 11:04:49 Member1 FVE6035FD3AE3 Watchguard_MemberOne (2026-02-04T10:04:49) firewall: msg_id="3000-0148" Allow DMZ LAN 60 tcp 20 63 10.0.1.2 10.0.1.3 55118 3306 offset 10 S 3052065981 win 61690  (TCP-UDP DMZ 2 LAN-00)
\ No newline at end of file
+<142>Feb 4 11:04:49 Member1 FVE6035FD3AE3 Watchguard_MemberOne (2026-02-04T10:04:49) firewall: msg_id="3000-0148" Allow DMZ LAN 60 tcp 20 63 10.0.1.2 10.0.1.3 55118 3306 offset 10 S 3052065981 win 61690  (TCP-UDP DMZ 2 LAN-00)
+<142>Mar 17 14:20:26 Firebox_M670 (2026-03-17T20:20:26) firewall: msg_id="3000-0151" Allow Firebox External_UPN esp 10.0.1.2 10.0.1.3 geo_src="USA" geo_dst="USA" duration="697" sent_pkts="2" rcvd_pkts="67635" sent_bytes="1600" rcvd_bytes="7220344" (Any From Firebox-00)
diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log-expected.json b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log-expected.json
index 27d4d355f50..b986f535841 100644
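Review bot: The new regression sample covers only `esp`, while the guard it exercises in pipeline_traffic.yml fires for every traffic record that lacks ports, not just ESP. If the grok for msg_id 3000-0151 also accepts other port-less transports such as icmp or gre, a second sample of that kind would show the same branch holds for them and that nothing downstream of community_id assumes ports are present. The `0 5357` sample on the line above keeps the `!= 0` branch covered, so that case needs no new input.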
--- a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log-expected.json
+++ b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-traffic.log-expected.json
@@ -25731,6 +25731,102 @@
 "window_size": 61690
 }
 }
+ },
+ {
+ "@timestamp": "2026-03-17T14:20:26.000+05:30",
+ "destination": {
+ "bytes": 1600,
+ "ip": "10.0.1.3",
+ "packets": 2
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "duration": 697000000000,
+ "kind": "event",
+ "original": "<142>Mar 17 14:20:26 Firebox_M670 (2026-03-17T20:20:26) firewall: msg_id=\"3000-0151\" Allow Firebox External_UPN esp 10.0.1.2 10.0.1.3 geo_src=\"USA\" geo_dst=\"USA\" duration=\"697\" sent_pkts=\"2\" rcvd_pkts=\"67635\" sent_bytes=\"1600\" rcvd_bytes=\"7220344\" (Any From Firebox-00)",
+ "outcome": "success",
+ "timezone": "+05:30",
+ "type": [
+ "end"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "appname": "firewall",
+ "hostname": "Firebox_M670",
+ "priority": 142
+ }
+ },
+ "network": {
+ "bytes": 7221944,
+ "transport": "esp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "External_UPN"
+ }
+ },
+ "hostname": "Firebox_M670",
+ "ingress": {
+ "interface": {
+ "alias": "Firebox"
+ }
+ },
+ "product": "Firebox",
+ "type": "firewall",
+ "vendor": "WatchGuard"
+ },
+ "related": {
+ "hosts": [
+ "Firebox_M670"
+ ],
+ "ip": [
+ "10.0.1.2",
+ "10.0.1.3"
+ ]
+ },
+ "rule": {
+ "name": [
+ "Any From Firebox-00"
+ ]
+ },
+ "source": {
+ "bytes": 7220344,
+ "ip": "10.0.1.2",
+ "packets": 67635
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "watchguard_firebox": {
+ "log": {
+ "bytes_in": 7220344,
+ "bytes_out": 1600,
+ "destination_ip": "10.0.1.3",
+ "disposition": "Allow",
+ "duration": 697,
+ "geo_destination": "USA",
+ "geo_src": "USA",
+ "in_interface_name": "Firebox",
+ "log_type": "traffic",
+ "msg_id": "3000-0151",
+ "out_interface_name": "External_UPN",
+ "packets_in": 67635,
+ "packets_out": 2,
+ "policy_name": "Any From Firebox-00",
+ "source_ip": "10.0.1.2",
+ "syslog_timestamp": "2026-03-17T14:20:26.000+05:30",
+ "timestamp": "2026-03-17T20:20:26.000Z",
+ "transport": "esp"
+ }
+ }
 }
 ]
}
diff --git a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml
index 3a64cc5f88f..28f061ae5a8 100644
--- a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml
+++ b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_traffic.yml
@@ -1145,7 +1145,13 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - community_id:
 tag: src_dst_community_id
- if: 'ctx.watchguard_firebox.log.source_port != 0 && ctx.watchguard_firebox.log.destination_port != 0'
+ if: >-
+ ctx.watchguard_firebox?.log?.source_ip != null
+ && ctx.watchguard_firebox?.log?.destination_ip != null
+ && ctx.watchguard_firebox?.log?.source_port != null
+ && ctx.watchguard_firebox.log.source_port != 0
+ && ctx.watchguard_firebox?.log?.destination_port != null
+ && ctx.watchguard_firebox.log.destination_port != 0
 source_ip: watchguard_firebox.log.source_ip
 source_port: watchguard_firebox.log.source_port
 destination_ip: watchguard_firebox.log.destination_ip
diff --git a/packages/watchguard_firebox/data_stream/log/fields/fields.yml b/packages/watchguard_firebox/data_stream/log/fields/fields.yml
index 1ee979f01db..fc7e8ce4b74 100644
--- a/packages/watchguard_firebox/data_stream/log/fields/fields.yml
+++ b/packages/watchguard_firebox/data_stream/log/fields/fields.yml
@@ -205,6 +205,8 @@
 type: keyword
 - name: geo_destination
 type: keyword
+ - name: geo_src
+ type: keyword
 - name: group_name
 type: keyword
 - name: header
diff --git a/packages/watchguard_firebox/docs/README.md b/packages/watchguard_firebox/docs/README.md
index 830707d33e5..ac4e89d83eb 100644
--- a/packages/watchguard_firebox/docs/README.md
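Review bot: The direction of the volume counters in the new event is worth confirming before this fixture is locked in: the raw line's `sent_pkts="2"`/`sent_bytes="1600"` land in `destination.packets`/`destination.bytes` and the `rcvd_*` values in `source.packets`/`source.bytes`, whereas ECS defines `source.bytes` as bytes sent from the source to the destination. If WatchGuard's `sent_*` counters are measured from the source's side, the mapping is inverted for every traffic event and any volume-based detection keyed on `source.bytes` reads the wrong side; this looks like pre-existing mapping behaviour rather than something this commit introduces, but the new sample is a natural place to verify it against vendor documentation. The event also carries no `network.community_id`, which is consistent with the new guard skipping port-less flows, so the fixture confirms the skip rather than a computed hash.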
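Review bot: The extended `if:` makes "both ports present and non-zero" the proxy for "this flow can be hashed", so port-less protocols (the ESP sample in the fixture and, by the same logic, ICMP or GRE) never receive `network.community_id`; the Community ID specification defines a hash for such flows from the IP pair and protocol number, so correlation for those sessions is dropped rather than repaired. If the original failure came from the processor rejecting the `esp` transport value rather than from the missing ports (the commit message does not say which processor threw), an explicit transport guard would state the intent more honestly than a port check. At minimum a comment above the condition such as `# community_id is computed only for flows that carry ports; esp/icmp/gre records are skipped, not hashed` would keep the next maintainer from widening it back without noticing. The community_id processor definition continues past the hunk.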
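Review bot: The new field is named `geo_src` while its sibling two lines up is `geo_destination`, so the pair reads inconsistently in the schema and in the README table; the raw key `geo_dst` was apparently normalised to a full word, and the raw `geo_src` was not. If this commit is the first consumer of the source-side key, naming it `geo_source` to match is cheap now and costly after a release; whichever name is kept should be applied in the pipeline, the fixture and the README together.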
+++ b/packages/watchguard_firebox/docs/README.md
@@ -322,6 +322,7 @@ The `log` data stream provides events from WatchGuard Firebox of the following t
 | watchguard_firebox.log.gateway | | keyword |
 | watchguard_firebox.log.gateway_endpoint | | keyword |
 | watchguard_firebox.log.geo_destination | | keyword |
+| watchguard_firebox.log.geo_src | | keyword |
 | watchguard_firebox.log.group_name | | keyword |
 | watchguard_firebox.log.header | | keyword |
 | watchguard_firebox.log.headers_size | | long |
diff --git a/packages/watchguard_firebox/manifest.yml b/packages/watchguard_firebox/manifest.yml
index 340282010c9..a0d69acfed5 100644
--- a/packages/watchguard_firebox/manifest.yml
+++ b/packages/watchguard_firebox/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: watchguard_firebox
 title: WatchGuard Firebox
-version: "1.6.1"
+version: "1.6.2"
 description: Collect logs from WatchGuard Firebox with Elastic Agent.
 type: integration
 categories:
From 97fdb5ba3a64dbfc5255ed36d27a917ff09797d7 Mon Sep 17 00:00:00 2001
From: Quan Nguyen
Date: Thu, 19 Mar 2026 12:00:05 -0400
Subject: [PATCH 2/2] Update changelog.yml
---
 packages/watchguard_firebox/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/watchguard_firebox/changelog.yml b/packages/watchguard_firebox/changelog.yml
index 735e354a155..85909bb59da 100644
--- a/packages/watchguard_firebox/changelog.yml
+++ b/packages/watchguard_firebox/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Fix pipeline failure on traffic logs for ESP (non-TCP/UDP) sessions by adding null checks for source/destination port and IP before running the community_id processor.
 type: bugfix
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/17908
 - version: "1.6.1"
 changes:
 - description: Fix Grok Pattern for Watchguard Member Info.