Technical Note: [Accelops KB] Problem - Watchguard events seem to parse out the source and dest ports incorrectly
Description
Summary of Topic
When AO (AccelOps) parses Watchguard firewall events, the source and destination ports may be assigned incorrectly. This is most likely caused by an interface name that contains a space: the parser splits the event on whitespace, so the space adds an extra field/attribute to the event and shifts the assignment of every attribute that follows the interface name by one position.
Here is a sample event that parses incorrectly due to this issue:
<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)
Here is that same event with the space in the interface name removed. This event parses correctly.
<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny 1-Digital VLAN0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 offset 8 S 3895962691 win 2105 (Everything - Deny-00)
Additional Information
The options for working around this are:
1) modify the interface name on the Watchguard to remove the space, or
2) modify the AO Watchguard parser so that it accommodates a space in the interface name (i.e. does not rely purely on field position).
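To illustrate the failure mode and option 2, the following Python example (added here; it is not AccelOps code and not the AO parser) parses the two events quoted above in two ways. The positional parser splits on whitespace and assigns attributes by index, reproducing the shift that the KB describes. The structured parser instead anchors on the fixed-shape tail of the message (packet length, protocol, header length, TTL, two IP addresses, two ports) and lets the source interface name absorb any spaces. It assumes the destination interface name contains no spaces and that the event has the tcp/udp-style layout shown in the samples; the field names and the looks_sane() check are this example's own.

```python
import ipaddress
import re

# The two events quoted in this KB article: the first has a source interface
# name containing a space ("1-Digital VLAN"), the second does not.
EVENT_WITH_SPACE = (
    "<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny "
    "1-Digital VLAN 0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 "
    "offset 8 S 3895962691 win 2105 (Everything - Deny-00)"
)
EVENT_NO_SPACE = (
    "<140>Oct 10 17:20:57 Datasphere (2012-10-10T22:20:57) firewall: Deny "
    "1-Digital VLAN0-External 52 tcp 20 63 10.1.1.1 63.1.1.1 34905 22 "
    "offset 8 S 3895962691 win 2105 (Everything - Deny-00)"
)

# Attribute names are this example's own (hypothetical), in message order.
FIELDS = ["action", "src_if", "dst_if", "pkt_len", "proto", "hdr_len", "ttl",
          "src_ip", "dst_ip", "src_port", "dst_port"]


def firewall_message(event):
    """Return the text after 'firewall: ', or None for non-firewall events."""
    marker = "firewall: "
    idx = event.find(marker)
    return None if idx < 0 else event[idx + len(marker):]


def positional_parse(event):
    """Whitespace-split parse that assigns attributes by token index.

    This reproduces the KB's failure mode: a space inside an interface name
    adds one token and shifts every later attribute by one position.
    """
    msg = firewall_message(event)
    if msg is None:
        return None
    return dict(zip(FIELDS, msg.split()))


IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Anchor on the fixed-shape tail rather than on token positions. The source
# interface (.+?) may contain spaces; the destination interface (\S+) may not
# (assumption based on the sample events).
STRUCTURED = re.compile(
    r"^(?P<action>\S+)\s+(?P<src_if>.+?)\s+(?P<dst_if>\S+)\s+(?P<pkt_len>\d+)\s+"
    r"(?P<proto>[a-z0-9]+)\s+(?P<hdr_len>\d+)\s+(?P<ttl>\d+)\s+"
    rf"(?P<src_ip>{IP})\s+(?P<dst_ip>{IP})\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\b"
)
POLICY = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(policy name)"


def structured_parse(event):
    """Parse by structure; returns None if the message does not fit the layout."""
    msg = firewall_message(event)
    if msg is None:
        return None
    m = STRUCTURED.match(msg)
    if m is None:
        return None
    fields = m.groupdict()
    pol = POLICY.search(msg)
    fields["policy"] = pol.group(1) if pol else None
    return fields


def looks_sane(fields):
    """Type-check the network attributes; a shifted parse fails this at once."""
    if not fields:
        return False
    try:
        ipaddress.ip_address(fields["src_ip"])
        ipaddress.ip_address(fields["dst_ip"])
        ports = (int(fields["src_port"]), int(fields["dst_port"]))
    except (KeyError, ValueError):
        return False
    return all(0 <= p <= 65535 for p in ports) and fields["ttl"].isdigit()


if __name__ == "__main__":
    for name, ev in (("with space", EVENT_WITH_SPACE), ("no space", EVENT_NO_SPACE)):
        pos, struct = positional_parse(ev), structured_parse(ev)
        print(f"{name}: positional ports={pos['src_port']}->{pos['dst_port']} "
              f"sane={looks_sane(pos)}; structured ports="
              f"{struct['src_port']}->{struct['dst_port']} sane={looks_sane(struct)}")
```

Running the block shows the positional parser reporting 63.1.1.1 -> 34905 as the port pair for the first event (a string that is not even a port number), while the structured parser returns 34905 -> 22 for both events. The looks_sane() check is the kind of validation worth keeping in a parser or in a post-ingest rule: when a port attribute fails to convert to an integer in 0-65535, the event should be flagged rather than silently indexed with wrong values, since correlation rules keyed on destination port would otherwise miss it.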
Version Application
All versions.
