[watchguard_firebox] Support email addresses in 2500-0000 and 2500-0001 events (#12909)

taylor-swanson · web-flow · commit 106d90a6613c · 2025-02-27T15:04:31.000-06:00
- Support email addresses in 2500-0000 and 2500-0001 events and append
email address to related.user
diff --git a/packages/watchguard_firebox/changelog.yml b/packages/watchguard_firebox/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Support email addresses in 2500-0000 and 2500-0001 events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12909
 - version: "1.1.0"
   changes:
     - description: ECS version updated to 8.17.0.
diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log
@@ -175,5 +175,7 @@
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="021A-0020" IKEv2 IKE_AUTH exchange from 81.2.69.144:500 to 81.2.69.144:500 failed. Gateway-Endpoint='m500-197'. Reason=Received message with the wrong interface IP address 81.2.69.144. Expecting peer to use remote gateway endpoint IP address 81.2.69.144.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0000" Mobile VPN with SSL user tsmith logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0001" Mobile VPN with SSL user tsmith logged off. Virtual IP address is 192.168.113.2.
+<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0000" Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.
+<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="2500-0001" Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="5B01-0004" Updated Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
 <142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id="5B01-0005" Deleted Mobile VPN with L2TP session for user 'Firebox-DB\test', virtual IP address '192.168.113.2'.
diff --git a/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json b/packages/watchguard_firebox/data_stream/log/_dev/test/pipeline/test-diagnostic.log-expected.json
@@ -11022,6 +11022,145 @@
                 }
             }
         },
+        {
+            "@timestamp": "2025-05-10T15:19:05.000+05:30",
+            "destination": {
+                "ip": "192.168.113.2"
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": "<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id=\"2500-0000\" Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.",
+                "outcome": "success",
+                "timezone": "+05:30",
+                "type": [
+                    "start"
+                ]
+            },
+            "log": {
+                "syslog": {
+                    "appname": "firewall",
+                    "hostname": "WatchGuard-Firebox",
+                    "priority": 142,
+                    "procid": "10"
+                }
+            },
+            "message": "Mobile VPN with SSL user user@example.com logged in. Virtual IP address is 192.168.113.2. Real IP address is 81.2.69.144.",
+            "observer": {
+                "hostname": "WatchGuard-Firebox",
+                "product": "Firebox",
+                "serial_number": "FVE6035FD3AE3",
+                "type": "firewall",
+                "vendor": "WatchGuard"
+            },
+            "related": {
+                "hosts": [
+                    "WatchGuard-Firebox"
+                ],
+                "ip": [
+                    "192.168.113.2",
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "user@example.com"
+                ]
+            },
+            "source": {
+                "ip": "81.2.69.144"
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "email": "user@example.com"
+            },
+            "watchguard_firebox": {
+                "log": {
+                    "log_type": "diagnostic",
+                    "msg_id": "2500-0000",
+                    "real_ip_address": "81.2.69.144",
+                    "serial_number": "FVE6035FD3AE3",
+                    "syslog_timestamp": "2025-05-10T15:19:05.000+05:30",
+                    "timestamp": "2024-05-10T09:49:05.000Z",
+                    "user_email": "user@example.com",
+                    "virtual_ip_address": "192.168.113.2",
+                    "vpn_user_type": "Mobile VPN with SSL user"
+                }
+            }
+        },
+        {
+            "@timestamp": "2025-05-10T15:19:05.000+05:30",
+            "destination": {
+                "ip": "192.168.113.2"
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": "<142>May 10 15:19:05 WatchGuard-Firebox FVE6035FD3AE3 (2024-05-10T09:49:05) firewall[10]: msg_id=\"2500-0001\" Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.",
+                "outcome": "success",
+                "timezone": "+05:30",
+                "type": [
+                    "end"
+                ]
+            },
+            "log": {
+                "syslog": {
+                    "appname": "firewall",
+                    "hostname": "WatchGuard-Firebox",
+                    "priority": 142,
+                    "procid": "10"
+                }
+            },
+            "message": "Mobile VPN with SSL user user@example.com logged off. Virtual IP address is 192.168.113.2.",
+            "observer": {
+                "hostname": "WatchGuard-Firebox",
+                "product": "Firebox",
+                "serial_number": "FVE6035FD3AE3",
+                "type": "firewall",
+                "vendor": "WatchGuard"
+            },
+            "related": {
+                "hosts": [
+                    "WatchGuard-Firebox"
+                ],
+                "ip": [
+                    "192.168.113.2"
+                ],
+                "user": [
+                    "user@example.com"
+                ]
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "email": "user@example.com"
+            },
+            "watchguard_firebox": {
+                "log": {
+                    "log_type": "diagnostic",
+                    "msg_id": "2500-0001",
+                    "serial_number": "FVE6035FD3AE3",
+                    "syslog_timestamp": "2025-05-10T15:19:05.000+05:30",
+                    "timestamp": "2024-05-10T09:49:05.000Z",
+                    "user_email": "user@example.com",
+                    "virtual_ip_address": "192.168.113.2",
+                    "vpn_user_type": "Mobile VPN with SSL user"
+                }
+            }
+        },
         {
             "@timestamp": "2025-05-10T15:19:05.000+05:30",
             "destination": {
diff --git a/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml b/packages/watchguard_firebox/data_stream/log/elasticsearch/ingest_pipeline/pipeline_diagnostic.yml
@@ -600,8 +600,8 @@ processors:
   - grok:
       field: watchguard_firebox.log.body
       patterns:
-        - '^%{DATA:watchguard_firebox.log.vpn_user_type} %{WORD:watchguard_firebox.log.user_name} logged in. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}. Real IP address is %{IP:watchguard_firebox.log.real_ip_address}.$'
-        - '^%{DATA:watchguard_firebox.log.vpn_user_type} %{WORD:watchguard_firebox.log.user_name} logged off. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}.$'
+        - '^%{DATA:watchguard_firebox.log.vpn_user_type} (?:%{USERNAME:watchguard_firebox.log.user_name}|%{EMAILADDRESS:watchguard_firebox.log.user_email}) logged in. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}. Real IP address is %{IP:watchguard_firebox.log.real_ip_address}.$'
+        - '^%{DATA:watchguard_firebox.log.vpn_user_type} (?:%{USERNAME:watchguard_firebox.log.user_name}|%{EMAILADDRESS:watchguard_firebox.log.user_email}) logged off. Virtual IP address is %{IP:watchguard_firebox.log.virtual_ip_address}.$'
       if: ctx.watchguard_firebox?.log?.msg_id != null && ['2500-0000','2500-0001'].contains(ctx.watchguard_firebox.log.msg_id)
       tag: grok_for_message_id_2500-0000_2500-0001
       ignore_failure: true
@@ -1177,6 +1177,11 @@ processors:
       tag: set_destination_ip_from_log_virtual_ip_address
       copy_from: watchguard_firebox.log.virtual_ip_address
       ignore_empty_value: true
+  - set:
+      field: user.email
+      tag: set_user_email_from_log_user_email
+      copy_from: watchguard_firebox.log.user_email
+      ignore_empty_value: true
   - gsub:
       field: watchguard_firebox.log.mac
       tag: gsub_watchguard_firebox_log_mac
@@ -1283,6 +1288,12 @@ processors:
       value: '{{{watchguard_firebox.log.user_name}}}'
       allow_duplicates: false
       if: ctx.watchguard_firebox?.log?.user_name != null
+  - append:
+      field: related.user
+      tag: append_log_user_email_into_related_user
+      value: '{{{watchguard_firebox.log.user_email}}}'
+      allow_duplicates: false
+      if: ctx.watchguard_firebox?.log?.user_email != null
   - date:
       field: watchguard_firebox.log.next_update_time
       target_field: watchguard_firebox.log.next_update_time
@@ -1336,6 +1347,7 @@ processors:
         - watchguard_firebox.log.server_name
         - watchguard_firebox.log.source_ip
         - watchguard_firebox.log.source_port
+        - watchguard_firebox.log.user_email
         - watchguard_firebox.log.user_name
         - watchguard_firebox.log.virtual_ip_address
       tag: remove_custom_duplicate_fields
diff --git a/packages/watchguard_firebox/data_stream/log/fields/fields.yml b/packages/watchguard_firebox/data_stream/log/fields/fields.yml
@@ -608,6 +608,8 @@
           type: keyword
         - name: user_domain
           type: keyword
+        - name: user_email
+          type: keyword
         - name: user_name
           type: keyword
         - name: user_response_time
diff --git a/packages/watchguard_firebox/docs/README.md b/packages/watchguard_firebox/docs/README.md
@@ -555,6 +555,7 @@ An example event for `log` looks as following:
 | watchguard_firebox.log.updated_role |  | keyword |
 | watchguard_firebox.log.user_auth_protocol |  | keyword |
 | watchguard_firebox.log.user_domain |  | keyword |
+| watchguard_firebox.log.user_email |  | keyword |
 | watchguard_firebox.log.user_name |  | keyword |
 | watchguard_firebox.log.user_response_time |  | date |
 | watchguard_firebox.log.user_type |  | keyword |
diff --git a/packages/watchguard_firebox/manifest.yml b/packages/watchguard_firebox/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: watchguard_firebox
 title: WatchGuard Firebox
-version: "1.1.0"
+version: "1.2.0"
 description: Collect logs from WatchGuard Firebox with Elastic Agent.
 type: integration
 categories:
