UserGate NGFW
UserGate next-generation firewall and UTM appliance logs — traffic accept/deny decisions, web content filtering, DNS queries, IDS/IPS alerts, user authentication, VPN sessions, and system operational events.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/network-usergate/generator.yml \
--id usergate \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| traffic-accept | Traffic Accept (allowed connections) | ~49% | network |
| traffic-deny | Traffic Deny (blocked connections) | ~16% | network |
| web-filter | Web Content Filter | ~7% | network |
| dns | DNS Query Logging | ~5% | network |
| system-event | System Operational Events | ~5% | host |
| idps-alert | IDS/IPS Alert Detection | ~4% | intrusion_detection |
| auth | User Authentication | ~4% | authentication |
| vpn | VPN Session Events | ~3% | network |
Realism Features
- Weighted event distributions matching production UserGate log volumes (traffic ~65%, UTM ~16%, system/auth/vpn ~12%)
- UserGate-specific fields — rule_id, zone pairs (Trusted/Untrusted/DMZ), content filtering categories
- Zone-aware routing with UserGate interface naming conventions
- IDS/IPS alerts with signature IDs and severity levels matching real threat classifications
- Web content filter categories aligned with UserGate URL filtering engine
- VPN session lifecycle — tunnel establishment and teardown with user identity correlation
Sample Output
{
"@timestamp": "2026-03-07T11:24:18.000000+00:00",
"event": {
"action": "accept",
"category": ["network"],
"dataset": "usergate.log",
"outcome": "success",
"type": ["connection", "allowed"]
},
"source": { "ip": "10.1.1.25", "port": 51843 },
"destination": { "ip": "93.184.216.34", "port": 443 },
"network": {
"direction": "outbound",
"transport": "tcp"
},
"observer": {
"hostname": "ug-fw-01",
"product": "NGFW",
"type": "firewall",
"vendor": "UserGate"
},
"rule": { "id": "12", "name": "Allow-Internet" },
"usergate": {
"zone_src": "Trusted",
"zone_dst": "Untrusted"
}
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | ug-fw-01 | UserGate device hostname |
| domain | example.com | Domain name |
| nat_ip | 198.51.100.1 | Public NAT IP for outbound connections |
| agent_id | b5c8d3e2-... | Elastic Agent ID |
| agent_version | 8.17.0 | Elastic Agent version |
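To check that generated records carry the fields shown in Sample Output and to exercise a detection against them, an added Python example (not the content pack's own code); the deny-side values ("deny", "failure", "denied", "Default-Deny"), the scanning host and rule id 999 are assumptions, since the page only shows an accept record.

```python
import json
# Added example, not part of the content pack: validate generator NDJSON against the Sample Output fields, then detect scans.
def make_event(action, src_ip, dst_ip, dst_port, zone_src, zone_dst, rule_id):
    """Sample Output shape; deny values ("deny"/"failure"/"denied"/"Default-Deny") are assumed (page shows accept only)."""
    ok = action == "accept"
    return {
        "@timestamp": "2026-03-07T11:24:18.000000+00:00",
        "event": {"action": action, "category": ["network"], "dataset": "usergate.log",
                  "outcome": "success" if ok else "failure",
                  "type": ["connection", "allowed" if ok else "denied"]},
        "source": {"ip": src_ip, "port": 51843}, "destination": {"ip": dst_ip, "port": dst_port},
        "observer": {"hostname": "ug-fw-01", "product": "NGFW", "type": "firewall", "vendor": "UserGate"},
        "rule": {"id": rule_id, "name": "Allow-Internet" if ok else "Default-Deny"},
        "usergate": {"zone_src": zone_src, "zone_dst": zone_dst},
    }

# Constructed sample: the page's accept record plus a burst of denies from one
# Trusted host towards the DMZ (hosts and rule id 999 are made up).
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in
    [make_event("accept", "10.1.1.25", "93.184.216.34", 443, "Trusted", "Untrusted", "12")]
    + [make_event("deny", "10.1.1.77", "172.16.0.10", p, "Trusted", "DMZ", "999")
       for p in (22, 23, 445, 3389, 5900)])

# Dotted ECS paths every UserGate record should carry, taken from the sample.
REQUIRED = ("@timestamp", "event.action", "event.dataset", "source.ip", "destination.ip",
            "observer.vendor", "rule.id", "usergate.zone_src", "usergate.zone_dst")

def get_path(event, path):
    cur = event  # walk a dotted path such as "usergate.zone_src"; None if absent
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur
def load_events(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]
def missing_fields(event):
    return [p for p in REQUIRED if get_path(event, p) is None]

def denied_ports_per_source(events):
    # Distinct ports each source was denied on: many from one host is the scan signal.
    ports = {}
    for e in events:
        if get_path(e, "event.action") == "deny":
            ports.setdefault(e["source"]["ip"], set()).add(e["destination"]["port"])
    return ports

def flag_scanners(events, min_ports=5):
    return sorted(ip for ip, ps in denied_ports_per_source(events).items() if len(ps) >= min_ports)
```

Pointing `load_events` at a file written by `eventum generate` instead of `SAMPLE_NDJSON` gives the same validation and detection over real generator output.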
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.