Description
Integration Name
WatchGuard Firebox [watchguard_firebox]
Dataset Name
watchguard_firebox.log
Integration Version
1.3.0
Agent Version
8.17.2
Agent Output Type
elasticsearch
Elasticsearch Version
8.17.2
OS Version and Architecture
Debian
Software/API Version
No response
Error Message
Processor community_id with tag in pipeline logs-watchguard_firebox.log-1.3.0-pipeline_traffic failed with message: invalid source port [0]
Event Original
<140>Mar 13 13:57:20 SAMPLE C03C03E7393A3 SAMPLE (2025-03-13T12:57:20) firewall: msg_id="3000-0148" Deny WAN-SAMPLE WAN-SAMPLE 40 tcp 20 247 12.124.12.126 123.89.23.23 0 5357 offset 5 S 2680103568 win 4 flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="40" rcvd_bytes="0" (Unhandled External Packet-00)
What did you do?
Debian server with the WatchGuard integration; the WatchGuard firewall sends the syslog to the integration.
What did you see?
The event.kind is pipeline_error.
What did you expect to see?
The correct event.kind
Anything else?
I see it happening only on msg_id="3000-0148" Deny messages because sometimes the source port is "0"
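
A triage sketch for the failure reported above, added here as an example and not taken from the issue or from the integration's pipeline: it parses traffic lines shaped like the event in this report, applies the port check that the error message implies, and computes a Community ID v1 hash only when both ports are usable. The positional field layout, the sample lines and the function names are assumptions made for illustration.

```python
import base64, hashlib, ipaddress, re, struct

# Constructed sample lines shaped like the event in this report;
# the second one carries a non-zero source port for comparison.
SAMPLES = [
    'firewall: msg_id="3000-0148" Deny WAN-SAMPLE WAN-SAMPLE 40 tcp 20 247 '
    '12.124.12.126 123.89.23.23 0 5357 offset 5 S 2680103568 win 4 flags="SR"',
    'firewall: msg_id="3000-0148" Deny WAN-SAMPLE WAN-SAMPLE 40 tcp 20 247 '
    '12.124.12.126 123.89.23.23 40112 5357 offset 5 S 2680103568 win 4 flags="SR"',
]

# Assumed positional layout, inferred from the sample event: action, in-if,
# out-if, length, protocol, header length, TTL, src ip, dst ip, src port, dst port.
TRAFFIC = re.compile(
    r'msg_id="(?P<msg_id>[^"]+)" (?P<action>\S+) \S+ \S+ \d+ (?P<proto>tcp|udp) \d+ \d+ '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)')
PROTO = {"tcp": 6, "udp": 17}

def community_id_v1(src, dst, sport, dport, proto, seed=0):
    """Community ID v1: SHA-1 over seed, ordered endpoints, protocol, pad, ports."""
    a = (ipaddress.ip_address(src).packed, sport)
    b = (ipaddress.ip_address(dst).packed, dport)
    if a > b:  # order endpoints so both directions of a flow hash identically
        a, b = b, a
    data = struct.pack("!H", seed) + a[0] + b[0] + struct.pack("!BBHH", proto, 0, a[1], b[1])
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

def triage(line):
    """Return (parsed fields, community id or None, reason)."""
    m = TRAFFIC.search(line)
    if not m:
        return None, None, "not a traffic line"
    f = m.groupdict()
    sport, dport = int(f["sport"]), int(f["dport"])
    for name, port in (("source", sport), ("destination", dport)):
        # Port 0 is rejected per the error message above; 65535 is the 16-bit limit.
        if not 1 <= port <= 65535:
            return f, None, f"invalid {name} port [{port}]"
    return f, community_id_v1(f["src"], f["dst"], sport, dport, PROTO[f["proto"]]), "ok"

if __name__ == "__main__":
    for line in SAMPLES:
        fields, cid, reason = triage(line)
        print(fields["msg_id"], fields["sport"], cid, reason)
```

Skipping the hash for port-0 lines keeps the rest of the event's fields usable instead of letting one processor failure turn the whole document into a pipeline error.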