›

SonicWall Firewall Integration

Version	1.16.0 (View all)
Compatible Kibana version(s)	8.2.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

This integration collects syslog messages from SonicWall firewalls. It has been tested with Enhanced Syslog logs from SonicOS 6.5 and 7.0 as described in the Log Events reference guide.

Configuration

edit

Configure a Syslog Server in your firewall using the following options:

Name or IP Address: The address where your Elastic Agent running this integration is reachable.
Port: The Syslog port (UDP) configured in this integration.
Server Type: Syslog Server.
Syslog Format: Enhanced Syslog.
Syslog ID: Change this default (firewall) if you need to differentiate between multiple firewalls. This value will be stored in the observer.name field.

It’s recommended to enable the Display UTC in logs (instead of local time) setting under the Device > Settings > Time configuration menu. Otherwise you’ll have to configure the Timezone Offset setting of this integration to match the timezone configured in your firewall.

Ensure proper connectivity between your firewall and Elastic Agent.

Supported messages

edit

This integration features generic support for enhanced syslog messages produced by SonicOS and features more detailed ECS enrichment for the following messages:

Category	Subcategory	Message IDs
Firewall	Access Rules	440-442, 646, 647, 734, 735
Firewall	Application Firewall	793, 1654
Firewall Settings	Advanced	428, 1473, 1573, 1576, 1590
Firewall Settings	Checksum Enforcement	883-886, 1448, 1449
Firewall Settings	FTP	446, 527, 528, 538
Firewall Settings	Flood Protection	25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452
Firewall Settings	Multicast	683, 690, 694, 1233
Firewall Settings	SSL Control	999, 1001-1006, 1081
High Availability	Cluster	1149, 1152
Log	Configuration Auditing	1382, 1383, 1674
Network	ARP	45, 815, 1316
Network	DNS	1098, 1099
Network	DNS Security	1593
Network	ICMP	38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458
Network	IP	28, 522, 910, 1301-1303, 1429, 1430
Network	IPcomp	651-653
Network	IPv6 Tunneling	1253
Network	Interfaces	58
Network	NAT	339, 1197, 1436
Network	NAT Policy	1313-1315
Network	Network Access	41, 46, 98, 347, 524, 537, 590, 714, 1304
Network	TCP	36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629
Security Services	Anti-Spyware	794-796
Security Services	Anti-Virus	123-125, 159, 408, 482
Security Services	Application Control	1154, 1155
Security Services	Attacks	22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471
Security Services	Botnet Filter	1195, 1200, 1201, 1476, 1477, 1518, 1519
Security Services	Content Filter	14, 16, 1599-1601
Security Services	Geo-IP Filter	1198, 1199, 1474, 1475
Security Services	IDP	789, 790
Security Services	IPS	608, 609
Security Services	Next-Gen Anti-Virus	1559-1562
Security Services	RBL Filter	797, 798
System	Administration	340, 341
System	Cloud Backup	1511-1516
System	Restart	93-95, 164, 599-601, 1046, 1047, 1392, 1393
System	Settings	573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637
System	Status	4, 53, 521, 1107, 1196, 1332, 1495, 1496
Users	Authentication Access	24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672
Users	Radius Authentication	243-245, 744-751, 753-757, 1011
Users	SSO Agent Authentication	988-991
VPN	DHCP Relay	229
Wireless	RF Monitoring	879
Wireless	WLAN	1363
Wireless	WLAN IDS	546, 548

Logs

edit

Example

An example event for log looks as following:

{
    "@timestamp": "2022-05-16T08:18:39.000+02:00",
    "agent": {
        "ephemeral_id": "8f24cddd-67ce-47a5-abbf-f121166c864d",
        "id": "8601d89d-ddce-4945-96ce-7d8dd35e7d9e",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.11.4"
    },
    "data_stream": {
        "dataset": "sonicwall_firewall.log",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "ip": "81.2.69.193",
        "mac": "00-17-C5-30-F9-D9",
        "port": 64889
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "8601d89d-ddce-4945-96ce-7d8dd35e7d9e",
        "snapshot": false,
        "version": "8.11.4"
    },
    "event": {
        "action": "connection-denied",
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "713",
        "dataset": "sonicwall_firewall.log",
        "ingested": "2024-01-29T19:06:19Z",
        "kind": "event",
        "outcome": "success",
        "sequence": 692,
        "severity": 7,
        "timezone": "+02:00",
        "type": [
            "connection",
            "denied"
        ]
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "level": "debug",
        "source": {
            "address": "172.23.0.4:37942"
        },
        "syslog": {
            "priority": 135
        }
    },
    "message": "� (TCP Flag(s): RST)",
    "network": {
        "bytes": 46,
        "protocol": "https",
        "transport": "tcp"
    },
    "observer": {
        "egress": {
            "interface": {
                "name": "X1"
            },
            "zone": "Untrusted"
        },
        "ingress": {
            "interface": {
                "name": "X1"
            },
            "zone": "Untrusted"
        },
        "ip": [
            "10.0.0.96"
        ],
        "name": "firewall",
        "product": "SonicOS",
        "serial_number": "0040103CE114",
        "type": "firewall",
        "vendor": "SonicWall"
    },
    "related": {
        "ip": [
            "10.0.0.96",
            "81.2.69.193"
        ],
        "user": [
            "admin"
        ]
    },
    "rule": {
        "id": "15 (WAN->WAN)"
    },
    "sonicwall": {
        "firewall": {
            "app": "12",
            "event_group_category": "Firewall Settings",
            "gcat": "6",
            "sess": "Web"
        }
    },
    "source": {
        "bytes": 46,
        "ip": "10.0.0.96",
        "mac": "00-06-B1-DD-4F-D4",
        "port": 443
    },
    "tags": [
        "sonicwall-firewall",
        "forwarded"
    ],
    "user": {
        "name": "admin"
    }
}

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
destination.address	Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.	keyword
destination.bytes	Bytes sent from the destination to the source.	long
destination.domain	The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.	keyword
destination.geo.city_name	City name.	keyword
destination.geo.continent_name	Name of the continent.	keyword
destination.geo.country_iso_code	Country ISO code.	keyword
destination.geo.country_name	Country name.	keyword
destination.geo.location	Longitude and latitude.	geo_point
destination.geo.region_iso_code	Region ISO code.	keyword
destination.geo.region_name	Region name.	keyword
destination.ip	IP address of the destination (IPv4 or IPv6).	ip
destination.mac	MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
destination.nat.ip	Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers.	ip
destination.nat.port	Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers.	long
destination.packets	Packets sent from the destination to the source.	long
destination.port	Port of the destination.	long
ecs.version	ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.	keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
event.sequence	Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.	long
event.severity	The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.	long
host.ip	Host ip addresses.	ip
http.request.body.bytes	Size in bytes of the request body.	long
http.request.method	HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.	keyword
input.type	Type of Filebeat input.	keyword
log.file.path	Path to the log file.	keyword
log.flags	Flags for the log file.	keyword
log.level	Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`.	keyword
log.offset	Offset of the entry in the log file.	long
log.source.address	Source address from which the log event was read / sent from.	keyword
log.syslog.priority	Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.	long
message	For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.	match_only_text
network.bytes	Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.	long
network.packets	Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.	long
network.protocol	In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.	keyword
network.transport	Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.	keyword
observer.egress.interface.name	Interface name as reported by the system.	keyword
observer.egress.zone	Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.	keyword
observer.hostname	Hostname of the observer.	keyword
observer.ingress.interface.name	Interface name as reported by the system.	keyword
observer.ingress.zone	Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.	keyword
observer.ip	IP addresses of the observer.	ip
observer.name	Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.	keyword
observer.product	The product name of the observer.	keyword
observer.serial_number	Observer serial number.	keyword
observer.type	The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.	keyword
observer.vendor	Vendor name of the observer.	keyword
related.ip	All of the IPs seen on your event.	ip
related.user	All the user names or other user identifiers seen on the event.	keyword
rule.id	A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.	keyword
rule.name	The name of the rule or signature generating the event.	keyword
sonicwall.firewall.Category	Category of CFS blocked content.	keyword
sonicwall.firewall.af_polid	Displays the Application Filter Policy ID.	keyword
sonicwall.firewall.app	Numeric application ID.	keyword
sonicwall.firewall.appName	Non-Signature Application Name.	keyword
sonicwall.firewall.appcat	Application control category.	keyword
sonicwall.firewall.appid	Application ID.	keyword
sonicwall.firewall.auditId		keyword
sonicwall.firewall.code	CFS blocking code.	keyword
sonicwall.firewall.dpi	Indicates wether a flow underwent Deep Packet Inspection.	boolean
sonicwall.firewall.event_group_category	Event group category.	keyword
sonicwall.firewall.gcat	Event group category (numeric identifier).	keyword
sonicwall.firewall.ipscat	IPS category.	keyword
sonicwall.firewall.ipspri	IPS priority.	keyword
sonicwall.firewall.oldValue		keyword
sonicwall.firewall.sess	User session type.	keyword
sonicwall.firewall.sid	IPS or Anti-Spyware signature ID.	keyword
sonicwall.firewall.tranxId		keyword
sonicwall.firewall.type	ICMP type.	keyword
sonicwall.firewall.userMode		keyword
sonicwall.firewall.uuid	Object UUID.	keyword
sonicwall.firewall.vpnpolicy	source VPN policy name.	keyword
sonicwall.firewall.vpnpolicyDst	destination VPN policy name.	keyword
source.address	Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.	keyword
source.bytes	Bytes sent from the source to the destination.	long
source.domain	The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.	keyword
source.geo.city_name	City name.	keyword
source.geo.continent_name	Name of the continent.	keyword
source.geo.country_iso_code	Country ISO code.	keyword
source.geo.country_name	Country name.	keyword
source.geo.location	Longitude and latitude.	geo_point
source.geo.region_iso_code	Region ISO code.	keyword
source.geo.region_name	Region name.	keyword
source.ip	IP address of the source (IPv4 or IPv6).	ip
source.mac	MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
source.nat.ip	Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers.	ip
source.nat.port	Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers.	long
source.packets	Packets sent from the source to the destination.	long
source.port	Port of the source.	long
tags	List of keywords used to tag each event.	keyword
url.domain	Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.	keyword
url.full	If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.	wildcard
url.full.text	Multi-field of `url.full`.	match_only_text
url.original	Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.	wildcard
url.original.text	Multi-field of `url.original`.	match_only_text
url.path	Path of the request, such as "/search".	wildcard
url.scheme	Scheme of the request, such as "https". Note: The `:` is not part of the scheme.	keyword
user.name	Short name or login of the user.	keyword
user.name.text	Multi-field of `user.name`.	match_only_text

Changelog

edit

Changelog

Version	Details	Kibana version(s)
1.16.0	Enhancement (View pull request) Update package spec to 3.0.3.	8.2.0 or higher
1.15.0	Bug fix (View pull request) Add ecs fields mappings for event.sequence, event.severity, host.ip, http.request.body.bytes.	8.2.0 or higher
1.14.2	Enhancement (View pull request) Changed owners	8.2.0 or higher
1.14.1	Bug fix (View pull request) Fix exclude_files pattern.	8.2.0 or higher
1.14.0	Enhancement (View pull request) Parse `host.name` or `host.ip`, and syslog priority from log message header.	8.2.0 or higher
1.13.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.2.0 or higher
1.12.0	Enhancement (View pull request) Improve event.original check to avoid errors if set.	8.2.0 or higher
1.11.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.2.0 or higher
1.10.0	Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.	8.2.0 or higher
1.9.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.2.0 or higher
1.8.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.2.0 or higher
1.7.0	Enhancement (View pull request) Update to package-spec 2.9.0.	8.2.0 or higher
1.6.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	8.2.0 or higher
1.5.0	Enhancement (View pull request) Update package to ECS 8.8.0.	8.2.0 or higher
1.4.0	Enhancement (View pull request) Update package to ECS 8.7.0.	8.2.0 or higher
1.3.2	Enhancement (View pull request) Added categories and/or subcategories.	8.2.0 or higher
1.3.1	Bug fix (View pull request) Ensure numeric timezones are correctly interpreted.	8.2.0 or higher
1.3.0	Enhancement (View pull request) Update package to ECS 8.6.0.	8.2.0 or higher
1.2.0	Enhancement (View pull request) Add `udp_options` to the UDP input.	8.2.0 or higher
1.1.0	Enhancement (View pull request) Update package to ECS 8.5.0.	8.2.0 or higher
1.0.0	Enhancement (View pull request) Make GA	8.2.0 or higher
0.3.0	Enhancement (View pull request) Update package to ECS 8.4.0	—
0.2.0	Enhancement (View pull request) Update package to ECS 8.3.0.	—
0.1.1	Bug fix (View pull request) Fix handling of NAT fields	—
0.1.0	Enhancement (View pull request) Initial beta version of the package	—

« Snyk Integration Sophos »