Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security Graylog Security. Contact sales to learn more about obtaining Illuminate.

SonicWall Next-Gen Firewalls (NGFW) include a range of products (NSsp, NSa, NSv, and TZ network security appliances) that provide application inspection, IDS/IPS, VPN, and traditional firewall functionality. This technology pack will process SonicWall NGFW event log messages, providing normalization, enrichment, and categorization of common events of interest.


  • SonicWall NGFW Device(s) running SonicOS version 6.5, 7.0, or later
  • Graylog Server with a valid Enterprise license, running Graylog version 4.2.5, 4.3.0, or later
  • SonicWall devices configured to send logs to Graylog via syslog
  • SonicWall devices configured to send enhanced syslog format

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:SonicWall Device Messages”

Hint: If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “SonicWall Device Event Log Messages”
Warning: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with default retention settings of a daily rotation and 90 days of retention, with 4 shards per index. It is strongly recommended to review and adjust these settings to best suit your environment.

Log Format Example

id=SDF2lk3rj sn=SD2342LJFS time="2022-04-22 11:02:41" fw= pri=4 c=1024 m=537 msg="Connection Closed" app=2 n=23593520 src= dst= srcMac=00:15:5d:a1:a2:08 dstMac=f8:0f:6f:a8:a2:21 proto=udp/dns sent=85 rcvd=117 spkt=1 rpkt=1 cdur=30633 rule="3 (LAN->WAN)" fw_action="NA"

What Is Provided

  • Rules to normalize and enrich event log messages
  • A Spotlight content pack

Log Message Processing

Illuminate will identify SonicWall NGFW event log messages and add the field event_source_product with the value sonicwall_ngfw.

The Illuminate processing of SonicWall NGFW log messages provides the following:

  • Field extraction, normalization and message enrichment for SonicWall log messages
  • Graylog Schema compliance
  • GIM Categorization of the following messages:
SonicWall Event Code gim_event_category gim_event_subcategory gim_event_type
10 endpoint endpoint.service service error
22 alert alert network alert
23 alert alert network alert
24 authentication authentication.logoff session disconnect
25 alert alert network alert
27 alert alert network alert
28 alert alert network alert
31 authentication authentication.logon,authentication.credential validation logon
32 authentication authentication.logon,authentication.credential validation logon
33 authentication authentication.logon,authentication.credential validation logon
34 authentication authentication.credential validation error
81 alert alert network alert
82 alert alert network alert
83 alert alert network alert
139 authentication authentication.logon,authentication.credential validation logon
140 authentication authentication.logon,authentication.credential validation logon
141 authentication authentication.access notice error
150 endpoint endpoint.process process stopped
151 endpoint endpoint.process process stopped
177 alert alert network alert
178 alert alert network alert
179 alert alert network alert
229 alert alert network alert
237 authentication authentication.logon,authentication.credential validation logon
238 authentication authentication.logon,authentication.credential validation logon
243 authentication authentication.logon,authentication.credential validation logon
244 authentication authentication.logon,authentication.credential validation logon
245 authentication authentication.logon,authentication.credential validation logon
246 authentication authentication.logon,authentication.credential validation logon
248 alert alert network alert
267 alert alert network alert
328 iam iam.object modify account renamed
437 alert alert network alert
440 endpoint endpoint.service configuration change
441 endpoint endpoint.service configuration change
442 endpoint endpoint.service configuration change
446 alert alert network alert
486 authentication authentication.logon,authentication.credential validation logon
506 endpoint endpoint.service service stopped
508 endpoint endpoint.service service stopped
527 endpoint endpoint.ports port closed
528 endpoint endpoint.ports port closed
538 endpoint endpoint.ports port closed
546 alert alert network alert
548 alert alert network alert
549 authentication authentication.access policy device policy violation
560 iam iam.object disable account disabled
561 iam iam.object enable account enabled
564 authentication authentication.logoff session disconnect
580 alert alert network alert
583 alert alert network alert
606 alert alert network alert
608 alert alert network alert
609 alert alert network alert
656 authentication authentication.credential validation error
669 endpoint endpoint.service service error
676 endpoint endpoint.default endpoint message
677 endpoint endpoint.default endpoint message
682 endpoint endpoint.default endpoint message
701 endpoint endpoint.default endpoint message
728 endpoint endpoint.service service stopped
734 endpoint endpoint.default endpoint message
735 endpoint endpoint.default endpoint message
737 authentication authentication.credential validation error
744 authentication authentication.access notice error
745 authentication authentication.access notice error
746 authentication authentication.access notice error
747 authentication authentication.access notice error
748 authentication authentication.access notice error
749 authentication authentication.access notice error
750 authentication authentication.access notice error
751 authentication authentication.access notice error
752 authentication authentication.access notice error
753 authentication authentication.access notice error
754 authentication authentication.access notice error
755 authentication authentication.access notice error
756 authentication authentication.access notice error
757 authentication authentication.access notice error
758 authentication authentication.access notice error
759 authentication authentication.access notice error
789 alert alert network alert
790 alert alert network alert
793 alert alert network alert
794 alert alert network alert
795 alert alert network alert
809 alert alert network alert
864 alert alert network alert
866 alert alert network alert
868 alert alert network alert
879 alert alert.default alert message
881 endpoint endpoint.configuration system time changed
882 http,network http.communication, connection network http communication
883 endpoint endpoint.default endpoint message
884 endpoint endpoint.default endpoint message
885 endpoint endpoint.default endpoint message
886 endpoint endpoint.default endpoint message
897 alert alert network alert
898 alert alert network alert
904 alert alert.default alert message
905 alert alert.default alert message
913 authentication authentication.credential validation error
987 authentication authentication.credential validation error
988 authentication authentication.access notice error
989 authentication authentication.access notice error
990 authentication authentication.access notice error
991 authentication authentication.access notice error
992 authentication authentication.default authentication message
993 authentication authentication.default authentication message
994 endpoint endpoint.service configuration change
995 endpoint endpoint.service configuration change
996 authentication authentication.default authentication message
997 authentication authentication.default authentication message
998 authentication authentication.default authentication message
999 endpoint endpoint.default endpoint message
1000 endpoint endpoint.default endpoint message
1001 endpoint endpoint.default endpoint message
1002 endpoint endpoint.default endpoint message
1003 endpoint endpoint.default endpoint message
1004 endpoint endpoint.default endpoint message
1005 endpoint endpoint.default endpoint message
1006 endpoint endpoint.default endpoint message
1011 iam iam.object modify password change
1033 authentication authentication.access notice error
1035 authentication authentication.logon,authentication.credential validation logon
1048 iam iam.object modify password change
1049 endpoint endpoint.filesystem file modified
1058 endpoint endpoint.process process altered
1059 endpoint endpoint.process process altered
1073 authentication authentication.access notice error
1075 authentication authentication.kerberos request error
1076 authentication authentication.default authentication message
1080 authentication authentication.logon,authentication.credential validation logon
1085 endpoint endpoint.service service stopped
1088 endpoint endpoint.service service error
1089 endpoint endpoint.service service error
1091 alert alert network alert
1092 alert alert network alert
1093 alert alert network alert
1117 authentication authentication.default authentication message
1118 authentication authentication.default authentication message
1119 authentication authentication.default authentication message
1120 authentication authentication.default authentication message
1121 authentication authentication.default authentication message
1122 authentication authentication.default authentication message
1123 authentication authentication.default authentication message
1157 iam iam.object disable account disabled
1158 iam iam.object disable account disabled
1180 alert alert.default alert message
1181 alert alert.default alert message
1190 iam iam.object modify group member added
1191 iam iam.object modify group member removed
1192 iam iam.object modify group member added
1193 iam iam.object modify group member removed
1198 alert alert.default alert message
1199 alert alert.default alert message
1200 alert alert.default alert message
1201 alert alert.default alert message
1202 authentication authentication.default authentication message
1203 authentication authentication.default authentication message
1204 authentication authentication.default authentication message
1209 alert alert.default alert message
1210 alert alert.default alert message
1211 alert alert.default alert message
1212 alert alert.default alert message
1213 alert alert.default alert message
1214 alert alert.default alert message
1226 http,network http.communication, connection network http communication
1227 authentication authentication.access policy account policy violation
1229 network network.default network message
1231 endpoint endpoint.configuration system time changed
1243 authentication authentication.credential validation error
1316 alert alert.default alert message
1336 endpoint endpoint.service configuration change
1337 iam iam.object modify password change
1338 iam iam.object modify password change
1341 authentication authentication.default authentication message
1342 authentication authentication.default authentication message
1363 alert alert.default alert message
1366 alert alert.default alert message
1367 alert alert.default alert message
1369 alert alert network alert
1373 alert alert network alert
1374 alert alert network alert
1375 alert alert network alert
1376 alert alert network alert
1378 alert alert.default alert message
1382 endpoint endpoint.audit audit policy changed
1383 endpoint endpoint.audit audit error
1387 alert alert network alert
1393 endpoint endpoint.service service stopped
1432 endpoint endpoint.service configuration change
1438 endpoint endpoint.configuration system configuration modified
1439 endpoint endpoint.configuration system configuration modified
1440 endpoint endpoint.configuration system configuration modified
1441 endpoint endpoint.configuration system configuration modified
1450 alert alert.default alert message
1471 alert alert.default alert message
1490 http,network http.communication, connection network http communication
1491 http,network http.communication, connection network http communication
1517 authentication authentication.credential validation error
1518 alert alert.default alert message
1519 alert alert.default alert message
1522 endpoint endpoint.default endpoint message
1524 endpoint endpoint.default endpoint message
1525 endpoint endpoint.default endpoint message
1526 endpoint endpoint.default endpoint message
1552 authentication authentication.credential validation error
1553 authentication authentication.credential validation error
1554 authentication authentication.credential validation error
1555 authentication authentication.credential validation error
1556 authentication authentication.credential validation error
1557 authentication authentication.credential validation error
1572 authentication authentication.logon,authentication.credential validation logon
1585 authentication authentication.logon,authentication.credential validation logon
1590 endpoint endpoint.configuration system configuration modified
1595 endpoint endpoint.default endpoint message
1596 endpoint endpoint.default endpoint message
1599 endpoint endpoint.configuration system configuration modified
1600 endpoint endpoint.configuration system configuration modified
1601 endpoint endpoint.configuration system configuration modified
1627 iam iam.object disable account disabled
1632 endpoint endpoint.service service stopped
1634 endpoint endpoint.service service removed
1635 endpoint endpoint.service service error
1636 endpoint endpoint.default endpoint message
1637 endpoint endpoint.default endpoint message
1640 endpoint endpoint.service configuration change
1642 endpoint endpoint.ports port closed
1655 authentication authentication.access policy account policy violation
1674 endpoint endpoint.audit audit policy changed
Events associated with the built-in Administrative account

SonicWall NGFW devices are configured with a built-in Administrator account. The default name for this account is "Admin", but this can be altered by the user. Some events are logged by the SonicWall devices related to this account, which do not include the actual user name but instead just refer to "Administrator". Illuminate will assign a user_name value of "Administrator" for these events.

Severity Mapping

SonicWall devices have different severity level assignments which are mapped to the Graylog schema severity levels, in the fields event_severity and event_severity_level.

vendor_event_severity_severity vendor_event_severity event_severity_level event_severity
0 Emergency 5 critical
1 Alert 5 critical
2 Critical 5 critical
3 Error 4 high
4 Warning 3 medium
5 Notice 2 low
6 Info 1 informational
7 Debug 1 informational

Spotlight Content Pack

The Spotlight content pack contains:

  • Dashboard: Illuminate:SonicWall NGFW Overview

    • Overview tab: Summary of SonicWall device operations.

    • Alerts tab: Summary of SonicWall GIM categorized alerts

    • Network tab: Summary of Network Traffic

    • VPN tab: Summary of VPN activity

  • Saved Search: Illuminate:SonicWall NGFW Alert Log Viewer

    • View SonicWall NGFW GIM categorized Security Alerts
  • Saved Search: Illuminate:SonicWall NGFW Log Viewer - Filtered

    • Filter SonicWall NGFW logs by vendor severity, from the most critical level (0 - Emergency) to the least (7 - debug)
  • Saved Search: Illuminate:SonicWall NGFW Log Viewer

    • Saved search to view SonicWall NGFW Event Log Messages
  • Saved Search: Illuminate:SonicWall NGFW VPN Log Viewer

    • Saved search to view SonicWall NGFW VPN, SSL VPN, L2TP, and Portal Messages