The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
SonicWall Next-Gen Firewalls (NGFW) include a range of products (NSsp, NSa, NSv, and TZ network security appliances) that provide application inspection, IDS/IPS, VPN, and traditional firewall functionality. This technology pack will process SonicWall NGFW event log messages, providing normalization, enrichment, and categorization of common events of interest.
Requirement(s)
- SonicWall NGFW Device(s) running SonicOS version 6.5, 7.0, or later
- Graylog Server with a valid Enterprise license, running Graylog version 4.2.5, 4.3.0, or later
- SonicWall devices configured to send logs to Graylog via syslog
- SonicWall devices configured to send enhanced syslog format
Stream Configuration
This technology pack includes one stream:
- “Illuminate:SonicWall Device Messages”
Hint: If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.
Index Set Configuration
This technology pack includes one index set definition:
- “SonicWall Device Event Log Messages”
Warning: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with default retention settings of a daily rotation and 90 days of retention, with 4 shards per index. It is strongly recommended to review and adjust these settings to best suit your environment.
Log Format Example
id=SDF2lk3rj sn=SD2342LJFS time="2022-04-22 11:02:41" fw=10.1.2.3 pri=4 c=1024 m=537 msg="Connection Closed" app=2 n=23593520 src=192.168.10.20:53323:IF0 dst=10.0.130.15:53:IF1 srcMac=00:15:5d:a1:a2:08 dstMac=f8:0f:6f:a8:a2:21 proto=udp/dns sent=85 rcvd=117 spkt=1 rpkt=1 cdur=30633 rule="3 (LAN->WAN)" fw_action="NA"
What Is Provided
- Rules to normalize and enrich event log messages
- A Spotlight content pack
Log Message Processing
Illuminate will identify SonicWall NGFW event log messages and add the field event_source_product with the value sonicwall_ngfw.
The Illuminate processing of SonicWall NGFW log messages provides the following:
- Field extraction, normalization and message enrichment for SonicWall log messages
- Graylog Schema compliance
- GIM Categorization of the following messages:
| SonicWall Event Code | gim_event_category
|
gim_event_subcategory
|
gim_event_type
|
|---|---|---|---|
| 10 | endpoint | endpoint.service | service error |
| 22 | alert | alert.network alert | network alert |
| 23 | alert | alert.network alert | network alert |
| 24 | authentication | authentication.logoff | session disconnect |
| 25 | alert | alert.network alert | network alert |
| 27 | alert | alert.network alert | network alert |
| 28 | alert | alert.network alert | network alert |
| 31 | authentication | authentication.logon,authentication.credential validation | logon |
| 32 | authentication | authentication.logon,authentication.credential validation | logon |
| 33 | authentication | authentication.logon,authentication.credential validation | logon |
| 34 | authentication | authentication.credential validation | error |
| 81 | alert | alert.network alert | network alert |
| 82 | alert | alert.network alert | network alert |
| 83 | alert | alert.network alert | network alert |
| 139 | authentication | authentication.logon,authentication.credential validation | logon |
| 140 | authentication | authentication.logon,authentication.credential validation | logon |
| 141 | authentication | authentication.access notice | error |
| 150 | endpoint | endpoint.process | process stopped |
| 151 | endpoint | endpoint.process | process stopped |
| 177 | alert | alert.network alert | network alert |
| 178 | alert | alert.network alert | network alert |
| 179 | alert | alert.network alert | network alert |
| 229 | alert | alert.network alert | network alert |
| 237 | authentication | authentication.logon,authentication.credential validation | logon |
| 238 | authentication | authentication.logon,authentication.credential validation | logon |
| 243 | authentication | authentication.logon,authentication.credential validation | logon |
| 244 | authentication | authentication.logon,authentication.credential validation | logon |
| 245 | authentication | authentication.logon,authentication.credential validation | logon |
| 246 | authentication | authentication.logon,authentication.credential validation | logon |
| 248 | alert | alert.network alert | network alert |
| 267 | alert | alert.network alert | network alert |
| 328 | iam | iam.object modify | account renamed |
| 437 | alert | alert.network alert | network alert |
| 440 | endpoint | endpoint.service | configuration change |
| 441 | endpoint | endpoint.service | configuration change |
| 442 | endpoint | endpoint.service | configuration change |
| 446 | alert | alert.network alert | network alert |
| 486 | authentication | authentication.logon,authentication.credential validation | logon |
| 506 | endpoint | endpoint.service | service stopped |
| 508 | endpoint | endpoint.service | service stopped |
| 527 | endpoint | endpoint.ports | port closed |
| 528 | endpoint | endpoint.ports | port closed |
| 538 | endpoint | endpoint.ports | port closed |
| 546 | alert | alert.network alert | network alert |
| 548 | alert | alert.network alert | network alert |
| 549 | authentication | authentication.access policy | device policy violation |
| 560 | iam | iam.object disable | account disabled |
| 561 | iam | iam.object enable | account enabled |
| 564 | authentication | authentication.logoff | session disconnect |
| 580 | alert | alert.network alert | network alert |
| 583 | alert | alert.network alert | network alert |
| 606 | alert | alert.network alert | network alert |
| 608 | alert | alert.network alert | network alert |
| 609 | alert | alert.network alert | network alert |
| 656 | authentication | authentication.credential validation | error |
| 669 | endpoint | endpoint.service | service error |
| 676 | endpoint | endpoint.default | endpoint message |
| 677 | endpoint | endpoint.default | endpoint message |
| 682 | endpoint | endpoint.default | endpoint message |
| 701 | endpoint | endpoint.default | endpoint message |
| 728 | endpoint | endpoint.service | service stopped |
| 734 | endpoint | endpoint.default | endpoint message |
| 735 | endpoint | endpoint.default | endpoint message |
| 737 | authentication | authentication.credential validation | error |
| 744 | authentication | authentication.access notice | error |
| 745 | authentication | authentication.access notice | error |
| 746 | authentication | authentication.access notice | error |
| 747 | authentication | authentication.access notice | error |
| 748 | authentication | authentication.access notice | error |
| 749 | authentication | authentication.access notice | error |
| 750 | authentication | authentication.access notice | error |
| 751 | authentication | authentication.access notice | error |
| 752 | authentication | authentication.access notice | error |
| 753 | authentication | authentication.access notice | error |
| 754 | authentication | authentication.access notice | error |
| 755 | authentication | authentication.access notice | error |
| 756 | authentication | authentication.access notice | error |
| 757 | authentication | authentication.access notice | error |
| 758 | authentication | authentication.access notice | error |
| 759 | authentication | authentication.access notice | error |
| 789 | alert | alert.network alert | network alert |
| 790 | alert | alert.network alert | network alert |
| 793 | alert | alert.network alert | network alert |
| 794 | alert | alert.network alert | network alert |
| 795 | alert | alert.network alert | network alert |
| 809 | alert | alert.network alert | network alert |
| 864 | alert | alert.network alert | network alert |
| 866 | alert | alert.network alert | network alert |
| 868 | alert | alert.network alert | network alert |
| 879 | alert | alert.default | alert message |
| 881 | endpoint | endpoint.configuration | system time changed |
| 882 | http,network | http.communication,network.network connection | network http communication |
| 883 | endpoint | endpoint.default | endpoint message |
| 884 | endpoint | endpoint.default | endpoint message |
| 885 | endpoint | endpoint.default | endpoint message |
| 886 | endpoint | endpoint.default | endpoint message |
| 897 | alert | alert.network alert | network alert |
| 898 | alert | alert.network alert | network alert |
| 904 | alert | alert.default | alert message |
| 905 | alert | alert.default | alert message |
| 913 | authentication | authentication.credential validation | error |
| 987 | authentication | authentication.credential validation | error |
| 988 | authentication | authentication.access notice | error |
| 989 | authentication | authentication.access notice | error |
| 990 | authentication | authentication.access notice | error |
| 991 | authentication | authentication.access notice | error |
| 992 | authentication | authentication.default | authentication message |
| 993 | authentication | authentication.default | authentication message |
| 994 | endpoint | endpoint.service | configuration change |
| 995 | endpoint | endpoint.service | configuration change |
| 996 | authentication | authentication.default | authentication message |
| 997 | authentication | authentication.default | authentication message |
| 998 | authentication | authentication.default | authentication message |
| 999 | endpoint | endpoint.default | endpoint message |
| 1000 | endpoint | endpoint.default | endpoint message |
| 1001 | endpoint | endpoint.default | endpoint message |
| 1002 | endpoint | endpoint.default | endpoint message |
| 1003 | endpoint | endpoint.default | endpoint message |
| 1004 | endpoint | endpoint.default | endpoint message |
| 1005 | endpoint | endpoint.default | endpoint message |
| 1006 | endpoint | endpoint.default | endpoint message |
| 1011 | iam | iam.object modify | password change |
| 1033 | authentication | authentication.access notice | error |
| 1035 | authentication | authentication.logon,authentication.credential validation | logon |
| 1048 | iam | iam.object modify | password change |
| 1049 | endpoint | endpoint.filesystem | file modified |
| 1058 | endpoint | endpoint.process | process altered |
| 1059 | endpoint | endpoint.process | process altered |
| 1073 | authentication | authentication.access notice | error |
| 1075 | authentication | authentication.kerberos request | error |
| 1076 | authentication | authentication.default | authentication message |
| 1080 | authentication | authentication.logon,authentication.credential validation | logon |
| 1085 | endpoint | endpoint.service | service stopped |
| 1088 | endpoint | endpoint.service | service error |
| 1089 | endpoint | endpoint.service | service error |
| 1091 | alert | alert.network alert | network alert |
| 1092 | alert | alert.network alert | network alert |
| 1093 | alert | alert.network alert | network alert |
| 1117 | authentication | authentication.default | authentication message |
| 1118 | authentication | authentication.default | authentication message |
| 1119 | authentication | authentication.default | authentication message |
| 1120 | authentication | authentication.default | authentication message |
| 1121 | authentication | authentication.default | authentication message |
| 1122 | authentication | authentication.default | authentication message |
| 1123 | authentication | authentication.default | authentication message |
| 1157 | iam | iam.object disable | account disabled |
| 1158 | iam | iam.object disable | account disabled |
| 1180 | alert | alert.default | alert message |
| 1181 | alert | alert.default | alert message |
| 1190 | iam | iam.object modify | group member added |
| 1191 | iam | iam.object modify | group member removed |
| 1192 | iam | iam.object modify | group member added |
| 1193 | iam | iam.object modify | group member removed |
| 1198 | alert | alert.default | alert message |
| 1199 | alert | alert.default | alert message |
| 1200 | alert | alert.default | alert message |
| 1201 | alert | alert.default | alert message |
| 1202 | authentication | authentication.default | authentication message |
| 1203 | authentication | authentication.default | authentication message |
| 1204 | authentication | authentication.default | authentication message |
| 1209 | alert | alert.default | alert message |
| 1210 | alert | alert.default | alert message |
| 1211 | alert | alert.default | alert message |
| 1212 | alert | alert.default | alert message |
| 1213 | alert | alert.default | alert message |
| 1214 | alert | alert.default | alert message |
| 1226 | http,network | http.communication,network.network connection | network http communication |
| 1227 | authentication | authentication.access policy | account policy violation |
| 1229 | network | network.default | network message |
| 1231 | endpoint | endpoint.configuration | system time changed |
| 1243 | authentication | authentication.credential validation | error |
| 1316 | alert | alert.default | alert message |
| 1336 | endpoint | endpoint.service | configuration change |
| 1337 | iam | iam.object modify | password change |
| 1338 | iam | iam.object modify | password change |
| 1341 | authentication | authentication.default | authentication message |
| 1342 | authentication | authentication.default | authentication message |
| 1363 | alert | alert.default | alert message |
| 1366 | alert | alert.default | alert message |
| 1367 | alert | alert.default | alert message |
| 1369 | alert | alert.network alert | network alert |
| 1373 | alert | alert.network alert | network alert |
| 1374 | alert | alert.network alert | network alert |
| 1375 | alert | alert.network alert | network alert |
| 1376 | alert | alert.network alert | network alert |
| 1378 | alert | alert.default | alert message |
| 1382 | endpoint | endpoint.audit | audit policy changed |
| 1383 | endpoint | endpoint.audit | audit error |
| 1387 | alert | alert.network alert | network alert |
| 1393 | endpoint | endpoint.service | service stopped |
| 1432 | endpoint | endpoint.service | configuration change |
| 1438 | endpoint | endpoint.configuration | system configuration modified |
| 1439 | endpoint | endpoint.configuration | system configuration modified |
| 1440 | endpoint | endpoint.configuration | system configuration modified |
| 1441 | endpoint | endpoint.configuration | system configuration modified |
| 1450 | alert | alert.default | alert message |
| 1471 | alert | alert.default | alert message |
| 1490 | http,network | http.communication,network.network connection | network http communication |
| 1491 | http,network | http.communication,network.network connection | network http communication |
| 1517 | authentication | authentication.credential validation | error |
| 1518 | alert | alert.default | alert message |
| 1519 | alert | alert.default | alert message |
| 1522 | endpoint | endpoint.default | endpoint message |
| 1524 | endpoint | endpoint.default | endpoint message |
| 1525 | endpoint | endpoint.default | endpoint message |
| 1526 | endpoint | endpoint.default | endpoint message |
| 1552 | authentication | authentication.credential validation | error |
| 1553 | authentication | authentication.credential validation | error |
| 1554 | authentication | authentication.credential validation | error |
| 1555 | authentication | authentication.credential validation | error |
| 1556 | authentication | authentication.credential validation | error |
| 1557 | authentication | authentication.credential validation | error |
| 1572 | authentication | authentication.logon,authentication.credential validation | logon |
| 1585 | authentication | authentication.logon,authentication.credential validation | logon |
| 1590 | endpoint | endpoint.configuration | system configuration modified |
| 1595 | endpoint | endpoint.default | endpoint message |
| 1596 | endpoint | endpoint.default | endpoint message |
| 1599 | endpoint | endpoint.configuration | system configuration modified |
| 1600 | endpoint | endpoint.configuration | system configuration modified |
| 1601 | endpoint | endpoint.configuration | system configuration modified |
| 1627 | iam | iam.object disable | account disabled |
| 1632 | endpoint | endpoint.service | service stopped |
| 1634 | endpoint | endpoint.service | service removed |
| 1635 | endpoint | endpoint.service | service error |
| 1636 | endpoint | endpoint.default | endpoint message |
| 1637 | endpoint | endpoint.default | endpoint message |
| 1640 | endpoint | endpoint.service | configuration change |
| 1642 | endpoint | endpoint.ports | port closed |
| 1655 | authentication | authentication.access policy | account policy violation |
| 1674 | endpoint | endpoint.audit | audit policy changed |
Events associated with the built-in Administrative account
SonicWall NGFW devices are configured with a built-in Administrator account. The default name for this account is "Admin", but this can be altered by the user. Some events are logged by the SonicWall devices related to this account, which do not include the actual user name but instead just refer to "Administrator". Illuminate will assign a user_name value of "Administrator" for these events.
Severity Mapping
SonicWall devices have different severity level assignments which are mapped to the Graylog schema severity levels, in the fields event_severity and event_severity_level.
vendor_event_severity_severity
|
vendor_event_severity
|
event_severity_level
|
event_severity
|
|---|---|---|---|
| 0 | Emergency | 5 | critical |
| 1 | Alert | 5 | critical |
| 2 | Critical | 5 | critical |
| 3 | Error | 4 | high |
| 4 | Warning | 3 | medium |
| 5 | Notice | 2 | low |
| 6 | Info | 1 | informational |
| 7 | Debug | 1 | informational |
Spotlight Content Pack
The Spotlight content pack contains:
-
Dashboard: Illuminate:SonicWall NGFW Overview
-
Overview tab: Summary of SonicWall device operations.
-
Alerts tab: Summary of SonicWall GIM categorized alerts
-
Network tab: Summary of Network Traffic
-
VPN tab: Summary of VPN activity
-
-
Saved Search: Illuminate:SonicWall NGFW Alert Log Viewer
- View SonicWall NGFW GIM categorized Security Alerts
- View SonicWall NGFW GIM categorized Security Alerts
-
Saved Search: Illuminate:SonicWall NGFW Log Viewer - Filtered
- Filter SonicWall NGFW logs by vendor severity, from the most critical level (0 - Emergency) to the least (7 - debug)
- Filter SonicWall NGFW logs by vendor severity, from the most critical level (0 - Emergency) to the least (7 - debug)
-
Saved Search: Illuminate:SonicWall NGFW Log Viewer
- Saved search to view SonicWall NGFW Event Log Messages
- Saved search to view SonicWall NGFW Event Log Messages
-
Saved Search: Illuminate:SonicWall NGFW VPN Log Viewer
- Saved search to view SonicWall NGFW VPN, SSL VPN, L2TP, and Portal Messages
- Saved search to view SonicWall NGFW VPN, SSL VPN, L2TP, and Portal Messages
