Collect SonicWall logs
This document describes how you can collect SonicWall logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the SONIC_FIREWALL ingestion label.
Configure SonicWall security appliance
- Sign in to the SonicWall console.
- Go to Log > Syslog.
- In the Syslog servers section, click Add. The Add syslog server window appears.
- In the Name or IP address field, provide the Google Security Operations forwarder hostname or IP address.
- If your syslog configuration doesn't use the default port 514, specify the port number in the Port number field.
- Click Ok.
- Click Accept to save all the syslog server settings.
Configure Google Security Operations forwarder and syslog to ingest SonicWall logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select SonicWall as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
  - Protocol: specify the connection protocol (TCP or UDP) the collector will use to listen for syslog data. It must match the protocol the SonicWall appliance sends with.
  - Address: specify the IP address or hostname on which the collector listens for syslog data. This is the address you entered in the SonicWall syslog server settings.
  - Port: specify the port on which the collector listens for syslog data. It must match the port configured on the SonicWall appliance (514 by default).
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation.
For information about requirements for each forwarder type, see Forwarder configuration by type.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts key-value pairs from SonicWall firewall syslog messages, normalizes various fields like timestamps, IP addresses, and ports, and maps them to the UDM format. It handles both IPv4 and IPv6 addresses, distinguishes between allowed and blocked events, and extracts security-relevant details like rule names and descriptions.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| agent | event.idm.read_only_udm.network.http.user_agent | The value of the agent field is assigned to the UDM field. |
| appcat | event.idm.read_only_udm.security_result.summary | The value of the appcat field is assigned to the UDM field. If appcat contains "PROXY-ACCESS", event.idm.read_only_udm.security_result.category is set to "POLICY_VIOLATION" and event.idm.read_only_udm.security_result.action is set to "BLOCK". |
| appid | event.idm.read_only_udm.security_result.rule_id | The value of the appid field is assigned to the UDM field. |
| arg | event.idm.read_only_udm.target.resource.name | The value of the arg field is assigned to the UDM field. |
| avgThroughput | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "avgThroughput" and value from the avgThroughput field is added to the UDM field. |
| bytesIn | event.idm.read_only_udm.network.received_bytes | The value of the bytesIn field is converted to an unsigned integer and assigned to the UDM field. |
| bytesOut | event.idm.read_only_udm.network.sent_bytes | The value of the bytesOut field is converted to an unsigned integer and assigned to the UDM field. |
| bytesTotal | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "bytesTotal" and value from the bytesTotal field is added to the UDM field. |
| Category | event.idm.read_only_udm.security_result.category_details | The value of the Category field is assigned to the UDM field. |
| cdur | event.idm.read_only_udm.security_result.detection_fields | A detection field with key "Connection Duration (milli seconds)" and value from the cdur field is added to the UDM field. |
| dst | event.idm.read_only_udm.target.ip, event.idm.read_only_udm.target.port | The IP and port are extracted from the dst field. If dstV6 is not empty, the IP is extracted from dstV6 instead. |
| dstMac | event.idm.read_only_udm.target.mac | The value of the dstMac field is assigned to the UDM field. |
| dstV6 | event.idm.read_only_udm.target.ip | The IP is extracted from the dstV6 field. |
| dstname | event.idm.read_only_udm.target.hostname | If dstname is not an IP address, its value is assigned to the UDM field. |
| duration | event.idm.read_only_udm.network.session_duration.seconds | The value of the duration field is converted to an integer and assigned to the UDM field. |
| fw | event.idm.read_only_udm.principal.ip | The value of the fw field is assigned to the UDM field. If fw contains "-", a label with key "fw" and value from the fw field is added to event.idm.read_only_udm.additional.fields instead. |
| fw_action | event.idm.read_only_udm.security_result.action_details, event.idm.read_only_udm.security_result.summary, event.idm.read_only_udm.security_result.action | The value of the fw_action field is assigned to event.idm.read_only_udm.security_result.action_details. If fw_action is "drop", event.idm.read_only_udm.security_result.action is set to "BLOCK" and event.idm.read_only_udm.security_result.summary is set to the value of msg. |
| gw | event.idm.read_only_udm.intermediary.ip | The IP address is extracted from the gw field and assigned to the UDM field. |
| id | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | The value of the id field is assigned to both UDM fields. |
| maxThroughput | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "maxThroughput" and value from the maxThroughput field is added to the UDM field. |
| msg | event.idm.read_only_udm.security_result.summary, event.idm.read_only_udm.metadata.description | If fw_action is not "drop" or appcat is empty, the value of the msg field is assigned to event.idm.read_only_udm.security_result.summary. Otherwise, it's assigned to event.idm.read_only_udm.metadata.description. |
| natDst | event.idm.read_only_udm.target.nat_ip | The IP address is extracted from the natDst field and assigned to the UDM field. |
| natSrc | event.idm.read_only_udm.principal.nat_ip | The IP address is extracted from the natSrc field and assigned to the UDM field. |
| note | event.idm.read_only_udm.security_result.description | The value of the note field, after extracting dstip, srcip, gw, and sec_desc, is assigned to the UDM field. |
| packetsIn | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "packetsIn" and value from the packetsIn field is added to the UDM field. |
| packetsOut | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "packetsOut" and value from the packetsOut field is added to the UDM field. |
| packetsTotal | event.idm.read_only_udm.target.resource.attribute.labels | A label with key "packetsTotal" and value from the packetsTotal field is added to the UDM field. |
| pri | event.idm.read_only_udm.security_result.severity | The value of the pri field determines the value of the UDM field: 0, 1, 2 -> CRITICAL; 3 -> ERROR; 4 -> MEDIUM; 5, 7 -> LOW; 6 -> INFORMATIONAL. |
| proto | event.idm.read_only_udm.network.ip_protocol, event.idm.read_only_udm.network.application_protocol, event.idm.read_only_udm.metadata.event_type | If proto contains "udp", the UDM ip_protocol is set to "UDP" and event_type is set to "NETWORK_CONNECTION". If proto contains "https", the UDM application_protocol is set to "HTTPS". |
| rcvd | event.idm.read_only_udm.network.received_bytes | The value of the rcvd field is converted to an unsigned integer and assigned to the UDM field. |
| rule | event.idm.read_only_udm.security_result.rule_name | The value of the rule field is assigned to the UDM field. |
| sec_desc | event.idm.read_only_udm.security_result.description | The value of the sec_desc field is assigned to the UDM field. |
| sent | event.idm.read_only_udm.network.sent_bytes | The value of the sent field is converted to an unsigned integer and assigned to the UDM field. |
| sess | event.idm.read_only_udm.security_result.detection_fields | A detection field with key "Session Type" and value from the sess field is added to the UDM field. |
| sn | event.idm.read_only_udm.additional.fields | A label with key "SN" and value from the sn field is added to the UDM field. |
| spkt | event.idm.read_only_udm.network.sent_packets | The value of the spkt field is converted to an integer and assigned to the UDM field. |
| src | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.port | The IP and port are extracted from the src field. If srcV6 is not empty, the IP is extracted from srcV6 instead. |
| srcMac | event.idm.read_only_udm.principal.mac | The value of the srcMac field is assigned to the UDM field. |
| srcV6 | event.idm.read_only_udm.principal.ip | The IP is extracted from the srcV6 field. |
| srcip | event.idm.read_only_udm.additional.fields, event.idm.read_only_udm.principal.ip | If srcip contains "-", a label with key "srcip" and value from the srcip field is added to event.idm.read_only_udm.additional.fields. Otherwise, the value of srcip is assigned to event.idm.read_only_udm.principal.ip. |
| time | event.idm.read_only_udm.metadata.event_timestamp | The value of the time field is parsed and converted to a timestamp, which is then assigned to the UDM field. |
| type | event.idm.read_only_udm.network.ip_protocol | If the proto field is "icmp", the UDM field is set to "ICMP". |
| user/usr | event.idm.read_only_udm.principal.user.email_addresses, event.idm.read_only_udm.principal.user.user_display_name, event.idm.read_only_udm.principal.user.userid | If user is empty, the value of usr is used instead. If the value contains "@", it is treated as an email address and added to email_addresses. If it contains a space, it's treated as a display name. Otherwise, it's treated as a userid. |
| vpnpolicy | event.idm.read_only_udm.security_result.detection_fields | A detection field with key "vpnpolicy" and value from the vpnpolicy field is added to the UDM field. |
| | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to "SonicWall". |
| | event.idm.read_only_udm.metadata.product_name | Hardcoded to "Firewall". |
| | event.idm.read_only_udm.metadata.log_type | Hardcoded to "SONIC_FIREWALL". |
| | event.idm.read_only_udm.metadata.event_type | Determined by logic based on the values of other fields. Defaults to "GENERIC_EVENT"; can be "STATUS_UPDATE", "NETWORK_CONNECTION", or "NETWORK_HTTP". |
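The following Python script is an added example, not the Google Security Operations parser itself, showing how the key-value extraction and the mapping rules in the table above (src/dst splitting with the srcV6/dstV6 override, pri to severity, fw_action "drop" to BLOCK, the msg/appcat summary precedence, byte counters, and the user/usr handling) can be applied to a SonicWall-style syslog payload. The three sample lines are constructed for illustration, the "ip:port:interface" layout of src/dst and the "YYYY-MM-DD HH:MM:SS" time format are assumptions about the appliance output, and where the table leaves precedence open (msg versus appcat for the summary) the choice made here is the script's own. Running it against a few real lines from your appliance is a quick way to confirm which fields actually arrive before you build detections on them.

```python
import re
from datetime import datetime, timezone

# Constructed sample SonicWall-style syslog payloads (not taken from the page or a real appliance).
SAMPLE_ALLOWED = (
    'id=firewall sn=TESTSERIAL000 time="2024-01-15 10:20:30" fw=203.0.113.1 pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=192.0.2.10:51234:X0 dst=198.51.100.5:443:X1 proto=tcp/https '
    'sent=1200 rcvd=3400 usr=jdoe'
)
SAMPLE_DROP = (
    'id=firewall sn=TESTSERIAL000 time="2024-01-15 10:21:05" fw=203.0.113.1 pri=4 c=0 m=36 '
    'msg="TCP packet dropped" src=192.0.2.77:4444:X1 dst=10.0.0.5:22:X0 proto=tcp/22 '
    'fw_action="drop" rule="Block Inbound" user="Jane Doe"'
)
SAMPLE_V6 = (
    'id=firewall sn=TESTSERIAL000 time="2024-01-15 10:22:00" fw=203.0.113.1 pri=5 '
    'msg="UDP session" src=0.0.0.0:5353:X0 srcV6=2001:db8::10 dst=0.0.0.0:53:X1 dstV6=2001:db8::1 '
    'proto=udp/dns user=admin@example.com'
)

# key=value tokens; a double-quoted value may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# pri -> security_result.severity, exactly as the mapping table states.
PRI_TO_SEVERITY = {"0": "CRITICAL", "1": "CRITICAL", "2": "CRITICAL", "3": "ERROR",
                   "4": "MEDIUM", "5": "LOW", "7": "LOW", "6": "INFORMATIONAL"}

# Numeric counters -> UDM fields (both SonicWall spellings feed the same UDM field).
COUNTER_FIELDS = (("sent", "network.sent_bytes"), ("bytesOut", "network.sent_bytes"),
                  ("rcvd", "network.received_bytes"), ("bytesIn", "network.received_bytes"),
                  ("spkt", "network.sent_packets"), ("duration", "network.session_duration.seconds"))


def parse_kv(line):
    """Tokenize key=value pairs; strips the quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_endpoint(value, v6_value=""):
    """Assumed src/dst layout ip:port[:interface]; a non-empty srcV6/dstV6 supplies the IP instead."""
    parts = value.split(":") if value else []
    ip = parts[0] if parts else ""
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return (v6_value or ip), port


def to_udm(line):
    """Return a flat dict keyed by UDM path; repeated UDM fields (principal.ip, target.ip) are lists."""
    f = parse_kv(line)
    udm = {"metadata.vendor_name": "SonicWall", "metadata.product_name": "Firewall",
           "metadata.log_type": "SONIC_FIREWALL", "metadata.event_type": "GENERIC_EVENT",
           "additional.fields": {}, "principal.ip": [], "target.ip": []}
    if f.get("id"):
        udm["principal.hostname"] = udm["principal.asset.hostname"] = f["id"]
    if f.get("sn"):
        udm["additional.fields"]["SN"] = f["sn"]
    if f.get("time"):
        try:  # assumed format "YYYY-MM-DD HH:MM:SS", optionally suffixed with " UTC"
            ts = datetime.strptime(f["time"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            udm["metadata.event_timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
        except ValueError:
            pass  # unparseable time: leave the timestamp unset rather than guess
    fw = f.get("fw", "")
    if "-" in fw:  # table rule: a hyphenated fw value becomes a label, not an IP
        udm["additional.fields"]["fw"] = fw
    elif fw:
        udm["principal.ip"].append(fw)
    src_ip, src_port = split_endpoint(f.get("src", ""), f.get("srcV6", ""))
    dst_ip, dst_port = split_endpoint(f.get("dst", ""), f.get("dstV6", ""))
    if src_ip:
        udm["principal.ip"].append(src_ip)
    if src_port is not None:
        udm["principal.port"] = src_port
    if dst_ip:
        udm["target.ip"].append(dst_ip)
    if dst_port is not None:
        udm["target.port"] = dst_port
    for key, udm_key in COUNTER_FIELDS:
        if f.get(key, "").isdigit():
            udm[udm_key] = int(f[key])
    if f.get("pri") in PRI_TO_SEVERITY:
        udm["security_result.severity"] = PRI_TO_SEVERITY[f["pri"]]
    proto = f.get("proto", "").lower()
    if "udp" in proto:
        udm["network.ip_protocol"] = "UDP"
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif "icmp" in proto:
        udm["network.ip_protocol"] = "ICMP"
    if "https" in proto:
        udm["network.application_protocol"] = "HTTPS"
    fw_action, msg, appcat = f.get("fw_action", ""), f.get("msg", ""), f.get("appcat", "")
    if fw_action:
        udm["security_result.action_details"] = fw_action
    if fw_action == "drop" or "PROXY-ACCESS" in appcat:
        udm["security_result.action"] = "BLOCK"
    if "PROXY-ACCESS" in appcat:
        udm["security_result.category"] = "POLICY_VIOLATION"
    if appcat:
        udm["security_result.summary"] = appcat
    if msg:  # msg is the summary unless a dropped event already carries an appcat summary
        if fw_action != "drop" or not appcat:
            udm["security_result.summary"] = msg
        else:
            udm["metadata.description"] = msg
    for key, udm_key in (("rule", "security_result.rule_name"), ("appid", "security_result.rule_id"),
                         ("sec_desc", "security_result.description")):
        if f.get(key):
            udm[udm_key] = f[key]
    user = f.get("user") or f.get("usr", "")  # usr is the fallback when user is empty
    if "@" in user:
        udm["principal.user.email_addresses"] = [user]
    elif " " in user:
        udm["principal.user.user_display_name"] = user
    elif user:
        udm["principal.user.userid"] = user
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWED, SAMPLE_DROP, SAMPLE_V6):
        print(to_udm(sample))
```

Note that principal.ip is kept as a list because both fw and src feed it; when you write detections, match on the list rather than assuming a single address, and treat the "drop" line's BLOCK action and the rule name as the signals worth alerting on rather than the raw message text.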