SonicWall NGFW
  • 08 Sep 2022
About SonicWall NGFW:

SonicWall Next-Gen Firewalls (NGFW) include a range of products (NSsp, NSa, NSv, and TZ network security appliances) that provide application inspection, IDS/IPS, VPN, and traditional firewall functionality. This technology pack will process SonicWall NGFW event log messages, providing normalization, enrichment, and categorization of common events of interest.

Requirement(s):

  • SonicWall NGFW Device(s) running SonicOS version 6.5, 7.0, or later
  • Graylog Server with a valid Enterprise license, running Graylog version 4.2.5, 4.3.0, or later
  • SonicWall devices configured to send logs to Graylog via syslog
  • SonicWall devices configured to send enhanced syslog format

Stream Configuration:

This technology pack includes one stream:

  • "Illuminate:SonicWall Device Messages" (see also: About Illuminate Streams)

If this stream does not exist when the pack is activated, it is created and Illuminate routes SonicWall NGFW messages to it and to the associated index set. Do not add stream rules to this stream; routing is handled by the pack.

Index Set Configuration:

This technology pack includes one index set definition:

  • "SonicWall Device Event Log Messages" (see also: About Illuminate Index Set Definitions)

If this index set is already defined, nothing is changed. If it does not exist, it is created with default settings of daily index rotation, 90 days of retention, and 4 shards per index. Review and adjust these settings to suit your environment; the defaults say nothing about your log volume, cluster size, or retention obligations.

Log Format Example:

id=SDF2lk3rj sn=SD2342LJFS time="2022-04-22 11:02:41" fw=10.1.2.3 pri=4 c=1024 m=537 msg="Connection Closed" app=2 n=23593520 src=192.168.10.20:53323:IF0 dst=10.0.130.15:53:IF1 srcMac=00:15:5d:a1:a2:08 dstMac=f8:0f:6f:a8:a2:21 proto=udp/dns sent=85 rcvd=117 spkt=1 rpkt=1 cdur=30633 rule="3 (LAN->WAN)" fw_action="NA"

What is Provided:

  • Rules to normalize and enrich event log messages
  • A Spotlight content pack

Log Message Processing

Illuminate will identify SonicWall NGFW event log messages and add the field event_source_product with the value sonicwall_ngfw.

The Illuminate processing of SonicWall NGFW log messages provides the following:

  • Field extraction, normalization and message enrichment for SonicWall log messages
  • Graylog Schema compliance
  • GIM Categorization of the following messages:
SonicWall Event Code | gim_event_category | gim_event_subcategory | gim_event_type
---|---|---|---
10 | endpoint | endpoint.service | service error
22 | alert | alert.network alert | network alert
23 | alert | alert.network alert | network alert
24 | authentication | authentication.logoff | session disconnect
25 | alert | alert.network alert | network alert
27 | alert | alert.network alert | network alert
28 | alert | alert.network alert | network alert
31 | authentication | authentication.logon, authentication.credential validation | logon
32 | authentication | authentication.logon, authentication.credential validation | logon
33 | authentication | authentication.logon, authentication.credential validation | logon
34 | authentication | authentication.credential validation | error
81 | alert | alert.network alert | network alert
82 | alert | alert.network alert | network alert
83 | alert | alert.network alert | network alert
139 | authentication | authentication.logon, authentication.credential validation | logon
140 | authentication | authentication.logon, authentication.credential validation | logon
141 | authentication | authentication.access notice | error
150 | endpoint | endpoint.process | process stopped
151 | endpoint | endpoint.process | process stopped
177 | alert | alert.network alert | network alert
178 | alert | alert.network alert | network alert
179 | alert | alert.network alert | network alert
229 | alert | alert.network alert | network alert
237 | authentication | authentication.logon, authentication.credential validation | logon
238 | authentication | authentication.logon, authentication.credential validation | logon
243 | authentication | authentication.logon, authentication.credential validation | logon
244 | authentication | authentication.logon, authentication.credential validation | logon
245 | authentication | authentication.logon, authentication.credential validation | logon
246 | authentication | authentication.logon, authentication.credential validation | logon
248 | alert | alert.network alert | network alert
267 | alert | alert.network alert | network alert
328 | iam | iam.object modify | account renamed
437 | alert | alert.network alert | network alert
440 | endpoint | endpoint.service | configuration change
441 | endpoint | endpoint.service | configuration change
442 | endpoint | endpoint.service | configuration change
446 | alert | alert.network alert | network alert
486 | authentication | authentication.logon, authentication.credential validation | logon
506 | endpoint | endpoint.service | service stopped
508 | endpoint | endpoint.service | service stopped
527 | endpoint | endpoint.ports | port closed
528 | endpoint | endpoint.ports | port closed
538 | endpoint | endpoint.ports | port closed
546 | alert | alert.network alert | network alert
548 | alert | alert.network alert | network alert
549 | authentication | authentication.access policy | device policy violation
560 | iam | iam.object disable | account disabled
561 | iam | iam.object enable | account enabled
564 | authentication | authentication.logoff | session disconnect
580 | alert | alert.network alert | network alert
583 | alert | alert.network alert | network alert
606 | alert | alert.network alert | network alert
608 | alert | alert.network alert | network alert
609 | alert | alert.network alert | network alert
656 | authentication | authentication.credential validation | error
669 | endpoint | endpoint.service | service error
676 | endpoint | endpoint.default | endpoint message
677 | endpoint | endpoint.default | endpoint message
682 | endpoint | endpoint.default | endpoint message
701 | endpoint | endpoint.default | endpoint message
728 | endpoint | endpoint.service | service stopped
734 | endpoint | endpoint.default | endpoint message
735 | endpoint | endpoint.default | endpoint message
737 | authentication | authentication.credential validation | error
744 | authentication | authentication.access notice | error
745 | authentication | authentication.access notice | error
746 | authentication | authentication.access notice | error
747 | authentication | authentication.access notice | error
748 | authentication | authentication.access notice | error
749 | authentication | authentication.access notice | error
750 | authentication | authentication.access notice | error
751 | authentication | authentication.access notice | error
752 | authentication | authentication.access notice | error
753 | authentication | authentication.access notice | error
754 | authentication | authentication.access notice | error
755 | authentication | authentication.access notice | error
756 | authentication | authentication.access notice | error
757 | authentication | authentication.access notice | error
758 | authentication | authentication.access notice | error
759 | authentication | authentication.access notice | error
789 | alert | alert.network alert | network alert
790 | alert | alert.network alert | network alert
793 | alert | alert.network alert | network alert
794 | alert | alert.network alert | network alert
795 | alert | alert.network alert | network alert
809 | alert | alert.network alert | network alert
864 | alert | alert.network alert | network alert
866 | alert | alert.network alert | network alert
868 | alert | alert.network alert | network alert
879 | alert | alert.default | alert message
881 | endpoint | endpoint.configuration | system time changed
882 | http, network | http.communication, network.network connection | network http communication
883 | endpoint | endpoint.default | endpoint message
884 | endpoint | endpoint.default | endpoint message
885 | endpoint | endpoint.default | endpoint message
886 | endpoint | endpoint.default | endpoint message
897 | alert | alert.network alert | network alert
898 | alert | alert.network alert | network alert
904 | alert | alert.default | alert message
905 | alert | alert.default | alert message
913 | authentication | authentication.credential validation | error
987 | authentication | authentication.credential validation | error
988 | authentication | authentication.access notice | error
989 | authentication | authentication.access notice | error
990 | authentication | authentication.access notice | error
991 | authentication | authentication.access notice | error
992 | authentication | authentication.default | authentication message
993 | authentication | authentication.default | authentication message
994 | endpoint | endpoint.service | configuration change
995 | endpoint | endpoint.service | configuration change
996 | authentication | authentication.default | authentication message
997 | authentication | authentication.default | authentication message
998 | authentication | authentication.default | authentication message
999 | endpoint | endpoint.default | endpoint message
1000 | endpoint | endpoint.default | endpoint message
1001 | endpoint | endpoint.default | endpoint message
1002 | endpoint | endpoint.default | endpoint message
1003 | endpoint | endpoint.default | endpoint message
1004 | endpoint | endpoint.default | endpoint message
1005 | endpoint | endpoint.default | endpoint message
1006 | endpoint | endpoint.default | endpoint message
1011 | iam | iam.object modify | password change
1033 | authentication | authentication.access notice | error
1035 | authentication | authentication.logon, authentication.credential validation | logon
1048 | iam | iam.object modify | password change
1049 | endpoint | endpoint.filesystem | file modified
1058 | endpoint | endpoint.process | process altered
1059 | endpoint | endpoint.process | process altered
1073 | authentication | authentication.access notice | error
1075 | authentication | authentication.kerberos request | error
1076 | authentication | authentication.default | authentication message
1080 | authentication | authentication.logon, authentication.credential validation | logon
1085 | endpoint | endpoint.service | service stopped
1088 | endpoint | endpoint.service | service error
1089 | endpoint | endpoint.service | service error
1091 | alert | alert.network alert | network alert
1092 | alert | alert.network alert | network alert
1093 | alert | alert.network alert | network alert
1117 | authentication | authentication.default | authentication message
1118 | authentication | authentication.default | authentication message
1119 | authentication | authentication.default | authentication message
1120 | authentication | authentication.default | authentication message
1121 | authentication | authentication.default | authentication message
1122 | authentication | authentication.default | authentication message
1123 | authentication | authentication.default | authentication message
1157 | iam | iam.object disable | account disabled
1158 | iam | iam.object disable | account disabled
1180 | alert | alert.default | alert message
1181 | alert | alert.default | alert message
1190 | iam | iam.object modify | group member added
1191 | iam | iam.object modify | group member removed
1192 | iam | iam.object modify | group member added
1193 | iam | iam.object modify | group member removed
1198 | alert | alert.default | alert message
1199 | alert | alert.default | alert message
1200 | alert | alert.default | alert message
1201 | alert | alert.default | alert message
1202 | authentication | authentication.default | authentication message
1203 | authentication | authentication.default | authentication message
1204 | authentication | authentication.default | authentication message
1209 | alert | alert.default | alert message
1210 | alert | alert.default | alert message
1211 | alert | alert.default | alert message
1212 | alert | alert.default | alert message
1213 | alert | alert.default | alert message
1214 | alert | alert.default | alert message
1226 | http, network | http.communication, network.network connection | network http communication
1227 | authentication | authentication.access policy | account policy violation
1229 | network | network.default | network message
1231 | endpoint | endpoint.configuration | system time changed
1243 | authentication | authentication.credential validation | error
1316 | alert | alert.default | alert message
1336 | endpoint | endpoint.service | configuration change
1337 | iam | iam.object modify | password change
1338 | iam | iam.object modify | password change
1341 | authentication | authentication.default | authentication message
1342 | authentication | authentication.default | authentication message
1363 | alert | alert.default | alert message
1366 | alert | alert.default | alert message
1367 | alert | alert.default | alert message
1369 | alert | alert.network alert | network alert
1373 | alert | alert.network alert | network alert
1374 | alert | alert.network alert | network alert
1375 | alert | alert.network alert | network alert
1376 | alert | alert.network alert | network alert
1378 | alert | alert.default | alert message
1382 | endpoint | endpoint.audit | audit policy changed
1383 | endpoint | endpoint.audit | audit error
1387 | alert | alert.network alert | network alert
1393 | endpoint | endpoint.service | service stopped
1432 | endpoint | endpoint.service | configuration change
1438 | endpoint | endpoint.configuration | system configuration modified
1439 | endpoint | endpoint.configuration | system configuration modified
1440 | endpoint | endpoint.configuration | system configuration modified
1441 | endpoint | endpoint.configuration | system configuration modified
1450 | alert | alert.default | alert message
1471 | alert | alert.default | alert message
1490 | http, network | http.communication, network.network connection | network http communication
1491 | http, network | http.communication, network.network connection | network http communication
1517 | authentication | authentication.credential validation | error
1518 | alert | alert.default | alert message
1519 | alert | alert.default | alert message
1522 | endpoint | endpoint.default | endpoint message
1524 | endpoint | endpoint.default | endpoint message
1525 | endpoint | endpoint.default | endpoint message
1526 | endpoint | endpoint.default | endpoint message
1552 | authentication | authentication.credential validation | error
1553 | authentication | authentication.credential validation | error
1554 | authentication | authentication.credential validation | error
1555 | authentication | authentication.credential validation | error
1556 | authentication | authentication.credential validation | error
1557 | authentication | authentication.credential validation | error
1572 | authentication | authentication.logon, authentication.credential validation | logon
1585 | authentication | authentication.logon, authentication.credential validation | logon
1590 | endpoint | endpoint.configuration | system configuration modified
1595 | endpoint | endpoint.default | endpoint message
1596 | endpoint | endpoint.default | endpoint message
1599 | endpoint | endpoint.configuration | system configuration modified
1600 | endpoint | endpoint.configuration | system configuration modified
1601 | endpoint | endpoint.configuration | system configuration modified
1627 | iam | iam.object disable | account disabled
1632 | endpoint | endpoint.service | service stopped
1634 | endpoint | endpoint.service | service removed
1635 | endpoint | endpoint.service | service error
1636 | endpoint | endpoint.default | endpoint message
1637 | endpoint | endpoint.default | endpoint message
1640 | endpoint | endpoint.service | configuration change
1642 | endpoint | endpoint.ports | port closed
1655 | authentication | authentication.access policy | account policy violation
1674 | endpoint | endpoint.audit | audit policy changed

Events associated with the built-in Administrative account

SonicWall NGFW devices ship with a built-in administrator account. Its default name is "Admin", but it can be renamed. Some events related to this account are logged without the actual account name and refer only to "Administrator". Illuminate assigns user_name the value "Administrator" for these events, so a search for admin activity by user_name should include that literal as well as the account's configured name.

Severity Mapping

SonicWall assigns each message a vendor severity (the pri field in the enhanced syslog format, 0 to 7, following syslog priority levels). Illuminate maps it to the Graylog schema severity in the fields event_severity_level and event_severity as follows:

Vendor severity (pri) | vendor_event_severity | event_severity_level | event_severity
---|---|---|---
0 | Emergency | 5 | critical
1 | Alert | 5 | critical
2 | Critical | 5 | critical
3 | Error | 4 | high
4 | Warning | 3 | medium
5 | Notice | 2 | low
6 | Info | 1 | informational
7 | Debug | 1 | informational
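The following Python is an added example, not Illuminate's pipeline rules or any Graylog code. It shows what the processing described on this page amounts to end to end: a parser for the key=value enhanced syslog format shown in the Log Format Example, an excerpt of the GIM table keyed on the m= event code, the pri-to-severity mapping above, the "Administrator" user_name rule, and a small detection (credential-validation failures per source) run over the result. The first sample line is the page's own format example; the other sample lines, their message text, users and addresses, and every field name not given on this page (event_code, source_*, destination_*, message) are assumptions made for the example.

```python
"""Normalize SonicWall enhanced-syslog lines along the lines this page describes.

Added example, not Illuminate's own rules. Field names other than the ones the
page names (event_source_product, vendor_event_severity, event_severity_level,
event_severity, gim_event_*, user_name) are assumptions for illustration.
"""
import re
from collections import Counter

# One key=value pair; the value is either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Excerpt of the page's GIM table: SonicWall event code (m=) -> category, subcategory, type.
GIM_BY_EVENT_CODE = {
    10: ("endpoint", "endpoint.service", "service error"),
    24: ("authentication", "authentication.logoff", "session disconnect"),
    31: ("authentication", "authentication.logon,authentication.credential validation", "logon"),
    34: ("authentication", "authentication.credential validation", "error"),
    141: ("authentication", "authentication.access notice", "error"),
    538: ("endpoint", "endpoint.ports", "port closed"),
    549: ("authentication", "authentication.access policy", "device policy violation"),
    560: ("iam", "iam.object disable", "account disabled"),
    1011: ("iam", "iam.object modify", "password change"),
}

# SonicOS pri= (0..7) -> vendor severity name, and the page's event_severity_level / event_severity.
VENDOR_SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]
SEVERITY_MAP = {0: (5, "critical"), 1: (5, "critical"), 2: (5, "critical"), 3: (4, "high"),
                4: (3, "medium"), 5: (2, "low"), 6: (1, "informational"), 7: (1, "informational")}


def parse_kv(line):
    """Raw key=value fields of one enhanced-syslog line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def split_endpoint(value):
    """'ip:port:iface' | 'ip:port' | 'ip' -> (ip, port or None, iface or None).
    Splits from the right, so it is only safe for IPv4 or for full IPv6 triples."""
    parts = value.rsplit(":", 2)
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    iface = parts[2] if len(parts) > 2 else None
    return parts[0], port, iface


def normalize(line):
    """Turn one raw line into a normalized event dict."""
    raw = parse_kv(line)
    ev = {"event_source_product": "sonicwall_ngfw", "event_code": int(raw.get("m", 0)),
          "message": raw.get("msg")}
    pri = min(max(int(raw.get("pri", 6)), 0), 7)   # clamp: an out-of-range pri is a parse bug, not Debug
    ev["vendor_event_severity"] = VENDOR_SEVERITY[pri]
    ev["event_severity_level"], ev["event_severity"] = SEVERITY_MAP[pri]
    gim = GIM_BY_EVENT_CODE.get(ev["event_code"])   # unmapped codes keep only the raw fields
    if gim:
        ev["gim_event_category"], ev["gim_event_subcategory"], ev["gim_event_type"] = gim
    for key, prefix in (("src", "source"), ("dst", "destination")):
        if key in raw:
            ev[prefix + "_ip"], ev[prefix + "_port"], ev[prefix + "_interface"] = split_endpoint(raw[key])
    # Built-in admin events carry no usr= field and just say "Administrator ..." (page: user_name = "Administrator").
    if "usr" in raw:
        ev["user_name"] = raw["usr"]
    elif ev["message"] and ev["message"].startswith("Administrator"):
        ev["user_name"] = "Administrator"
    return ev


def credential_failure_sources(events, threshold):
    """Source IPs with at least `threshold` credential-validation errors: a cheap brute-force signal."""
    hits = Counter(ev["source_ip"] for ev in events
                   if ev.get("gim_event_type") == "error"
                   and "authentication.credential validation" in ev.get("gim_event_subcategory", "")
                   and "source_ip" in ev)
    return {ip for ip, n in hits.items() if n >= threshold}


# Constructed sample: line 1 is the page's format example; the rest are made up (event codes taken from
# the page's table, but message text, users, serials and addresses are invented).
SAMPLE_LINES = [
    'id=SDF2lk3rj sn=SD2342LJFS time="2022-04-22 11:02:41" fw=10.1.2.3 pri=4 c=1024 m=537 msg="Connection Closed" app=2 n=23593520 src=192.168.10.20:53323:IF0 dst=10.0.130.15:53:IF1 srcMac=00:15:5d:a1:a2:08 dstMac=f8:0f:6f:a8:a2:21 proto=udp/dns sent=85 rcvd=117 spkt=1 rpkt=1 cdur=30633 rule="3 (LAN->WAN)" fw_action="NA"',
    'id=firewall sn=0000000000 time="2022-04-22 11:03:01" fw=10.1.2.3 pri=3 c=32 m=34 msg="User login failed" usr="bob" src=203.0.113.5:51234:X1 dst=10.1.2.3:443:X1',
    'id=firewall sn=0000000000 time="2022-04-22 11:03:04" fw=10.1.2.3 pri=3 c=32 m=34 msg="User login failed" usr="alice" src=203.0.113.5:51235:X1 dst=10.1.2.3:443:X1',
    'id=firewall sn=0000000000 time="2022-04-22 11:03:07" fw=10.1.2.3 pri=3 c=32 m=34 msg="User login failed" usr="root" src=203.0.113.5:51236:X1 dst=10.1.2.3:443:X1',
    'id=firewall sn=0000000000 time="2022-04-22 11:03:09" fw=10.1.2.3 pri=3 c=32 m=34 msg="User login failed" usr="carol" src=198.51.100.7:40000:X1 dst=10.1.2.3:443:X1',
    'id=firewall sn=0000000000 time="2022-04-22 11:04:00" fw=10.1.2.3 pri=5 c=16 m=31 msg="Administrator login allowed" src=192.168.10.50:55000:X0 dst=10.1.2.3:443:X0',
]

if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LINES]
    for ev in events:
        print(ev["event_code"], ev["event_severity"], ev.get("gim_event_type"), ev.get("user_name"))
    print("sources with >=3 credential failures:", credential_failure_sources(events, 3))
```

Two points worth noticing when you run it: the page's own example (m=537) is not in the GIM table, so it comes out with severity and endpoint fields but no gim_event_* fields, which is exactly what a search on gim_event_category will silently skip; and the credential-failure count keys on the GIM subcategory rather than on message text, so it keeps working across every event code the table maps to "authentication.credential validation" without a regex per message.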

Spotlight Content Pack

The Spotlight content pack contains:

  • Dashboard: Illuminate:SonicWall NGFW Overview
    • Overview tab: summary of SonicWall device operations
    • Alerts tab: summary of SonicWall GIM-categorized alerts
    • Network tab: summary of network traffic
    • VPN tab: summary of VPN activity
  • Saved Search: Illuminate:SonicWall NGFW Alert Log Viewer
    • View SonicWall NGFW GIM-categorized security alerts
  • Saved Search: Illuminate:SonicWall NGFW Log Viewer - Filtered
    • Filter SonicWall NGFW logs by vendor severity, from the most critical level (0 - Emergency) to the least (7 - Debug)
  • Saved Search: Illuminate:SonicWall NGFW Log Viewer
    • View SonicWall NGFW event log messages
  • Saved Search: Illuminate:SonicWall NGFW VPN Log Viewer
    • View SonicWall NGFW VPN, SSL VPN, L2TP, and Portal messages
