firewall.sonicwall
Introduction
The tags beginning with firewall.sonicwall identify log events generated by the SonicWall Firewall (SonicOS).
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.sonicwall. The third level identifies the SonicOS version and must be one of general or genv58.
Therefore, the valid tags are:
Product / Service | Tags | Data tables |
---|---|---|
SonicWall general | firewall.sonicwall.general | firewall.sonicwall.general |
SonicWall genv58 | firewall.sonicwall.genv58 | firewall.sonicwall.genv58 |
For more information, read more about Devo tags.
Devo Relay rule
Then define a new rule so that all the events received on a specified port are tagged with the correct firewall.sonicwall tag:
Source port → 13020 (you can use any port that is free on your relay)
Target tag → firewall.sonicwall.xxx (where xxx is general or genv58, matching the SonicOS version of the sending firewall)
SonicWall configuration
To configure the sending of log events to a remote syslog server (in this case, the Devo Relay), see the vendor documentation.
Table structure
These are the fields displayed in these tables:
firewall.sonicwall.general
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
fwhost | | vhost | |
serverdate | | | |
host | | | |
message | | | |
id | | | |
sn | | | |
timestamp | | | |
fw | | | |
pri | | | |
c | | | |
m | | | |
msg | | | |
n | | | |
src | | | |
srcIp | | | |
srcPort | | | |
dst | | | |
dstIp | | | |
dstPort | | | |
proto | | | |
type | | | |
code | | | |
sent | | | |
rcvd | | | |
vpnpolicy | | | |
unknown | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | message | ✓ |
firewall.sonicwall.genv58
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
id | | | |
sn | | | |
time | | | |
vp_time | | | |
fw | | | |
pri | | | |
c | | | |
m | | | |
msg | | | |
f | | | |
app | | | |
appName | | | |
sess | | | |
dur | | | |
af_policy | | | |
af_action | | | |
category | | | |
url | | | |
n | | | |
usr | | | |
user | | | |
if | | | |
srcV6 | | | |
src | | | |
srcIp | | | |
srcPort | | | |
srcNet | | | |
srcResName | | | |
dstV6 | | | |
dst | | | |
dstIp | | | |
dstPort | | | |
dstNet | | | |
dstResName | | | |
srcMac | | | |
dstMac | | | |
proto | | | |
uuid | | | |
op | | | |
sent | | | |
rcvd | | | |
result | | | |
dstname | | | |
arg | | | |
sid | | | |
ipscat | | | |
ipspri | | | |
appcat | | | |
appid | | | |
catid | | | |
code | | | |
Category | | | |
spkt | | | |
rpkt | | | |
cdur | | | |
dpi | | | |
vpnpolicy | | | |
ucastRx | | | |
bcastRx | | | |
bytesRx | | | |
ucastTx | | | |
bcastTx | | | |
bytesTx | | | |
radio | | | |
station | | | |
goodRxBytes | | | |
goodTxBytes | | | |
type | | | |
icmpCode | | | |
rule | | | |
fw_action | | | |
note | | | |
agent | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | message | ✓ |
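As an added example (not Devo's own parser), the following Python turns a constructed SonicOS key=value syslog line into the column layout shared by the firewall.sonicwall.general and firewall.sonicwall.genv58 tables above, so you can check what a relay-forwarded event will look like before it reaches Devo. The sample line, the split of src/dst into Ip/Port columns, the mapping of the time key to the timestamp column, the set of numeric columns and the use of unknown for unrecognised keys are all assumptions, since the page does not reproduce the Type column or the parser rules.

```python
import re
from typing import Any, Dict

# Constructed sample event in the SonicOS key=value syslog layout (not a real capture).
SAMPLE = ('id=firewall sn=0017C5XXXXXX time="2024-03-05 14:22:10 UTC" fw=203.0.113.10 '
          'pri=6 c=1024 m=537 msg="Connection Closed" n=48213 '
          'src=192.0.2.25:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https '
          'sent=1184 rcvd=5320 vpnpolicy="" customKey=xyz')

# Columns of firewall.sonicwall.general that arrive as same-named key=value pairs
# ("time" is assumed to feed the timestamp column). Anything else goes to "unknown".
KNOWN_KEYS = {"id", "sn", "time", "fw", "pri", "c", "m", "msg", "n", "src", "dst",
              "proto", "type", "code", "sent", "rcvd", "vpnpolicy"}
INT_KEYS = {"pri", "c", "m", "n", "type", "code", "sent", "rcvd"}  # assumed numeric

# One pair is key=<double-quoted string, backslash escapes allowed> or key=<non-blank run>.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def split_endpoint(prefix: str, value: str) -> Dict[str, Any]:
    """Break a SonicOS 'ip:port:iface' endpoint into <prefix>Ip / <prefix>Port columns."""
    parts = value.split(":")
    out: Dict[str, Any] = {prefix: value, prefix + "Ip": parts[0]}
    # The port is optional (ICMP events carry only the address); keep it only when numeric.
    if len(parts) > 1 and parts[1].isdigit():
        out[prefix + "Port"] = int(parts[1])
    return out


def parse_sonicwall(line: str) -> Dict[str, Any]:
    """Parse one SonicOS syslog body into the column names of the tables above."""
    row: Dict[str, Any] = {"rawMessage": line, "unknown": {}}
    for key, raw in KV_RE.findall(line):
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        if key not in KNOWN_KEYS:
            row["unknown"][key] = value      # keep, never drop, unrecognised keys
        elif key in ("src", "dst"):
            row.update(split_endpoint(key, value))
        elif key in INT_KEYS and value.isdigit():
            row[key] = int(value)
        else:
            row["timestamp" if key == "time" else key] = value
    return row


if __name__ == "__main__":
    for column, value in parse_sonicwall(SAMPLE).items():
        print(f"{column:>10}: {value}")
```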