firewall.sonicwall
- Juan Tomás Alonso Nieto (Deactivated)
- Former user (Deleted)
- Sarah Bigault (Deactivated)
Introduction
The tags beginning with firewall.sonicwall identify log events generated by the SonicWall Firewall (SonicOS).
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.Â
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.sonicwall. The third level identifies the SonicOS version and must be one of general or genv58.Â
Therefore, the valid tags are:
Product / Service | Tags | Data tables |
|---|---|---|
SonicWall general |
|
|
|
|
For more information, read more about Devo tags.
Devo Relay rule
Then you should define a new rule where all the events received on a specified port are tagged with the correct firewall.sonicwall tag.
Source port →
13020 (you can use any port that is free on your relay)Target tag →
firewall.sonicwall.xxx(xxxcorresponding to yourgeneralorgenv58tag)
SonicWall configuration
To configure the sending of log events to a remote syslog server (in this case, the Devo Relay), see the vendor documentation.
Table structure
These are the fields displayed in these tables:
firewall.sonicwall.general
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
fwhost |
| vhost | Â |
serverdate |
| Â | Â |
host |
| Â | Â |
message |
| Â | Â |
id |
| Â | Â |
sn |
| Â | Â |
timestamp |
| Â | Â |
fw |
| Â | Â |
pri |
| Â | Â |
c |
| Â | Â |
m |
| Â | Â |
msg |
| Â | Â |
n |
| Â | Â |
src |
| Â | Â |
srcIp |
| Â | Â |
srcPort |
| Â | Â |
dst |
| Â | Â |
dstIp |
| Â | Â |
dstPort |
| Â | Â |
proto |
| Â | Â |
type |
| Â | Â |
code |
| Â | Â |
sent |
| Â | Â |
rcvd |
| Â | Â |
vpnpolicy |
| Â | Â |
unknown |
| Â | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
rawMessage |
| message | ✓ |
firewall.sonicwall.genv58
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
id |
| Â | Â |
sn |
| Â | Â |
time |
| Â | Â |
vp_time |
| Â | Â |
fw |
| Â | Â |
pri |
| Â | Â |
c |
| Â | Â |
m |
| Â | Â |
msg |
| Â | Â |
f |
| Â | Â |
app |
| Â | Â |
appName |
| Â | Â |
sess |
| Â | Â |
dur |
| Â | Â |
af_policy |
| Â | Â |
af_action |
| Â | Â |
category |
| Â | Â |
url |
| Â | Â |
n |
| Â | Â |
usr |
| Â | Â |
user |
| Â | Â |
if |
| Â | Â |
srcV6 |
| Â | Â |
src |
| Â | Â |
srcIp |
| Â | Â |
srcPort |
| Â | Â |
srcNet |
| Â | Â |
srcResName |
| Â | Â |
dstV6 |
| Â | Â |
dst |
| Â | Â |
dstIp |
| Â | Â |
dstPort |
| Â | Â |
dstNet |
| Â | Â |
dstResName |
| Â | Â |
srcMac |
| Â | Â |
dstMac |
| Â | Â |
proto |
| Â | Â |
uuid |
| Â | Â |
op |
| Â | Â |
sent |
| Â | Â |
rcvd |
| Â | Â |
result |
| Â | Â |
dstname |
| Â | Â |
arg |
| Â | Â |
sid |
| Â | Â |
ipscat |
| Â | Â |
ipspri |
| Â | Â |
appcat |
| Â | Â |
appid |
| Â | Â |
catid |
| Â | Â |
code |
| Â | Â |
Category |
| Â | Â |
spkt |
| Â | Â |
rpkt |
| Â | Â |
cdur |
| Â | Â |
dpi |
| Â | Â |
vpnpolicy |
| Â | Â |
ucastRx |
| Â | Â |
bcastRx |
| Â | Â |
bytesRx |
| Â | Â |
ucastTx |
| Â | Â |
bcastTx |
| Â | Â |
bytesTx |
| Â | Â |
radio |
| Â | Â |
station |
| Â | Â |
goodRxBytes |
| Â | Â |
goodTxBytes |
| Â | Â |
type |
| Â | Â |
icmpCode |
| Â | Â |
rule |
| Â | Â |
fw_action |
| Â | Â |
note |
| Â | Â |
agent |
| Â | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
rawMessage |
| message | ✓ |