Sonicwall
LogZilla App Store application: Sonicwall
Overview
SonicWall SonicOS is a security-focused operating system for SonicWall next-generation firewalls. SonicOS devices provide stateful packet inspection, deep packet inspection, application control, and intrusion prevention. Devices generate syslog messages for traffic flows, security events, and firewall actions.
App Function
- Parse SonicWall syslog messages in space-separated key-value format
- Extract metadata tags for filtering and analysis
- Normalize timestamps by removing redundant time fields
- Set the Event Class tag for cross-vendor categorization
- Provide dashboards for monitoring traffic, actions, and application usage
Vendor Documentation
Device Configuration
Configure SonicWall to send syslog messages to LogZilla:
- Log into the SonicWall management interface
- Navigate to Log > Syslog
- In the Syslog Servers section, click Add
- Configure the following settings:
  - Name or IP Address: LogZilla server IP address
  - Port: 514 (default) or custom syslog port
- In Syslog Settings, set Syslog Format to Default
- Click Accept to save
Verification
Generate test traffic or trigger a configuration change, then verify events
appear in LogZilla with the program name SonicWall.
Incoming Log Format
SonicWall SonicOS uses space-separated key-value pairs:
```text
sn=<serial> time="<timestamp>" fw=<ip> pri=<priority> c=<category> m=<msg_id> msg="<message>" src=<src_ip>:<port>:<intf> dst=<dst_ip>:<port>:<intf> proto=<protocol>/<service> fw_action="<action>"
```
- sn - Device serial number
- time - Event timestamp (removed during parsing)
- fw - Firewall IP address
- pri - Syslog priority
- c - Event category
- m - Message ID
- msg - Event description
- src/dst - Source/destination IP:port:interface
- proto - Protocol and service
- fw_action - Firewall action taken
Parsed Metadata Fields
Primary Fields
| Tag Name | Example | Description |
|---|---|---|
| SrcIP | 192.168.168.10 | Source IP address |
| DstIP | 172.27.14.5 | Destination IP address |
| Action | allow | Action taken by firewall |
| User | jsmith | Username |
| Event Class | network | Cross-vendor event classification |
| SonicWall App Category | Web Applications | Application category |
| SonicWall App Name | General TCP | Application name |
| SonicWall Category | Online Banking | Content category |
| SonicWall Rule | 22 (LAN->WAN) | Firewall rule match |
| SrcMAC | 98:90:96:de:f1:78 | Source MAC address |
| DstMAC | ec:f4:bb:fb:f7:f6 | Destination MAC address |
| Protocol | TCP | Transport protocol |
| DstPort | https | Destination port service name |
Log Examples
Connection Opened
```text
sn=C0EAE48F5084 fw=209.106.205.33 pri=6 c=262144 m=98 msg="Connection Opened" app=49169 appName="General DNS" n=1157227522 src=10.10.24.11:63045:X16-V5 dst=8.8.8.8:53:X1 dstMac=04:62:73:2c:02:00 proto=udp/dns sent=120 dpi=1 rule="22 (LAN->WAN)" fw_action="NA"
```
Connection Closed
```text
sn=0017C5178994 time="2018-02-06 16:11:09" fw=64.107.153.15 pri=6 c=1024 m=537 msg="Connection Closed" f=2 n=11782330 src=192.168.97.214:60622:X0-V999 dst=172.27.14.5:53:X0-V51 proto=udp/dns sent=56 rcvd=146
```
Web Traffic with Category
```text
sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 pri=6 c=1024 m=97 app=48 n=9 src=192.168.168.10:52589:X0 dst=69.192.240.232:443:X1 srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 dstname=www.suntrust.com Category="Online Banking"
```
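The following parser illustrates the key-value format described under Incoming Log Format and the tag extraction shown in the Log Examples above. It is an added example, not LogZilla's own parsing rules: tag names follow this page's table, the `usr` key for the username is assumed, and src/dst values are assumed to be IPv4 ip:port:interface.

```python
import re
from typing import Dict, Tuple

# One SonicOS key=value token: the value is either a double-quoted string
# (which may contain spaces) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Raw SonicOS key -> LogZilla tag name for keys that map one-to-one. The keys
# come from the log examples on this page; "usr" is an assumed username key.
_DIRECT_TAGS = {
    "appName": "SonicWall App Name",
    "Category": "SonicWall Category",
    "rule": "SonicWall Rule",
    "srcMac": "SrcMAC",
    "dstMac": "DstMAC",
    "usr": "User",
}

def parse_kv(line: str) -> Dict[str, str]:
    """Split a SonicOS syslog line into its raw key/value pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def _split_endpoint(value: str) -> Tuple[str, str, str]:
    """src/dst look like ip:port:interface (IPv4); trailing parts may be absent."""
    parts = value.split(":") + ["", ""]
    return parts[0], parts[1], parts[2]

def extract_tags(line: str) -> Dict[str, str]:
    """Derive the metadata tags listed on this page from one syslog line."""
    kv = parse_kv(line)
    kv.pop("time", None)  # redundant with the syslog header timestamp
    tags: Dict[str, str] = {}
    for key, tag in _DIRECT_TAGS.items():
        if key in kv:
            tags[tag] = kv[key]
    if "src" in kv:
        tags["SrcIP"] = _split_endpoint(kv["src"])[0]
    if "dst" in kv:
        tags["DstIP"], tags["DstPort"], _ = _split_endpoint(kv["dst"])
    if "proto" in kv:
        proto, _, service = kv["proto"].partition("/")
        tags["Protocol"] = proto.upper()
        if service:  # the service name (e.g. https) is what the DstPort tag shows
            tags["DstPort"] = service
    action = kv.get("fw_action", "NA")
    if action != "NA":  # "NA" carries no verdict, so it is not tagged as Action
        tags["Action"] = action
    return tags
```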
MITRE ATT&CK Mappings
| Event | MITRE ID | Tactic |
|---|---|---|
| Traffic blocked (drop/deny) | T1071 | Command and Control |
| Port/network scan detected | T1046 | Discovery |
| Flood attack detected | T1499 | Impact |
| Malware detected | T1204 | Execution |
Triggers
| Trigger | Description |
|---|---|
| SonicWall: MITRE ATT&CK Threat Detected | Any MITRE-mapped threat |
| SonicWall: Traffic Blocked (T1071) | Blocked traffic (C2/exfiltration) |
| SonicWall: High Severity Event | Priority 0-3 events |
| SonicWall: Malware or Phishing Detected | Malware/phishing/spyware category |
| SonicWall: VPN/User Activity | Events with user authentication |