Sonicwall


LogZilla App Store application: Sonicwall

Overview

SonicWall SonicOS is the operating system for SonicWall NSa, NSsp, NSv and TZ firewall appliances. SonicOS 6.x and 7.x emit syslog events for traffic flows, SSL VPN authentication, application control, content filtering, geo-IP blocking, and IPv6 anomalies. The parser handles the Default (key=value) syslog format and normalizes events into LogZilla tags for cross-vendor dashboards and triggers.

App Function

  • Parse SonicWall Default-format syslog from SonicOS 6.x and 7.x
  • Detect SonicWall traffic by message content, so a customized "Syslog ID" on the firewall does not break parsing
  • Extract source/destination IPs, MACs, ports, zones, NAT, applications, rules, and content-filter categories
  • Classify events by message ID into Auth / Network / Security / Web Event Classes and apply compliance framework tags
  • Strip vendor-embedded timestamp and per-event sequence counter to enable deduplication of repeated events

Vendor Documentation

Device Configuration

Configure the SonicWall to send syslog to LogZilla:

  1. Log into the SonicWall management interface
  2. Navigate to Device > Log > Syslog (SonicOS 7.x) or Log > Syslog (SonicOS 6.x)
  3. Under Syslog Servers, click Add
  4. Configure:
    • Name or IP Address: LogZilla server IP
    • Port: 514 (default) or any port LogZilla is listening on
    • Server Type: Syslog Server
  5. Under Syslog Settings, set:
    • Syslog Format: Default
    • Syslog Facility: Local Use 0 (or any local facility)
    • Syslog ID: leave as firewall (the default), or set it to a custom value. The parser detects SonicWall events by message content, so any value works.
  6. Click Accept / Save to apply

Verification

After saving, verify events appear in LogZilla under the program name SonicWall with the Vendor: SonicWall user tag.

Incoming Log Format

SonicWall Default-format messages are space-separated key=value pairs. The program field carries the configured Syslog ID (id=<value>) and the message body begins at sn=:

```text
sn=<serial> time="<ts>" fw=<fw_ip> pri=<n> c=<category_id> gcat=<group>
m=<msg_id> msg="<text>" src=<ip>:<port>:<intf> srcZone=<zone>
natSrc=<ip>:<port> dst=<ip>:<port>:<intf> dstZone=<zone>
natDst=<ip>:<port> usr="<user>" proto=<proto>/<svc>
rule="<rule_name>" app=<id> appName='<app>' n=<seq>
fw_action="<action>"
```

Common fields:

| Field | Description |
|---|---|
| sn | Device serial number |
| time | Vendor timestamp (stripped from the message during parsing) |
| fw | Firewall public/management IP |
| pri | SonicWall internal priority (0=emergency .. 7=debug) |
| c | Numeric category code |
| gcat | Group category (2=network access, 3=geo-ip, 4=ssl-vpn, 6=traffic, 10=app-rules, 13=ssl-vpn-client) |
| m | Message ID (drives Event Class / Type classification) |
| src / dst | IP:port:interface tuples |
| srcZone / dstZone | SonicWall security zone (LAN, WAN, SSLVPN, DMZ) |
| natSrc / natDst | Post-NAT addresses |
| usr | Authenticated user (Unknown if unauthenticated) |
| proto | Protocol family and service (tcp/https, udp/dns) |
| fw_action | Firewall verdict (forward, drop, deny, NA) |
| n | Per-event sequence counter (stripped to enable deduplication) |

Parsed Metadata Fields

Cross-Vendor Tags

| Tag | Source | Example |
|---|---|---|
| Vendor | constant | SonicWall |
| Product | constant | Firewall |
| Event Class | derived from m= | Network, Security, Auth, Web |
| Event Type | derived from m= + fw_action | Access Control, Session, Policy Violation, Threat |
| Action | fw_action= | forward, drop, NA |
| SrcIP / DstIP | src= / dst= | 192.168.1.10 |
| DstPort | translated by name | https, domain, dynamic |
| SrcInt / DstInt | interface portion of src= / dst= | X0, X4 |
| SrcMAC / DstMAC | srcMac= / dstMac= | 00:00:5e:00:53:01 |
| Protocol | proto= | TCP, UDP, ICMP |
| User | usr= (skipped when "Unknown") | user1 |
| Domain | dstname= | www.example.com |
| MitreId / MITRE Tactic | derived from m= | T1071 / Command and Control |
| Compliance - <framework> | derived from Event Type | 1 |

Vendor-Specific Tags

| Tag | Source | Example |
|---|---|---|
| SrcZone / DstZone | srcZone= / dstZone= | LAN, WAN, SSLVPN |
| SonicWall App Name | appName= | General HTTPS |
| SonicWall App Category | appcat= | BUSINESS-APPS Microsoft Office 365 |
| SonicWall Category | Category= | Information Technology/Computers |
| SonicWall Rule | rule= | Default Access Rule |

High-Cardinality Tags

The following tags can grow to thousands of unique values across a large deployment and are stored on disk:

  • SrcIP, DstIP
  • SrcMAC, DstMAC
  • User
  • Domain

Event Class / Type Mapping

| m= | Description | Event Class | Event Type |
|---|---|---|---|
| 98 | Connection Opened | Network (Security if blocked) | - / Access Control |
| 537 | Connection Closed | Network (Security if blocked) | - / Access Control |
| 97 | Web site hit | Web | - |
| 263 | SSL VPN logout | Auth | Session |
| 580 | TCP SYN/FIN dropped | Security | Access Control |
| 793 | App Rules Alert | Security | Policy Violation |
| 1080 | SSL VPN remote login | Auth | Session |
| 1153 | SSL VPN session activity | Auth | Session |
| 1154 | App Control Detection Alert | Security | Policy Violation |
| 1199 | Geo-IP responder blocked | Security | Access Control |
| 1430 | IPv6 extension header | Network | - |
| 14 | IPS Detection Alert | Security | Threat |
| 608 | Possible scan/flood | Security | Threat |
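As an added example (not LogZilla's own parser code), the following Python sketch walks through the normalization described in the Incoming Log Format section and the mapping table above: it tokenizes a Default-format key=value line (double-quoted, single-quoted and bare values, plus ip:port:interface tuples with a possibly empty port), detects SonicWall messages by content rather than by the Syslog ID, classifies by m=, and strips time= and n= so repeated events share one dedup key. The sample lines are constructed from the formats on this page; the "-" fallback for message IDs outside the table is an assumption of this example.

```python
import re

_KV = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S*))")

# (Event Class, Event Type) by message ID, from this page's mapping table.
EVENT_MAP = {"98": ("Network", "-"), "537": ("Network", "-"), "97": ("Web", "-"),
             "263": ("Auth", "Session"), "580": ("Security", "Access Control"),
             "793": ("Security", "Policy Violation"), "1080": ("Auth", "Session"),
             "1153": ("Auth", "Session"), "1154": ("Security", "Policy Violation"),
             "1199": ("Security", "Access Control"), "1430": ("Network", "-"),
             "14": ("Security", "Threat"), "608": ("Security", "Threat")}

def parse_kv(line):
    """Tokenize a line; values are bare, "double-quoted" or 'single-quoted' (appName)."""
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in _KV.finditer(line)}

def split_endpoint(value):
    """src=/dst= carry ip:port:interface; port may be empty (SSL VPN events)."""
    ip, port, intf = value.rsplit(":", 2) if value.count(":") >= 2 else (value, "", "")
    return ip or None, port or None, intf or None

def normalize(line):
    """Return (tags, dedup_key), or None if the line is not SonicWall (no sn=/m=)."""
    f = parse_kv(line)
    if "sn" not in f or "m" not in f:   # detect by content, not by Syslog ID
        return None
    action = f.get("fw_action")
    cls, typ = EVENT_MAP.get(f["m"], ("-", "-"))  # assumption: unmapped IDs stay "-"
    if f["m"] in ("98", "537") and action in ("drop", "deny"):   # "Security if blocked"
        cls, typ = "Security", "Access Control"
    src_ip, _, src_int = split_endpoint(f.get("src", ""))
    dst_ip, _, dst_int = split_endpoint(f.get("dst", ""))
    tags = {"Vendor": "SonicWall", "Product": "Firewall", "Event Class": cls,
            "Event Type": typ, "Action": action, "SrcIP": src_ip, "DstIP": dst_ip,
            "SrcInt": src_int, "DstInt": dst_int, "Protocol": f.get("proto", "/").split("/")[0].upper() or None}
    if f.get("usr") and f["usr"] != "Unknown":  # "Unknown" means unauthenticated
        tags["User"] = f["usr"]
    # time= and n= differ on every repeat; dropping them lets identical events dedupe.
    dedup_key = " ".join(f"{k}={v}" for k, v in f.items() if k not in ("time", "n"))
    return tags, dedup_key

# Constructed samples in the format shown on this page (RFC 5737 addresses).
OPENED = ('sn=0040104B0001 time="2026-01-15 10:34:10" fw=203.0.113.1 pri=6 m=98 '
          'msg="Connection Opened" src=192.168.1.10:59112:X0 srcZone=LAN dst=198.51.100.20:53:X4 '
          "usr=\"Unknown\" proto=udp/dns appName='General DNS' n=109246078 fw_action=\"forward\"")
VPN = ('sn=0040104B0001 time="2026-01-15 12:36:59" fw=203.0.113.1 pri=6 c=0 gcat=4 m=1080 '
       'msg="SSL VPN zone remote user login allowed" src=198.51.100.60::X4 '
       'dst=203.0.113.1::X4 usr="user1" n=153 fw_action="NA"')
```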

Log Examples

All examples use synthetic IPs (RFC 5737), MACs (RFC 7042), and a placeholder serial.

Connection Opened (m=98) - SonicOS 7 with custom Syslog ID

```text
id=tz470 sn=0040104B0001 time="2026-01-15 10:34:10" fw=203.0.113.1 pri=6
c=262144 gcat=6 m=98 msg="Connection Opened"
src=192.168.1.10:59112:X0 srcZone=LAN natSrc=203.0.113.1:49147
dstMac=00:00:5e:00:53:01 dst=198.51.100.20:53:X4 dstZone=WAN
natDst=198.51.100.20:53 usr="Unknown" proto=udp/dns sent=82
rule="Default Access Rule" app=49169 appName='General DNS'
n=109246078 fw_action="forward" dpi=1
```

Connection Closed (m=537) - SonicOS 6 with default Syslog ID

```text
id=firewall sn=0040104B0001 time="2026-01-15 10:34:10" fw=203.0.113.1
pri=6 c=1024 m=537 msg="Connection Closed"
srcMac=00:00:5e:00:53:02 src=192.168.1.55:57897:X0
dstMac=00:00:5e:00:53:01 dst=198.51.100.21:443:X4 usr="Unknown"
proto=tcp/https sent=14063 rcvd=8283 rule="Default Access Rule"
app=49177 appName='General HTTPS' n=112742081 fw_action="NA" dpi=1
```

Web Site Hit with Content Filter Category (m=97)

```text
id=tz470 sn=0040104B0001 time="2026-01-15 10:34:10" fw=203.0.113.1 pri=6
c=1024 gcat=2 m=97 msg="Web site hit"
src=192.168.1.40:53525:X0 srcZone=LAN dst=198.51.100.40:80:X4
dstZone=WAN proto=tcp/http rule="Default Access Rule"
dstname=www.example.com Category="Information Technology/Computers"
n=13446700 fw_action="forward"
```

SSL VPN Login (m=1080)

```text
id=tz470 sn=0040104B0001 time="2026-01-15 12:36:59" fw=203.0.113.1 pri=6
c=0 gcat=4 m=1080 msg="SSL VPN zone remote user login allowed"
src=198.51.100.60::X4 dst=203.0.113.1::X4 usr="user1" sess="GMS" dur=0
note="user1 via Client from 198.51.100.60" n=153 fw_action="NA"
```

Geo-IP Responder Block (m=1199)

```text
id=tz470 sn=0040104B0001 time="2026-01-15 10:35:23" fw=203.0.113.1 pri=1
c=0 gcat=3 m=1199 src=192.168.1.77:50479:X0 srcZone=LAN
dst=198.51.100.70:443:X4 dstZone=WAN proto=tcp/https
rule="Block Inbound" app=49177 appName='General HTTPS'
msg="Responder from country blocked: Responder IP:198.51.100.70 Country Name:Reserved"
n=514722 fw_action="drop"
```

App Rules Alert (m=793)

```text
id=tz470 sn=0040104B0001 time="2026-01-15 10:38:08" fw=203.0.113.1 pri=1
c=16 gcat=10 m=793 src=192.168.1.42:16327:X0 srcZone=LAN
dst=198.51.100.80:80:X4 dstZone=WAN proto=tcp/http
rule="Default Access Rule" app=49175 appName='General HTTP'
msg="App Rules Alert" af_polid=1 af_policy="Block TLD"
af_type="HTTP Client Request" af_service="HTTP" af_action="Reset/Drop"
n=46694 fw_action="NA"
```

Dashboards

A single dashboard, SonicWall, ships with the app and shows:

  • Today's blocked / security / SSL VPN counts
  • Events per second and event-class breakdown over time
  • Source / destination zones and protocols
  • Top source / destination IPs and ports
  • Top web hosts, applications, content filter categories
  • Top access rules, SSL VPN users, MITRE tactics
  • Recent events search widget

Triggers

| Trigger | Fires on |
|---|---|
| SonicWall: Outbound Security Block | LAN-sourced traffic blocked by security policy (geo-IP, ACL deny) |
| SonicWall: App Rules Block | Application firewall block (m=793, m=1154) |
| SonicWall: SSL VPN Login | SSL VPN authentication / session events |
| SonicWall: Inbound Connection Blocked | WAN-sourced traffic dropped/denied/rejected |
| SonicWall: High Severity Event | Syslog severity 0-3 |