SonicOS
Rule Function
This rule sets up SonicWall meta tags and normalizes the date/time from the message portion of the logged event.
Vendor Documentation
SonicWall™ SonicOS 6.2.5 / 6.2.7 / 6.2.9 Log Events
Incoming Log Format
The log format is comprised of space-separated key-value fields.
User Tags
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| ☑ | appcat |
appcat |
eth0 |
application category |
| ☑ | appName |
appName |
General TCP |
application name |
| ☑ | msg |
msg |
Connection Closed |
message type |
| ☑ | fw_action |
fw_action |
NA |
action taken by the firewall |
| ☑ | Category |
Category |
Online Banking |
category of request |
| ☑ | rule |
rule |
22 (LAN->WAN) |
firewall rule match |
src |
192.168.168.10:52589:X0 |
source IP address | ||
dst |
172.27.14.5:53:X0-V51 |
destination IP address | ||
srcMac |
98:90:96:de:f1:78 |
source MAC address | ||
dstMac |
ec:f4:bb:fb:f7:f6 |
destination MAC address | ||
proto |
udp/dns |
connection protocol | ||
time |
2018-02-06 16:11:09 |
datetime of request |
SonicWall does not provide documentation for the following fields:
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
sn |
0017C5178994 |
|||
fw |
64.107.153.15 |
|||
pri |
6 |
|||
c |
1024 |
|||
m |
537 |
|||
app |
48 |
|||
f |
2 |
|||
n |
11782330 |
|||
op |
1 |
|||
rcvd |
146 |
|||
result |
403 |
|||
dstname |
www.suntrust.com |
|||
arg |
/favicon.ico |
|||
code |
20 |
Log Examples
TCP connection opened
sn=C0EAE48F5084 fw=209.106.205.33 pri=6 c=262144 m=98 msg="Connection Opened" app=49169 appName="General DNS" n=1157227522 src=10.10.24.11:63045:X16-V5 dst=8.8.8.8:53:X1 dstMac=04:62:73:2c:02:00 proto=udp/dns sent=120 dpi=1 rule="22 (LAN->WAN)" fw_action="NA"
TCP connection closed
sn=0017C5178994 time="2018-02-06 16:11:09" fw=64.107.153.15 pri=6 c=1024 m=537 msg="Connection Closed" f=2 n=11782330 src=192.168.97.214:60622:X0-V999 dst=172.27.14.5:53:X0-V51 proto=udp/dns sent=56 rcvd=146
Forbidden HTTPS request
sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 pri=6 c=1024 m=97 app=48 n=9 src=192.168.168.10:52589:X0 dst=69.192.240.232:443:X1:a69-192-240-232.deploy.akamaitechnologies.com srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 dstname=www.suntrust.com arg=/favicon.ico code=20 Category="Online Banking"