

Rule Function

This rule sets up SonicWall meta tags and normalizes the date/time from the message portion of the logged event.

Vendor Documentation

SonicWall™ SonicOS 6.2.5 / 6.2.7 / 6.2.9 Log Events

Incoming Log Format

The log format consists of space-separated key=value fields. Values that contain spaces are enclosed in double quotes.

User Tags

| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| | appcat | appcat | eth0 | application category |
| | appName | appName | General TCP | application name |
| | msg | msg | Connection Closed | message type |
| | fw_action | fw_action | NA | action taken by the firewall |
| | Category | Category | Online Banking | category of request |
| | rule | rule | 22 (LAN->WAN) | firewall rule match |
| | | src | | source IP address |
| | | dst | | destination IP address |
| | | srcMac | 98:90:96:de:f1:78 | source MAC address |
| | | dstMac | ec:f4:bb:fb:f7:f6 | destination MAC address |
| | | proto | udp/dns | connection protocol |
| | | time | 2018-02-06 16:11:09 | datetime of request |

SonicWall does not provide documentation for the following fields:

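| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| | | sn | 0017C5178994 | |
| | | pri | 6 | |
| | | c | 1024 | |
| | | m | 537 | |
| | | app | 48 | |
| | | f | 2 | |
| | | n | 11782330 | |
| | | op | 1 | |
| | | rcvd | 146 | |
| | | result | 403 | |
| | | arg | /favicon.ico | |
| | | code | 20 | |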

Log Examples

TCP connection opened

sn=C0EAE48F5084 fw= pri=6 c=262144 m=98 msg="Connection Opened" app=49169 appName="General DNS" n=1157227522 src= dst= dstMac=04:62:73:2c:02:00 proto=udp/dns sent=120 dpi=1 rule="22 (LAN->WAN)" fw_action="NA"

TCP connection closed

sn=0017C5178994 time="2018-02-06 16:11:09" fw= pri=6 c=1024 m=537 msg="Connection Closed" f=2 n=11782330 src= dst= proto=udp/dns sent=56 rcvd=146 

Forbidden HTTPS request

sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw= pri=6 c=1024 m=97 app=48 n=9 src= srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 arg=/favicon.ico code=20 Category="Online Banking"
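
The key=value format and the date/time normalization described above can be exercised against the three log examples with the following Python, an added example that is not the rule's own code or SonicWall's. The names `parse_line`, `normalize_time` and `INT_FIELDS`, the choice of fields cast to integers, and treating a timestamp without a zone suffix as UTC are all assumptions.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the examples on this page (addresses are blank there).
OPENED = 'sn=C0EAE48F5084 fw= pri=6 c=262144 m=98 msg="Connection Opened" app=49169 appName="General DNS" n=1157227522 src= dst= dstMac=04:62:73:2c:02:00 proto=udp/dns sent=120 dpi=1 rule="22 (LAN->WAN)" fw_action="NA"'
CLOSED = 'sn=0017C5178994 time="2018-02-06 16:11:09" fw= pri=6 c=1024 m=537 msg="Connection Closed" f=2 n=11782330 src= dst= proto=udp/dns sent=56 rcvd=146'
FORBIDDEN = 'sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw= pri=6 c=1024 m=97 app=48 n=9 src= srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 arg=/favicon.ico code=20 Category="Online Banking"'

# One key=value token. The value is either a double-quoted string (may hold
# spaces) or a run of non-space characters, which may be empty ("fw= ").
# (?<!\S) makes a key start only at the beginning of a token.
PAIR = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S*))')
# Assumption: these fields are cast to int; the page does not specify types.
INT_FIELDS = ("pri", "c", "m", "n", "sent", "rcvd")

def parse_line(line):
    """Split one log line into {field name: value}; a repeated key keeps the last value."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted or bare
    for key in INT_FIELDS:
        value = fields.get(key, "")
        if value.isdecimal():
            fields[key] = int(value)
    return fields

def normalize_time(fields, default_tz=timezone.utc):
    """Return the event time as ISO 8601, or None when absent or malformed."""
    raw = fields.get("time")
    if not raw:
        return None  # e.g. the "Connection Opened" example carries no time field
    has_utc = raw.endswith(" UTC")
    text = raw[:-4] if has_utc else raw
    try:
        parsed = datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # caller should fall back to the receive time
    # Assumption: a timestamp without a zone suffix is interpreted as default_tz.
    return parsed.replace(tzinfo=timezone.utc if has_utc else default_tz).isoformat()

if __name__ == "__main__":
    for line in (OPENED, CLOSED, FORBIDDEN):
        event = parse_line(line)
        print(normalize_time(event), event.get("msg"), event.get("proto"))
```

Returning `None` for a missing or unparseable `time` lets the collector keep its own receive timestamp rather than indexing the event under a wrong date.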