Sonicwall
LogZilla App Store application: Sonicwall
Overview
The SonicWall SonicOS app processes firewall logs and extracts security metadata for network monitoring and analysis. The app normalizes timestamps and creates user tags for firewall actions, application identification, and traffic analysis.
Vendor Documentation
- SonicWall SonicOS 7.1 Device Settings Administration Guide
- SonicOS Standard Administrator's Guide
- SonicOS 7.1 System Administration Guide
- SonicWall Technical Documentation
Incoming Log Format
SonicWall SonicOS uses space-separated key-value pairs in its log format. Each log entry contains multiple fields providing detailed information about network traffic, security events, and firewall actions.
Parsed Metadata Fields
Primary Fields
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| ☑ | appcat | appcat | Web Applications | Application category |
| ☑ | appName | appName | General TCP | Application name |
| ☑ | msg | msg | Connection Closed | Message type |
| ☑ | fw_action | fw_action | allow | Action taken by firewall |
| ☑ | Category | Category | Online Banking | Content category |
| ☑ | rule | rule | 22 (LAN->WAN) | Firewall rule match |
| | src | src | 192.168.168.10:52589:X0 | Source IP and port |
| | dst | dst | 172.27.14.5:53:X0-V51 | Destination IP and port |
| | srcMac | srcMac | 98:90:96:de:f1:78 | Source MAC address |
| | dstMac | dstMac | ec:f4:bb:fb:f7:f6 | Destination MAC address |
| | proto | proto | udp/dns | Connection protocol |
| | time | time | 2018-02-06 16:11:09 | Event timestamp |
Additional Fields
SonicWall includes additional fields with limited documentation:
| Tagged | Field Name | Example | Likely Description |
|---|---|---|---|
| | sn | 0017C5178994 | Device serial number |
| | fw | 64.107.153.15 | Firewall IP address |
| | pri | 6 | Log priority level |
| | c | 1024 | Connection identifier |
| | m | 537 | Message identifier |
| | app | 48 | Application ID |
| | f | 2 | Flag value |
| | n | 11782330 | Session number |
| | op | 1 | Operation code |
| | rcvd | 146 | Bytes received |
| | sent | 120 | Bytes sent |
| | result | 403 | HTTP result code |
| | dstname | www.suntrust.com | Destination hostname |
| | arg | /favicon.ico | URL argument |
| | code | 20 | Event code |
High-Cardinality (HC) Tags
- src (Source IP)
- dst (Destination IP)
Log Examples
TCP Connection Opened
```text
sn=C0EAE48F5084 fw=209.106.205.33 pri=6 c=262144 m=98 msg="Connection Opened" app=49169 appName="General DNS" n=1157227522 src=10.10.24.11:63045:X16-V5 dst=8.8.8.8:53:X1 dstMac=04:62:73:2c:02:00 proto=udp/dns sent=120 dpi=1 rule="22 (LAN->WAN)" fw_action="NA"
```
TCP Connection Closed
```text
sn=0017C5178994 time="2018-02-06 16:11:09" fw=64.107.153.15 pri=6 c=1024 m=537 msg="Connection Closed" f=2 n=11782330 src=192.168.97.214:60622:X0-V999 dst=172.27.14.5:53:X0-V51 proto=udp/dns sent=56 rcvd=146
```
Forbidden HTTPS Request
```text
sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 pri=6 c=1024 m=97 app=48 n=9 src=192.168.168.10:52589:X0 dst=69.192.240.232:443:X1:a69-192-240-232.deploy.akamaitechnologies.com srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 result=403 dstname=www.suntrust.com arg=/favicon.ico code=20 Category="Online Banking"
```
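As an added illustration (not code from the LogZilla app), a small Python parser for the key=value format shown above: it handles quoted values containing spaces, splits src/dst into IP, port, interface and optional hostname, converts the byte and result counters to integers, and normalizes the time field to ISO-8601. The sample line is the Forbidden HTTPS Request example; treating a zone-less timestamp as UTC is an assumption of this example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# key=value pairs; a value is either "quoted text" (may contain spaces) or a run of non-space chars
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: the page's "Forbidden HTTPS Request" example line
SAMPLE = (
    'sn=18B1690729A8 time="2016-06-16 17:21:40 UTC" fw=10.205.123.15 pri=6 c=1024 m=97 app=48 n=9 '
    'src=192.168.168.10:52589:X0 dst=69.192.240.232:443:X1:a69-192-240-232.deploy.akamaitechnologies.com '
    'srcMac=98:90:96:de:f1:78 dstMac=ec:f4:bb:fb:f7:f6 proto=tcp/https op=1 sent=798 rcvd=12352 '
    'result=403 dstname=www.suntrust.com arg=/favicon.ico code=20 Category="Online Banking"'
)

# Fields the app tags (from the Primary Fields table)
TAGGED = ("appcat", "appName", "msg", "fw_action", "Category", "rule")


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Split one SonicOS log line into a dict; a repeated key keeps its last value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def split_endpoint(value: str) -> Dict[str, Optional[str]]:
    """Break src/dst 'ip:port:interface[:hostname]' into parts; absent parts become None."""
    parts = value.split(":", 3)
    return {k: (parts[i] if i < len(parts) else None)
            for i, k in enumerate(("ip", "port", "iface", "host"))}


def normalize_time(value: str) -> str:
    """Return 'YYYY-MM-DD HH:MM:SS[ UTC]' as ISO-8601; a zone-less time is assumed to be UTC."""
    ts = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).isoformat()


def extract_metadata(line: str) -> Dict[str, object]:
    """Tagged fields plus structured src/dst, integer counters and a normalized timestamp."""
    f = parse_sonicwall(line)
    out: Dict[str, object] = {k: f[k] for k in TAGGED if k in f}
    for ep in ("src", "dst"):
        if ep in f:
            out[ep] = split_endpoint(f[ep])
    for counter in ("sent", "rcvd", "result", "pri"):
        if f.get(counter, "").isdigit():
            out[counter] = int(f[counter])
    if "time" in f:
        out["time"] = normalize_time(f["time"])
    return out
```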