Dissect Parsing Error with Sonicwall Module [Filebeat 7.9.2]

Hi, everyone

I have found some dissect parsing errors when using the Sonicwall module of Filebeat 7.9.2. Here are some examples:

Feb 11 07:31:35 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:31:35 UTC" fw=<my-ip> pri=6 m=805 msg="Interface statistics report" n=1047533 if=U1 ucastRx=0 bcastRx=0 bytesRx=0 ucastTx=0 bcastTx=0 bytesTx=0
Feb 11 07:32:58 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:32:58 UTC" fw=<my-ip> pri=6 c=1024 m=537 msg="Connection Closed" app=49193 appName='General SNMP' n=201092856 src=<another-ip>:58911:X6 dst=<another-ip>:161:X2 srcMac=<another-mac> proto=udp/161 sent=107 rcvd=118 spkt=1 rpkt=1 dpi=1 cdur=30116 vpnpolicy="<policy>" rule="760 (SSGG->VPN)" fw_action="NA"
Feb 11 07:32:57 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:32:57 UTC" fw=<my-ip> pri=6 c=262144 m=98 msg="Connection Opened" app=49201 appName='General TCP' n=199545631 src=<another-ip>:58927:X0 dst=<another-ip>:6180:X1 proto=tcp/6180 sent=52 dpi=0 vpnpolicy="<policy>" fw_action="NA"

Sometimes, parsing is correct, for instance:

Feb 11 07:32:58 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:32:58 UTC" fw=<my-ip> pri=6 c=262144 m=98 msg="Connection Opened" app=6818 n=199545889 src=<another-ip>:62679:X9 dst=<another-ip>:53:X0 dstMac=<another-mac> proto=udp/dns sent=63 dpi=1 rule="164" fw_action="NA"

Which Sonicwall models are supported? Is it necessary to configure anything on the Sonicwall before sending information by Syslog?

Thanks in advance,

Update

I have created an issue on GitHub: Issue #24124

Rodrigo


@RdrgPorto how can I tell that the parsing is correct in the second snippet? Is it due to this stanza: msg="Connection Opened" in the text?

Hi, @wayneseymour

The parsing is correct because in Elasticsearch the document does not show a dissect parsing error and all fields of the message appear.

It is not due to msg="Connection Opened", because in the first snippet it has not parsed right with that stanza either. One difference is the field appName:

Feb 11 07:32:57 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:32:57 UTC" fw=<my-ip> pri=6 c=262144 m=98 msg="Connection Opened" app=49201 appName='General TCP' n=199545631 src=<another-ip>:58927:X0 dst=<another-ip>:6180:X1 proto=tcp/6180 sent=52 dpi=0 vpnpolicy="<policy>" fw_action="NA"
Feb 11 07:32:58 _gateway   id=firewall sn=<serial-number> time="2021-02-11 06:32:58 UTC" fw=<my-ip> pri=6 c=262144 m=98 msg="Connection Opened" app=6818 n=199545889 src=<another-ip>:62679:X9 dst=<another-ip>:53:X0 dstMac=<another-mac> proto=udp/dns sent=63 dpi=1 rule="164" fw_action="NA"

Regards
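As an added diagnostic aid (not Filebeat's dissect processor and not code from anyone in this thread), the parser below tokenises a SonicWall syslog line while tolerating the three value styles visible above: double-quoted (msg="..."), single-quoted with an embedded space (appName='General TCP') and bare tokens, and it splits src/dst into ip, port and interface. The two sample lines are constructed from the redacted examples in the thread; running it over a failing line shows whether the key=value grammar itself is ambiguous or whether only the fixed-order dissect pattern is the problem.

```python
import re
from typing import Dict, List

# One key=value pair; value is double-quoted, single-quoted or a bare token.
_KV = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Syslog prefix as emitted by the firewall: "Feb 11 07:32:57 _gateway   id=..."
_PREFIX = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")

# Constructed sample lines (placeholders copied from the thread, not real data).
SAMPLE_LINES: List[str] = [
    "Feb 11 07:32:57 _gateway   id=firewall sn=<serial-number> "
    "time=\"2021-02-11 06:32:57 UTC\" fw=<my-ip> pri=6 c=262144 m=98 "
    "msg=\"Connection Opened\" app=49201 appName='General TCP' n=199545631 "
    "src=<another-ip>:58927:X0 dst=<another-ip>:6180:X1 proto=tcp/6180 "
    "sent=52 dpi=0 vpnpolicy=\"<policy>\" fw_action=\"NA\"",
    "Feb 11 07:32:58 _gateway   id=firewall sn=<serial-number> "
    "time=\"2021-02-11 06:32:58 UTC\" fw=<my-ip> pri=6 c=262144 m=98 "
    "msg=\"Connection Opened\" app=6818 n=199545889 src=<another-ip>:62679:X9 "
    "dst=<another-ip>:53:X0 dstMac=<another-mac> proto=udp/dns sent=63 dpi=1 "
    "rule=\"164\" fw_action=\"NA\"",
]


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Parse one SonicWall syslog line into a flat dict; raise on leftovers."""
    m = _PREFIX.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    out = {"syslog_ts": m.group(1), "host": m.group(2)}
    body, pos = m.group(3), 0
    for kv in _KV.finditer(body):
        # Non-blank text between two pairs means the grammar did not cover it.
        gap = body[pos:kv.start()].strip()
        if gap:
            raise ValueError("unparsed text %r before %s=" % (gap, kv.group(1)))
        pos = kv.end()
        key = kv.group(1)
        val = next(g for g in kv.groups()[1:] if g is not None)
        out[key] = val
        if key in ("src", "dst"):
            # ip:port:iface, with port and iface optional on some messages.
            parts = val.split(":")
            out[key + "_ip"] = parts[0]
            if len(parts) > 1:
                out[key + "_port"] = parts[1]
            if len(parts) > 2:
                out[key + "_iface"] = parts[2]
    tail = body[pos:].strip()
    if tail:
        raise ValueError("trailing unparsed text %r" % tail)
    return out
```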
