Filebeat sonicwall module not parsing correctly many messages

Rodrigo_Bernardo · March 24, 2021, 3:15pm

Hello there,

Our Sonicwall generates this message:
<110> id=yyyy sn=C0EAE4F9FB00 time="2021-03-24 14:35:31 UTC" fw=xx.xx.xx.xx pri=6 c=262144 m=98 msg="Connection Opened" app=49177 appName="General HTTPS" n=218510470 src=xx.xx.xx.xx:55329:X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

and the parser does this:
observer.ingress.interface.name: X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

by doing that we lose the destination, proto and sent fields.

We are using filebeat 7.11.2

Do you have any ideas on this? Is this a bug? How do we report?

Thanks,
Rodrigo.

donasmello · March 29, 2021, 10:02pm

I have also had some parsing issues with the sonicwall module that is being pushed from the integration using fleet management. I was getting a dissect error message with every log message. I ended up starting to work on my own filbeat module since I'm hoping that we can move all of our sonicwall deployments to elastic. It works on the firewall that I have been testing on with firmware version 6.5.4.7. My first time contributing to beats and the documentation I have seen goes with the current method of creating filbeat modules vs. the new integration methods. -- at least I don't see any references to the integration fleet methods. Still plan on creating the pull request in the next day or two. I modeled mine after the Fortinet firewall integration module which works well for Fortigates and it seems much simpler than the current SonicWall one. I haven't seen any other posts indicating that someone is working on the sonicwall module so hopefully mine will be helpful

donasmello · March 29, 2021, 11:52pm

github.com

elastic/integrations/blob/master/CONTRIBUTING.md

# Contributing Guide

This page is intended for contributors to the [Package Registry](https://github.com/elastic/package-registry/) and Elastic Integrations.

## Table of Contents

* [Definitions](/docs/definitions.md) - learn basic terms used in the universe of integrations, packages, data streams
* [Sample package: Nginx](/packages/nginx) - use as an inspiration for new packages, look at files, folders, test resources
* [Developer workflow: build and test integration](/docs/developer_workflow_design_build_test_integration.md) - step-by-step guide on how to build and test an integration
* [Developer workflow: promote and release integration](/docs/developer_workflow_promote_release_integration.md) - step-by-step guide on how to promote and release an integration
* [Fine-tune integration](/docs/fine_tune_integration.md) - fill missing items, correct structure, review manifests
* [Testing and validation](/docs/testing_and_validation.md) - run the Elastic stack, use test runners
* [Tips for building integrations](/docs/tips_for_building_integrations.md) - see your local changes in Kibana, follow best practices

I did actually find this for reference if anyone stumbles on this for developing integrations. I just didn’t google very well. Will start working on this as well.

jamie.hynds · March 30, 2021, 10:59am

Thanks for working on this @donasmello. Look forward to seeing your PR!

If you have any questions on contributing just let us know. Incase you weren't aware, we have an Elastic Contributor Program to reward contributors

legoguy1000 · April 7, 2021, 10:10pm

Did u end up working this change and opening a PR?

donasmello · April 19, 2021, 3:42am

Yes I have been working on the update for the fleet integration. I haven’t opened the PR yet but was hoping to this week.

donasmello · April 24, 2021, 6:28pm

I was able to validate the logs that I collect from a lab sonicwall I have using the integration updates I made. I submitted the PR today. My first time submitting so there might be issues but hopefully anything that comes up I can work through.

github.com/elastic/integrations

Sonicwall Integration Enhancement

Type of Change: Enhancement ## What does this PR do? I was having issues with the Sonicwall integration parsing logs for Sonicwall firewalls on firmware 6.5.x. Was getting a dissect parse error for every log. I referenced the Fortinet firewall integration to update the Sonicwall firewall integration to parse Sonicwall firewall logs. Pointed a lab Sonicwall firewall to a host with the integration installed and validated log collection. ## Checklist - [x ] I have reviewed [tips for building integrations](https://github.com/elastic/integrations/blob/master/docs/tips_for_building_integrations.md) and this pull request is aligned with them. - [x ] I have verified that all data streams collect metrics or logs. - [ x] I have added an entry to my package's `changelog.yml` file. ## Author's Checklist - [ ] Validate that the sonicwall integration works via elastic-package registry using the log file method. Can use example logs in the test file. ## How to test this PR locally Follow the contributing guide and use the sonicwall integration https://github.com/elastic/integrations/blob/master/CONTRIBUTING.md ## Related issues https://discuss.elastic.co/t/filebeat-sonicwall-module-not-parsing-correctly-many-messages/268232/5

elastic:master ← donasmello:master

opened 06:25PM - 24 Apr 21 UTC

donasmello

+226 -31660

system · May 22, 2021, 8:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.