Filebeat sonicwall module not parsing correctly many messages

Hello there,

Our Sonicwall generates this message:
<110> id=yyyy sn=C0EAE4F9FB00 time="2021-03-24 14:35:31 UTC" fw=xx.xx.xx.xx pri=6 c=262144 m=98 msg="Connection Opened" app=49177 appName="General HTTPS" n=218510470 src=xx.xx.xx.xx:55329:X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

and the parser does this:
observer.ingress.interface.name: X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

by doing that we lose the destination, proto and sent fields.

We are using filebeat 7.11.2

Do you have any ideas on this? Is this a bug? How do we report?

Thanks,
Rodrigo.

I have also had some parsing issues with the sonicwall module that is being pushed from the integration using fleet management. I was getting a dissect error message with every log message. I ended up starting to work on my own filbeat module since I'm hoping that we can move all of our sonicwall deployments to elastic. It works on the firewall that I have been testing on with firmware version 6.5.4.7. My first time contributing to beats and the documentation I have seen goes with the current method of creating filbeat modules vs. the new integration methods. -- at least I don't see any references to the integration fleet methods. Still plan on creating the pull request in the next day or two. I modeled mine after the Fortinet firewall integration module which works well for Fortigates and it seems much simpler than the current SonicWall one. I haven't seen any other posts indicating that someone is working on the sonicwall module so hopefully mine will be helpful

I did actually find this for reference if anyone stumbles on this for developing integrations. I just didnā€™t google very well. Will start working on this as well.

Thanks for working on this @donasmello. Look forward to seeing your PR!

If you have any questions on contributing just let us know. Incase you weren't aware, we have an Elastic Contributor Program to reward contributors :slight_smile:

Did u end up working this change and opening a PR?

Yes I have been working on the update for the fleet integration. I havenā€™t opened the PR yet but was hoping to this week.

I was able to validate the logs that I collect from a lab sonicwall I have using the integration updates I made. I submitted the PR today. My first time submitting so there might be issues but hopefully anything that comes up I can work through.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.