Filebeat sonicwall module not parsing correctly many messages

Rodrigo_Bernardo · March 24, 2021, 3:15pm

Hello there,

Our Sonicwall generates this message:
<110> id=yyyy sn=C0EAE4F9FB00 time="2021-03-24 14:35:31 UTC" fw=xx.xx.xx.xx pri=6 c=262144 m=98 msg="Connection Opened" app=49177 appName="General HTTPS" n=218510470 src=xx.xx.xx.xx:55329:X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

and the parser does this:
observer.ingress.interface.name: X22-V2100 dst=xx.xx.xx.xx:443:X20 proto=tcp/https sent=52

by doing that we lose the destination, proto and sent fields.

We are using filebeat 7.11.2

Do you have any ideas on this? Is this a bug? How do we report?

Thanks,
Rodrigo.

donasmello · March 29, 2021, 10:02pm

I have also had some parsing issues with the sonicwall module that is being pushed from the integration using fleet management. I was getting a dissect error message with every log message. I ended up starting to work on my own filbeat module since I'm hoping that we can move all of our sonicwall deployments to elastic. It works on the firewall that I have been testing on with firmware version 6.5.4.7. My first time contributing to beats and the documentation I have seen goes with the current method of creating filbeat modules vs. the new integration methods. -- at least I don't see any references to the integration fleet methods. Still plan on creating the pull request in the next day or two. I modeled mine after the Fortinet firewall integration module which works well for Fortigates and it seems much simpler than the current SonicWall one. I haven't seen any other posts indicating that someone is working on the sonicwall module so hopefully mine will be helpful

donasmello · March 29, 2021, 11:52pm

github.com

elastic/integrations/blob/master/CONTRIBUTING.md

# Contributing Guide

This page is intended for contributors to the [Package Registry](https://github.com/elastic/package-registry/) and Elastic Integrations.

## Table of Contents

* [Definitions](/docs/definitions.md) - learn basic terms used in the universe of integrations, packages, data streams
* [Sample package: Nginx](/packages/nginx) - use as an inspiration for new packages, look at files, folders, test resources
* [Developer workflow: build and test integration](/docs/developer_workflow_design_build_test_integration.md) - step-by-step guide on how to build and test an integration
* [Developer workflow: promote and release integration](/docs/developer_workflow_promote_release_integration.md) - step-by-step guide on how to promote and release an integration
* [Fine-tune integration](/docs/fine_tune_integration.md) - fill missing items, correct structure, review manifests
* [Testing and validation](/docs/testing_and_validation.md) - run the Elastic stack, use test runners
* [Tips for building integrations](/docs/tips_for_building_integrations.md) - see your local changes in Kibana, follow best practices

I did actually find this for reference if anyone stumbles on this for developing integrations. I just didn’t google very well. Will start working on this as well.

jamie.hynds · March 30, 2021, 10:59am

Thanks for working on this @donasmello. Look forward to seeing your PR!

If you have any questions on contributing just let us know. Incase you weren't aware, we have an Elastic Contributor Program to reward contributors

legoguy1000 · April 7, 2021, 10:10pm

Did u end up working this change and opening a PR?