Logstash categorizing all Sonicwall events as "Emergency"

I am using logstash to capture syslogs from a sonicwall firewall in order to transmit to Wazuh cloud.

Our default configuration is:

input {
   syslog {
      port => "514"
      type => "sonicwall"
   }
}

output {
   file {
      path => "D:\\logstash\\logs\\logstash.log"
      codec => "json_lines"
   }
}

With the above configuration, everything in the logstash output is looking like an emergency in the log file.

I am attempting to have logstash reflect the correct priority from the sonicwall but I'm not sure how to do this, so I engaged ChatGPT, which has directed me to grok filters. I have modified my conf file and gotten different output, but it doesn't seem to be quite what I need.

Before making the ChatGPT changes, the output of the logstash log looked similar to this:

`{"log":{"syslog":{"facility":{"name":"kernel","code":0},"priority":0,"severity":{"name":"Emergency","code":0}}},"@timestamp":"2024-12-10T17:25:55.532395300Z","type":"sonicwall",`

After the ChatGPT changes, the output looks similar to this:

`{"event":{"original":"<129>  id=TZ670    sn=2CB8ED6CF06C time=\"2025-02-10 08:57:52\" fw=xxx.xxx.xxx.xxx pri=1 c=0 gcat=3 m=1199 srcMac=a4:bb:6d:9c:43:04 src=192.168.1.47:51052:X0 srcZone=LAN natSrc=xxx.xxx.xxx.xxx:7917 dstMac=2c:b8:ed:6c:f0:6c dst=40.100.141.162:443:X6 dstZone=WAN natDst=40.100.141.162:443 proto=tcp/https rcvd=52 rule=\"Custom Access Rule_22\" app=11 msg=\"Responder from country blocked: Responder IP:40.100.141.162 Country Name:India\" n=16482 fw_action=\"drop\""},"tags":["_grokparsefailure_sysloginput","_grokparsefailure"],"@timestamp":"2025-02-10T14:57:52.402129500Z","type":"sonicwall","log":{"syslog":{"facility":{"code":0,"name":"kernel"},"severity":{"code":0,"name":"Emergency"},"priority":0}},"message":"<129>  id=TZ670    sn=2CB8ED6CF06C time=\"2025-02-10 08:57:52\" fw=xxx.xxx.xxx.xxx pri=1 c=0 gcat=3 m=1199 srcMac=a4:bb:6d:9c:43:04 src=192.168.1.47:51052:X0 srcZone=LAN natSrc=xxx.xxx.xxx.xxx:7917 dstMac=2c:b8:ed:6c:f0:6c dst=40.100.141.162:443:X6 dstZone=WAN natDst=40.100.141.162:443 proto=tcp/https rcvd=52 rule=\"Custom Access Rule_22\" app=11 msg=\"Responder from country blocked: Responder IP:40.100.141.162 Country Name:India\" n=16482 fw_action=\"drop\"","service":{"type":"system"},"@version":"1","host":{"ip":"xxx.xxx.xxx.xxx"}}`

The above seems to show an error. Can anyone direct me to proper help that would allow me to accurately reflect the sonicwall priority in the logstash output file, prior to transmitting to wazuh?

Your event has a "_grokparsefailure_sysloginput" tag. The grok has failed because your syslog message is not in RFC3164 format. It's more RFC5424-ish. You could try setting the grok_pattern option on the input. Perhaps something like

grok_pattern => "<%{POSINT:[log][syslog][priority]:int}>%{GREEDYDATA:message}"

Setting the severity to kernel.emergency for messages when it fails to parse the severity / priority rather than user.notice is unfortunate.

This was fixed on github this morning.
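To make the grok_pattern suggestion above concrete, here is an added Python example (not from the original thread, and not Logstash's or SonicWall's own code) that does by hand what that pattern asks the syslog input to do: pull the numeric PRI out of the `<129>` header, derive facility and severity from it (facility = PRI / 8, severity = PRI mod 8, per RFC 3164/5424), and then split the SonicWall key=value body into fields, including quoted values with spaces. It also shows the behaviour the last reply calls unfortunate: when the header cannot be parsed, the event is tagged instead of being silently stamped as kernel.emergency (priority 0). The sample line is constructed for this example and uses documentation IP ranges; the field names `sonicwall` and `decode_pri`/`parse_event` are this example's own, not Logstash field names.

```python
import re
from typing import Any, Dict

# RFC 5424 severity names, indexed by severity code 0..7.
SEVERITY_NAMES = [
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug",
]
# RFC 5424 facility names, indexed by facility code 0..23.
FACILITY_NAMES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
] + [f"local{n}" for n in range(8)]

# Equivalent of the suggested grok pattern: a <PRI> header followed by the rest.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*(?P<rest>.*)$", re.DOTALL)
# SonicWall body: key=value pairs; values are either bare tokens or "quoted".
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample in the same shape as the event quoted in the question.
SAMPLE_LINE = (
    '<129>  id=TZ670    sn=0000000000 time="2025-02-10 08:57:52" fw=203.0.113.10 '
    'pri=1 c=0 gcat=3 m=1199 src=192.0.2.47:51052:X0 srcZone=LAN '
    'dst=198.51.100.5:443:X6 dstZone=WAN proto=tcp/https rcvd=52 '
    'rule="Custom Access Rule_22" msg="Responder from country blocked: Country Name:Example" '
    'n=16482 fw_action="drop"'
)


def decode_pri(pri: int) -> Dict[str, Any]:
    """Turn a syslog PRI value into the log.syslog.* structure Logstash emits."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": {"code": facility, "name": FACILITY_NAMES[facility]},
        "severity": {"code": severity, "name": SEVERITY_NAMES[severity]},
    }


def parse_kv(body: str) -> Dict[str, str]:
    """Split a SonicWall key=value body; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        val = m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        fields[m.group("key")] = val
    return fields


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one raw syslog line into a Logstash-like event dict.

    On a header that does not match, the event is tagged _grokparsefailure and
    no log.syslog block is added, so nothing is mis-reported as Emergency.
    """
    event: Dict[str, Any] = {"message": line, "tags": []}
    m = PRI_RE.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    try:
        event["log"] = {"syslog": decode_pri(int(m.group("pri")))}
    except ValueError:
        event["tags"].append("_grokparsefailure")
        return event
    event["message"] = m.group("rest")
    event["sonicwall"] = parse_kv(m.group("rest"))
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(parse_event(SAMPLE_LINE), indent=2))
    print(json.dumps(parse_event("no header at all"), indent=2))
```

Run against the constructed line, `<129>` decodes to facility 16 (local0) and severity 1 (Alert), which is what the `pri=1` field inside the SonicWall body also says; a priority of 0 with facility "kernel" and severity "Emergency" in the Logstash output is therefore the default from a failed header parse, not the firewall's actual priority.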