From ca55e44b0bd7fe7234b3a971d51ee1f31d952a19 Mon Sep 17 00:00:00 2001 
From: Wenceslas Lejeune Date: Tue, 5 May 2026 15:05:29 +0200 Subject: [PATCH 1/6] feat(sonicwall_sma):init blank package --- packages/sonicwall_sma/_dev/build/build.yml | 3 + .../sonicwall_sma/_dev/build/docs/README.md | 8 ++ .../_dev/deploy/docker/docker-compose.yml | 17 +++ .../deploy/docker/sample_logs/test-syslog.log | 0 packages/sonicwall_sma/changelog.yml | 6 + .../_dev/test/pipeline/test-common-config.yml | 3 + .../log/_dev/test/pipeline/test-log-admin.log | 0 .../log/_dev/test/system/test-tcp-config.yml | 10 ++ .../log/_dev/test/system/test-tls-config.yml | 61 +++++++++ .../log/_dev/test/system/test-udp-config.yml | 10 ++ .../data_stream/log/agent/stream/tcp.yml.hbs | 21 +++ .../data_stream/log/agent/stream/udp.yml.hbs | 18 +++ .../elasticsearch/ingest_pipeline/default.yml | 36 +++++ .../data_stream/log/fields/agent.yml | 0 .../data_stream/log/fields/base-fields.yml | 32 +++++ .../data_stream/log/fields/ecs.yml | 0 .../data_stream/log/fields/fields.yml | 3 + .../data_stream/log/manifest.yml | 123 ++++++++++++++++++ .../data_stream/log/sample_event.json | 3 + packages/sonicwall_sma/img/logo.svg | 1 + packages/sonicwall_sma/manifest.yml | 29 +++++ packages/sonicwall_sma/validation.yml | 3 + 22 files changed, 387 insertions(+) create mode 100644 packages/sonicwall_sma/_dev/build/build.yml create mode 100644 packages/sonicwall_sma/_dev/build/docs/README.md create mode 100644 packages/sonicwall_sma/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log create mode 100644 packages/sonicwall_sma/changelog.yml create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml 
create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/agent/stream/tcp.yml.hbs
create mode 100644 packages/sonicwall_sma/data_stream/log/agent/stream/udp.yml.hbs
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/fields/agent.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/fields/base-fields.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/fields/ecs.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/fields/fields.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/manifest.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/sample_event.json
create mode 100644 packages/sonicwall_sma/img/logo.svg
create mode 100644 packages/sonicwall_sma/manifest.yml
create mode 100644 packages/sonicwall_sma/validation.yml
diff --git a/packages/sonicwall_sma/_dev/build/build.yml b/packages/sonicwall_sma/_dev/build/build.yml
new file mode 100644
index 00000000000..091473aeb21
--- /dev/null
+++ b/packages/sonicwall_sma/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: "git@v9.3.0"
diff --git a/packages/sonicwall_sma/_dev/build/docs/README.md b/packages/sonicwall_sma/_dev/build/docs/README.md
new file mode 100644
index 00000000000..2daf60e54f1
--- /dev/null
+++ b/packages/sonicwall_sma/_dev/build/docs/README.md
@@ -0,0 +1,8 @@
+{{- generatedHeader }}
+{{/*
+This template can be used as a starting point for writing documentation for your new integration. For each section, fill in the details
+described in the comments.
+
+Find more detailed documentation guidelines in https://www.elastic.co/docs/extend/integrations/documentation-guidelines
+*/}}
+# SonicWall Secure Mobile Access (SMA) Integration for Elastic
diff --git a/packages/sonicwall_sma/_dev/deploy/docker/docker-compose.yml b/packages/sonicwall_sma/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..a806a6f2477
--- /dev/null
+++ b/packages/sonicwall_sma/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+ sonicwall_sma-log-udp:
+ image: docker.elastic.co/observability/stream:v0.18.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/test-syslog.log
+ sonicwall_sma-log-tcp:
+ image: docker.elastic.co/observability/stream:v0.18.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=tcp /sample_logs/test-syslog.log
+ sonicwall_sma-log-tls:
+ image: docker.elastic.co/observability/stream:v0.18.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9516 -p=tls --insecure /sample_logs/test-syslog.log
diff --git a/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log b/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/packages/sonicwall_sma/changelog.yml b/packages/sonicwall_sma/changelog.yml
new file mode 100644
index 00000000000..b1d49ce17f5
--- /dev/null
+++ b/packages/sonicwall_sma/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/12345
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..772cb405878
--- /dev/null
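Review bot: The changelog's `link` still carries the template placeholder `https://github.com/elastic/integrations/pull/12345` rather than this pull request's URL. It is an acceptable stand-in until the PR number exists, but it needs to be replaced before merge so the 0.1.0 entry is traceable, e.g. `link: https://github.com/elastic/integrations/pull/<this PR's number>`. The trailing `# can be one of: enhancement, bugfix, breaking-change` comment on `type` is template boilerplate as well and can go once the value is settled.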
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..7bc516794f5
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,10 @@
+service: sonicwall_sma-log-tcp
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9515
+ preserve_original_event: true
+assert:
+ hit_count: 86
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..20c2c469696
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml
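Review bot: `assert.hit_count: 86` cannot be satisfied by this system test as committed: the docker-compose service it names streams `/sample_logs/test-syslog.log`, and this commit adds that file empty (the diffstat lists it with `| 0`), so the test will presumably fail on an empty stream. The same `hit_count: 86` assertion appears in test-tls-config.yml and test-udp-config.yml. Either commit the 86-event fixture in the same change or drop the `assert` block until the fixture exists. `syslog_host: 0.0.0.0` is the right bind for this test-only config, since the stream container reaches the agent over the compose network, while the policy default in the data-stream manifest stays `localhost`.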
@@ -0,0 +1,61 @@
+service: sonicwall_sma-log-tls
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9516
+ preserve_original_event: true
+ ssl: |-
+ enabled: true
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIDVDCCAjwCCQCsAbJdoUWCbjANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMC
+ RVMxEjAQBgNVBAgMCUJhcmNlbG9uYTESMBAGA1UEBwwJQmFyY2Vsb25hMRAwDgYD
+ VQQKDAdFbGFzdGljMQwwCgYDVQQLDANTRUkxFzAVBgNVBAMMDnNlaS5lbGFzdGlj
+ LmNvMSAwHgYJKoZIhvcNAQkBFhFhZHJpYW5AZWxhc3RpYy5jbzAeFw0yMTAzMjgx
+ OTI1NTZaFw0yMjA4MTAxOTI1NTZaMEcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD
+ QTEUMBIGA1UECgwLTXlPcmcsIEluYy4xFTATBgNVBAMMDG15ZG9tYWluLmNvbTCC
+ ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGY2KD2OOjg3vM+6B/tfzf1
+ yBSmmDLLOXaQq1Zr4PcdIrGNmhloKbinLE5+glxr88eTGecEHlwu7oC1w801rvw+
+ wWhTwD6M8kmya5AtgYHkMWZcJSkkvRWzlvLV2ULhfgSoXISsBSiURSzNOheNlXMs
+ V4KBXdPJ3R7ZuTMsAmJ4Hly0u0jZF3e/scnOfvtXedMRIZEsV9FxLQnqObQ+OLCi
+ d0/fr9wSmhJKCutEVDklks08txqX0aFdL7I019nt2oQsoRMHalDRt6+FnMhYzHjQ
+ nDPD8j9j/yWrBkys73j0I0lDD+jrCcbG3qxps4b8Nl6/nyU0LjwTT628gDGo27MC
+ AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAn/9XfBWXBy3QFbMaMlu7Qd4F1bb+JYbS
+ apXyUI98ygQKrEJKUU+0/UkaEq9Ao/5MEjYMsBgwUDCXAIOzwZoKHCTVco/AtywJ
+ TTq4CM/OP3lTm0eSKWJoXhlp6J58o/aWvfkzIOHKue8LTTvnk+Yf6zQC/JjR6NMK
+ DvImLT3HSU5jieizxrzzA/QZOtmsSjMCzghp4yRm1wRoTtZihiUq6gREbJoMUdRR
+ tlrjQ4HT/GzL0aj2gZhW71rNmJKUqN2fjnbozuz4fazzADNtdqxRf3TwzMbwNPOC
+ bPm9f0sot4tK0+KP2+dCXhxxW4+Dh1oJnoii90KiBySvtJSylJt+VQ==
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpAIBAAKCAQEA4ZjYoPY46ODe8z7oH+1/N/XIFKaYMss5dpCrVmvg9x0isY2a
+ GWgpuKcsTn6CXGvzx5MZ5wQeXC7ugLXDzTWu/D7BaFPAPozySbJrkC2BgeQxZlwl
+ KSS9FbOW8tXZQuF+BKhchKwFKJRFLM06F42VcyxXgoFd08ndHtm5MywCYngeXLS7
+ SNkXd7+xyc5++1d50xEhkSxX0XEtCeo5tD44sKJ3T9+v3BKaEkoK60RUOSWSzTy3
+ GpfRoV0vsjTX2e3ahCyhEwdqUNG3r4WcyFjMeNCcM8PyP2P/JasGTKzvePQjSUMP
+ 6OsJxsberGmzhvw2Xr+fJTQuPBNPrbyAMajbswIDAQABAoIBAQCb/nnFC50cguoH
+ nzcZZLs0cdKxXOUfMmGAt9aSQrRji5UC21x0Nw+qbIZ5nIb963O9S918Xd+0dItd
+ GtLS4k0mhSptvoPPfNzI0wQHxT+pFqaGFi9n/Mx25iD5t5+s3ImsJNMctmo2vhf7
+ O8nwoWl3I3E7f8LmgM5S19B1LvhTJ1mnevc38rw6r2TFaZJFeEvch9IMjsufYWin
+ Syj8IjngvmOtDIPGdUwJSBiW9HVWtrCR07+/y+F0MhV/mUOJic/k5DclMWWZjU/q
+ 2OJW8lO48YiuYejkwynsVHfJO8d49IJu+Hk0Eg8JIbdaBY4nRzf3unzcfYBGkiM+
+ xPqzVeY5AoGBAPhWAPAIkcN645CqCBPGwQhfQboquQ5rURTJ6JOheEOFO4LqbNAt
+ UGQa+1oR8X9iEvO1yg0QA9q6pGR9Rd5zNpFIgC4ujeP3PXrX1PpV7dD3PtRpFAum
+ peQP3FEZMqZX/04m9kb341gW5a2WrwtScE8BqhyMenqx4jEUbijyauHFAoGBAOiP
+ MTYQjLh1zD3W7ZXyPGC3EH7BzvE3L9ar3w1WTSVm1EGyLeY5dd8ub6dtCpyaOHUd
+ q+FxzlRZH8/4gxqf6q3YWzV+7d57UlO4cLg7Fj92lJzdYGqcuCAMRnTnn8ThGV/V
+ XwCU/8pYIMZ0PS8culIr3GOJuZnY6lIKP0FMbHcXAoGADCzDPQFejBPhRj1fygBr
+ hEqPQV5I1lEil39SnLJE4CKPCVsO3KHsGAxOmFra2SDoxvP5pOxNFBMkbhzKKR7C
+ 5RqF1j3IDQ4ZAIXGVkOSNjV46hcAuZWA+o5ggcVXe1pDFQTJ/C65AZ+VwQ3rJQX0
+ pZrySRYGBy/jY/6Za/5+iPUCgYBXv2+6DpSKJShjTO1oXnYZp/k5WrdSnJgYT9Fh
+ nuaM7je4chqPe67V/xdx/Nq8LBSRXBi2f9JyUQ6H0iTlruFFpxUDIlluUOnHXRhq
+ 6yCB4aRBa+YtU+TFctxC0AKgrq58Um3+Mjoxhv8W4lUTqatDxfjqNdUqD4aaXfNw
+ F/31EQKBgQDA2wPOtKUZQdYoTI8gF0wUI5zThiia2qpk6gLu4GFuIqea95fjzF4s
+ BdcwL671AnnDY3GUxcmX7n8/E4lFwQEf5G4IbKa+/fIm4y4wzkINHYnCeTvVPHUZ
+ rcZR4kw7O4cWsLR4NHJBosUVoaeoCizBB6xLREqISxIZuHKuEcYsRA==
+ -----END RSA PRIVATE KEY-----
+assert:
+ hit_count: 86
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
new file mode 100644
index 00000000000..a6b547c45a3
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -0,0 +1,10 @@
+service: sonicwall_sma-log-udp
+service_notify_signal: SIGHUP
+input: udp
+data_stream:
+ vars:
+ syslog_host: 0.0.0.0
+ syslog_port: 9514
+ preserve_original_event: true
+assert:
+ hit_count: 86
diff --git a/packages/sonicwall_sma/data_stream/log/agent/stream/tcp.yml.hbs b/packages/sonicwall_sma/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..10029e47490
--- /dev/null
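Review bot: The `ssl` block in test-tls-config.yml checks a PEM private key (`key: |` followed by `-----BEGIN RSA PRIVATE KEY-----`) into the repository with nothing marking it as throwaway material. The paired stream client in docker-compose passes `--insecure`, which indicates the certificate is a self-signed test fixture, so state that with a comment above `ssl: |-` such as `# Self-signed certificate and key used only by this system test; not a production credential`, which stops secret scanners and future readers from treating it as a leak. Keep this pair confined to the `_dev/test` tree and never copy it into a shipped default for the `ssl` variable.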
+++ b/packages/sonicwall_sma/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,21 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/agent/stream/udp.yml.hbs b/packages/sonicwall_sma/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..b4f1258afaf
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,18 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..e5904ed2580
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,36 @@
+---
+description: Pipeline for parsing SonicWall Secure Mobile Access logs
+processors:
+ - set:
+ field: ecs.version
+ value: '9.3.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - set:
+ field: observer.vendor
+ value: SonicWall
+ - set:
+ field: observer.product
+ value: Secure Mobile Access
+ - set:
+ field: observer.type
+ value: access-management
+ - remove:
+ field:
+ - _tmp
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/sonicwall_sma/data_stream/log/fields/agent.yml b/packages/sonicwall_sma/data_stream/log/fields/agent.yml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/packages/sonicwall_sma/data_stream/log/fields/base-fields.yml b/packages/sonicwall_sma/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..ee0f201311f
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,32 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: sonicwall_sma
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: sonicwall_sma.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ type: long
+ description: Log offset
+- name: input.type
+ type: keyword
+ description: Input type
diff --git a/packages/sonicwall_sma/data_stream/log/fields/ecs.yml b/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/packages/sonicwall_sma/data_stream/log/fields/fields.yml b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
new file mode 100644
index 00000000000..e25055238a2
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
@@ -0,0 +1,3 @@
+- name: sonicwall_sma
+ type: group
+ fields:
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/manifest.yml b/packages/sonicwall_sma/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..4a66487b9ef
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/manifest.yml
@@ -0,0 +1,123 @@
+type: logs
+title: SonicWall Secure Mobile Access logs
+streams:
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sonicwall_sma-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: udp_options
+ type: yaml
+ title: Custom UDP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #read_buffer: 100MiB
+ #max_message_size: 50KiB
+ #timeout: 300s
+ description: Specify custom configuration options for the UDP input.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: SonicWall Secure Mobile Access logs (udp)
+ description: Collect SonicWall Secure Mobile Access logs using udp input
+ - input: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - sonicwall_sma-log
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ multi: false
+ required: false
+ show_user: true
+ description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #framing: rfc6587
+ #max_message_size: 50KiB
+ #max_connections: 1
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: tcp.yml.hbs
+ title: SonicWall Secure Mobile Access logs (tcp)
+ description: Collect SonicWall Secure Mobile Access logs using tcp input
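Review bot: In the `tcp` stream the `ssl` variable is optional with no default, so a policy that leaves it empty accepts syslog in cleartext, and its `description` only points at the Beats SSL reference without saying so; make it explicit, e.g. `description: SSL configuration options for the TCP listener. Leave empty to accept unencrypted syslog. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.` Likewise `syslog_host` and `syslog_port` in both streams carry no `description` at all; the `localhost` default is the safe bind and deserves one line such as `description: Interface to listen on. Keep localhost unless the appliance sends from another host.` so operators understand what widening it to `0.0.0.0` exposes.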
diff --git a/packages/sonicwall_sma/data_stream/log/sample_event.json b/packages/sonicwall_sma/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..0e0dcd235c4
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/sample_event.json
@@ -0,0 +1,3 @@
+{
+
+}
\ No newline at end of file
diff --git a/packages/sonicwall_sma/img/logo.svg b/packages/sonicwall_sma/img/logo.svg
new file mode 100644
index 00000000000..fb1aded68a2
--- /dev/null
+++ b/packages/sonicwall_sma/img/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/sonicwall_sma/manifest.yml b/packages/sonicwall_sma/manifest.yml
new file mode 100644
index 00000000000..5387bde1644
--- /dev/null
+++ b/packages/sonicwall_sma/manifest.yml
@@ -0,0 +1,29 @@
+name: sonicwall_sma
+title: SonicWall Secure Mobile Access
+version: "0.1.0"
+description: Collect logs from SonicWall Secure Mobile Access with Elastic Agent.
+type: integration
+icons:
+ - src: /img/logo.svg
+ title: SonicWall logo
+ size: 32x32
+ type: image/svg+xml
+format_version: "3.0.3"
+categories: [security]
+conditions:
+ kibana:
+ version: "^8.13.0 || ^9.0.0"
+policy_templates:
+ - name: sonicwall_sma
+ title: SonicWall Secure Mobile Access logs
+ description: Collect logs from SonicWall Secure Mobile Access instances
+ inputs:
+ - type: udp
+ title: "Collect SonicWall Secure Mobile Access logs (input: udp)"
+ description: "Collecting logs from SonicWall Secure Mobile Access instances (input: udp)"
+ - type: tcp
+ title: "Collect SonicWall Secure Mobile Access logs (input: tcp)"
+ description: "Collecting logs from SonicWall Secure Mobile Access instances (input: tcp)"
+owner:
+ github: elastic/integration-experience
+ type: community
diff --git a/packages/sonicwall_sma/validation.yml b/packages/sonicwall_sma/validation.yml
new file mode 100644
index 00000000000..a96151416a6
--- /dev/null
+++ b/packages/sonicwall_sma/validation.yml
@@ -0,0 +1,3 @@
+errors:
+ exclude_checks:
+ - SVR00005 # Kibana version for saved tags.
From ce3e6e93ae74e67e5f966107d789d2634dee15dd Mon Sep 17 00:00:00 2001
From: Wenceslas Lejeune Date: Wed, 6 May 2026 16:06:24 +0200 Subject: [PATCH 2/6] feat(sonicwall_sma): Add ingest pipelines for audit, auth, session, and system events --- .../sonicwall_sma/_dev/build/docs/README.md | 94 ++ .../log/_dev/test/pipeline/test-log-admin.log | 0 .../log/_dev/test/pipeline/test-log-audit.log | 2 + .../pipeline/test-log-audit.log-expected.json | 190 ++++ .../log/_dev/test/pipeline/test-log-auth.log | 1 + .../pipeline/test-log-auth.log-expected.json | 70 ++ .../log/_dev/test/pipeline/test-log-misc.log | 14 + .../pipeline/test-log-misc.log-expected.json | 962 ++++++++++++++++++ .../_dev/test/pipeline/test-log-session.log | 3 + .../test-log-session.log-expected.json | 222 ++++ .../_dev/test/pipeline/test-log-system.log | 3 + .../test-log-system.log-expected.json | 218 ++++ .../elasticsearch/ingest_pipeline/audit.yml | 223 ++++ .../elasticsearch/ingest_pipeline/auth.yml | 28 + .../elasticsearch/ingest_pipeline/default.yml | 74 +- .../elasticsearch/ingest_pipeline/misc.yml | 155 +++ .../elasticsearch/ingest_pipeline/session.yml | 107 ++ .../elasticsearch/ingest_pipeline/system.yml | 102 ++ .../data_stream/log/fields/agent.yml | 0 .../data_stream/log/fields/ecs.yml | 110 ++ .../data_stream/log/fields/fields.yml | 133 ++- 21 files changed, 2708 insertions(+), 3 deletions(-) delete mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log create mode 100644 
packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log
create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log
create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/audit.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/auth.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml
create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml
delete mode 100644 packages/sonicwall_sma/data_stream/log/fields/agent.yml
diff --git a/packages/sonicwall_sma/_dev/build/docs/README.md b/packages/sonicwall_sma/_dev/build/docs/README.md
index 2daf60e54f1..cd0cdc37da4 100644
--- a/packages/sonicwall_sma/_dev/build/docs/README.md
+++ b/packages/sonicwall_sma/_dev/build/docs/README.md
@@ -6,3 +6,97 @@ described in the comments. Find more detailed documentation guidelines in https://www.elastic.co/docs/extend/integrations/documentation-guidelines */}} # SonicWall Secure Mobile Access (SMA) Integration for Elastic + +## Overview +The SonicWall Secure Mobile Access (SMA) Integration for Elastic collects syslog events exported by SonicWall SMA appliances. +This integration helps security and operations teams monitor remote access activity, investigate authentication problems, review web and tunnel audit activity, and track tunnel health and transport issues reported by the SMA platform. + +### Compatibility +This integration is intended for SonicWall Secure Mobile Access appliances that can export syslog events in the log formats parsed by this package. +It supports SonicWall SMA audit, authentication, session, system, and miscellaneous kernel and tunnel messages delivered over UDP or TCP. + +### How it works +Elastic Agent listens for SonicWall SMA syslog traffic over UDP or TCP. +The integration ingest pipeline parses the common SMA log header, routes events by event family, and maps the data to ECS fields for authentication, session, network, TLS, and web activity. + +## What data does this integration collect? +The SonicWall Secure Mobile Access integration collects log messages of the following types: +* Audit events for HTTP requests, VPN flow activity, transferred bytes, and session metadata. +* Authentication events such as SAML-related failures. +* Session lifecycle events including session start and TLS negotiation failures. +* System events such as user logins, session termination, and RPC or SSL handshake failures. +* Miscellaneous tunnel and kernel events such as probes, client version reporting, cipher negotiation, and tunnel resumption messages. + +### Supported use cases +This integration supports the following use cases: +* Monitor remote-access user activity, including logins, logouts, and session lifecycle changes. 
+* Investigate authentication problems such as SAML storage issues and TLS certificate failures. +* Review HTTP and VPN audit activity from the SMA portal and remote access tunnel flows. +* Track client tunnel health, probe failures, cipher negotiation, and client version details for troubleshooting. + +## What do I need to use this integration? +Before you deploy this integration, make sure you have: +* A SonicWall SMA appliance configured to forward syslog events. +* Network connectivity from the SonicWall SMA appliance to the Elastic Agent listener. +* The host and port you want Elastic Agent to listen on for SonicWall SMA syslog traffic. +* A TCP TLS certificate configuration if you plan to receive SonicWall SMA logs over encrypted TCP. + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog receiver and ship the data to Elastic, where the events are processed by the integration ingest pipelines. + +### Onboard / configure +To set up the integration: +1. Install the SonicWall Secure Mobile Access integration in Fleet. +2. Choose the input you want to use. Use TCP for reliable delivery, with optional TLS, or UDP for lightweight syslog forwarding. +3. Configure the listening host and port in the integration policy. +4. On the SonicWall SMA appliance, configure an external syslog destination that points to the Elastic Agent host and port. +5. Select which SMA logs you want to export, including audit, authentication, session, system, and tunnel or kernel messages. +6. Enable the `Preserve original event` option if you want to keep the raw SMA log in `event.original` for troubleshooting. + +### Validation +After the integration is configured: +1. 
Trigger a known event on the SonicWall SMA appliance, such as a user login or logout, a web portal request, or a tunnel connection attempt. +2. Open Discover or the data stream view for `logs-sonicwall_sma.log-*`. +3. Confirm events are arriving and that fields such as `event.category`, `event.action`, `user.name`, `source.ip`, `destination.ip`, and `tls.cipher` are populated when applicable. +4. If parsing does not look correct, enable `Preserve original event` and review `event.original` alongside the parsed fields. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +Common vendor-specific checks: +* If no logs arrive, verify the SonicWall SMA syslog destination host, port, and transport protocol. +* If TCP with TLS is enabled, verify the Elastic Agent listener certificate configuration and confirm the SMA appliance trusts the configured certificate chain. +* If events arrive but are missing expected fields, enable `Preserve original event` and compare the raw event with the parsed fields in Discover. + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +For higher-volume SonicWall SMA deployments: +* Prefer TCP when delivery guarantees are more important than minimal overhead. +* Use multiple Elastic Agent instances or a load-balanced syslog tier when collecting logs from several appliances. +* Separate high-volume syslog collection from other workload types when sustained tunnel or audit activity is expected. + +## Reference + +### log + +The `log` data stream provides SonicWall Secure Mobile Access audit, authentication, session, system, and miscellaneous tunnel events. 
+
+#### log fields
+
+{{ fields "log" }}
+
+#### log sample event
+
+{{ event "log" }}
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-admin.log
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log
new file mode 100644
index 00000000000..6ac53ddc5a7
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log
@@ -0,0 +1,2 @@
+458 <182>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1114486"] [05/May/2026:11:39:48.259055 +0000] SMA-Primary 000000 kt 00000000 Info Audit Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'
+473 <182>1 2026-05-05T13:46:54+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1668855"] [05/May/2026:13:46:55.014635 +0000] SMA-Primary 003548 ew 1000045b Info Audit VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json
new file mode 100644
index 00000000000..7af640c57fe
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json 
@@ -0,0 +1,190 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T11:39:48.259Z", + "destination": { + "address": "192.0.2.1:443", + "bytes": 5170, + "ip": "192.0.2.1", + "port": 443 + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "Flow:TCP", + "category": [ + "network" + ], + "code": "00000000", + "duration": 1000000000, + "kind": "event", + "original": "458 <182>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1114486\"] [05/May/2026:11:39:48.259055 +0000] SMA-Primary 000000 kt 00000000 Info Audit Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'", + "outcome": "success", + "sequence": 1114486, + "severity": 6, + "type": [ + "connection" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": "Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' 
SessionKey='SMA-Primary:69f9d2c0:00000000'", + "network": { + "bytes": 8433, + "transport": "tcp" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Audit", + "component": "kt", + "equipment_id": "0012_34FF_AD52_4462.", + "platform_prefix": "W", + "session_key": "SMA-Primary:69f9d2c0:00000000", + "thread_id": "000000", + "tunnel": { + "version": "0x102" + } + } + }, + "source": { + "address": "192.0.2.1:64026", + "bytes": 3263, + "ip": "192.0.2.1", + "port": 64026 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "Corp", + "email": "user.name@example.org", + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:46:55.014Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "GET", + "category": [ + "web" + ], + "code": "1000045b", + "kind": "event", + "original": "473 <182>1 2026-05-05T13:46:54+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1668855\"] [05/May/2026:13:46:55.014635 +0000] SMA-Primary 003548 ew 1000045b Info Audit VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''", + "outcome": "success", + "sequence": 1668855, + "severity": 6, + "start": "2026-05-05T13:46:55.000Z", + "type": [ + "access" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 77, + "status_code": 200 + }, + "version": "1.1" + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": 
"SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": "VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''", + "network": { + "protocol": "http" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Audit", + "component": "ew", + "http": { + "version_hex": "0x3e9" + }, + "thread_id": "003548" + } + }, + "source": { + "address": "192.0.2.1", + "ip": "192.0.2.1" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "spf4.example.org", + "original": "/__api__/logon/azertyuiop/totp" + } + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log new file mode 100644 index 00000000000..60b913bc01a --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log @@ -0,0 +1 @@ +234 <179>1 2026-05-05T04:23:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId="514004"] [05/May/2026:04:23:43.836470 +0000] SMA-Primary 003548 ew 1005a618 Error Auth ::SAML:: SAML Storage error : id/url or samlresponse missing \ No newline at end of file diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json new file mode 100644 index 00000000000..608757e6947 --- /dev/null 
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json @@ -0,0 +1,70 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T04:23:43.836Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "saml-storage-error", + "category": [ + "authentication" + ], + "code": "1005a618", + "kind": "event", + "original": "234 <179>1 2026-05-05T04:23:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"514004\"] [05/May/2026:04:23:43.836470 +0000] SMA-Primary 003548 ew 1005a618 Error Auth ::SAML:: SAML Storage error : id/url or samlresponse missing", + "outcome": "failure", + "reason": "SAML Storage error : id/url or samlresponse missing", + "sequence": 514004, + "severity": 3, + "type": [ + "info" + ] + }, + "log": { + "level": "error", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 179, + "procid": "-", + "severity": { + "code": 3 + }, + "version": "1" + } + }, + "message": "::SAML:: SAML Storage error : id/url or samlresponse missing", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "auth": { + "mechanism": "SAML" + }, + "category": "Auth", + "component": "ew", + "thread_id": "003548" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log new file mode 100644 index 00000000000..ea3782fd6f7 --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log 
@@ -0,0 +1,14 @@
+253 <180>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1114487"] [05/May/2026:11:39:48.311273 +0000] SMA-Primary 000000 uk 0000020a Warning Misc PROBE::FAILED:rto=30640ms retries=0
+258 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545996"] [05/May/2026:13:24:29.316387 +0000] SMA-Primary 000000 ev 0000020a Info Misc handler is UP (v4=192.0.2.1 v6=) username=user.name@example.org <4013fe51>
+240 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545995"] [05/May/2026:13:24:29.316383 +0000] SMA-Primary 000000 ev 0000020a Info Misc SSL:version=3.4 cipher=TLS_AES_256_GCM_SHA384 <4013fe51>
+217 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545975"] [05/May/2026:13:24:29.172569 +0000] SMA-Primary 000000 ev 0000020a Info Misc _send_mt_flow_dump_req <4013fe51>
+226 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545976"] [05/May/2026:13:24:29.172578 +0000] SMA-Primary 000000 ev 0000020a Info Misc Using ESPTunnel for all traffic <4013fe51>
+225 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545973"] [05/May/2026:13:24:29.090663 +0000] SMA-Primary 000000 ke 0000020a Info Misc ESP:tunnelMTUUpdate=1436(1500) <4013fe51>
+209 <182>1 2026-05-05T13:24:28+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545958"] [05/May/2026:13:24:28.696611 +0000] SMA-Primary 000000 ke 0000020a Info Misc ESP:aes256-gcm <4013fe51>
+231 <182>1 2026-05-05T13:24:28+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545892"] [05/May/2026:13:24:28.653420 +0000] SMA-Primary 000000 ev 0000020a Info Misc ESP is set on resumption request:f=0 <4013fe51>
+270 <182>1 2026-05-05T13:14:51+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1490852"] [05/May/2026:13:14:51.421485 +0000] SMA-Primary 000000 uk 0000020a Info Misc PROBE::leaving Recovery state after 225s (rto=390ms)
+257 <182>1 2026-05-05T13:14:39+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1488985"] [05/May/2026:13:14:39.735798 +0000] SMA-Primary 000000 ev 0000020a Info Misc Client OS Version=10.0.26100.1.amd64fre.ge_release.240331-1435 <4013cd8e>
+219 <182>1 2026-05-05T13:14:39+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1488986"] [05/May/2026:13:14:39.735800 +0000] SMA-Primary 000000 ev 0000020a Info Misc Client Version=12.50.179 <4013cd8e>
+289 <180>1 2026-05-05T13:35:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1604975"] [05/May/2026:13:35:43.986596 +0000] SMA-Primary 000000 ev 0000020a Warning Misc Tunnel Resumption deleting existing tunnel with same vaddr(s): 192.0.2.1
+269 <180>1 2026-05-05T13:36:14+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1608048"] [05/May/2026:13:36:14.330675 +0000] SMA-Primary 000000 ev 0000020a Warning Misc Incomplete message (only 1358 of 1366 bytes) of type DATA:creating TP frag <4013841d>
+251 <180>1 2026-05-05T13:35:35+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1604181"] [05/May/2026:13:35:35.801459 +0000] SMA-Primary 000000 uk 0000020a Warning Misc PROBE::FAILED:rto=7260ms retries=0
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
new file mode 100644
index 00000000000..51eb683649f
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
@@ -0,0 +1,962 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T11:39:48.311Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "probe", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "253 <180>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1114487\"] [05/May/2026:11:39:48.311273 +0000] SMA-Primary 000000 uk 0000020a Warning Misc PROBE::FAILED:rto=30640ms retries=0", + "outcome": "failure", + "sequence": 1114487, + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 180, + "procid": "-", + "severity": { + "code": 4 + }, + "version": "1" + } + }, + "message": " PROBE::FAILED:rto=30640ms retries=0", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "uk", + "probe": { + "id": "4013338d", + "retries": 0, + "rto_ms": 30640, + "state": "FAILED:rto=30640ms retries=0", + "type": "TUN" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:24:29.316Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "handler-up", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "258 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545996\"] [05/May/2026:13:24:29.316387 +0000] SMA-Primary 000000 ev 0000020a Info Misc handler is UP (v4=192.0.2.1 v6=) username=user.name@example.org <4013fe51>", + "outcome": "success", + "sequence": 1545996, + 
"severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " handler is UP (v4=192.0.2.1 v6=) username=user.name@example.org <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "session": { + "id": "4013fe51" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:24:29.316Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "ssl-negotiated", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "240 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545995\"] [05/May/2026:13:24:29.316383 +0000] SMA-Primary 000000 ev 0000020a Info Misc SSL:version=3.4 cipher=TLS_AES_256_GCM_SHA384 <4013fe51>", + "outcome": "success", + "sequence": 1545995, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " SSL:version=3.4 cipher=TLS_AES_256_GCM_SHA384 <4013fe51>", + "network": { + "protocol": "tls" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + 
"vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "session": { + "id": "4013fe51" + }, + "ssl": { + "version": "3.4" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2026-05-05T13:24:29.172Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "217 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545975\"] [05/May/2026:13:24:29.172569 +0000] SMA-Primary 000000 ev 0000020a Info Misc _send_mt_flow_dump_req <4013fe51>", + "sequence": 1545975, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " _send_mt_flow_dump_req <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:24:29.172Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "226 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545976\"] [05/May/2026:13:24:29.172578 +0000] SMA-Primary 000000 ev 0000020a Info Misc Using ESPTunnel for all traffic <4013fe51>", + "sequence": 1545976, + "severity": 6, 
+ "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " Using ESPTunnel for all traffic <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:24:29.090Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "tunnel-crypto", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "225 <182>1 2026-05-05T13:24:29+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545973\"] [05/May/2026:13:24:29.090663 +0000] SMA-Primary 000000 ke 0000020a Info Misc ESP:tunnelMTUUpdate=1436(1500) <4013fe51>", + "sequence": 1545973, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " ESP:tunnelMTUUpdate=1436(1500) <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ke", + "crypto": "tunnelMTUUpdate=1436(1500)", + "session": { + "id": "4013fe51" + }, + "thread_id": "000000", + "tunnel": { + "mtu": 
{ + "base": 1500, + "current": 1436 + } + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:24:28.696Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "tunnel-crypto", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "209 <182>1 2026-05-05T13:24:28+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545958\"] [05/May/2026:13:24:28.696611 +0000] SMA-Primary 000000 ke 0000020a Info Misc ESP:aes256-gcm <4013fe51>", + "sequence": 1545958, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " ESP:aes256-gcm <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ke", + "crypto": "aes256-gcm", + "session": { + "id": "4013fe51" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:24:28.653Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "231 <182>1 2026-05-05T13:24:28+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545892\"] [05/May/2026:13:24:28.653420 +0000] SMA-Primary 000000 ev 0000020a Info Misc ESP is set on resumption request:f=0 <4013fe51>", + "sequence": 1545892, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 
182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " ESP is set on resumption request:f=0 <4013fe51>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:14:51.421Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "probe", + "category": [ + "network" + ], + "code": "0000020a", + "duration": 225000000000, + "kind": "event", + "original": "270 <182>1 2026-05-05T13:14:51+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1490852\"] [05/May/2026:13:14:51.421485 +0000] SMA-Primary 000000 uk 0000020a Info Misc PROBE::leaving Recovery state after 225s (rto=390ms)", + "outcome": "success", + "sequence": 1490852, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " PROBE::leaving Recovery state after 225s (rto=390ms)", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "uk", + "probe": { + "id": "1234567", + "rto_ms": 390, + "state": "leaving Recovery state after 225s (rto=390ms)", + "type": "ESP" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ], + 
"user": { + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:14:39.735Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "client-os-version", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "257 <182>1 2026-05-05T13:14:39+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1488985\"] [05/May/2026:13:14:39.735798 +0000] SMA-Primary 000000 ev 0000020a Info Misc Client OS Version=10.0.26100.1.amd64fre.ge_release.240331-1435 <4013cd8e>", + "sequence": 1488985, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " Client OS Version=10.0.26100.1.amd64fre.ge_release.240331-1435 <4013cd8e>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "client": { + "os_version": "10.0.26100.1.amd64fre.ge_release.240331-1435" + }, + "component": "ev", + "session": { + "id": "4013cd8e" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:14:39.735Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "client-version", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "219 <182>1 2026-05-05T13:14:39+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1488986\"] [05/May/2026:13:14:39.735800 +0000] SMA-Primary 000000 ev 0000020a Info Misc Client Version=12.50.179 <4013cd8e>", + "sequence": 1488986, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + 
"appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": " Client Version=12.50.179 <4013cd8e>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "client": { + "version": "12.50.179" + }, + "component": "ev", + "session": { + "id": "4013cd8e" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:35:43.986Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "tunnel-resumption", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "289 <180>1 2026-05-05T13:35:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1604975\"] [05/May/2026:13:35:43.986596 +0000] SMA-Primary 000000 ev 0000020a Warning Misc Tunnel Resumption deleting existing tunnel with same vaddr(s): 192.0.2.1 ", + "sequence": 1604975, + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 180, + "procid": "-", + "severity": { + "code": 4 + }, + "version": "1" + } + }, + "message": " Tunnel Resumption deleting existing tunnel with same vaddr(s): 192.0.2.1 ", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "thread_id": "000000", 
+ "tunnel": { + "new_id": "401439ef", + "old_id": "40142fb7" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:36:14.330Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "incomplete-message", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "269 <180>1 2026-05-05T13:36:14+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1608048\"] [05/May/2026:13:36:14.330675 +0000] SMA-Primary 000000 ev 0000020a Warning Misc Incomplete message (only 1358 of 1366 bytes) of type DATA:creating TP frag <4013841d>", + "outcome": "failure", + "reason": "creating TP frag", + "sequence": 1608048, + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 180, + "procid": "-", + "severity": { + "code": 4 + }, + "version": "1" + } + }, + "message": " Incomplete message (only 1358 of 1366 bytes) of type DATA:creating TP frag <4013841d>", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "ev", + "message_type": "DATA", + "session": { + "id": "4013841d" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:35:35.801Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "probe", + "category": [ + "network" + ], + "code": "0000020a", + "kind": "event", + "original": "251 <180>1 2026-05-05T13:35:35+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1604181\"] [05/May/2026:13:35:35.801459 +0000] SMA-Primary 000000 uk 0000020a Warning Misc PROBE::FAILED:rto=7260ms retries=0", + "outcome": 
"failure", + "sequence": 1604181, + "severity": 4, + "type": [ + "info" + ] + }, + "log": { + "level": "warning", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 180, + "procid": "-", + "severity": { + "code": 4 + }, + "version": "1" + } + }, + "message": " PROBE::FAILED:rto=7260ms retries=0", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Misc", + "component": "uk", + "probe": { + "id": "1234567", + "retries": 0, + "rto_ms": 7260, + "state": "FAILED:rto=7260ms retries=0", + "type": "ESP" + }, + "thread_id": "000000" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user.name@example.org" + } + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log new file mode 100644 index 00000000000..0b6557bb3dd --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log 
@@ -0,0 +1,3 @@
+243 <182>1 2026-05-05T13:16:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1503416"] [05/May/2026:13:16:42.253915 +0000] SMA-Primary 003405 ps 00000000 Info Session Session Start: '(user.name@example.org)@(Corp)', authenticated.
+306 <179>1 2026-05-05T13:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1628346"] [05/May/2026:13:39:48.100466 +0000] SMA-Primary 003548 ew 10000000 Error Session Inbound ExtraWeb/API SSL connection was rejected because no mutually acceptable protocol could be negotiated (192.0.2.1:14047)
+229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1549135"] [05/May/2026:13:25:13.136972 +0000] SMA-Primary 003548 ew 10000000 Error Session TLS fatal alert -- bad certificate (192.0.2.1:45988)
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
new file mode 100644
index 00000000000..0ce08a79313
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
@@ -0,0 +1,222 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T13:16:42.253Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "session-start", + "category": [ + "session", + "authentication" + ], + "code": "00000000", + "kind": "event", + "original": "243 <182>1 2026-05-05T13:16:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1503416\"] [05/May/2026:13:16:42.253915 +0000] SMA-Primary 003405 ps 00000000 Info Session Session Start: '(user.name@example.org)@(Corp)', authenticated.", + "outcome": "success", + "sequence": 1503416, + "severity": 6, + "type": [ + "start" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": "Session Start: '(user.name@example.org)@(Corp)', authenticated.", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ps", + "thread_id": "003405" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "Corp", + "email": "user.name@example.org", + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:39:48.100Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "tls-connection-rejected", + "category": [ + "network" + ], + "code": "10000000", + "kind": "event", + "original": "306 <179>1 2026-05-05T13:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1628346\"] [05/May/2026:13:39:48.100466 +0000] SMA-Primary 003548 ew 10000000 Error Session Inbound ExtraWeb/API SSL connection was rejected because no mutually acceptable protocol could be 
negotiated (192.0.2.1:14047)", + "outcome": "failure", + "reason": "no mutually acceptable protocol could be negotiated", + "sequence": 1628346, + "severity": 3, + "type": [ + "connection", + "denied" + ] + }, + "log": { + "level": "error", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 179, + "procid": "-", + "severity": { + "code": 3 + }, + "version": "1" + } + }, + "message": "Inbound ExtraWeb/API SSL connection was rejected because no mutually acceptable protocol could be negotiated (192.0.2.1:14047)", + "network": { + "protocol": "tls" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ew", + "thread_id": "003548" + } + }, + "source": { + "ip": "192.0.2.1", + "port": 14047 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2026-05-05T13:25:13.136Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "tls-fatal-alert", + "category": [ + "network" + ], + "code": "10000000", + "kind": "event", + "original": "229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1549135\"] [05/May/2026:13:25:13.136972 +0000] SMA-Primary 003548 ew 10000000 Error Session TLS fatal alert -- bad certificate (192.0.2.1:45988)", + "outcome": "failure", + "reason": "bad certificate", + "sequence": 1549135, + "severity": 3, + "type": [ + "connection" + ] + }, + "log": { + "level": "error", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 179, + "procid": "-", + "severity": { + "code": 3 + }, + "version": "1" + } + }, + "message": "TLS fatal alert -- bad 
certificate (192.0.2.1:45988)", + "network": { + "protocol": "tls" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ew", + "thread_id": "003548" + } + }, + "source": { + "ip": "192.0.2.1", + "port": 45988 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log new file mode 100644 index 00000000000..c919ff9f54a --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log @@ -0,0 +1,3 @@ +224 <182>1 2026-05-05T13:24:26+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545825"] [05/May/2026:13:24:26.979461 +0000] SMA-Primary 003405 ps 00000001 Info System Session End: '(user.name@example.org)@(Corp)' +271 <182>1 2026-05-05T13:14:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1489571"] [05/May/2026:13:14:42.321293 +0000] SMA-Primary 003405 ps 00000000 Info System '(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'. +201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1540947"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System RPC: SSL Handshake Failed. \ No newline at end of file diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json new file mode 100644 index 00000000000..aeaf57d3fb4 --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json 
@@ -0,0 +1,218 @@ +{ + "expected": [ + { + "@timestamp": "2026-05-05T13:24:26.979Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "session-end", + "category": [ + "session", + "authentication" + ], + "code": "00000001", + "kind": "event", + "original": "224 <182>1 2026-05-05T13:24:26+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1545825\"] [05/May/2026:13:24:26.979461 +0000] SMA-Primary 003405 ps 00000001 Info System Session End: '(user.name@example.org)@(Corp)'", + "outcome": "success", + "sequence": 1545825, + "severity": 6, + "type": [ + "end" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": "Session End: '(user.name@example.org)@(Corp)'", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "System", + "component": "ps", + "thread_id": "003405" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "Corp", + "email": "user.name@example.org", + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:14:42.321Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "user-login", + "category": [ + "authentication" + ], + "code": "00000000", + "kind": "event", + "original": "271 <182>1 2026-05-05T13:14:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1489571\"] [05/May/2026:13:14:42.321293 +0000] SMA-Primary 003405 ps 00000000 Info System '(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.", + "outcome": "success", + "sequence": 1489571, + "severity": 
6, + "type": [ + "start" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "message": "'(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.", + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "ip": [ + "192.0.2.1" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "assigned_domain": "DV-Corp", + "category": "System", + "component": "ps", + "thread_id": "003405" + } + }, + "source": { + "ip": "192.0.2.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "Corp", + "email": "user.name@example.org", + "name": "user.name@example.org" + } + }, + { + "@timestamp": "2026-05-05T13:23:25.396Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "rpc", + "category": [ + "network" + ], + "code": "00000001", + "kind": "event", + "original": "201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1540947\"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System RPC: SSL Handshake Failed.", + "outcome": "failure", + "reason": "SSL Handshake Failed.", + "sequence": 1540947, + "severity": 4, + "type": [ + "connection" + ] + }, + "log": { + "level": "warning", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 180, + "procid": "-", + "severity": { + "code": 4 + }, + "version": "1" + } + }, + "message": "RPC: SSL Handshake Failed.", + "network": { + "protocol": "tls" + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", 
+ "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ] + }, + "sonicwall_sma": { + "log": { + "category": "System", + "component": "ps", + "thread_id": "003405" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/audit.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/audit.yml new file mode 100644 index 00000000000..5c92fc548f8 --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/audit.yml 
@@ -0,0 +1,223 @@ +--- +description: Pipeline for parsing SonicWall SMA audit events +processors: + - kv: + field: message + field_split: " (?=[A-Za-z][A-Za-z0-9]+='?)" + value_split: '=' + trim_value: "'" + target_field: _temp.audit + ignore_missing: true + ignore_failure: true + - rename: + field: _temp.audit.Src + target_field: source.address + ignore_missing: true + - rename: + field: _temp.audit.Dest + target_field: destination.address + ignore_missing: true + - rename: + field: _temp.audit.VirtualHost + target_field: url.domain + ignore_missing: true + if: ctx._temp?.audit?.VirtualHost != null && ctx._temp.audit.VirtualHost != '-' && ctx._temp.audit.VirtualHost != '' + - rename: + field: _temp.audit.ApplicationName + target_field: sonicwall_sma.log.application_name + ignore_missing: true + if: ctx._temp?.audit?.ApplicationName != null && ctx._temp.audit.ApplicationName != '' + - rename: + field: _temp.audit.PlatformPrefix + target_field: sonicwall_sma.log.platform_prefix + ignore_missing: true + if: ctx._temp?.audit?.PlatformPrefix != null && ctx._temp.audit.PlatformPrefix != '' + - rename: + field: _temp.audit.EquipmentId + target_field: sonicwall_sma.log.equipment_id + ignore_missing: true + if: ctx._temp?.audit?.EquipmentId != null && ctx._temp.audit.EquipmentId != '-' + - rename: + field: _temp.audit.SessionKey + target_field: sonicwall_sma.log.session_key + ignore_missing: true + if: ctx._temp?.audit?.SessionKey != null && ctx._temp.audit.SessionKey != '' + - rename: + field: _temp.audit.TunnelVersion + target_field: sonicwall_sma.log.tunnel.version + ignore_missing: true + - rename: + field: _temp.audit.HTTPVersion + target_field: sonicwall_sma.log.http.version_hex + ignore_missing: true + - dissect: + field: _temp.audit.User + pattern: '(%{user.email})@(%{user.domain})' + if: ctx._temp?.audit?.User != null && ctx._temp.audit.User != '-' + ignore_failure: true + - set: + field: user.name + copy_from: user.email + if: ctx.user?.email != null && 
ctx.user?.name == null + ignore_empty_value: true + - date: + field: _temp.audit.StartTime + target_field: event.start + formats: + - dd/MMM/yyyy HH:mm:ss Z + if: ctx._temp?.audit?.StartTime != null + ignore_failure: true + - dissect: + field: _temp.audit.Request + pattern: '%{http.request.method} %{url.original} HTTP/%{http.version}' + if: ctx._temp?.audit?.Request != null + ignore_failure: true + - set: + field: http.request.method + copy_from: _temp.audit.Method + if: ctx.http?.request?.method == null && ctx._temp?.audit?.Method != null + ignore_empty_value: true + - convert: + field: _temp.audit.Status + target_field: http.response.status_code + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: _temp.audit.Bytes + target_field: http.response.bytes + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: _temp.audit.SrcBytes + target_field: source.bytes + type: long + ignore_missing: true + ignore_failure: true + - convert: + field: _temp.audit.DstBytes + target_field: destination.bytes + type: long + ignore_missing: true + ignore_failure: true + - grok: + field: source.address + patterns: + - '^%{IP:source.ip}:%{POSINT:source.port:long}$' + - '^%{IP:source.ip}$' + ignore_missing: true + ignore_failure: true + - grok: + field: destination.address + patterns: + - '^%{IP:destination.ip}:%{POSINT:destination.port:long}$' + - '^%{IP:destination.ip}$' + ignore_missing: true + ignore_failure: true + - set: + field: event.action + copy_from: _temp.audit.Command + if: ctx._temp?.audit?.Command != null + ignore_empty_value: true + - grok: + field: _temp.audit.Command + patterns: + - '^%{DATA:_temp.audit.command_family}:%{WORD:network.transport}$' + if: ctx._temp?.audit?.Command != null + ignore_failure: true + - lowercase: + field: network.transport + ignore_missing: true + - append: + field: event.category + value: network + allow_duplicates: false + if: ctx._temp?.audit?.Command != null + - append: + field: 
event.type + value: connection + allow_duplicates: false + if: ctx._temp?.audit?.Command != null + - append: + field: event.category + value: web + allow_duplicates: false + if: ctx._temp?.audit?.Request != null + - append: + field: event.type + value: access + allow_duplicates: false + if: ctx._temp?.audit?.Request != null + - set: + field: network.protocol + value: http + if: ctx._temp?.audit?.Request != null + - set: + field: event.action + copy_from: http.request.method + if: ctx.event?.action == null && ctx.http?.request?.method != null + ignore_empty_value: true + - set: + field: event.outcome + value: success + if: ctx._temp?.audit?.Error == '0' + - set: + field: event.outcome + value: failure + if: ctx._temp?.audit?.Error != null && ctx._temp.audit.Error != '0' + - set: + field: error.code + copy_from: _temp.audit.Error + if: ctx._temp?.audit?.Error != null && ctx._temp.audit.Error != '0' + ignore_empty_value: true + - set: + field: event.outcome + value: success + if: ctx.event?.outcome == null && ctx.http?.response?.status_code != null && ctx.http.response.status_code < 400 + - set: + field: event.outcome + value: failure + if: ctx.event?.outcome == null && ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 400 + - script: + lang: painless + if: ctx._temp?.audit?.Duration != null + source: | + try { + def seconds = Double.parseDouble(ctx._temp.audit.Duration.toString()); + ctx.event = ctx.event != null ? ctx.event : new HashMap(); + ctx.event.duration = (long)(seconds * 1000000000L); + } catch (Exception ignored) { + } + - script: + lang: painless + if: ctx.source?.bytes != null || ctx.destination?.bytes != null + source: | + long total = 0L; + if (ctx.source?.bytes != null) { + total += ((Number) ctx.source.bytes).longValue(); + } + if (ctx.destination?.bytes != null) { + total += ((Number) ctx.destination.bytes).longValue(); + } + ctx.network = ctx.network != null ? 
ctx.network : new HashMap();
+ ctx.network.bytes = total;
+ - append:
+ field: related.ip
+ value: '{{{source.ip}}}'
+ allow_duplicates: false
+ if: ctx.source?.ip != null
+ - append:
+ field: related.ip
+ value: '{{{destination.ip}}}'
+ allow_duplicates: false
+ if: ctx.destination?.ip != null
+ - append:
+ field: related.user
+ value: '{{{user.name}}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null
+ - remove:
+ field:
+ - _temp.audit
+ ignore_missing: true
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/auth.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/auth.yml
new file mode 100644
index 00000000000..e38d88775da
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/auth.yml
@@ -0,0 +1,28 @@
+---
+description: Pipeline for parsing SonicWall SMA authentication events
+processors:
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.log?.level == 'error' || ctx.log?.level == 'warning'
+ - grok:
+ field: message
+ patterns:
+ - '^::%{DATA:sonicwall_sma.log.auth.mechanism}:: %{GREEDYDATA:event.reason}$'
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: saml-storage-error
+ if: ctx.message != null && ctx.message.contains('SAML Storage error')
+ - set:
+ field: event.action
+ value: authentication-error
+ if: ctx.event?.action == null
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index e5904ed2580..29e1d65587b 100644
--- a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
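Review bot: `event.action` is copied from the raw `_temp.audit.Command` value before the grok that splits that value into `_temp.audit.command_family` and `network.transport`, so the action keeps the vendor's spelling (a `Something:PROTO` shape, if the grok's `%{DATA}:%{WORD}` pattern is right) while `_temp.audit.command_family` is captured and then discarded by the final `remove` without ever being read. The sibling pipelines all set lowercase kebab-case actions, so rules keyed on `event.action` will see two conventions in one data stream. Either copy `event.action` from `_temp.audit.command_family` after the grok, or add `- lowercase:` / `field: event.action` / `ignore_missing: true` behind it. The `Bytes` to `http.response.bytes` mapping is an assumption about the SMA audit format that deserves a comment such as `# Bytes is assumed to be the response size; confirm against the SMA audit log reference`. The audit pipeline begins at L45, outside this physical line.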
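Review bot: The fallback `set` of `event.action: authentication-error` at the end of the auth pipeline applies to every Auth message that is not a SAML storage error, including informational ones, while `event.outcome` is only ever set to `failure` (for `error`/`warning`) and never to `success`; an info-level Auth event therefore leaves labelled as an error with no outcome, which inverts the signal for any detection rule counting authentication failures. Consider guarding the fallback with `if: ctx.event?.action == null && ctx.log?.level != 'info'` and adding a matching `success` outcome for info-level events. If this appliance's Auth category genuinely only carries failures, record that with `# Auth category only carries failure messages on SMA; info-level events are not expected` above the first processor.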
@@ -9,6 +9,37 @@ processors:
target_field: event.original
ignore_missing: true
if: ctx.event?.original == null
+ - grok:
+ field: event.original
+ patterns:
+ - '^(?:%{NUMBER:_temp.octet_count} )?<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT:log.syslog.version} %{TIMESTAMP_ISO8601:_temp.syslog.timestamp} %{NOTSPACE:log.syslog.hostname} %{NOTSPACE:log.syslog.appname} %{NOTSPACE:log.syslog.procid} %{NOTSPACE:log.syslog.msgid} \[meta sequenceId="%{NUMBER:event.sequence:long}"\] \[%{DATA:_temp.sonicwall_sma.event_time}\] %{GREEDYDATA:_temp.sonicwall_sma.payload}$'
+ - dissect:
+ field: _temp.sonicwall_sma.payload
+ pattern: '%{observer.name} %{sonicwall_sma.log.thread_id} %{sonicwall_sma.log.component} %{event.code} %{log.level->} %{sonicwall_sma.log.category->} %{message}'
+ - date:
+ field: _temp.sonicwall_sma.event_time
+ target_field: '@timestamp'
+ formats:
+ - dd/MMM/yyyy:HH:mm:ss.SSSSSS Z
+ - dd/MMM/yyyy:HH:mm:ss Z
+ - lowercase:
+ field: log.level
+ ignore_missing: true
+ - script:
+ lang: painless
+ source: |
+ if (ctx.log?.syslog?.priority != null) {
+ def severity = new HashMap();
+ severity['code'] = ctx.log.syslog.priority & 0x7;
+ ctx.log.syslog['severity'] = severity;
+ def facility = new HashMap();
+ facility['code'] = ctx.log.syslog.priority >> 3;
+ ctx.log.syslog['facility'] = facility;
+ }
+ - set:
+ field: observer.hostname
+ copy_from: log.syslog.hostname
+ ignore_empty_value: true
- set:
field: observer.vendor
value: SonicWall
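Review bot: The new grok anchors the whole pattern on a literal `[meta sequenceId="…"]` structured-data element and has no `ignore_failure`, so a syslog line that carries `-` as its SD element or any other SD-ID fails the processor and the document goes to the pipeline-level `on_failure` handler (outside this hunk) with no timestamp, level, category or message parsed. Whether SMA ever emits such lines I cannot tell from the fixtures; if it does not, a comment such as `# Every SMA syslog line carries [meta sequenceId=...]; lines without it are routed to on_failure` above the grok would record the assumption, and if it might, making that element optional in the pattern keeps the rest of the parse. `_temp.octet_count` is captured and never read before the final `_temp` removal, which is fine for RFC 6587 octet-counted framing but worth a one-line comment saying it is deliberately discarded.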
@@ -18,10 +49,49 @@ processors:
- set:
field: observer.type
value: access-management
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.severity
+ value: 3
+ if: ctx.log?.level == 'error'
+ - set:
+ field: event.severity
+ value: 4
+ if: ctx.log?.level == 'warning'
+ - set:
+ field: event.severity
+ value: 6
+ if: ctx.log?.level == 'info'
+ - pipeline:
+ name: '{{ IngestPipeline "audit" }}'
+ if: ctx.sonicwall_sma?.log?.category == 'Audit'
+ - pipeline:
+ name: '{{ IngestPipeline "auth" }}'
+ if: ctx.sonicwall_sma?.log?.category == 'Auth'
+ - pipeline:
+ name: '{{ IngestPipeline "misc" }}'
+ if: ctx.sonicwall_sma?.log?.category == 'Misc'
+ - pipeline:
+ name: '{{ IngestPipeline "session" }}'
+ if: ctx.sonicwall_sma?.log?.category == 'Session'
+ - pipeline:
+ name: '{{ IngestPipeline "system" }}'
+ if: ctx.sonicwall_sma?.log?.category == 'System'
+ - append:
+ field: related.hosts
+ value: '{{{observer.name}}}'
+ allow_duplicates: false
+ if: ctx.observer?.name != null
+ - append:
+ field: related.hosts
+ value: '{{{observer.hostname}}}'
+ allow_duplicates: false
+ if: ctx.observer?.hostname != null
- remove:
field:
- - _tmp
- - message
+ - _temp
ignore_missing: true
on_failure:
- set:
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
new file mode 100644
index 00000000000..292d71b3703
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
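Review bot: `event.severity` is only assigned for the `error`, `warning` and `info` levels, and the category routing only dispatches `Audit`, `Auth`, `Misc`, `Session` and `System`; an event with any other level or category leaves this pipeline with `event.kind: event` but no severity, no `event.category`/`event.type` and no marker that it was not handled, so gaps in coverage are invisible in dashboards and in the pipeline test fixtures. I cannot tell from the hunk which other values the appliance emits, but tagging the unhandled branch makes them easy to find. The append below, placed after the last `pipeline` processor, would do that without changing any parsed field.

```yaml
  # … unchanged: category routing via the five IngestPipeline processors …
  - append:
      field: tags
      value: unhandled_category
      allow_duplicates: false
      if: ctx.sonicwall_sma?.log?.category != null && !['Audit', 'Auth', 'Misc', 'Session', 'System'].contains(ctx.sonicwall_sma.log.category)
```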
@@ -0,0 +1,155 @@ +--- +description: Pipeline for parsing SonicWall SMA miscellaneous events +processors: + - append: + field: event.category + value: network + allow_duplicates: false + - append: + field: event.type + value: info + allow_duplicates: false + - grok: + field: message + patterns: + - '^ PROBE:<%{WORD:sonicwall_sma.log.probe.type}:%{DATA:sonicwall_sma.log.probe.id}:%{DATA:user.name}>:%{GREEDYDATA:sonicwall_sma.log.probe.state}$' + ignore_failure: true + - set: + field: event.action + value: probe + if: ctx.sonicwall_sma?.log?.probe?.state != null + - set: + field: event.outcome + value: failure + if: ctx.sonicwall_sma?.log?.probe?.state != null && ctx.sonicwall_sma.log.probe.state.contains('FAILED') + - set: + field: event.outcome + value: success + if: ctx.sonicwall_sma?.log?.probe?.state != null && ctx.sonicwall_sma.log.probe.state.contains('leaving Recovery state') + - grok: + field: sonicwall_sma.log.probe.state + patterns: + - '^FAILED:rto=%{NUMBER:sonicwall_sma.log.probe.rto_ms:long}ms retries=%{NUMBER:sonicwall_sma.log.probe.retries:long}$' + - '^%{GREEDYDATA:_temp.misc.probe_phase} after %{NUMBER:_temp.misc.probe_duration_seconds:double}s \(rto=%{NUMBER:sonicwall_sma.log.probe.rto_ms:long}ms\)$' + if: ctx.sonicwall_sma?.log?.probe?.state != null + ignore_failure: true + - script: + lang: painless + if: ctx._temp?.misc?.probe_duration_seconds != null + source: | + try { + def seconds = Double.parseDouble(ctx._temp.misc.probe_duration_seconds.toString()); + ctx.event = ctx.event != null ? 
ctx.event : new HashMap(); + ctx.event.duration = (long)(seconds * 1000000000L); + } catch (Exception ignored) { + } + - grok: + field: message + patterns: + - '^ handler is UP \(v4=%{IP:_temp.misc.related_ip} v6=%{DATA:_temp.misc.related_ip_v6}\) username=%{DATA:user.name} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.event?.action == null + ignore_failure: true + - set: + field: event.action + value: handler-up + if: ctx.sonicwall_sma?.log?.session?.id != null && ctx.message != null && ctx.message.contains('handler is UP') + - set: + field: event.outcome + value: success + if: ctx.event?.action == 'handler-up' + - grok: + field: message + patterns: + - '^ SSL:version=%{DATA:sonicwall_sma.log.ssl.version} cipher=%{DATA:tls.cipher} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.contains('SSL:version=') + ignore_failure: true + - set: + field: event.action + value: ssl-negotiated + if: ctx.tls?.cipher != null + - set: + field: network.protocol + value: tls + if: ctx.tls?.cipher != null + - set: + field: event.outcome + value: success + if: ctx.tls?.cipher != null + - grok: + field: message + patterns: + - '^ Client OS Version=%{GREEDYDATA:sonicwall_sma.log.client.os_version} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.contains('Client OS Version=') + ignore_failure: true + - set: + field: event.action + value: client-os-version + if: ctx.sonicwall_sma?.log?.client?.os_version != null + - grok: + field: message + patterns: + - '^ Client Version=%{GREEDYDATA:sonicwall_sma.log.client.version} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.contains('Client Version=') + ignore_failure: true + - set: + field: event.action + value: client-version + if: ctx.sonicwall_sma?.log?.client?.version != null + - grok: + field: message + patterns: + - '^ Tunnel Resumption deleting existing tunnel with same vaddr\(s\): %{IP:_temp.misc.related_ip} $' + if: ctx.message != 
null && ctx.message.contains('Tunnel Resumption deleting existing tunnel') + ignore_failure: true + - set: + field: event.action + value: tunnel-resumption + if: ctx.sonicwall_sma?.log?.tunnel?.old_id != null && ctx.sonicwall_sma?.log?.tunnel?.new_id != null + - grok: + field: message + patterns: + - '^ ESP:tunnelMTUUpdate=%{NUMBER:sonicwall_sma.log.tunnel.mtu.current:long}\(%{NUMBER:sonicwall_sma.log.tunnel.mtu.base:long}\) <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.contains('ESP:tunnelMTUUpdate=') + ignore_failure: true + - set: + field: event.action + value: mtu-update + if: ctx.sonicwall_sma?.log?.tunnel?.mtu?.current != null + - grok: + field: message + patterns: + - '^ ESP:%{DATA:sonicwall_sma.log.crypto} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.startsWith(' ESP:') + ignore_failure: true + - set: + field: event.action + value: tunnel-crypto + if: ctx.sonicwall_sma?.log?.crypto != null + - grok: + field: message + patterns: + - '^ Incomplete message \(only %{NUMBER:_temp.misc.incomplete_actual:long} of %{NUMBER:_temp.misc.incomplete_expected:long} bytes\) of type %{DATA:sonicwall_sma.log.message_type}:%{GREEDYDATA:event.reason} <%{DATA:sonicwall_sma.log.session.id}>$' + if: ctx.message != null && ctx.message.contains('Incomplete message') + ignore_failure: true + - set: + field: event.action + value: incomplete-message + if: ctx.sonicwall_sma?.log?.message_type != null + - set: + field: event.outcome + value: failure + if: ctx.event?.action == 'incomplete-message' + - append: + field: related.ip + value: '{{{_temp.misc.related_ip}}}' + allow_duplicates: false + if: ctx._temp?.misc?.related_ip != null + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + if: ctx.user?.name != null + - remove: + field: + - _temp.misc + ignore_missing: true \ No newline at end of file 
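Review bot: The `tunnel-resumption` action can never be set: its condition requires `sonicwall_sma.log.tunnel.old_id` and `sonicwall_sma.log.tunnel.new_id`, but the preceding grok for `Tunnel Resumption deleting existing tunnel` captures only `_temp.misc.related_ip`, and nothing else in this pipeline writes those two fields. Gate it on the same message test as the grok, `if: ctx.message != null && ctx.message.contains('Tunnel Resumption deleting existing tunnel')`. Separately, the generic `^ ESP:%{DATA:sonicwall_sma.log.crypto} <…>$` grok is guarded only by `startsWith(' ESP:')`, so it also matches the `ESP:tunnelMTUUpdate=` message handled two processors earlier and its `tunnel-crypto` set then overwrites `mtu-update`; adding `&& ctx.event?.action == null` to that grok's condition keeps the more specific match. The misc pipeline starts at L51, outside this physical line.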
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml new file mode 100644 index 00000000000..8adc753f195 --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml 
@@ -0,0 +1,107 @@ +--- +description: Pipeline for parsing SonicWall SMA session events +processors: + - dissect: + field: message + pattern: "Session Start: '(%{user.email})@(%{user.domain})', authenticated." + if: ctx.message != null && ctx.message.startsWith('Session Start:') + ignore_failure: true + - set: + field: user.name + copy_from: user.email + if: ctx.user?.email != null && ctx.user?.name == null + ignore_empty_value: true + - set: + field: event.action + value: session-start + if: ctx.message != null && ctx.message.startsWith('Session Start:') + - append: + field: event.category + value: session + allow_duplicates: false + if: ctx.message != null && ctx.message.startsWith('Session Start:') + - append: + field: event.category + value: authentication + allow_duplicates: false + if: ctx.message != null && ctx.message.startsWith('Session Start:') + - append: + field: event.type + value: start + allow_duplicates: false + if: ctx.message != null && ctx.message.startsWith('Session Start:') + - set: + field: event.outcome + value: success + if: ctx.message != null && ctx.message.startsWith('Session Start:') + - grok: + field: message + patterns: + - '^Inbound ExtraWeb/API SSL connection was rejected because %{GREEDYDATA:event.reason} \(%{IP:source.ip}:%{POSINT:source.port:long}\)$' + if: ctx.message != null && ctx.message.startsWith('Inbound ExtraWeb/API SSL connection was rejected') + ignore_failure: true + - set: + field: event.action + value: tls-connection-rejected + if: ctx.message != null && ctx.message.startsWith('Inbound ExtraWeb/API SSL connection was rejected') + - append: + field: event.category + value: network + allow_duplicates: false + if: ctx.event?.action == 'tls-connection-rejected' + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx.event?.action == 'tls-connection-rejected' + - append: + field: event.type + value: denied + allow_duplicates: false + if: ctx.event?.action == 'tls-connection-rejected' + - set: 
+ field: network.protocol + value: tls + if: ctx.event?.action == 'tls-connection-rejected' + - set: + field: event.outcome + value: failure + if: ctx.event?.action == 'tls-connection-rejected' + - grok: + field: message + patterns: + - '^TLS fatal alert -- %{GREEDYDATA:event.reason} \(%{IP:source.ip}:%{POSINT:source.port:long}\)$' + if: ctx.message != null && ctx.message.startsWith('TLS fatal alert --') + ignore_failure: true + - set: + field: event.action + value: tls-fatal-alert + if: ctx.message != null && ctx.message.startsWith('TLS fatal alert --') + - append: + field: event.category + value: network + allow_duplicates: false + if: ctx.event?.action == 'tls-fatal-alert' + - append: + field: event.type + value: connection + allow_duplicates: false + if: ctx.event?.action == 'tls-fatal-alert' + - set: + field: network.protocol + value: tls + if: ctx.event?.action == 'tls-fatal-alert' + - set: + field: event.outcome + value: failure + if: ctx.event?.action == 'tls-fatal-alert' + - append: + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + if: ctx.user?.name != null \ No newline at end of file diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml new file mode 100644 index 00000000000..a6b0d36e6c8 --- /dev/null +++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml 
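Review bot: The `Session Start` dissect writes the first parenthesised principal straight into `user.email` and then copies it to `user.name`, so if the appliance ever logs a bare username rather than an address, `user.email` holds a value that is not an e-mail; system.yml's `Session End` and `logged in from` dissects share the same pattern. Capturing into `user.name` and deriving `user.email` only when the value contains `@`, e.g. `if: ctx.user?.name != null && ctx.user.name.contains('@')`, keeps the field honest for rules that key on it; I cannot tell from the fixtures whether non-address principals occur. The two TLS failure branches are also inconsistent: the rejected connection gets `event.type: [connection, denied]` while the fatal-alert branch gets only `connection`, although both end the handshake. The session pipeline begins at L55, outside this physical line.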
@@ -0,0 +1,102 @@
+---
+description: Pipeline for parsing SonicWall SMA system events
+processors:
+ - dissect:
+ field: message
+ pattern: "Session End: '(%{user.email})@(%{user.domain})'"
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ ignore_failure: true
+ - set:
+ field: user.name
+ copy_from: user.email
+ if: ctx.user?.email != null && ctx.user?.name == null
+ ignore_empty_value: true
+ - set:
+ field: event.action
+ value: session-end
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ - append:
+ field: event.category
+ value: session
+ allow_duplicates: false
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ - append:
+ field: event.type
+ value: end
+ allow_duplicates: false
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.message != null && ctx.message.startsWith('Session End:')
+ - dissect:
+ field: message
+ pattern: "'(%{user.email})@(%{user.domain})' logged in from %{source.ip} and was assigned to '%{sonicwall_sma.log.assigned_domain}'."
+ if: ctx.message != null && ctx.message.contains(' logged in from ')
+ ignore_failure: true
+ - set:
+ field: user.name
+ copy_from: user.email
+ if: ctx.user?.email != null && ctx.user?.name == null
+ ignore_empty_value: true
+ - set:
+ field: event.action
+ value: user-login
+ if: ctx.message != null && ctx.message.contains(' logged in from ')
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: ctx.message != null && ctx.message.contains(' logged in from ')
+ - append:
+ field: event.type
+ value: start
+ allow_duplicates: false
+ if: ctx.message != null && ctx.message.contains(' logged in from ')
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.message != null && ctx.message.contains(' logged in from ')
+ - grok:
+ field: message
+ patterns:
+ - '^RPC: %{GREEDYDATA:event.reason}$'
+ if: ctx.message != null && ctx.message.startsWith('RPC:')
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: rpc
+ if: ctx.message != null && ctx.message.startsWith('RPC:')
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ if: ctx.event?.action == 'rpc'
+ - append:
+ field: event.type
+ value: connection
+ allow_duplicates: false
+ if: ctx.event?.action == 'rpc'
+ - set:
+ field: network.protocol
+ value: tls
+ if: ctx.event?.action == 'rpc' && ctx.event?.reason != null && ctx.event.reason.contains('SSL')
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.event?.action == 'rpc' && ctx.log?.level != 'info'
+ - append:
+ field: related.ip
+ value: '{{{source.ip}}}'
+ allow_duplicates: false
+ if: ctx.source?.ip != null
+ - append:
+ field: related.user
+ value: '{{{user.name}}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/fields/agent.yml b/packages/sonicwall_sma/data_stream/log/fields/agent.yml
deleted file mode 100644
index e69de29bb2d..00000000000
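Review bot: The `logged in from` dissect writes the raw token straight into `source.ip` without checking that it is an address; `source.ip` is an ECS `ip` field, so a line where the appliance prints a hostname or an `addr:port` pair rejects the whole document at index time instead of just losing that one field. Add a `convert` with `type: ip` right after the dissect and drop the field on failure, as below. The `contains(' logged in from ')` guard is also broader than the `startsWith` guards used for every other message in this file, so any message carrying that substring, from any component, is tagged `user-login` with `event.outcome: success`; anchoring it on the `'(` prefix the dissect expects would narrow it.
```yaml
  - convert:
      field: source.ip
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            field: source.ip
            ignore_missing: true
```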
diff --git a/packages/sonicwall_sma/data_stream/log/fields/ecs.yml b/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
index e69de29bb2d..09df4156470 100644
--- a/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
+++ b/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
@@ -0,0 +1,110 @@
+- external: ecs
+ name: destination.address
+- external: ecs
+ name: destination.bytes
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.port
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.code
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.duration
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.reason
+- external: ecs
+ name: event.sequence
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.start
+- external: ecs
+ name: event.type
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.response.bytes
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: http.version
+- external: ecs
+ name: log.level
+- external: ecs
+ name: log.syslog.appname
+- external: ecs
+ name: log.syslog.facility.code
+- external: ecs
+ name: log.syslog.hostname
+- external: ecs
+ name: log.syslog.msgid
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: log.syslog.procid
+- external: ecs
+ name: log.syslog.severity.code
+- external: ecs
+ name: log.syslog.version
+- external: ecs
+ name: message
+- external: ecs
+ name: network.bytes
+- external: ecs
+ name: network.protocol
+- external: ecs
+ name: network.transport
+- external: ecs
+ name: observer.hostname
+- external: ecs
+ name: observer.name
+- external: ecs
+ name: observer.product
+- external: ecs
+ name: observer.type
+- external: ecs
+ name: observer.vendor
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.bytes
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: tags
+- external: ecs
+ name: tls.cipher
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.original
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user.email
+- external: ecs
+ name: user.name
diff --git a/packages/sonicwall_sma/data_stream/log/fields/fields.yml b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
index e25055238a2..3e5112cfe49 100644
--- a/packages/sonicwall_sma/data_stream/log/fields/fields.yml
+++ b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
@@ -1,3 +1,134 @@
 - name: sonicwall_sma
 type: group
- fields:
\ No newline at end of file
+ fields:
+ - name: log
+ type: group
+ fields:
+ - name: application_name
+ type: keyword
+ description: |
+ Application name reported by the SonicWall SMA audit event.
+ - name: assigned_domain
+ type: keyword
+ description: |
+ Domain or realm assigned to the authenticated user.
+ - name: category
+ type: keyword
+ description: |
+ SonicWall SMA event family.
+ - name: component
+ type: keyword
+ description: |
+ SonicWall SMA component code from the log header.
+ - name: crypto
+ type: keyword
+ description: |
+ Tunnel cryptographic algorithm reported by the client tunnel.
+ - name: equipment_id
+ type: keyword
+ description: |
+ Equipment identifier reported by the SonicWall SMA appliance.
+ - name: message_type
+ type: keyword
+ description: |
+ Kernel message type reported in incomplete-message events.
+ - name: platform_prefix
+ type: keyword
+ description: |
+ Platform prefix reported by the SonicWall SMA appliance.
+ - name: thread_id
+ type: keyword
+ description: |
+ SonicWall SMA thread or worker identifier from the log header.
+ - name: auth
+ type: group
+ fields:
+ - name: mechanism
+ type: keyword
+ description: |
+ Authentication mechanism extracted from the SonicWall SMA message.
+ - name: client
+ type: group
+ fields:
+ - name: os_version
+ type: keyword
+ description: |
+ Reported client operating system version.
+ - name: version
+ type: keyword
+ description: |
+ Reported SonicWall SMA client version.
+ - name: http
+ type: group
+ fields:
+ - name: version_hex
+ type: keyword
+ description: |
+ SonicWall SMA hexadecimal HTTP version identifier.
+ - name: probe
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Probe identifier reported by the SonicWall SMA kernel.
+ - name: retries
+ type: long
+ description: |
+ Probe retry count reported by the SonicWall SMA kernel.
+ - name: rto_ms
+ type: long
+ description: |
+ Probe retransmission timeout in milliseconds.
+ - name: state
+ type: keyword
+ description: |
+ Probe status or transition state.
+ - name: type
+ type: keyword
+ description: |
+ Probe transport type.
+ - name: session
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: |
+ Short-lived SonicWall SMA tunnel session identifier.
+ - name: session_key
+ type: keyword
+ description: |
+ SonicWall SMA session key.
+ - name: ssl
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: |
+ SonicWall SMA SSL version reported by the tunnel kernel message.
+ - name: tunnel
+ type: group
+ fields:
+ - name: new_id
+ type: keyword
+ description: |
+ New tunnel identifier reported during tunnel resumption.
+ - name: old_id
+ type: keyword
+ description: |
+ Previous tunnel identifier reported during tunnel resumption.
+ - name: version
+ type: keyword
+ description: |
+ Tunnel protocol version reported by SonicWall SMA.
+ - name: mtu
+ type: group
+ fields:
+ - name: base
+ type: long
+ description: |
+ Base MTU reported by the SonicWall SMA tunnel.
+ - name: current
+ type: long
+ description: |
+ Current MTU reported by the SonicWall SMA tunnel.
\ No newline at end of file
From 93c0f5e6b5376c3632a9bafc79c70fb95f1ba210 Mon Sep 17 00:00:00 2001
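Review bot: `sonicwall_sma.log.session_key` is described only as `SonicWall SMA session key`, which reads as if a credential were being indexed in clear text. The audit sample later in this series (`SessionKey='SMA-Primary:69f9d2c0:00000000'`) looks like a host:timestamp:counter correlation identifier rather than a secret, but the description should say which; if it is an identifier, `Appliance-assigned session identifier from audit records (host:timestamp:counter); used for correlation, not a credential.` is the wording an analyst needs, and if it can ever carry a bearer value it should not be stored. Descriptions for fields that only appear in one message family (`crypto`, `message_type`, `version_hex`) would also help if they named that family, as `application_name` already does with "audit event".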
From: Wenceslas Lejeune
Date: Thu, 7 May 2026 16:25:50 +0200
Subject: [PATCH 3/6] feat(sonicwall_sma): Upgrade SonicWall SMA integration to parse more events
---
 .../sonicwall_sma/_dev/build/docs/README.md | 19 +-
 .../deploy/docker/sample_logs/test-syslog.log | 7 +
 .../pipeline/test-log-audit.log-expected.json | 6 +-
 .../pipeline/test-log-auth.log-expected.json | 3 +-
 .../pipeline/test-log-misc.log-expected.json | 40 +-
 .../_dev/test/pipeline/test-log-policy.log | 2 +
 .../test-log-policy.log-expected.json | 150 +++++++
 .../_dev/test/pipeline/test-log-session.log | 4 +-
 .../test-log-session.log-expected.json | 154 +++++++-
 .../_dev/test/pipeline/test-log-system.log | 6 +-
 .../test-log-system.log-expected.json | 230 ++++++++++-
 .../log/_dev/test/system/test-tcp-config.yml | 2 +-
 .../log/_dev/test/system/test-tls-config.yml | 2 +-
 .../log/_dev/test/system/test-udp-config.yml | 2 +-
 .../elasticsearch/ingest_pipeline/default.yml | 67 +++-
 .../elasticsearch/ingest_pipeline/policy.yml | 90 +++++
 .../elasticsearch/ingest_pipeline/session.yml | 41 +-
 .../elasticsearch/ingest_pipeline/system.yml | 82 ++++
 .../data_stream/log/fields/ecs.yml | 12 +
 .../data_stream/log/fields/fields.yml | 50 +++
 .../data_stream/log/sample_event.json | 73 +++-
 packages/sonicwall_sma/docs/README.md | 365 ++++++++++++++++++
 22 files changed, 1370 insertions(+), 37 deletions(-)
 create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log
 create mode 100644 packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log-expected.json
 create mode 100644 packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/policy.yml
 create mode 100644 packages/sonicwall_sma/docs/README.md
diff --git a/packages/sonicwall_sma/_dev/build/docs/README.md b/packages/sonicwall_sma/_dev/build/docs/README.md
index cd0cdc37da4..528e0f8fd91 100644
--- a/packages/sonicwall_sma/_dev/build/docs/README.md
+++ b/packages/sonicwall_sma/_dev/build/docs/README.md
@@ -54,9 +54,22 @@ To set up the integration:
 1. Install the SonicWall Secure Mobile Access integration in Fleet.
 2. Choose the input you want to use. Use TCP for reliable delivery, with optional TLS, or UDP for lightweight syslog forwarding.
 3. Configure the listening host and port in the integration policy.
-4. On the SonicWall SMA appliance, configure an external syslog destination that points to the Elastic Agent host and port.
-5. Select which SMA logs you want to export, including audit, authentication, session, system, and tunnel or kernel messages.
-6. Enable the `Preserve original event` option if you want to keep the raw SMA log in `event.original` for troubleshooting.
+4. Enable the `Preserve original event` option if you want to keep the raw SMA log in `event.original` for troubleshooting.
+
+#### SonicWall SMA syslog configuration
+To send log files from the SonicWall SMA appliance to Elastic, you need to [configure a syslog export policy in the SMA](https://www.sonicwall.com/support/technical-documentation/docs/sma_1000-12-4-admin_guide/Content/Administration/sending-log-files-to-a-syslog-server.htm) management interface.
+
+Depending of your appliance model and software version, the exact navigation may differ.
+
+**For older SMA software versions:**
+1. In SMA management interface, go to **Log > Settings**
+2. Under **Log & Alert levels** section, define the severity level of log messages you want to receive in Elastic.
+3. In the **Syslog settings**, type the IP address and the port of your Elastic Agent listener as **Primary syslog server**.
+
+**For newer SMA software versions:**
+1. In the AMC, navigate to **Monitoring > Logging**. The **View Logs** page displays.
+2. Click the **Configure Logging** tab.
+3. Under **Syslog configuration**, type the IP address and port numbers for the Elastic Agent listener.
 
 ### Validation
 After the integration is configured:
diff --git a/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log b/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log
index e69de29bb2d..dcf73eeced6 100644
--- a/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log
+++ b/packages/sonicwall_sma/_dev/deploy/docker/sample_logs/test-syslog.log
@@ -0,0 +1,7 @@
+224 <182>1 2026-05-05T13:24:26+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545825"] [05/May/2026:13:24:26.979461 +0000] SMA-Primary 003405 ps 00000001 Info System Session End: '(user.name@example.org)@(Corp)'
+271 <182>1 2026-05-05T13:14:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1489571"] [05/May/2026:13:14:42.321293 +0000] SMA-Primary 003405 ps 00000000 Info System '(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.
+201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1540947"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System RPC: SSL Handshake Failed.
+[08/Nov/2016:07:16:24.312477 +0000] E-Class SMASSLVPN 002764 up 00000001 Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0
+[09/Nov/2016:21:28:14.610949 +0000] E-Class SMASSLVPN 001539 ps 10000042 Info System Auth: CRL-CERT: Cert verification status = 0, err = 20 'unable to get local issuer certificate'
+[04/Oct/2016:22:29:23.867093 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students)::CLIENT:: Interrogation: Evaluation of OPSWATAV AV1128462569762A [NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE] results: FALSE
+[04/Oct/2016:22:29:23.875781 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students):: Classified into zone: Default zone
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json index 7af640c57fe..b3aa673b550 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-audit.log-expected.json @@ -44,7 +44,6 @@ "version": "1" } }, - "message": "Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'", "network": { "bytes": 8433, "transport": "tcp" @@ -72,6 +71,8 @@ "log": { "category": "Audit", "component": "kt", + "component_name": "kernel tunnel component", + "context_id": "00000000", "equipment_id": "0012_34FF_AD52_4462.", "platform_prefix": "W", "session_key": "SMA-Primary:69f9d2c0:00000000", @@ -144,7 +145,6 @@ "version": "1" } }, - "message": "VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''", "network": { "protocol": "http" }, @@ -168,6 +168,8 @@ "log": { "category": "Audit", "component": "ew", + "component_name": "Web proxy service", + "context_id": "1000045b", "http": { "version_hex": "0x3e9" }, diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json index 608757e6947..25bb02a7e95 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json 
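Review bot: `component_name` for `ew` is expected as `Web proxy service` while the other codes in these fixtures map to all-lower-case names (`kernel tunnel component`, `policy service`, `network tunnel service`); as a keyword this casing shows up in every filter and aggregation, so one convention should be used across the map, e.g. `"component_name": "web proxy service"`. The pipeline that defines the mapping is not in this chunk, so this is inferred from the expected documents only; if the intent is to carry the vendor's display names verbatim, a description on the field saying so would settle it.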
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-auth.log-expected.json @@ -38,7 +38,6 @@ "version": "1" } }, - "message": "::SAML:: SAML Storage error : id/url or samlresponse missing", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -59,6 +58,8 @@ }, "category": "Auth", "component": "ew", + "component_name": "Web proxy service", + "context_id": "1005a618", "thread_id": "003548" } }, diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json index 51eb683649f..7b10dbe0c67 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json @@ -37,7 +37,6 @@ "version": "1" } }, - "message": " PROBE::FAILED:rto=30640ms retries=0", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -58,6 +57,8 @@ "log": { "category": "Misc", "component": "uk", + "component_name": "unknown", + "context_id": "0000020a", "probe": { "id": "4013338d", "retries": 0, @@ -112,7 +113,6 @@ "version": "1" } }, - "message": " handler is UP (v4=192.0.2.1 v6=) username=user.name@example.org <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -136,6 +136,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "session": { "id": "4013fe51" }, @@ -186,7 +188,6 @@ "version": "1" } }, - "message": " SSL:version=3.4 cipher=TLS_AES_256_GCM_SHA384 <4013fe51>", "network": { "protocol": "tls" }, @@ -207,6 +208,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "session": { "id": "4013fe51" }, 
@@ -258,7 +261,6 @@ "version": "1" } }, - "message": " _send_mt_flow_dump_req <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -276,6 +278,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "thread_id": "000000" } }, @@ -318,7 +322,6 @@ "version": "1" } }, - "message": " Using ESPTunnel for all traffic <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -336,6 +339,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "thread_id": "000000" } }, @@ -379,7 +384,6 @@ "version": "1" } }, - "message": " ESP:tunnelMTUUpdate=1436(1500) <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -397,6 +401,7 @@ "log": { "category": "Misc", "component": "ke", + "context_id": "0000020a", "crypto": "tunnelMTUUpdate=1436(1500)", "session": { "id": "4013fe51" @@ -450,7 +455,6 @@ "version": "1" } }, - "message": " ESP:aes256-gcm <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -468,6 +472,7 @@ "log": { "category": "Misc", "component": "ke", + "context_id": "0000020a", "crypto": "aes256-gcm", "session": { "id": "4013fe51" @@ -514,7 +519,6 @@ "version": "1" } }, - "message": " ESP is set on resumption request:f=0 <4013fe51>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -532,6 +536,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "thread_id": "000000" } }, @@ -577,7 +583,6 @@ "version": "1" } }, - "message": " PROBE::leaving Recovery state after 225s (rto=390ms)", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -598,6 +603,8 @@ "log": { "category": "Misc", "component": "uk", + "component_name": "unknown", + "context_id": "0000020a", "probe": { "id": "1234567", "rto_ms": 390, 
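Review bot: With `message` removed from the expected output, a body such as ` _send_mt_flow_dump_req <4013fe51>` leaves a document whose only structured content is `context_id`, `thread_id` and the component name, i.e. nothing that says what happened, so once `preserve_original_event` is off (every fixture here runs with the tag on) those events keep no human-readable text. Either keep `message` when no dedicated field captured the body, or drop it only when `event.original` is present. The pipeline doing the removal is outside this chunk, so this is inferred from the expected documents.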
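Review bot: The `ke` documents (`ESP:tunnelMTUUpdate…`, `ESP:aes256-gcm`) gain `context_id` but no `component_name`, while the `uk` code is explicitly mapped to `unknown`; an unmapped code silently producing an absent field is inconsistent with that and makes `component_name` unusable for a "show me everything from component X" query. Map `ke` explicitly, or give the mapping a default so every document carries `"component_name": "unknown"` when the code is not recognised. The mapping itself is not in this chunk.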
@@ -650,7 +657,6 @@ "version": "1" } }, - "message": " Client OS Version=10.0.26100.1.amd64fre.ge_release.240331-1435 <4013cd8e>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -671,6 +677,8 @@ "os_version": "10.0.26100.1.amd64fre.ge_release.240331-1435" }, "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "session": { "id": "4013cd8e" }, @@ -717,7 +725,6 @@ "version": "1" } }, - "message": " Client Version=12.50.179 <4013cd8e>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -738,6 +745,8 @@ "version": "12.50.179" }, "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "session": { "id": "4013cd8e" }, @@ -784,7 +793,6 @@ "version": "1" } }, - "message": " Tunnel Resumption deleting existing tunnel with same vaddr(s): 192.0.2.1 ", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -805,6 +813,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "thread_id": "000000", "tunnel": { "new_id": "401439ef", @@ -854,7 +864,6 @@ "version": "1" } }, - "message": " Incomplete message (only 1358 of 1366 bytes) of type DATA:creating TP frag <4013841d>", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -872,6 +881,8 @@ "log": { "category": "Misc", "component": "ev", + "component_name": "network tunnel service", + "context_id": "0000020a", "message_type": "DATA", "session": { "id": "4013841d" @@ -920,7 +931,6 @@ "version": "1" } }, - "message": " PROBE::FAILED:rto=7260ms retries=0", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -941,6 +951,8 @@ "log": { "category": "Misc", "component": "uk", + "component_name": "unknown", + "context_id": "0000020a", "probe": { "id": "1234567", "retries": 0, 
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log
new file mode 100644
index 00000000000..7c2f168be3f
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log
@@ -0,0 +1,2 @@
+[09/Nov/2016:02:45:32.282637 +0000] E-Class SMASSLVPN 002421 ps 100004b3 Info EWACL User '(192.168.136.70 (Dominique Daba))@(Students)' connecting from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted
+[09/Nov/2016:04:27:40.965127 +0000] E-Class SMASSLVPN 002873 ps 00000003 Info WPACL User '(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule, access to 'www.seattletimes.com:80' is denied.
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log-expected.json
new file mode 100644
index 00000000000..cfed2850d45
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-policy.log-expected.json
@@ -0,0 +1,150 @@ +{ + "expected": [ + { + "@timestamp": "2016-11-09T02:45:32.282Z", + "destination": { + "address": "127.0.0.1:455", + "ip": "127.0.0.1", + "port": 455 + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "policy-match", + "category": [ + "network" + ], + "code": "100004b3", + "kind": "event", + "original": "[09/Nov/2016:02:45:32.282637 +0000] E-Class SMASSLVPN 002421 ps 100004b3 Info EWACL User '(192.168.136.70 (Dominique Daba))@(Students)' connecting from '192.168.136.70:37975' matched rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted", + "outcome": "success", + "severity": 6, + "type": [ + "access", + "allowed" + ] + }, + "log": { + "level": "info" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ], + "ip": [ + "192.168.136.70", + "127.0.0.1" + ], + "user": [ + "Dominique Daba" + ] + }, + "rule": { + "id": "AV1091719670706", + "name": "preauth access rule", + "ruleset": "EWACL" + }, + "sonicwall_sma": { + "log": { + "category": "EWACL", + "component": "ps", + "component_name": "policy service", + "context_id": "100004b3", + "thread_id": "002421", + "user_identity": "(192.168.136.70 (Dominique Daba))@(Students)" + } + }, + "source": { + "address": "192.168.136.70:37975", + "ip": "192.168.136.70", + "port": 37975 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Dominique Daba", + "group": { + "name": "Students" + }, + "name": "Dominique Daba" + } + }, + { + "@timestamp": "2016-11-09T04:27:40.965Z", + "destination": { + "address": "www.seattletimes.com:80", + "domain": "www.seattletimes.com", + "port": 80 + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "policy-no-match", + "category": [ + "network" + ], + "code": "00000003", + "kind": "event", + "original": "[09/Nov/2016:04:27:40.965127 +0000] 
E-Class SMASSLVPN 002873 ps 00000003 Info WPACL User '(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule, access to 'www.seattletimes.com:80' is denied.", + "outcome": "failure", + "reason": "no matching access rule", + "severity": 6, + "type": [ + "access", + "denied" + ] + }, + "log": { + "level": "info" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ], + "user": [ + "kevin figment" + ] + }, + "rule": { + "ruleset": "WPACL" + }, + "sonicwall_sma": { + "log": { + "category": "WPACL", + "component": "ps", + "component_name": "policy service", + "context_id": "00000003", + "thread_id": "002873", + "user_identity": "(kevin figment)@(Students)" + } + }, + "source": { + "address": "192.168.136.70:0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "group": { + "name": "Students" + }, + "name": "kevin figment" + } + } + ] +} diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log index 0b6557bb3dd..5d6a2eb3aa4 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log 
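Review bot: The denied `WPACL` document keeps only `source.address: "192.168.136.70:0"` with no `source.ip`, `source.port` or `related.ip`, whereas the permitted `EWACL` document (port 37975) gets all three; the deny is the event a detection rule keys on, and it is exactly the one losing the client address. The policy pipeline is not in this chunk, but a grok of the form `%{IP:source.ip}:%{POSINT:source.port:long}` behaves this way because `POSINT` does not match `0`; `%{IP:source.ip}:%{NONNEGINT:source.port:long}`, or splitting the address on its last `:`, keeps the IP regardless of the port. Separately, `user.name` here holds the display name from the inner parentheses (`Dominique Daba`, `kevin figment`), which will not join against the address-based `user.name` produced for the `Session Start` events, so `related.user` will not correlate the two shapes for the same person.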
@@ -1,3 +1,5 @@
 243 <182>1 2026-05-05T13:16:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1503416"] [05/May/2026:13:16:42.253915 +0000] SMA-Primary 003405 ps 00000000 Info Session Session Start: '(user.name@example.org)@(Corp)', authenticated.
 306 <179>1 2026-05-05T13:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1628346"] [05/May/2026:13:39:48.100466 +0000] SMA-Primary 003548 ew 10000000 Error Session Inbound ExtraWeb/API SSL connection was rejected because no mutually acceptable protocol could be negotiated (192.0.2.1:14047)
-229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1549135"] [05/May/2026:13:25:13.136972 +0000] SMA-Primary 003548 ew 10000000 Error Session TLS fatal alert -- bad certificate (192.0.2.1:45988)
\ No newline at end of file
+229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1549135"] [05/May/2026:13:25:13.136972 +0000] SMA-Primary 003548 ew 10000000 Error Session TLS fatal alert -- bad certificate (192.0.2.1:45988)
+[09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'
+229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1549135"] [09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
index 0ce08a79313..8e991c204aa 100644
--- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-session.log-expected.json
@@ -38,7 +38,6 @@ "version": "1" } }, - "message": "Session Start: '(user.name@example.org)@(Corp)', authenticated.", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -59,6 +58,8 @@ "log": { "category": "Session", "component": "ps", + "component_name": "policy service", + "context_id": "00000000", "thread_id": "003405" } }, @@ -66,8 +67,10 @@ "preserve_original_event" ], "user": { - "domain": "Corp", "email": "user.name@example.org", + "group": { + "name": "Corp" + }, "name": "user.name@example.org" } }, @@ -110,7 +113,6 @@ "version": "1" } }, - "message": "Inbound ExtraWeb/API SSL connection was rejected because no mutually acceptable protocol could be negotiated (192.0.2.1:14047)", "network": { "protocol": "tls" }, @@ -134,6 +136,8 @@ "log": { "category": "Session", "component": "ew", + "component_name": "Web proxy service", + "context_id": "10000000", "thread_id": "003548" } }, @@ -183,7 +187,6 @@ "version": "1" } }, - "message": "TLS fatal alert -- bad certificate (192.0.2.1:45988)", "network": { "protocol": "tls" }, @@ -207,6 +210,8 @@ "log": { "category": "Session", "component": "ew", + "component_name": "Web proxy service", + "context_id": "10000000", "thread_id": "003548" } }, 
@@ -217,6 +222,147 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2016-11-09T02:45:32.712Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "authentication", + "category": [ + "authentication", + "session" + ], + "code": "10000531", + "kind": "event", + "original": "[09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'", + "outcome": "success", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ], + "user": [ + "Guest" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ps", + "component_name": "policy service", + "context_id": "10000531", + "realm": "Visitors", + "thread_id": "002421", + "user_identity": "(192.168.136.70 (Guest))@(Students)" + } + }, + "source": { + "ip": "192.168.136.70" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Guest", + "group": { + "name": "Students" + }, + "name": "Guest" + } + }, + { + "@timestamp": "2016-11-09T02:45:32.712Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "authentication", + "category": [ + "authentication", + "session" + ], + "code": "10000531", + "kind": "event", + "original": "229 <179>1 2026-05-05T13:25:13+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1549135\"] [09/Nov/2016:02:45:32.712860 +0000] E-Class SMASSLVPN 002421 ps 10000531 Info Session Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'", + "outcome": "success", + "sequence": 1549135, + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": 
"SMA-Primary.sma", + "msgid": "-", + "priority": 179, + "procid": "-", + "severity": { + "code": 3 + }, + "version": "1" + } + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN", + "SMA-Primary.sma" + ], + "user": [ + "Guest" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ps", + "component_name": "policy service", + "context_id": "10000531", + "realm": "Visitors", + "thread_id": "002421", + "user_identity": "(192.168.136.70 (Guest))@(Students)" + } + }, + "source": { + "ip": "192.168.136.70" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "Guest", + "group": { + "name": "Students" + }, + "name": "Guest" + } } ] } diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log index c919ff9f54a..dcf73eeced6 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log 
@@ -1,3 +1,7 @@
 224 <182>1 2026-05-05T13:24:26+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545825"] [05/May/2026:13:24:26.979461 +0000] SMA-Primary 003405 ps 00000001 Info System Session End: '(user.name@example.org)@(Corp)'
 271 <182>1 2026-05-05T13:14:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1489571"] [05/May/2026:13:14:42.321293 +0000] SMA-Primary 003405 ps 00000000 Info System '(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.
-201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1540947"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System RPC: SSL Handshake Failed.
\ No newline at end of file
+201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1540947"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System RPC: SSL Handshake Failed.
+[08/Nov/2016:07:16:24.312477 +0000] E-Class SMASSLVPN 002764 up 00000001 Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0
+[09/Nov/2016:21:28:14.610949 +0000] E-Class SMASSLVPN 001539 ps 10000042 Info System Auth: CRL-CERT: Cert verification status = 0, err = 20 'unable to get local issuer certificate'
+[04/Oct/2016:22:29:23.867093 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students)::CLIENT:: Interrogation: Evaluation of OPSWATAV AV1128462569762A [NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE] results: FALSE
+[04/Oct/2016:22:29:23.875781 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students):: Classified into zone: Default zone
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json index aeaf57d3fb4..709fe8d8723 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-system.log-expected.json @@ -38,7 +38,6 @@ "version": "1" } }, - "message": "Session End: '(user.name@example.org)@(Corp)'", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -59,6 +58,8 @@ "log": { "category": "System", "component": "ps", + "component_name": "policy service", + "context_id": "00000001", "thread_id": "003405" } }, @@ -108,7 +109,6 @@ "version": "1" } }, - "message": "'(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.", "observer": { "hostname": "SMA-Primary.sma", "name": "SMA-Primary", @@ -133,6 +133,8 @@ "assigned_domain": "DV-Corp", "category": "System", "component": "ps", + "component_name": "policy service", + "context_id": "00000000", "thread_id": "003405" } }, @@ -186,7 +188,6 @@ "version": "1" } }, - "message": "RPC: SSL Handshake Failed.", "network": { "protocol": "tls" }, 
@@ -207,12 +208,235 @@ "log": { "category": "System", "component": "ps", + "component_name": "policy service", + "context_id": "00000001", "thread_id": "003405" } }, "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2016-11-08T07:16:24.312Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "cfg-pool-init", + "category": [ + "configuration" + ], + "code": "00000001", + "kind": "event", + "original": "[08/Nov/2016:07:16:24.312477 +0000] E-Class SMASSLVPN 002764 up 00000001 Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0", + "severity": 6, + "type": [ + "creation" + ] + }, + "log": { + "level": "info" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ] + }, + "sonicwall_sma": { + "log": { + "category": "System", + "component": "up", + "component_name": "network tunnel policy server daemon", + "context_id": "00000001", + "thread_id": "002764" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2016-11-09T21:28:14.610Z", + "ecs": { + "version": "9.3.0" + }, + "error": { + "code": "20" + }, + "event": { + "action": "client-certificate-verification", + "category": [ + "authentication" + ], + "code": "10000042", + "kind": "event", + "original": "[09/Nov/2016:21:28:14.610949 +0000] E-Class SMASSLVPN 001539 ps 10000042 Info System Auth: CRL-CERT: Cert verification status = 0, err = 20 'unable to get local issuer certificate'", + "outcome": "failure", + "reason": "unable to get local issuer certificate", + "severity": 6, + "type": [ + "info" + ] + }, + "log": { + "level": "info" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ] + }, + "sonicwall_sma": { + "log": { + 
"auth": { + "cert_status": 0 + }, + "category": "System", + "component": "ps", + "component_name": "policy service", + "context_id": "10000042", + "thread_id": "001539" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2016-10-04T22:29:23.867Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "epc-interrogation", + "category": [ + "host" + ], + "code": "00000001", + "kind": "event", + "original": "[04/Oct/2016:22:29:23.867093 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students)::CLIENT:: Interrogation: Evaluation of OPSWATAV AV1128462569762A [NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE] results: FALSE", + "severity": 7, + "type": [ + "info" + ] + }, + "log": { + "level": "verbose" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ], + "user": [ + "timwillis" + ] + }, + "sonicwall_sma": { + "log": { + "api": { + "session_id": "QAABA145dFYNZimCKNWHB7p2q2Y=" + }, + "category": "System", + "component": "uk", + "component_name": "unknown", + "context_id": "00000001", + "epc": { + "details": "NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE", + "id": "AV1128462569762A", + "result": "FALSE", + "type": "OPSWATAV" + }, + "thread_id": "027186", + "user_identity": "(timwillis)@(Students)" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "group": { + "name": "Students" + }, + "name": "timwillis" + } + }, + { + "@timestamp": "2016-10-04T22:29:23.875Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "epc-zone-classification", + "category": [ + "host" + ], + "code": "00000001", + "kind": "event", + "original": "[04/Oct/2016:22:29:23.875781 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System 
::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students):: Classified into zone: Default zone", + "severity": 7, + "type": [ + "change" + ] + }, + "log": { + "level": "verbose" + }, + "observer": { + "name": "E-Class SMASSLVPN", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "E-Class SMASSLVPN" + ], + "user": [ + "timwillis" + ] + }, + "sonicwall_sma": { + "log": { + "api": { + "session_id": "QAABA145dFYNZimCKNWHB7p2q2Y=" + }, + "category": "System", + "component": "uk", + "component_name": "unknown", + "context_id": "00000001", + "thread_id": "027186", + "user_identity": "(timwillis)@(Students)", + "zone": "Default zone" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "group": { + "name": "Students" + }, + "name": "timwillis" + } } ] } diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml index 7bc516794f5..bccb3b31a55 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -7,4 +7,4 @@ data_stream: syslog_port: 9515 preserve_original_event: true assert: - hit_count: 86 + hit_count: 7 diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml index 20c2c469696..969909873c7 100644 --- a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml +++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-tls-config.yml @@ -58,4 +58,4 @@ data_stream: rcZR4kw7O4cWsLR4NHJBosUVoaeoCizBB6xLREqISxIZuHKuEcYsRA== -----END RSA PRIVATE KEY----- assert: - hit_count: 86 + hit_count: 7 \ No newline at end of file 
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
index a6b547c45a3..6856c611a25 100644
--- a/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -7,4 +7,4 @@ data_stream:
 syslog_port: 9514
 preserve_original_event: true
 assert:
- hit_count: 86
+ hit_count: 7
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 29e1d65587b..31c9ef2ba63 100644
--- a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -13,9 +13,12 @@ processors:
 field: event.original
 patterns:
 - '^(?:%{NUMBER:_temp.octet_count} )?<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT:log.syslog.version} %{TIMESTAMP_ISO8601:_temp.syslog.timestamp} %{NOTSPACE:log.syslog.hostname} %{NOTSPACE:log.syslog.appname} %{NOTSPACE:log.syslog.procid} %{NOTSPACE:log.syslog.msgid} \[meta sequenceId="%{NUMBER:event.sequence:long}"\] \[%{DATA:_temp.sonicwall_sma.event_time}\] %{GREEDYDATA:_temp.sonicwall_sma.payload}$'
- - dissect:
+ - '^\[%{DATA:_temp.sonicwall_sma.event_time}\] %{GREEDYDATA:_temp.sonicwall_sma.payload}$'
+ - grok:
 field: _temp.sonicwall_sma.payload
- pattern: '%{observer.name} %{sonicwall_sma.log.thread_id} %{sonicwall_sma.log.component} %{event.code} %{log.level->} %{sonicwall_sma.log.category->} %{message}'
+ patterns:
+ - '^\[%{DATA:_temp.sonicwall_sma.event_time}\] %{DATA:observer.name} %{NONNEGINT:sonicwall_sma.log.thread_id} %{WORD:sonicwall_sma.log.component} %{NOTSPACE:event.code} %{WORD:log.level} +%{WORD:sonicwall_sma.log.category} +%{GREEDYDATA:message}$'
+ - '^%{DATA:observer.name} %{NONNEGINT:sonicwall_sma.log.thread_id} %{WORD:sonicwall_sma.log.component} %{NOTSPACE:event.code} %{WORD:log.level} +%{WORD:sonicwall_sma.log.category} +%{GREEDYDATA:message}$'
 - date:
 field: _temp.sonicwall_sma.event_time
 target_field: '@timestamp'
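Review bot: The first pattern of the new payload grok, `'^\[%{DATA:_temp.sonicwall_sma.event_time}\] %{DATA:observer.name} …'`, looks unreachable: both patterns of the preceding grok on event.original already consume the bracketed event time into `_temp.sonicwall_sma.event_time` and leave only the remainder in `_temp.sonicwall_sma.payload`, so the payload never begins with `[`. Unless a framing variant not shown here can leave the bracket in place, dropping that pattern removes a second copy of the header regex that would otherwise have to be kept in sync with the first. `%{DATA:observer.name}` is lazy and delimited only by a single space, so the split depends on the thread id being the first all-digit token after the name (`E-Class SMASSLVPN` itself contains a space); a comment above the patterns recording the header layout (`<observer> <thread_id> <component> <code> <level> <category> <message>`) would make that dependency explicit for the next maintainer.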
@@ -49,6 +52,36 @@ processors:
 - set:
 field: observer.type
 value: access-management
+ - set:
+ field: sonicwall_sma.log.context_id
+ copy_from: event.code
+ if: ctx.event?.code != null
+ ignore_empty_value: true
+ - script:
+ lang: painless
+ if: ctx.sonicwall_sma?.log?.component != null
+ source: |
+ def componentNames = [
+ 'ap': 'API server',
+ 'cp': 'SMA distributed cache client',
+ 'dc': 'SMA distributed cache server',
+ 'ev': 'network tunnel service',
+ 'ew': 'Web proxy service',
+ 'fm': 'failover monitor',
+ 'kp': 'network tunnel kernel mode policy server interface',
+ 'ks': 'network tunnel kernel mode interface to SSL daemon',
+ 'kt': 'kernel tunnel component',
+ 'ls': 'log server',
+ 'ps': 'policy service',
+ 'pt': 'ping/traceroute tools',
+ 'uk': 'unknown',
+ 'up': 'network tunnel policy server daemon',
+ 'us': 'network tunnel user space SSL daemon'
+ ];
+ def componentName = componentNames[ctx.sonicwall_sma.log.component];
+ if (componentName != null) {
+ ctx.sonicwall_sma.log.component_name = componentName;
+ }
 - set:
 field: event.kind
 value: event
@@ -64,6 +97,10 @@ processors:
 field: event.severity
 value: 6
 if: ctx.log?.level == 'info'
+ - set:
+ field: event.severity
+ value: 7
+ if: ctx.log?.level == 'verbose'
 - pipeline:
 name: '{{ IngestPipeline "audit" }}'
 if: ctx.sonicwall_sma?.log?.category == 'Audit'
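Review bot: `sonicwall_sma.log.context_id` is populated solely by `copy_from: event.code`, so the two fields will always hold the same value; the expected JSON added in this commit confirms `code` and `context_id` are identical on every event. If the fourth header token is a context id rather than an event code, the payload grok in the previous hunk should capture it under one name and the other field should go; if both are wanted, the fields.yml description `SonicWall SMA context identifier used to correlate related log entries` should say it mirrors event.code so nobody expects a distinct value. In the painless script the `componentNames` map literal is rebuilt for every document; moving the table to the processor's `params` and reading `params.componentNames[ctx.sonicwall_sma.log.component]` keeps data out of the script body and avoids the per-document allocation.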
@@ -73,12 +110,32 @@ processors:
 - pipeline:
 name: '{{ IngestPipeline "misc" }}'
 if: ctx.sonicwall_sma?.log?.category == 'Misc'
+ - pipeline:
+ name: '{{ IngestPipeline "policy" }}'
+ if: "['EWACL', 'WPACL', 'CSACL', 'NEACL'].contains(ctx.sonicwall_sma?.log?.category)"
 - pipeline:
 name: '{{ IngestPipeline "session" }}'
 if: ctx.sonicwall_sma?.log?.category == 'Session'
 - pipeline:
 name: '{{ IngestPipeline "system" }}'
 if: ctx.sonicwall_sma?.log?.category == 'System'
+ - grok:
+ field: sonicwall_sma.log.user_identity
+ patterns:
+ - '^\(%{IP:_temp.identity.source_ip} \(%{DATA:user.full_name}\)\)@\(%{DATA:user.group.name}\)$'
+ - '^\(%{DATA:user.name}\)@\(%{DATA:user.group.name}\)$'
+ ignore_failure: true
+ ignore_missing: true
+ - set:
+ field: user.name
+ copy_from: user.full_name
+ if: ctx.user?.name == null && ctx.user?.full_name != null
+ ignore_empty_value: true
+ - set:
+ field: source.ip
+ copy_from: _temp.identity.source_ip
+ if: ctx.source?.ip == null && ctx._temp?.identity?.source_ip != null
+ ignore_empty_value: true
 - append:
 field: related.hosts
 value: '{{{observer.name}}}'
@@ -89,9 +146,15 @@ processors:
 value: '{{{observer.hostname}}}'
 allow_duplicates: false
 if: ctx.observer?.hostname != null
+ - append:
+ field: related.user
+ value: '{{{user.name}}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null
 - remove:
 field:
 - _temp
+ - message
 ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/policy.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/policy.yml
new file mode 100644
index 00000000000..81ab1791aee
--- /dev/null
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/policy.yml
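Review bot: The first `user_identity` pattern maps the label inside `(192.168.136.70 (Guest))` to `user.full_name`, and the following `set` copies it into `user.name`, so every guest session from the appliance is attributed to a user literally named `Guest` and lands in `related.user` (the expected JSON added in this commit shows exactly that). In the SMA identity format that label appears to mark an unauthenticated principal identified only by its address, not a person's full name, so `user.full_name` is a doubtful ECS home and `user.name: Guest` will collapse all such sessions into one pseudo-user in user-centric views. Keeping the raw string in `sonicwall_sma.log.user_identity` and the address in `source.ip`, as the hunk already does, and placing the label in a field that does not feed user entity analytics (or leaving `user.name` unset for this form) would be safer; the inferred semantics should be confirmed against the SMA log reference before deciding.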
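Review bot: `message` is now removed unconditionally at the end of the default pipeline, so for lines the sub-pipelines do not fully parse (for example the `CFG Pool Init … name='HQ-pool2' gid=…` sample added in this commit, whose key/value details are extracted nowhere) the only human-readable body left is `event.original`. If, as is usual in this repository but not visible in this hunk, `event.original` is dropped when the `preserve_original_event` tag is absent, those events lose their text entirely. Consider removing `message` in a separate `remove` processor guarded by `if: ctx.tags != null && ctx.tags.contains('preserve_original_event')`, or only after the sub-pipelines have consumed it, so that a deployment without the tag still retains the message body.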
@@ -0,0 +1,90 @@
+---
+description: Pipeline for parsing SonicWall SMA access policy decisions
+processors:
+ - set:
+ field: rule.ruleset
+ copy_from: sonicwall_sma.log.category
+ if: ctx.sonicwall_sma?.log?.category != null
+ ignore_empty_value: true
+ - grok:
+ field: message
+ patterns:
+ - "^User '%{GREEDYDATA:sonicwall_sma.log.user_identity}' connecting from '%{DATA:source.address}' matched rule '%{DATA:_temp.policy.rule}', access to '%{DATA:destination.address}' is %{WORD:_temp.policy.decision}\\.?$"
+ - "^User '%{GREEDYDATA:sonicwall_sma.log.user_identity}' connecting from '%{DATA:source.address}' found no matching access rule, access to '%{DATA:destination.address}' is %{WORD:_temp.policy.decision}\\.?$"
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: policy-match
+ if: ctx._temp?.policy?.rule != null
+ - set:
+ field: event.action
+ value: policy-no-match
+ if: ctx.event?.action == null && ctx.message != null && ctx.message.contains('found no matching access rule')
+ - set:
+ field: event.reason
+ value: no matching access rule
+ if: ctx.event?.action == 'policy-no-match'
+ - grok:
+ field: _temp.policy.rule
+ patterns:
+ - '^accessRule\(%{DATA:rule.id}:%{DATA:rule.name}\)$'
+ if: ctx._temp?.policy?.rule != null
+ ignore_failure: true
+ - grok:
+ field: source.address
+ patterns:
+ - '^%{IP:source.ip}:%{POSINT:source.port:long}$'
+ - '^%{IP:source.ip}$'
+ ignore_failure: true
+ ignore_missing: true
+ - grok:
+ field: destination.address
+ patterns:
+ - '^%{IP:destination.ip}:%{POSINT:destination.port:long}$'
+ - '^%{HOSTNAME:destination.domain}:%{POSINT:destination.port:long}$'
+ - '^%{IP:destination.ip}$'
+ - '^%{HOSTNAME:destination.domain}$'
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ field: event.category
+ value: network
+ allow_duplicates: false
+ if: ctx.event?.action != null
+ - append:
+ field: event.type
+ value: access
+ allow_duplicates: false
+ if: ctx.event?.action != null
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx._temp?.policy?.decision != null && ctx._temp.policy.decision.toLowerCase() == 'permitted'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx._temp?.policy?.decision != null && ctx._temp.policy.decision.toLowerCase() == 'denied'
+ - append:
+ field: event.type
+ value: allowed
+ allow_duplicates: false
+ if: ctx.event?.outcome == 'success'
+ - append:
+ field: event.type
+ value: denied
+ allow_duplicates: false
+ if: ctx.event?.outcome == 'failure'
+ - append:
+ field: related.ip
+ value: '{{{source.ip}}}'
+ allow_duplicates: false
+ if: ctx.source?.ip != null
+ - append:
+ field: related.ip
+ value: '{{{destination.ip}}}'
+ allow_duplicates: false
+ if: ctx.destination?.ip != null
+ - remove:
+ field:
+ - _temp.policy
+ ignore_missing: true
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml
index 8adc753f195..8484b6c2343 100644
--- a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/session.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing SonicWall SMA session events
 processors:
 - dissect:
 field: message
- pattern: "Session Start: '(%{user.email})@(%{user.domain})', authenticated."
+ pattern: "Session Start: '(%{user.email})@(%{user.group.name})', authenticated."
 if: ctx.message != null && ctx.message.startsWith('Session Start:')
 ignore_failure: true
 - set:
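Review bot: None of the pipeline test fixtures visible in this commit contain an EWACL/WPACL/CSACL/NEACL line, so the two `User '…' connecting from '…'` grok patterns, the `accessRule(id:name)` sub-grok and the permitted/denied outcome mapping in this new file appear to be covered by no test; a `test-log-policy.log` with one matched-rule and one no-match sample, plus its expected JSON, would pin them down. The first grok runs on `message` with `ignore_failure: true` but without `ignore_missing: true`, unlike the later groks on `source.address` and `destination.address`; adding it makes a missing message a non-event instead of a swallowed failure. `event.outcome` is only set for `permitted` and `denied`, so any other decision word leaves the event with `event.type: [access]` and no outcome, which deserves a comment above the two outcome `set`s such as `# decisions other than permitted/denied leave event.outcome unset`.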
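Review bot: `Session Start` now writes the parenthesised realm to `user.group.name`, but the matching `Session End` dissect in system.yml (a context line in its first hunk below) still writes the same token to `user.domain`, so a user's start and end events disagree on where the realm lives and `user.domain` remains in ecs.yml only for that path. Change the system.yml pattern to `"Session End: '(%{user.email})@(%{user.group.name})'"` in the same commit and regenerate its expected JSON, or document why the two lifecycle events are meant to differ.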
@@ -34,6 +34,39 @@ processors:
 field: event.outcome
 value: success
 if: ctx.message != null && ctx.message.startsWith('Session Start:')
+ - grok:
+ field: message
+ patterns:
+ - "^Authentication for user '%{GREEDYDATA:sonicwall_sma.log.user_identity}' %{WORD:_temp.session.auth_result} for realm '%{DATA:sonicwall_sma.log.realm}'$"
+ if: ctx.message != null && ctx.message.startsWith('Authentication for user ')
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: authentication
+ if: ctx._temp?.session?.auth_result != null
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: ctx._temp?.session?.auth_result != null
+ - append:
+ field: event.category
+ value: session
+ allow_duplicates: false
+ if: ctx._temp?.session?.auth_result != null
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ if: ctx._temp?.session?.auth_result != null
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx._temp?.session?.auth_result == 'SUCCESS'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx._temp?.session?.auth_result != null && ctx._temp.session.auth_result != 'SUCCESS'
 - grok:
 field: message
 patterns:
@@ -104,4 +137,8 @@ processors:
 field: related.user
 value: '{{{user.name}}}'
 allow_duplicates: false
- if: ctx.user?.name != null
\ No newline at end of file
+ if: ctx.user?.name != null
+ - remove:
+ field:
+ - _temp.session
+ ignore_missing: true
\ No newline at end of file
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml
index a6b0d36e6c8..c870c851092 100644
--- a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/system.yml
@@ -1,6 +1,20 @@
 ---
 description: Pipeline for parsing SonicWall SMA system events
 processors:
+ - set:
+ field: event.action
+ value: cfg-pool-init
+ if: ctx.message != null && ctx.message.startsWith('CFG Pool Init ')
+ - append:
+ field: event.category
+ value: configuration
+ allow_duplicates: false
+ if: ctx.event?.action == 'cfg-pool-init'
+ - append:
+ field: event.type
+ value: creation
+ allow_duplicates: false
+ if: ctx.event?.action == 'cfg-pool-init'
 - dissect:
 field: message
 pattern: "Session End: '(%{user.email})@(%{user.domain})'"
@@ -62,6 +76,34 @@ processors:
 field: event.outcome
 value: success
 if: ctx.message != null && ctx.message.contains(' logged in from ')
+ - grok:
+ field: message
+ patterns:
+ - "^Auth: CRL-CERT: Cert verification status = %{NUMBER:sonicwall_sma.log.auth.cert_status:long}, err = %{NUMBER:error.code} '%{DATA:event.reason}'$"
+ if: "ctx.message != null && ctx.message.startsWith('Auth: CRL-CERT:')"
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: client-certificate-verification
+ if: ctx.sonicwall_sma?.log?.auth?.cert_status != null
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: ctx.event?.action == 'client-certificate-verification'
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ if: ctx.event?.action == 'client-certificate-verification'
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.event?.action == 'client-certificate-verification' && ctx.error?.code == '0'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.event?.action == 'client-certificate-verification' && ctx.error?.code != null && ctx.error.code != '0'
 - grok:
 field: message
 patterns:
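Review bot: The new `cfg-pool-init` branch only sets action, category and type and leaves the pool attributes (`id=1 name='HQ-pool2' gid='…' ndns=2 nwins=2 nsuffix=0` in the fixture) unparsed, and since the default pipeline in this commit now removes `message`, those values survive only inside `event.original`. A `kv` processor over the text following `CFG Pool Init STATIC/NAT ` with `field_split: ' '`, `value_split: '='`, `trim_value: "'"` and a `target_field` under `sonicwall_sma.log` would keep the pool name and id searchable, and the mode token (`STATIC/NAT`) merits its own field. In the CRL-CERT hunk, `err = %{NUMBER:error.code}` is captured as text and both outcome `set`s compare it with the string `'0'`, which is consistent, but `cert_status` next to it is typed `:long`; a comment stating that `error.code` is deliberately left as a string (ECS declares it keyword) would stop someone adding `:long` later and silently breaking both comparisons.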
@@ -90,6 +132,46 @@ processors:
 field: event.outcome
 value: failure
 if: ctx.event?.action == 'rpc' && ctx.log?.level != 'info'
+ - grok:
+ field: message
+ patterns:
+ - '^::API::%{DATA:sonicwall_sma.log.api.session_id}::%{GREEDYDATA:sonicwall_sma.log.user_identity}::CLIENT:: Interrogation: Evaluation of %{WORD:sonicwall_sma.log.epc.type} %{NOTSPACE:sonicwall_sma.log.epc.id} \[%{GREEDYDATA:sonicwall_sma.log.epc.details}\] results: %{WORD:sonicwall_sma.log.epc.result}$'
+ if: "ctx.message != null && ctx.message.contains('::CLIENT:: Interrogation: Evaluation of ')"
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: epc-interrogation
+ if: ctx.sonicwall_sma?.log?.epc?.id != null
+ - append:
+ field: event.category
+ value: host
+ allow_duplicates: false
+ if: ctx.event?.action == 'epc-interrogation'
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ if: ctx.event?.action == 'epc-interrogation'
+ - grok:
+ field: message
+ patterns:
+ - '^::API::%{DATA:sonicwall_sma.log.api.session_id}::%{GREEDYDATA:sonicwall_sma.log.user_identity}:: Classified into zone: %{GREEDYDATA:sonicwall_sma.log.zone}$'
+ if: "ctx.message != null && ctx.message.contains(':: Classified into zone: ')"
+ ignore_failure: true
+ - set:
+ field: event.action
+ value: epc-zone-classification
+ if: ctx.sonicwall_sma?.log?.zone != null
+ - append:
+ field: event.category
+ value: host
+ allow_duplicates: false
+ if: ctx.event?.action == 'epc-zone-classification'
+ - append:
+ field: event.type
+ value: change
+ allow_duplicates: false
+ if: ctx.event?.action == 'epc-zone-classification'
 - append:
 field: related.ip
 value: '{{{source.ip}}}'
diff --git a/packages/sonicwall_sma/data_stream/log/fields/ecs.yml b/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
index 09df4156470..fc081c37c67 100644
--- a/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
+++ b/packages/sonicwall_sma/data_stream/log/fields/ecs.yml
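Review bot: `sonicwall_sma.log.api.session_id` captures the `::API::<value>::` segment, which in the fixture is a base64-looking string (`QAABA145dFYNZimCKNWHB7p2q2Y=`); whether that is an opaque correlation id, as the fields.yml description states, or a reusable API session token is not established anywhere in this commit, and if it is the latter, indexing it verbatim in a keyword field is a data-sensitivity decision that should be confirmed against the SMA log reference before release. Both EPC groks also rely on `%{GREEDYDATA:sonicwall_sma.log.user_identity}` being terminated by `::`, which assumes the identity can contain parentheses and spaces but never a double colon; a comment above the patterns such as `# identity is delimited by '::' and may itself contain spaces and parentheses` would record that assumption.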
@@ -2,6 +2,8 @@
 name: destination.address
 - external: ecs
 name: destination.bytes
+- external: ecs
+ name: destination.domain
 - external: ecs
 name: destination.ip
 - external: ecs
@@ -80,6 +82,12 @@
 name: observer.type
 - external: ecs
 name: observer.vendor
+- external: ecs
+ name: rule.id
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: rule.ruleset
 - external: ecs
 name: related.hosts
 - external: ecs
@@ -106,5 +114,9 @@
 name: user.domain
 - external: ecs
 name: user.email
+- external: ecs
+ name: user.full_name
+- external: ecs
+ name: user.group.name
 - external: ecs
 name: user.name
diff --git a/packages/sonicwall_sma/data_stream/log/fields/fields.yml b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
index 3e5112cfe49..76f12c41d4d 100644
--- a/packages/sonicwall_sma/data_stream/log/fields/fields.yml
+++ b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
@@ -8,6 +8,10 @@
 type: keyword
 description: |
 Application name reported by the SonicWall SMA audit event.
+ - name: context_id
+ type: keyword
+ description: |
+ SonicWall SMA context identifier used to correlate related log entries.
 - name: assigned_domain
 type: keyword
 description: |
@@ -20,6 +24,10 @@
 type: keyword
 description: |
 SonicWall SMA component code from the log header.
+ - name: component_name
+ type: keyword
+ description: |
+ Human-readable SonicWall SMA application name derived from the component code.
 - name: crypto
 type: keyword
 description: |
@@ -36,17 +44,59 @@
 type: keyword
 description: |
 Platform prefix reported by the SonicWall SMA appliance.
+ - name: realm
+ type: keyword
+ description: |
+ Realm referenced by the SonicWall SMA authentication message.
 - name: thread_id
 type: keyword
 description: |
 SonicWall SMA thread or worker identifier from the log header.
+ - name: user_identity
+ type: keyword
+ description: |
+ Raw SonicWall SMA user identity string before ECS normalization.
+ - name: zone
+ type: keyword
+ description: |
+ Zone classification assigned by the SonicWall SMA EPC process.
+ - name: api
+ type: group
+ fields:
+ - name: session_id
+ type: keyword
+ description: |
+ API correlation identifier reported in verbose EPC log entries.
 - name: auth
 type: group
 fields:
+ - name: cert_status
+ type: long
+ description: |
+ Certificate verification status reported by SonicWall SMA.
 - name: mechanism
 type: keyword
 description: |
 Authentication mechanism extracted from the SonicWall SMA message.
+ - name: epc
+ type: group
+ fields:
+ - name: details
+ type: keyword
+ description: |
+ EPC evaluation details reported by SonicWall SMA.
+ - name: id
+ type: keyword
+ description: |
+ EPC evaluation identifier.
+ - name: result
+ type: keyword
+ description: |
+ EPC evaluation result.
+ - name: type
+ type: keyword
+ description: |
+ EPC evaluation type.
 - name: client
 type: group
 fields:
diff --git a/packages/sonicwall_sma/data_stream/log/sample_event.json b/packages/sonicwall_sma/data_stream/log/sample_event.json
index 0e0dcd235c4..c4b3befcac4 100644
--- a/packages/sonicwall_sma/data_stream/log/sample_event.json
+++ b/packages/sonicwall_sma/data_stream/log/sample_event.json
@@ -1,3 +1,74 @@ { - + "@timestamp": "2026-05-05T13:16:42.253Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "session-start", + "category": [ + "session", + "authentication" + ], + "code": "00000000", + "kind": "event", + "original": "243 <182>1 2026-05-05T13:16:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1503416\"] [05/May/2026:13:16:42.253915 +0000] SMA-Primary 003405 ps 00000000 Info Session Session Start: '(user.name@example.org)@(Corp)', authenticated.", + "outcome": "success", + "sequence": 1503416, + "severity": 6, + "type": [ + "start" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ps", + "component_name": "policy service", + "context_id": "00000000", + "thread_id": "003405" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "user.name@example.org", + "group": { + "name": "Corp" + }, + "name": "user.name@example.org" + } } \ No newline at end of file diff --git a/packages/sonicwall_sma/docs/README.md b/packages/sonicwall_sma/docs/README.md new file mode 100644 index 00000000000..9f0f04daea9 --- /dev/null +++ b/packages/sonicwall_sma/docs/README.md 
@@ -0,0 +1,365 @@ + + + +# SonicWall Secure Mobile Access (SMA) Integration for Elastic + +## Overview +The SonicWall Secure Mobile Access (SMA) Integration for Elastic collects syslog events exported by SonicWall SMA appliances. +This integration helps security and operations teams monitor remote access activity, investigate authentication problems, review web and tunnel audit activity, and track tunnel health and transport issues reported by the SMA platform. + +### Compatibility +This integration is intended for SonicWall Secure Mobile Access appliances that can export syslog events in the log formats parsed by this package. +It supports SonicWall SMA audit, authentication, session, system, and miscellaneous kernel and tunnel messages delivered over UDP or TCP. + +### How it works +Elastic Agent listens for SonicWall SMA syslog traffic over UDP or TCP. +The integration ingest pipeline parses the common SMA log header, routes events by event family, and maps the data to ECS fields for authentication, session, network, TLS, and web activity. + +## What data does this integration collect? +The SonicWall Secure Mobile Access integration collects log messages of the following types: +* Audit events for HTTP requests, VPN flow activity, transferred bytes, and session metadata. +* Authentication events such as SAML-related failures. +* Session lifecycle events including session start and TLS negotiation failures. +* System events such as user logins, session termination, and RPC or SSL handshake failures. +* Miscellaneous tunnel and kernel events such as probes, client version reporting, cipher negotiation, and tunnel resumption messages. + +### Supported use cases +This integration supports the following use cases: +* Monitor remote-access user activity, including logins, logouts, and session lifecycle changes. +* Investigate authentication problems such as SAML storage issues and TLS certificate failures. 
+* Review HTTP and VPN audit activity from the SMA portal and remote access tunnel flows. +* Track client tunnel health, probe failures, cipher negotiation, and client version details for troubleshooting. + +## What do I need to use this integration? +Before you deploy this integration, make sure you have: +* A SonicWall SMA appliance configured to forward syslog events. +* Network connectivity from the SonicWall SMA appliance to the Elastic Agent listener. +* The host and port you want Elastic Agent to listen on for SonicWall SMA syslog traffic. +* A TCP TLS certificate configuration if you plan to receive SonicWall SMA logs over encrypted TCP. + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog receiver and ship the data to Elastic, where the events are processed by the integration ingest pipelines. + +### Onboard / configure +To set up the integration: +1. Install the SonicWall Secure Mobile Access integration in Fleet. +2. Choose the input you want to use. Use TCP for reliable delivery, with optional TLS, or UDP for lightweight syslog forwarding. +3. Configure the listening host and port in the integration policy. +4. Enable the `Preserve original event` option if you want to keep the raw SMA log in `event.original` for troubleshooting. + +#### SonicWall SMA syslog configuration +To send log files from the SonicWall SMA appliance to Elastic, you need to [configure a syslog export policy in the SMA](https://www.sonicwall.com/support/technical-documentation/docs/sma_1000-12-4-admin_guide/Content/Administration/sending-log-files-to-a-syslog-server.htm) management interface. + +Depending of your appliance model and software version, the exact navigation may differ. 
+ +**For older SMA software versions:** +1. In SMA management interface, go to **Log > Settings** +2. Under **Log & Alert levels** section, define the severity level of log messages you want to receive in Elastic. +3. In the **Syslog settings**, type the IP address and the port of your Elastic Agent listener as **Primary syslog server**. + +**For newer SMA software versions:** +1. In the AMC, navigate to **Monitoring > Logging**. The **View Logs** page displays. +2. Click the **Configure Logging** tab. +3. Under **Syslog configuration**, type the IP address and port numbers for the Elastic Agent listener. + +### Validation +After the integration is configured: +1. Trigger a known event on the SonicWall SMA appliance, such as a user login or logout, a web portal request, or a tunnel connection attempt. +2. Open Discover or the data stream view for `logs-sonicwall_sma.log-*`. +3. Confirm events are arriving and that fields such as `event.category`, `event.action`, `user.name`, `source.ip`, `destination.ip`, and `tls.cipher` are populated when applicable. +4. If parsing does not look correct, enable `Preserve original event` and review `event.original` alongside the parsed fields. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +Common vendor-specific checks: +* If no logs arrive, verify the SonicWall SMA syslog destination host, port, and transport protocol. +* If TCP with TLS is enabled, verify the Elastic Agent listener certificate configuration and confirm the SMA appliance trusts the configured certificate chain. +* If events arrive but are missing expected fields, enable `Preserve original event` and compare the raw event with the parsed fields in Discover. 
+ +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +For higher-volume SonicWall SMA deployments: +* Prefer TCP when delivery guarantees are more important than minimal overhead. +* Use multiple Elastic Agent instances or a load-balanced syslog tier when collecting logs from several appliances. +* Separate high-volume syslog collection from other workload types when sustained tunnel or audit activity is expected. + +## Reference + +### log + +The `log` data stream provides SonicWall Secure Mobile Access audit, authentication, session, system, and miscellaneous tunnel events. + +#### log fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Input type | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.msgid | An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. 
| ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| sonicwall_sma.log.api.session_id | API correlation identifier reported in verbose EPC log entries. | keyword | +| sonicwall_sma.log.application_name | Application name reported by the SonicWall SMA audit event. | keyword | +| sonicwall_sma.log.assigned_domain | Domain or realm assigned to the authenticated user. | keyword | +| sonicwall_sma.log.auth.cert_status | Certificate verification status reported by SonicWall SMA. | long | +| sonicwall_sma.log.auth.mechanism | Authentication mechanism extracted from the SonicWall SMA message. | keyword | +| sonicwall_sma.log.category | SonicWall SMA event family. | keyword | +| sonicwall_sma.log.client.os_version | Reported client operating system version. | keyword | +| sonicwall_sma.log.client.version | Reported SonicWall SMA client version. | keyword | +| sonicwall_sma.log.component | SonicWall SMA component code from the log header. | keyword | +| sonicwall_sma.log.component_name | Human-readable SonicWall SMA application name derived from the component code. | keyword | +| sonicwall_sma.log.context_id | SonicWall SMA context identifier used to correlate related log entries. | keyword | +| sonicwall_sma.log.crypto | Tunnel cryptographic algorithm reported by the client tunnel. | keyword | +| sonicwall_sma.log.epc.details | EPC evaluation details reported by SonicWall SMA. | keyword | +| sonicwall_sma.log.epc.id | EPC evaluation identifier. | keyword | +| sonicwall_sma.log.epc.result | EPC evaluation result. 
| keyword | +| sonicwall_sma.log.epc.type | EPC evaluation type. | keyword | +| sonicwall_sma.log.equipment_id | Equipment identifier reported by the SonicWall SMA appliance. | keyword | +| sonicwall_sma.log.http.version_hex | SonicWall SMA hexadecimal HTTP version identifier. | keyword | +| sonicwall_sma.log.message_type | Kernel message type reported in incomplete-message events. | keyword | +| sonicwall_sma.log.platform_prefix | Platform prefix reported by the SonicWall SMA appliance. | keyword | +| sonicwall_sma.log.probe.id | Probe identifier reported by the SonicWall SMA kernel. | keyword | +| sonicwall_sma.log.probe.retries | Probe retry count reported by the SonicWall SMA kernel. | long | +| sonicwall_sma.log.probe.rto_ms | Probe retransmission timeout in milliseconds. | long | +| sonicwall_sma.log.probe.state | Probe status or transition state. | keyword | +| sonicwall_sma.log.probe.type | Probe transport type. | keyword | +| sonicwall_sma.log.realm | Realm referenced by the SonicWall SMA authentication message. | keyword | +| sonicwall_sma.log.session.id | Short-lived SonicWall SMA tunnel session identifier. | keyword | +| sonicwall_sma.log.session_key | SonicWall SMA session key. | keyword | +| sonicwall_sma.log.ssl.version | SonicWall SMA SSL version reported by the tunnel kernel message. | keyword | +| sonicwall_sma.log.thread_id | SonicWall SMA thread or worker identifier from the log header. | keyword | +| sonicwall_sma.log.tunnel.mtu.base | Base MTU reported by the SonicWall SMA tunnel. | long | +| sonicwall_sma.log.tunnel.mtu.current | Current MTU reported by the SonicWall SMA tunnel. | long | +| sonicwall_sma.log.tunnel.new_id | New tunnel identifier reported during tunnel resumption. | keyword | +| sonicwall_sma.log.tunnel.old_id | Previous tunnel identifier reported during tunnel resumption. | keyword | +| sonicwall_sma.log.tunnel.version | Tunnel protocol version reported by SonicWall SMA. 
| keyword | +| sonicwall_sma.log.user_identity | Raw SonicWall SMA user identity string before ECS normalization. | keyword | +| sonicwall_sma.log.zone | Zone classification assigned by the SonicWall SMA EPC process. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.name | Name of the group. 
| keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +#### log sample event + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2026-05-05T13:16:42.253Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "action": "session-start", + "category": [ + "session", + "authentication" + ], + "code": "00000000", + "kind": "event", + "original": "243 <182>1 2026-05-05T13:16:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1503416\"] [05/May/2026:13:16:42.253915 +0000] SMA-Primary 003405 ps 00000000 Info Session Session Start: '(user.name@example.org)@(Corp)', authenticated.", + "outcome": "success", + "sequence": 1503416, + "severity": 6, + "type": [ + "start" + ] + }, + "log": { + "level": "info", + "syslog": { + "appname": "logserver", + "facility": { + "code": 22 + }, + "hostname": "SMA-Primary.sma", + "msgid": "-", + "priority": 182, + "procid": "-", + "severity": { + "code": 6 + }, + "version": "1" + } + }, + "observer": { + "hostname": "SMA-Primary.sma", + "name": "SMA-Primary", + "product": "Secure Mobile Access", + "type": "access-management", + "vendor": "SonicWall" + }, + "related": { + "hosts": [ + "SMA-Primary", + "SMA-Primary.sma" + ], + "user": [ + "user.name@example.org" + ] + }, + "sonicwall_sma": { + "log": { + "category": "Session", + "component": "ps", + "component_name": "policy service", + "context_id": "00000000", + "thread_id": "003405" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "user.name@example.org", + "group": { + "name": "Corp" + }, + "name": "user.name@example.org" + } +} +``` + +### Inputs used + +These inputs can be used with this integration: +
+tcp + +## Setup + +For more details about the TCP input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp). + +### Collecting logs from TCP + +To collect logs via TCP, select **Collect logs via TCP** and configure the following parameters: + +**Required Settings:** +- Host +- Port + +**Common Optional Settings:** +- Max Message Size - Maximum size of incoming messages +- Max Connections - Maximum number of concurrent connections +- Timeout - How long to wait for data before closing idle connections +- Line Delimiter - Character(s) that separate log messages + +## SSL/TLS Configuration + +To enable encrypted connections, configure the following SSL settings: + +**SSL Settings:** +- Enable SSL - Toggle to enable SSL/TLS encryption +- Certificate - Path to the SSL certificate file (`.crt` or `.pem`) +- Certificate Key - Path to the private key file (`.key`) +- Certificate Authorities - Path to CA certificate file for client certificate validation (optional) +- Client Authentication - Require client certificates (`none`, `optional`, or `required`) +- Supported Protocols - TLS versions to support (e.g., `TLSv1.2`, `TLSv1.3`) + +**Example SSL Configuration:** +```yaml +ssl.enabled: true +ssl.certificate: "/path/to/server.crt" +ssl.key: "/path/to/server.key" +ssl.certificate_authorities: ["/path/to/ca.crt"] +ssl.client_authentication: "optional" +``` +
+
+udp + +## Setup + +For more details about the UDP input settings, check the [Filebeat documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp). + +### Collecting logs from UDP + +To collect logs via UDP, select **Collect logs via UDP** and configure the following parameters: + +**Required Settings:** +- Host +- Port + +**Common Optional Settings:** +- Max Message Size - Maximum size of UDP packets to accept (default: 10KB, max: 64KB) +- Read Buffer - UDP socket read buffer size for handling bursts of messages +- Read Timeout - How long to wait for incoming packets before checking for shutdown +
From f8be56c550c9b21a70767dc02e08e2e16734f75d Mon Sep 17 00:00:00 2001
From: Wenceslas Lejeune
Date: Thu, 7 May 2026 16:36:52 +0200
Subject: [PATCH 4/6] feat(sonicwall_sma): Update changelog link for initial release
---
 packages/sonicwall_sma/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/sonicwall_sma/changelog.yml b/packages/sonicwall_sma/changelog.yml
index b1d49ce17f5..dcbf06d6c6c 100644
--- a/packages/sonicwall_sma/changelog.yml
+++ b/packages/sonicwall_sma/changelog.yml
@@ -3,4 +3,4 @@
   changes:
     - description: initial release
       type: enhancement # can be one of: enhancement, bugfix, breaking-change
-      link: https://github.com/elastic/integrations/pull/12345
+      link: https://github.com/elastic/integrations/pull/18877
From 91f295e903f3d76dc7e750b3dccd1ad2de68e8eb Mon Sep 17 00:00:00 2001
From: Wenceslas Lejeune
Date: Thu, 7 May 2026 17:53:34 +0200
Subject: [PATCH 5/6] fix(sonicwall_sma): Standardize session id handling in log
---
 .../pipeline/test-log-misc.log-expected.json | 16 ++++++++++++----
 .../log/elasticsearch/ingest_pipeline/misc.yml | 6 +++---
 .../data_stream/log/fields/fields.yml | 10 +---------
 packages/sonicwall_sma/docs/README.md | 4 +---
 4 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
index 7b10dbe0c67..484f435fb77 100644
--- a/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
+++ b/packages/sonicwall_sma/data_stream/log/_dev/test/pipeline/test-log-misc.log-expected.json
@@ -60,12 +60,14 @@
                     "component_name": "unknown",
                     "context_id": "0000020a",
                     "probe": {
-                        "id": "4013338d",
                         "retries": 0,
                         "rto_ms": 30640,
                         "state": "FAILED:rto=30640ms retries=0",
                         "type": "TUN"
                     },
+                    "session": {
+                        "id": "4013338d"
+                    },
                     "thread_id": "000000"
                 }
             },
@@ -606,11 +608,13 @@
                     "component_name": "unknown",
                     "context_id": "0000020a",
                     "probe": {
-                        "id": "1234567",
                         "rto_ms": 390,
                         "state": "leaving Recovery state after 225s (rto=390ms)",
                         "type": "ESP"
                     },
+                    "session": {
+                        "id": "1234567"
+                    },
                     "thread_id": "000000"
                 }
             },
@@ -815,9 +819,11 @@
                     "component": "ev",
                     "component_name": "network tunnel service",
                     "context_id": "0000020a",
+                    "session": {
+                        "id": "401439ef"
+                    },
                     "thread_id": "000000",
                     "tunnel": {
-                        "new_id": "401439ef",
                         "old_id": "40142fb7"
                     }
                 }
@@ -954,12 +960,14 @@
                     "component_name": "unknown",
                     "context_id": "0000020a",
                     "probe": {
-                        "id": "1234567",
                         "retries": 0,
                         "rto_ms": 7260,
                         "state": "FAILED:rto=7260ms retries=0",
                         "type": "ESP"
                     },
+                    "session": {
+                        "id": "1234567"
+                    },
                     "thread_id": "000000"
                 }
             },
diff --git a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
index 292d71b3703..2be00b64bce 100644
--- a/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
+++ b/packages/sonicwall_sma/data_stream/log/elasticsearch/ingest_pipeline/misc.yml
@@ -12,7 +12,7 @@ processors:
   - grok:
       field: message
       patterns:
-        - '^ PROBE:<%{WORD:sonicwall_sma.log.probe.type}:%{DATA:sonicwall_sma.log.probe.id}:%{DATA:user.name}>:%{GREEDYDATA:sonicwall_sma.log.probe.state}$'
+        - '^ PROBE:<%{WORD:sonicwall_sma.log.probe.type}:%{DATA:sonicwall_sma.log.session.id}:%{DATA:user.name}>:%{GREEDYDATA:sonicwall_sma.log.probe.state}$'
       ignore_failure: true
   - set:
       field: event.action
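Review bot: The PROBE grok holding the changed pattern runs against every message with `ignore_failure: true` and no `if` guard, so a real pattern failure on a PROBE line is silently swallowed and the loose `%{DATA}` captures for `session.id` and `user.name` are attempted on unrelated messages. The Tunnel Resumption grok later in this file guards with `if: ctx.message != null && ctx.message.contains('Tunnel Resumption deleting existing tunnel')`; giving this processor the same shape, `if: ctx.message != null && ctx.message.contains('PROBE:')`, keeps the two consistent and lets `ignore_failure` cover only genuine PROBE lines. The processor list continues outside the hunk.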
@@ -98,13 +98,13 @@ processors:
   - grok:
       field: message
       patterns:
-        - '^ Tunnel Resumption deleting existing tunnel with same vaddr\(s\): %{IP:_temp.misc.related_ip} $'
+        - '^ Tunnel Resumption deleting existing tunnel with same vaddr\(s\): %{IP:_temp.misc.related_ip} $'
       if: ctx.message != null && ctx.message.contains('Tunnel Resumption deleting existing tunnel')
       ignore_failure: true
   - set:
       field: event.action
       value: tunnel-resumption
-      if: ctx.sonicwall_sma?.log?.tunnel?.old_id != null && ctx.sonicwall_sma?.log?.tunnel?.new_id != null
+      if: ctx.sonicwall_sma?.log?.tunnel?.old_id != null && ctx.sonicwall_sma?.log?.session?.id != null
   - grok:
       field: message
       patterns:
diff --git a/packages/sonicwall_sma/data_stream/log/fields/fields.yml b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
index 76f12c41d4d..ec88342168f 100644
--- a/packages/sonicwall_sma/data_stream/log/fields/fields.yml
+++ b/packages/sonicwall_sma/data_stream/log/fields/fields.yml
@@ -118,10 +118,6 @@
     - name: probe
       type: group
       fields:
-        - name: id
-          type: keyword
-          description: |
-            Probe identifier reported by the SonicWall SMA kernel.
         - name: retries
           type: long
           description: |
@@ -144,7 +140,7 @@
         - name: id
           type: keyword
           description: |
-            Short-lived SonicWall SMA tunnel session identifier.
+            SonicWall SMA tunnel probe session identifier.
     - name: session_key
       type: keyword
       description: |
@@ -159,10 +155,6 @@
     - name: tunnel
       type: group
       fields:
-        - name: new_id
-          type: keyword
-          description: |
-            New tunnel identifier reported during tunnel resumption.
         - name: old_id
           type: keyword
           description: |
diff --git a/packages/sonicwall_sma/docs/README.md b/packages/sonicwall_sma/docs/README.md
index 9f0f04daea9..f434d615051 100644
--- a/packages/sonicwall_sma/docs/README.md
+++ b/packages/sonicwall_sma/docs/README.md
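Review bot: The new description `SonicWall SMA tunnel probe session identifier.` for `session.id` is narrower than the field's use after this commit: the same change drops `tunnel.new_id`, and the expected test output now reports the resumption tunnel id under `sonicwall_sma.log.session.id`, so a reader of the field reference would not expect tunnel-resumption events to populate it. A description covering both sources, e.g. `Tunnel session identifier reported in probe messages and, on tunnel resumption, the identifier of the new tunnel.`, would document the standardized field accurately. The README table row edited in this commit should carry the same wording, since it is generated from this file.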
@@ -182,19 +182,17 @@ The `log` data stream provides SonicWall Secure Mobile Access audit, authenticat
| sonicwall_sma.log.http.version_hex | SonicWall SMA hexadecimal HTTP version identifier. | keyword |
| sonicwall_sma.log.message_type | Kernel message type reported in incomplete-message events. | keyword |
| sonicwall_sma.log.platform_prefix | Platform prefix reported by the SonicWall SMA appliance. | keyword |
-| sonicwall_sma.log.probe.id | Probe identifier reported by the SonicWall SMA kernel. | keyword |
| sonicwall_sma.log.probe.retries | Probe retry count reported by the SonicWall SMA kernel. | long |
| sonicwall_sma.log.probe.rto_ms | Probe retransmission timeout in milliseconds. | long |
| sonicwall_sma.log.probe.state | Probe status or transition state. | keyword |
| sonicwall_sma.log.probe.type | Probe transport type. | keyword |
| sonicwall_sma.log.realm | Realm referenced by the SonicWall SMA authentication message. | keyword |
-| sonicwall_sma.log.session.id | Short-lived SonicWall SMA tunnel session identifier. | keyword |
+| sonicwall_sma.log.session.id | SonicWall SMA tunnel probe session identifier. | keyword |
| sonicwall_sma.log.session_key | SonicWall SMA session key. | keyword |
| sonicwall_sma.log.ssl.version | SonicWall SMA SSL version reported by the tunnel kernel message. | keyword |
| sonicwall_sma.log.thread_id | SonicWall SMA thread or worker identifier from the log header. | keyword |
| sonicwall_sma.log.tunnel.mtu.base | Base MTU reported by the SonicWall SMA tunnel. | long |
| sonicwall_sma.log.tunnel.mtu.current | Current MTU reported by the SonicWall SMA tunnel. | long |
-| sonicwall_sma.log.tunnel.new_id | New tunnel identifier reported during tunnel resumption. | keyword |
| sonicwall_sma.log.tunnel.old_id | Previous tunnel identifier reported during tunnel resumption. | keyword |
| sonicwall_sma.log.tunnel.version | Tunnel protocol version reported by SonicWall SMA.
| keyword |
| sonicwall_sma.log.user_identity | Raw SonicWall SMA user identity string before ECS normalization. | keyword |
From 3ae92f6e8b825d6ad588545ad0832faf3e25a596 Mon Sep 17 00:00:00 2001
From: Wenceslas Lejeune
Date: Thu, 7 May 2026 17:53:47 +0200
Subject: [PATCH 6/6] feat(sonicwall_sma): Bump version to 0.1.1 in changelog and manifest
---
packages/sonicwall_sma/changelog.yml | 2 +-
packages/sonicwall_sma/manifest.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/sonicwall_sma/changelog.yml b/packages/sonicwall_sma/changelog.yml
index dcbf06d6c6c..1e946204860 100644
--- a/packages/sonicwall_sma/changelog.yml
+++ b/packages/sonicwall_sma/changelog.yml
@@ -1,5 +1,5 @@
# newer versions go on top
-- version: "0.1.0"
+- version: "0.1.1"
changes:
- description: initial release
type: enhancement # can be one of: enhancement, bugfix, breaking-change
diff --git a/packages/sonicwall_sma/manifest.yml b/packages/sonicwall_sma/manifest.yml
index 5387bde1644..664aaeaf90e 100644
--- a/packages/sonicwall_sma/manifest.yml
+++ b/packages/sonicwall_sma/manifest.yml
@@ -1,6 +1,6 @@
name: sonicwall_sma
title: SonicWall Secure Mobile Access
-version: "0.1.0"
+version: "0.1.1"
description: Collect logs from SonicWall Secure Mobile Access with Elastic Agent.
type: integration
icons:
