elastic · IOITI · May 5, 2026 · May 6, 2026 · May 7, 2026 · May 7, 2026
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "git@v9.3.0"
@@ -0,0 +1,115 @@
+{{- generatedHeader }}
+{{/*
+This template can be used as a starting point for writing documentation for your new integration. For each section, fill in the details
+described in the comments.
+
+Find more detailed documentation guidelines in https://www.elastic.co/docs/extend/integrations/documentation-guidelines
+*/}}
+# SonicWall Secure Mobile Access (SMA) Integration for Elastic
+
+## Overview
+The SonicWall Secure Mobile Access (SMA) Integration for Elastic collects syslog events exported by SonicWall SMA appliances.
+This integration helps security and operations teams monitor remote access activity, investigate authentication problems, review web and tunnel audit activity, and track tunnel health and transport issues reported by the SMA platform.
+
+### Compatibility
+This integration is intended for SonicWall Secure Mobile Access appliances that can export syslog events in the log formats parsed by this package.
+It supports SonicWall SMA audit, authentication, session, system, and miscellaneous kernel and tunnel messages delivered over UDP or TCP.
+
+### How it works
+Elastic Agent listens for SonicWall SMA syslog traffic over UDP or TCP.
+The integration ingest pipeline parses the common SMA log header, routes events by event family, and maps the data to ECS fields for authentication, session, network, TLS, and web activity.
+
+## What data does this integration collect?
+The SonicWall Secure Mobile Access integration collects log messages of the following types:
+* Audit events for HTTP requests, VPN flow activity, transferred bytes, and session metadata.
+* Authentication events such as SAML-related failures.
+* Session lifecycle events including session start and TLS negotiation failures.
+* System events such as user logins, session termination, and RPC or SSL handshake failures.
+* Miscellaneous tunnel and kernel events such as probes, client version reporting, cipher negotiation, and tunnel resumption messages.
+
+### Supported use cases
+This integration supports the following use cases:
+* Monitor remote-access user activity, including logins, logouts, and session lifecycle changes.
+* Investigate authentication problems such as SAML storage issues and TLS certificate failures.
+* Review HTTP and VPN audit activity from the SMA portal and remote access tunnel flows.
+* Track client tunnel health, probe failures, cipher negotiation, and client version details for troubleshooting.
+
+## What do I need to use this integration?
+Before you deploy this integration, make sure you have:
+* A SonicWall SMA appliance configured to forward syslog events.
+* Network connectivity from the SonicWall SMA appliance to the Elastic Agent listener.
+* The host and port you want Elastic Agent to listen on for SonicWall SMA syslog traffic.
+* A TCP TLS certificate configuration if you plan to receive SonicWall SMA logs over encrypted TCP.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog receiver and ship the data to Elastic, where the events are processed by the integration ingest pipelines.
+
+### Onboard / configure
+To set up the integration:
+1. Install the SonicWall Secure Mobile Access integration in Fleet.
+2. Choose the input you want to use. Use TCP for reliable delivery, with optional TLS, or UDP for lightweight syslog forwarding.
+3. Configure the listening host and port in the integration policy.
+4. Enable the `Preserve original event` option if you want to keep the raw SMA log in `event.original` for troubleshooting.
+
+#### SonicWall SMA syslog configuration
+To send log files from the SonicWall SMA appliance to Elastic, you need to [configure a syslog export policy in the SMA](https://www.sonicwall.com/support/technical-documentation/docs/sma_1000-12-4-admin_guide/Content/Administration/sending-log-files-to-a-syslog-server.htm) management interface.
+
+Depending of your appliance model and software version, the exact navigation may differ.
+
+**For older SMA software versions:**
+1. In SMA management interface, go to **Log > Settings**
+2. Under **Log & Alert levels** section, define the severity level of log messages you want to receive in Elastic.
+3. In the **Syslog settings**, type the IP address and the port of your Elastic Agent listener as **Primary syslog server**.
+
+**For newer SMA software versions:**
+1. In the AMC, navigate to **Monitoring > Logging**. The **View Logs** page displays.
+2. Click the **Configure Logging** tab.
+3. Under **Syslog configuration**, type the IP address and port numbers for the Elastic Agent listener.
+
+### Validation
+After the integration is configured:
+1. Trigger a known event on the SonicWall SMA appliance, such as a user login or logout, a web portal request, or a tunnel connection attempt.
+2. Open Discover or the data stream view for `logs-sonicwall_sma.log-*`.
+3. Confirm events are arriving and that fields such as `event.category`, `event.action`, `user.name`, `source.ip`, `destination.ip`, and `tls.cipher` are populated when applicable.
+4. If parsing does not look correct, enable `Preserve original event` and review `event.original` alongside the parsed fields.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+Common vendor-specific checks:
+* If no logs arrive, verify the SonicWall SMA syslog destination host, port, and transport protocol.
+* If TCP with TLS is enabled, verify the Elastic Agent listener certificate configuration and confirm the SMA appliance trusts the configured certificate chain.
+* If events arrive but are missing expected fields, enable `Preserve original event` and compare the raw event with the parsed fields in Discover.
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+For higher-volume SonicWall SMA deployments:
+* Prefer TCP when delivery guarantees are more important than minimal overhead.
+* Use multiple Elastic Agent instances or a load-balanced syslog tier when collecting logs from several appliances.
+* Separate high-volume syslog collection from other workload types when sustained tunnel or audit activity is expected.
+
+## Reference
+
+### log
+
+The `log` data stream provides SonicWall Secure Mobile Access audit, authentication, session, system, and miscellaneous tunnel events.
+
+#### log fields
+
+{{ fields "log" }}
+
+#### log sample event
+
+{{ event "log" }}
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+  sonicwall_sma-log-udp:
+    image: docker.elastic.co/observability/stream:v0.18.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/test-syslog.log
+  sonicwall_sma-log-tcp:
+    image: docker.elastic.co/observability/stream:v0.18.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=tcp /sample_logs/test-syslog.log
+  sonicwall_sma-log-tls:
+    image: docker.elastic.co/observability/stream:v0.18.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9516 -p=tls --insecure /sample_logs/test-syslog.log
@@ -0,0 +1,7 @@
+224 <182>1 2026-05-05T13:24:26+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1545825"] [05/May/2026:13:24:26.979461 +0000] SMA-Primary 003405 ps 00000001 Info    System  Session End: '(user.name@example.org)@(Corp)'
+271 <182>1 2026-05-05T13:14:42+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1489571"] [05/May/2026:13:14:42.321293 +0000] SMA-Primary 003405 ps 00000000 Info    System  '(user.name@example.org)@(Corp)' logged in from 192.0.2.1 and was assigned to 'DV-Corp'.
+201 <180>1 2026-05-05T13:23:25+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1540947"] [05/May/2026:13:23:25.396776 +0000] SMA-Primary 003405 ps 00000001 Warning System  RPC: SSL Handshake Failed.
+[08/Nov/2016:07:16:24.312477 +0000] E-Class SMASSLVPN 002764 up 00000001 Info System CFG Pool Init STATIC/NAT id=1 name='HQ-pool2' gid='AV1160554493976A' ndns=2 nwins=2 nsuffix=0
+[09/Nov/2016:21:28:14.610949 +0000] E-Class SMASSLVPN 001539 ps 10000042 Info System Auth: CRL-CERT: Cert verification status = 0, err = 20 'unable to get local issuer certificate'
+[04/Oct/2016:22:29:23.867093 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students)::CLIENT:: Interrogation: Evaluation of OPSWATAV AV1128462569762A [NortonAV.dll,Symantec Corp.,Symantec Client Security,>=,9.x,,,,,FALSE] results: FALSE
+[04/Oct/2016:22:29:23.875781 +0000] E-Class SMASSLVPN 027186 uk 00000001 Verbose System ::API::QAABA145dFYNZimCKNWHB7p2q2Y=::(timwillis)@(Students):: Classified into zone: Default zone
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: initial release
+      type: enhancement # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/integrations/pull/18877
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event
@@ -0,0 +1,2 @@
+458 <182>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1114486"] [05/May/2026:11:39:48.259055 +0000] SMA-Primary 000000 kt 00000000 Info    Audit   Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'
+473 <182>1 2026-05-05T13:46:54+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1668855"] [05/May/2026:13:46:55.014635 +0000] SMA-Primary 003548 ew 1000045b Info    Audit   VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''
@@ -0,0 +1,192 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2026-05-05T11:39:48.259Z",
+            "destination": {
+                "address": "192.0.2.1:443",
+                "bytes": 5170,
+                "ip": "192.0.2.1",
+                "port": 443
+            },
+            "ecs": {
+                "version": "9.3.0"
+            },
+            "event": {
+                "action": "Flow:TCP",
+                "category": [
+                    "network"
+                ],
+                "code": "00000000",
+                "duration": 1000000000,
+                "kind": "event",
+                "original": "458 <182>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1114486\"] [05/May/2026:11:39:48.259055 +0000] SMA-Primary 000000 kt 00000000 Info    Audit   Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'",
+                "outcome": "success",
+                "sequence": 1114486,
+                "severity": 6,
+                "type": [
+                    "connection"
+                ]
+            },
+            "log": {
+                "level": "info",
+                "syslog": {
+                    "appname": "logserver",
+                    "facility": {
+                        "code": 22
+                    },
+                    "hostname": "SMA-Primary.sma",
+                    "msgid": "-",
+                    "priority": 182,
+                    "procid": "-",
+                    "severity": {
+                        "code": 6
+                    },
+                    "version": "1"
+                }
+            },
+            "network": {
+                "bytes": 8433,
+                "transport": "tcp"
+            },
+            "observer": {
+                "hostname": "SMA-Primary.sma",
+                "name": "SMA-Primary",
+                "product": "Secure Mobile Access",
+                "type": "access-management",
+                "vendor": "SonicWall"
+            },
+            "related": {
+                "hosts": [
+                    "SMA-Primary",
+                    "SMA-Primary.sma"
+                ],
+                "ip": [
+                    "192.0.2.1"
+                ],
+                "user": [
+                    "user.name@example.org"
+                ]
+            },
+            "sonicwall_sma": {
+                "log": {
+                    "category": "Audit",
+                    "component": "kt",
+                    "component_name": "kernel tunnel component",
+                    "context_id": "00000000",
+                    "equipment_id": "0012_34FF_AD52_4462.",
+                    "platform_prefix": "W",
+                    "session_key": "SMA-Primary:69f9d2c0:00000000",
+                    "thread_id": "000000",
+                    "tunnel": {
+                        "version": "0x102"
+                    }
+                }
+            },
+            "source": {
+                "address": "192.0.2.1:64026",
+                "bytes": 3263,
+                "ip": "192.0.2.1",
+                "port": 64026
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "domain": "Corp",
+                "email": "user.name@example.org",
+                "name": "user.name@example.org"
+            }
+        },
+        {
+            "@timestamp": "2026-05-05T13:46:55.014Z",
+            "ecs": {
+                "version": "9.3.0"
+            },
+            "event": {
+                "action": "GET",
+                "category": [
+                    "web"
+                ],
+                "code": "1000045b",
+                "kind": "event",
+                "original": "473 <182>1 2026-05-05T13:46:54+00:00 SMA-Primary.sma logserver - - [meta sequenceId=\"1668855\"] [05/May/2026:13:46:55.014635 +0000] SMA-Primary 003548 ew 1000045b Info    Audit   VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''",
+                "outcome": "success",
+                "sequence": 1668855,
+                "severity": 6,
+                "start": "2026-05-05T13:46:55.000Z",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "method": "GET"
+                },
+                "response": {
+                    "bytes": 77,
+                    "status_code": 200
+                },
+                "version": "1.1"
+            },
+            "log": {
+                "level": "info",
+                "syslog": {
+                    "appname": "logserver",
+                    "facility": {
+                        "code": 22
+                    },
+                    "hostname": "SMA-Primary.sma",
+                    "msgid": "-",
+                    "priority": 182,
+                    "procid": "-",
+                    "severity": {
+                        "code": 6
+                    },
+                    "version": "1"
+                }
+            },
+            "network": {
+                "protocol": "http"
+            },
+            "observer": {
+                "hostname": "SMA-Primary.sma",
+                "name": "SMA-Primary",
+                "product": "Secure Mobile Access",
+                "type": "access-management",
+                "vendor": "SonicWall"
+            },
+            "related": {
+                "hosts": [
+                    "SMA-Primary",
+                    "SMA-Primary.sma"
+                ],
+                "ip": [
+                    "192.0.2.1"
+                ]
+            },
+            "sonicwall_sma": {
+                "log": {
+                    "category": "Audit",
+                    "component": "ew",
+                    "component_name": "Web proxy service",
+                    "context_id": "1000045b",
+                    "http": {
+                        "version_hex": "0x3e9"
+                    },
+                    "thread_id": "003548"
+                }
+            },
+            "source": {
+                "address": "192.0.2.1",
+                "ip": "192.0.2.1"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "domain": "spf4.example.org",
+                "original": "/__api__/logon/azertyuiop/totp"
+            }
+        }
+    ]
+}
@@ -0,0 +1 @@
+234 <179>1 2026-05-05T04:23:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId="514004"] [05/May/2026:04:23:43.836470 +0000] SMA-Primary 003548 ew 1005a618 Error   Auth    ::SAML:: SAML Storage error : id/url or samlresponse missing
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		458 <182>1 2026-05-05T11:39:48+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1114486"] [05/May/2026:11:39:48.259055 +0000] SMA-Primary 000000 kt 00000000 Info Audit Src='192.0.2.1:64026' User='(user.name@example.org)@(Corp)' TunnelVersion='0x102' Command='Flow:TCP' Dest='192.0.2.1:443' Error='0' SrcBytes='3263' DstBytes='5170' Duration='1' PlatformPrefix='W' EquipmentId='0012_34FF_AD52_4462.' SessionKey='SMA-Primary:69f9d2c0:00000000'
		473 <182>1 2026-05-05T13:46:54+00:00 SMA-Primary.sma logserver - - [meta sequenceId="1668855"] [05/May/2026:13:46:55.014635 +0000] SMA-Primary 003548 ew 1000045b Info Audit VirtualHost='spf4.example.org' StartTime='05/May/2026 13:46:55 +0000' Src='192.0.2.1' User='-' Method='GET' HTTPVersion='0x3e9' Request='GET /__api__/logon/azertyuiop/totp HTTP/1.1' Status='200' Bytes='77' PlatformPrefix='' EquipmentId='-' ApplicationName='' SessionKey=''
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		234 <179>1 2026-05-05T04:23:43+00:00 SMA-Primary.sma logserver - - [meta sequenceId="514004"] [05/May/2026:04:23:43.836470 +0000] SMA-Primary 003548 ew 1005a618 Error Auth ::SAML:: SAML Storage error : id/url or samlresponse missing