
Commit 1a226a5

committed
refactor(sonic_wall-filter): improve the sonic_wall filter to correctly parse the new types of events received
1 parent 723c82c commit 1a226a5


1 file changed

+50
-23
lines changed


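--- a/filters/sonicwall/sonic_wall.yml
+++ b/filters/sonicwall/sonic_wall.yml
@@ -1,4 +1,4 @@
-# SonicWall Firewall, version 3.0.1
+# SonicWall Firewall, version 3.2.0
 # Based on docs
 # Support Syslog CEF format
 #
@@ -48,6 +48,30 @@ pipeline:
 pattern: '{{.greedy}}'
 source: raw
 
+- grok:
+patterns:
+- fieldName: log.priority
+pattern: '\<{{.data}}\>'
+- fieldName: log.irrelevant
+pattern: '{{.data}}\='
+- fieldName: log.device
+pattern: '{{.word}}'
+- fieldName: log.irrelevant1
+pattern: '{{.data}}\='
+- fieldName: log.sn
+pattern: '{{.word}}'
+- fieldName: log.irrelevant2
+pattern: '{{.data}}\"'
+- fieldName: log.dvcTime
+pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}{{.space}}{{.time}}'
+- fieldName: log.irrelevant3
+pattern: '{{.data}}\='
+- fieldName: log.srcIp
+pattern: '{{.ipv4}}'
+- fieldName: log.msgAll
+pattern: '{{.greedy}}'
+source: raw
+
 # ......................................................................#
 # Checking if the log is in CEF format
 #......................................................................#
@@ -70,7 +94,7 @@ pipeline:
 - fieldName: log.cefMsgAll
 pattern: '{{.greedy}}'
 source: log.msgAll
-where: log.msgAll.contains("CEF:")
+where: contains("log.msgAll", "CEF:")
 
 - grok:
 patterns:
@@ -85,7 +109,7 @@ pipeline:
 - fieldName: log.cefMsgAll
 pattern: '{{.greedy}}'
 source: log.msgAll
-where: log.msgAll.contains("CEF:")
+where: contains("log.msgAll", "CEF:")
 
 #......................................................................#
 # Removing unnecessary characters of the syslogHeader
@@ -317,119 +341,119 @@ pipeline:
 params:
 key: log.groupCategory
 value: 'System'
-where: safe("log.gcat", "") == "1"
+where: equals("log.gcat", "1")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Log'
-where: safe("log.gcat", "") == "2"
+where: equals("log.gcat", "2")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Security Services'
-where: safe("log.gcat", "") == "3"
+where: equals("log.gcat", "3")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Users'
-where: safe("log.gcat", "") == "4"
+where: equals("log.gcat", "4")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Firewall Settings'
-where: safe("log.gcat", "") == "5"
+where: equals("log.gcat", "5")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Network'
-where: safe("log.gcat", "") == "6"
+where: equals("log.gcat", "6")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'VPN'
-where: safe("log.gcat", "") == "7"
+where: equals("log.gcat", "7")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'High Availability'
-where: safe("log.gcat", "") == "8"
+where: equals("log.gcat", "8")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: '3G/4G, Modem, and Module'
-where: safe("log.gcat", "") == "9"
+where: equals("log.gcat", "9")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Firewall'
-where: safe("log.gcat", "") == "10"
+where: equals("log.gcat", "10")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Wireless'
-where: safe("log.gcat", "") == "11"
+where: equals("log.gcat", "11")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'VoIP'
-where: safe("log.gcat", "") == "12"
+where: equals("log.gcat", "12")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'SSL VPN'
-where: safe("log.gcat", "") == "13"
+where: equals("log.gcat", "13")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Anti-Spam'
-where: safe("log.gcat", "") == "14"
+where: equals("log.gcat", "14")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'WAN Acceleration'
-where: safe("log.gcat", "") == "15"
+where: equals("log.gcat", "15")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'SD-WAN'
-where: safe("log.gcat", "") == "16"
+where: equals("log.gcat", "16")
 
 - add:
 function: 'string'
 params:
 key: log.groupCategory
 value: 'Multi-Tenancy'
-where: safe("log.gcat", "") == "17"
+where: equals("log.gcat", "17")
 
 # Adding geolocation to origin.ip
 - dynamic:
@@ -455,26 +479,29 @@ pipeline:
 params:
 key: severity
 value: 'high'
-where: safe("log.pri", "") in ["0", "1", "2", "3"]
+where: oneOf("log.pri", ["0", "1", "2", "3"])
 - add:
 function: 'string'
 params:
 key: severity
 value: 'medium'
-where: safe("log.pri", "") == "4"
+where: equals("log.pri", "4")
 - add:
 function: 'string'
 params:
 key: severity
 value: 'low'
-where: safe("log.pri", "") in ["5", "6", "7"]
+where: oneOf("log.pri", ["5", "6", "7"])
 
 # ..........................................................................#
 # Removing unnuse fields
 #.........................................................................#
 - delete:
 fields:
 - log.irrelevant
+- log.irrelevant1
+- log.irrelevant2
+- log.irrelevant3
 - log.msgAll
 - log.cefMsgAll
 - log.pri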
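Review bot: The grok added at new lines 51-74 matches the source address with `{{.ipv4}}` only, so an event whose header carries an IPv6 address would fail the whole pattern and leave log.device, log.sn, log.dvcTime and log.srcIp unset, and with no `where:` on the block there is nothing to show whether that silent fallthrough is intended. The same block extracts the syslog priority into `log.priority`, while the severity mapping at new lines 479-494 keys on `log.pri`; if `log.pri` is not derived from `log.priority` somewhere in the part of the pipeline outside these hunks, events parsed by this new branch get no severity, which is worth confirming. The block also lacks the header comment the rest of the file uses for each stage; something like `# Extracting priority, device, serial number, timestamp and source IP from the syslog header; the rest of the message goes to log.msgAll` placed above the new `- grok:` would document which event shape it targets.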
