New integration for SonicWall firewall #3365
Merged
Changes from 17 commits (26 commits in total)
Commits:
6bf8260 New integration for SonicWall firewall (adriansr)
f8b2b55 Get rid of zone config (adriansr)
7bbb957 Adjust PR number (adriansr)
2a5db3d CODEOWNERS update (adriansr)
624e889 Deprecate sonicwall rsa2elk package (adriansr)
5a1005c Missing event.outcome values (adriansr)
d8f9f88 Simplify painless script (adriansr)
35b8ebf System test (adriansr)
a62b37e Logfile system test (adriansr)
7b7e6e6 Format (adriansr)
0c9a4e5 Build readme (adriansr)
3898f94 Make compatible with 8.2.0 (adriansr)
ebfa33b Add dashboard (adriansr)
2ff3b78 Update version (adriansr)
873372b Add list of enriched messages (adriansr)
bbc4a06 Update version (adriansr)
fd6a56d Missing dashboard image (adriansr)
3f2b5b3 Add final newline (adriansr)
71e8648 Document and map known vendor fields (adriansr)
6933525 Support [ipv6]:port format in NAT fields (adriansr)
4b1e213 Add link to docs in README (adriansr)
26dd611 Document origin of CSV (adriansr)
f248f22 Populate message with note if not present (adriansr)
4dba8eb Reset initial version to 0.1.0 (adriansr)
d99dd23 Add event.{module,dataset} constant_keyword fields (adriansr)
a5691d9 Update README (adriansr)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| dependencies: | ||
| ecs: | ||
| reference: git@8.2 |
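Review bot: `reference: git@8.2` pins the ECS dependency to a branch rather than a tagged release, so the field definitions pulled in at build time can change underneath this package; since the commit history targets 8.2.0 explicitly, pinning to the corresponding ECS tag would keep builds reproducible and make a later bump a deliberate change.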
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| # SonicWall Firewall Integration | ||
|
|
||
| This integration collects syslog messages from SonicWall firewalls. It has been tested with SonicOS 6.5 and 7.0. | ||
|
|
||
| ## Configuration | ||
|
|
||
| Configure a Syslog Server in your firewall using the following options: | ||
| - **Name or IP Address:** The address where your Elastic Agent running this integration is reachable. | ||
| - **Port:** The Syslog port (UDP) configured in this integration. | ||
| - **Server Type:** Syslog Server. | ||
| - **Syslog Format:** Enhanced Syslog. | ||
| - **Syslog ID:** Change this default (`firewall`) if you need to differentiate between multiple firewalls. | ||
| This value will be stored in the `observer.name` field. | ||
|
|
||
| It's recommended to enable the **Display UTC in logs (instead of local time)** setting under the | ||
| _Device > Settings > Time_ configuration menu. Otherwise you'll have to configure the **Timezone Offset** | ||
| setting of this integration to match the timezone configured in your firewall. | ||
|
|
||
| Ensure proper connectivity between your firewall and Elastic Agent. | ||
|
|
||
| ## Supported messages | ||
|
|
||
| This integration features generic support for enhanced syslog messages produced by SonicOS and features | ||
| more detailed ECS enrichment for the following messages: | ||
|
|
||
| | Category | Subcategory | Message IDs | | ||
| |----------|-------------|-------------| | ||
| | Firewall | Access Rules | 440-442, 646, 647, 734, 735 | | ||
| | Firewall | Application Firewall | 793, 1654 | | ||
| | Firewall Settings | Advanced | 428, 1473, 1573, 1576, 1590 | | ||
| | Firewall Settings | Checksum Enforcement | 883-886, 1448, 1449 | | ||
| | Firewall Settings | FTP | 446, 527, 528, 538 | | ||
| | Firewall Settings | Flood Protection | 25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452 | | ||
| | Firewall Settings | Multicast | 683, 690, 694, 1233 | | ||
| | Firewall Settings | SSL Control | 999, 1001-1006, 1081 | | ||
| | High Availability | Cluster | 1149, 1152 | | ||
| | Log | Configuration Auditing | 1382, 1383, 1674 | | ||
| | Network | ARP | 45, 815, 1316 | | ||
| | Network | DNS | 1098, 1099 | | ||
| | Network | DNS Security | 1593 | | ||
| | Network | ICMP | 38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458 | | ||
| | Network | IP | 28, 522, 910, 1301-1303, 1429, 1430 | | ||
| | Network | IPcomp | 651-653 | | ||
| | Network | IPv6 Tunneling | 1253 | | ||
| | Network | Interfaces | 58 | | ||
| | Network | NAT | 339, 1197, 1436 | | ||
| | Network | NAT Policy | 1313-1315 | | ||
| | Network | Network Access | 41, 46, 98, 347, 524, 537, 590, 714, 1304 | | ||
| | Network | TCP | 36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629 | | ||
| | Security Services | Anti-Spyware | 794-796 | | ||
| | Security Services | Anti-Virus | 123-125, 159, 408, 482 | | ||
| | Security Services | Application Control | 1154, 1155 | | ||
| | Security Services | Attacks | 22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471 | | ||
| | Security Services | Botnet Filter | 1195, 1200, 1201, 1476, 1477, 1518, 1519 | | ||
| | Security Services | Content Filter | 14, 16, 1599-1601 | | ||
| | Security Services | Geo-IP Filter | 1198, 1199, 1474, 1475 | | ||
| | Security Services | IDP | 789, 790 | | ||
| | Security Services | IPS | 608, 609 | | ||
| | Security Services | Next-Gen Anti-Virus | 1559-1562 | | ||
| | Security Services | RBL Filter | 797, 798 | | ||
| | System | Administration | 340, 341 | | ||
| | System | Cloud Backup | 1511-1516 | | ||
| | System | Restart | 93-95, 164, 599-601, 1046, 1047, 1392, 1393 | | ||
| | System | Settings | 573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637 | | ||
| | System | Status | 4, 53, 521, 1107, 1196, 1332, 1495, 1496 | | ||
| | Users | Authentication Access | 24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672 | | ||
| | Users | Radius Authentication | 243-245, 744-751, 753-757, 1011 | | ||
| | Users | SSO Agent Authentication | 988-991 | | ||
| | VPN | DHCP Relay | 229 | | ||
| | Wireless | RF Monitoring | 879 | | ||
| | Wireless | WLAN | 1363 | | ||
| | Wireless | WLAN IDS | 546, 548 | | ||
|
|
||
| ## Logs | ||
|
|
||
| {{event "log"}} | ||
|
|
||
| {{fields "log"}} | ||
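Review bot: the Configuration section has the user point the firewall at the agent over a UDP syslog port, but "Ensure proper connectivity between your firewall and Elastic Agent" leaves the important part unsaid: it should state the direction (the firewall sends to the agent's configured port) and recommend that the listener only be reachable from the firewall, since there is nothing on the UDP path that authenticates the sender. The **Syslog ID** bullet should also say what happens if several firewalls are left on the default `firewall` value, because their events then share the same `observer.name` and cannot be told apart in the dashboards.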
packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml (14 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| version: '2.3' | ||
| services: | ||
| sonicwall_firewall-logfile: | ||
| image: alpine | ||
| volumes: | ||
| - ./sample_logs:/sample_logs:ro | ||
| - ${SERVICE_LOGS_DIR}:/var/log | ||
| command: /bin/sh -c "cp /sample_logs/* /var/log/" | ||
| sonicwall_firewall-syslog: | ||
| image: docker.elastic.co/observability/stream:v0.7.0 | ||
| volumes: | ||
| - ./sample_logs:/sample_logs:ro | ||
| entrypoint: /bin/bash | ||
| command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/log.log" |
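Review bot: the stream command hardcodes `--addr elastic-agent:9514 -p=udp`, so the system test only passes while the package's syslog input is configured to listen on 9514/udp; a comment next to the command naming that coupling would stop the two from drifting apart. The `${SERVICE_LOGS_DIR}:/var/log` volume is also unguarded: with the variable unset the mount spec collapses to `:/var/log` and compose fails with an unhelpful error, whereas `${SERVICE_LOGS_DIR:?}` makes the requirement explicit.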
Add a link to the vendor docs?
done