Support for Sonicwall firewall?

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ajwilliamson
Posts: 15
Joined: Mon Sep 17, 2018 10:38 am

Support for Sonicwall firewall?

Post by ajwilliamson »

Can anyone offer any tips on getting Sonicwall syslogs to work properly?

I receive data, but it comes into NLS tagged with "_grokparsefailure_sysloginput".

Thanks
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Support for Sonicwall firewall?

Post by cdienger »

I found an option at https://github.com/jdnow/Logstash-Confi ... l.conf#L24.

First create an input under Configure > Global (All Instances) > Global Config, with this configuration:

# Dedicated syslog input; the type label is what the filter below matches on
syslog {
    type => "Sonicwall"
    port => 5514
}
Next, create a filter with:

if [type] == "Sonicwall" {
    # SonicWall messages are key=value pairs; drop the keys we do not need
    kv {
        exclude_keys => [ "c", "id", "m", "n", "pri", "proto" ]
    }
    # src/dst look like 192.0.2.25:51234:X0 (ip:port:interface); keep only the IP
    grok {
        match => { "src" => "%{IP:srcip}:%{DATA:srcinfo}" }
    }
    grok {
        match => { "dst" => "%{IP:dstip}:%{DATA:dstinfo}" }
    }
    # a grok block with no match pattern never succeeds (it only adds
    # _grokparsefailure), so use mutate to drop the leftover fields
    mutate {
        remove_field => [ "srcinfo", "dstinfo" ]
    }
    geoip {
        source => "srcip"
        add_tag => [ "geoip" ]
    }
}
After applying the configuration, configure the Sonicwall to send logs to port 5514 and they will go through this input and filter.
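To see what the kv and grok filters above actually leave behind, here is an added Python sketch (not from the post or the linked config) that applies the same exclude list and the same src/dst split to a constructed SonicWall line; it assumes IPv4 endpoints and also shows the case where src has no port, which makes the grok pattern fail.

```python
import re
from ipaddress import ip_address

# Constructed sample line in SonicWall's key=value style (not a real capture).
SAMPLE = ('<134> id=firewall sn=SERIAL-PLACEHOLDER time="2018-09-17 10:38:00" '
          'fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" '
          'n=12345 src=192.0.2.25:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https')

# Same keys the kv filter excludes in the answer above.
EXCLUDE_KEYS = {"c", "id", "m", "n", "pri", "proto"}
# key=value, where value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def kv_parse(line, exclude=EXCLUDE_KEYS):
    """Mimic the kv filter: split key=value pairs, unquote, drop excluded keys."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if key in exclude:
            continue
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def split_endpoint(fields, name):
    """Mimic grok %{IP:<name>ip}:%{DATA:<name>info}; return False on no match."""
    value = fields.get(name)
    if value is None:
        return False
    ip, sep, _info = value.partition(":")  # IPv4 only; IPv6 would need smarter splitting
    if not sep:  # the pattern needs the colon; src=1.2.3.4 alone fails
        return False
    try:
        ip_address(ip)
    except ValueError:
        return False
    fields[name + "ip"] = ip  # the *info part is what mutate removes later
    return True


def parse_sonicwall(line):
    """Return (fields, tags) the way the filter chain would shape the event."""
    fields = kv_parse(line)
    tags = []
    for name in ("src", "dst"):
        if not split_endpoint(fields, name):
            tags.append("_grokparsefailure")  # one tag per failing grok block
    return fields, tags
```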