Ship SonicWall logs

SonicWall firewalls allow you to identify and control all of the applications in use on your network. This integration allows you to send logs from your SonicWall applications to your Layerlog SIEM account.

Configuration

Before you begin

These are the prerequisites you’ll need before you can begin:

• SonicWall firewall
• Filebeat 7
• root access

Configure SonicWall Server logging

Configure your SonicWall firewall to send logs to your Filebeat server. Make sure you meet this configuration:

• Log format: syslog
• IP address: Filebeat server IP address
• Port 514

SonicWall firewall sends logs over UDP by default. See SonicWall docs for more information on configuring your SonicWall firewall.

Download the Layerlog public certificate to your credentials server

For HTTPS shipping, download the Layerlog public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous contents. (Replace the file’s contents with this code block.)

This code block adds SonicWall as an input sent over UDP traffic.

# ...
filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "0.0.0.0:514"

  fields:
    logzio_codec: plain

    # Your Layerlog account token. You can find your token at
    #  http://panel.layerlog.com/#/dashboard/settings/manage-accounts
    token: <<LOG-SHIPPING-TOKEN>>
    type: sonicwall
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h

  # ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true

Copy and paste the following code block directly below. It sets Layerlog as the output.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

• Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

• Replace <<LISTENER-HOST>> with the host for your region. For example, listener.layerlog.com if your account is hosted on AWS US East, or listener-nl.layerlog.com if hosted on Azure West Europe.

One last validation - make sure Layerlog is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect. Start or restart Filebeat for the changes to take effect.

Check Layerlog for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.