
Google SecOps parser extension for SonicWall SMA 1000

  • October 30, 2025
  • 6 replies
  • 63 views

JSpoorSonic

Please find below a Parser Extension for Google SecOps for SonicWall Secure Mobile Access (SMA)

This extension enhances the existing parser, which is for SMA 100s, to support SMA 1000s (e.g. SMA 8200v).

 

Work in progress

 

# SonicWall SMA 1000 Parser Extension

# Author: J Spoor

# Version: 2.0

 

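# SonicWall SMA 1000 Parser Extension
# Author: J Spoor
# Version: 2.0
#
# Google SecOps (Chronicle) parser extension that adds SMA 1000 fields on top
# of the stock SonicWall SMA parser. Every grok carries an on_error token so a
# message that lacks the field never aborts the parser; each mapping is applied
# only when its token is clear. Intermediate tokens are built under plain names
# and merged into event1 (the UDM event), which is emitted once at the end.
#
# Review notes against the original 2.0:
#   - "@output" was merged after every section, so one log line produced up to
#     three UDM events; the merge now happens once at the end of the filter.
#   - grok captures are strings, so [allowed] is compared against "1"/"0"
#     (the original compared against the integers 1/0).
#   - The security_result entry is built as a separate object and appended,
#     the same shape the later revisions of this extension use, instead of the
#     indexed [security_result][0][action] path.
#   - The fallback user id was spelled "UKNOWN".

filter {

  # --- Principal user -------------------------------------------------------
  # Matches User='( user@example.com )@...' and keeps only the address.
  grok {
    match => {
      "message" => "User='\\(\\s*%{EMAILADDRESS:user}\\s*\\)@"
    }
    on_error => "no_user_found"
  }
  if ![no_user_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.principal.user.userid" => "%{user}"
      }
    }
  } else {
    mutate {
      replace => { "event1.idm.read_only_udm.principal.user.userid" => "UNKNOWN" }
    }
  }

  # --- Event type -----------------------------------------------------------
  # The text between "EventMessage: " and " - User=" is kept verbatim as the
  # description and mapped to a UDM event type below.
  grok {
    match => {
      "message" => "EventMessage: %{DATA:event_type} - User="
    }
    on_error => "no_event_type_found"
  }
  if ![no_event_type_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.metadata.description" => "%{event_type}"
      }
    }
    if [event_type] == "Resource Access" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_RESOURCE_ACCESS" }
      }
    } else if [event_type] =~ "Session Start Success" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN" }
      }
    } else if [event_type] =~ "Session End" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGOUT" }
      }
    } else {
      # NOTE(review): every other EventMessage (including a failed session
      # start, if the appliance emits one) lands here as GENERIC_EVENT.
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" }
      }
    }
  }

  # --- Security result action ----------------------------------------------
  grok {
    match => {
      "message" => "Allowed='%{INT:allowed}"
    }
    on_error => "no_action_found"
  }
  if ![no_action_found] {
    # grok captures are strings: compare against "1"/"0", not 1/0.
    if [allowed] == "1" {
      mutate { replace => { "result_action" => "ALLOW" } }
    } else if [allowed] == "0" {
      mutate { replace => { "result_action" => "BLOCK" } }
    } else {
      mutate { replace => { "result_action" => "UNKNOWN_ACTION" } }
    }
    # security_result is a repeated field: build one entry, then append it.
    mutate { merge => { "security_result.action" => "result_action" } }
    mutate { merge => { "event1.idm.read_only_udm.security_result" => "security_result" } }
  }

  # --- Syslog priority -> severity/facility (TODO, not yet enabled) ---------
  # Use grok to parse syslog messages. The on_error clause handles messages that don't match the pattern.
  # NOTE(review): the =~ /0|8|16|.../ alternations below are unanchored, so a
  # priority of "16" also satisfies the /1|.../ and /6|.../ branches and the
  # last matching branch wins; anchor each pattern (e.g. /^(0|8|16|...)$/)
  # before enabling this section. The "drop it" comment is not implemented
  # (nothing drops the event when not_supported_format is set), and the
  # trailing "@output" merge must be removed when enabling, because the filter
  # already emits event1 once at the end.
  # grok {
  #   match => {
  #     "message" => [
  #       # Extract message with syslog headers.
  #       "(<%{POSINT:_syslog_priority}>)%{SYSLOGTIMESTAMP:datetime} %{DATA:logginghost}: %{GREEDYDATA:log_data}"
  #     ]
  #   }
  #   on_error => "not_supported_format"
  # }
  # # If the grok parsing failed, tag the event as unsupported and drop it.
  # if ![not_supported_format] {
  #   if [_syslog_priority] != "" {
  #     if [_syslog_priority] =~ /0|8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184/ {
  #       mutate { replace => { "_security_result.severity_details" => "EMERGENCY" } }
  #     }
  #     if [_syslog_priority] =~ /1|9|17|25|33|41|49|57|65|73|81|89|97|105|113|121|129|137|145|153|161|169|177|185/ {
  #       mutate { replace => { "_security_result.severity_details" => "ALERT" } }
  #     }
  #     if [_syslog_priority] =~ /2|10|18|26|34|42|50|58|66|74|82|90|98|106|114|122|130|138|146|154|162|170|178|186/ {
  #       mutate { replace => { "_security_result.severity_details" => "CRITICAL" } }
  #     }
  #     if [_syslog_priority] =~ /3|11|19|27|35|43|51|59|67|75|83|91|99|107|115|123|131|139|147|155|163|171|179|187/ {
  #       mutate { replace => { "_security_result.severity_details" => "ERROR" } }
  #     }
  #     if [_syslog_priority] =~ /4|12|20|28|36|44|52|60|68|76|84|92|100|108|116|124|132|140|148|156|164|172|180|188/ {
  #       mutate { replace => { "_security_result.severity_details" => "WARNING" } }
  #     }
  #     if [_syslog_priority] =~ /5|13|21|29|37|45|53|61|69|77|85|93|101|109|117|125|133|141|149|157|165|173|181|189/ {
  #       mutate { replace => { "_security_result.severity_details" => "NOTICE" } }
  #     }
  #     if [_syslog_priority] =~ /6|14|22|30|38|46|54|62|70|78|86|94|102|110|118|126|134|142|150|158|166|174|182|190/ {
  #       mutate { replace => { "_security_result.severity_details" => "INFORMATIONAL" } }
  #     }
  #     if [_syslog_priority] =~ /7|15|23|31|39|47|55|63|71|79|87|95|103|111|119|127|135|143|151|159|167|175|183|191/ {
  #       mutate { replace => { "_security_result.severity_details" => "DEBUG" } }
  #     }
  #     # Facilities (mapped to priority)
  #     if [_syslog_priority] =~ /0|1|2|3|4|5|6|7/ {
  #       mutate { replace => { "_security_result.priority_details" => "KERNEL" } }
  #     }
  #     if [_syslog_priority] =~ /8|9|10|11|12|13|14|15/ {
  #       mutate { replace => { "_security_result.priority_details" => "USER" } }
  #     }
  #     if [_syslog_priority] =~ /16|17|18|19|20|21|22|23/ {
  #       mutate { replace => { "_security_result.priority_details" => "MAIL" } }
  #     }
  #     if [_syslog_priority] =~ /24|25|26|27|28|29|30|31/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSTEM" } }
  #     }
  #     if [_syslog_priority] =~ /32|33|34|35|36|37|38|39/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /40|41|42|43|44|45|46|47/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSLOG" } }
  #     }
  #     if [_syslog_priority] =~ /48|49|50|51|52|53|54|55/ {
  #       mutate { replace => { "_security_result.priority_details" => "LPD" } }
  #     }
  #     if [_syslog_priority] =~ /56|57|58|59|60|61|62|63/ {
  #       mutate { replace => { "_security_result.priority_details" => "NNTP" } }
  #     }
  #     if [_syslog_priority] =~ /64|65|66|67|68|69|70|71/ {
  #       mutate { replace => { "_security_result.priority_details" => "UUCP" } }
  #     }
  #     if [_syslog_priority] =~ /72|73|74|75|76|77|78|79/ {
  #       mutate { replace => { "_security_result.priority_details" => "TIME" } }
  #     }
  #     if [_syslog_priority] =~ /80|81|82|83|84|85|86|87/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /88|89|90|91|92|93|94|95/ {
  #       mutate { replace => { "_security_result.priority_details" => "FTPD" } }
  #     }
  #     if [_syslog_priority] =~ /96|97|98|99|100|101|102|103/ {
  #       mutate { replace => { "_security_result.priority_details" => "NTPD" } }
  #     }
  #     if [_syslog_priority] =~ /104|105|106|107|108|109|110|111/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGAUDIT" } }
  #     }
  #     if [_syslog_priority] =~ /112|113|114|115|116|117|118|119/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGALERT" } }
  #     }
  #     if [_syslog_priority] =~ /120|121|122|123|124|125|126|127/ {
  #       mutate { replace => { "_security_result.priority_details" => "CLOCK" } }
  #     }
  #     if [_syslog_priority] =~ /128|129|130|131|132|133|134|135/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL0" } }
  #     }
  #     if [_syslog_priority] =~ /136|137|138|139|140|141|142|143/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL1" } }
  #     }
  #     if [_syslog_priority] =~ /144|145|146|147|148|149|150|151/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL2" } }
  #     }
  #     if [_syslog_priority] =~ /152|153|154|155|156|157|158|159/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL3" } }
  #     }
  #     if [_syslog_priority] =~ /160|161|162|163|164|165|166|167/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL4" } }
  #     }
  #     if [_syslog_priority] =~ /168|169|170|171|172|173|174|175/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL5" } }
  #     }
  #     if [_syslog_priority] =~ /176|177|178|179|180|181|182|183/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL6" } }
  #     }
  #     if [_syslog_priority] =~ /184|185|186|187|188|189|190|191/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL7" } }
  #     }
  #     mutate {
  #       merge => {
  #         "event.idm.read_only_udm.security_result" => "_security_result"
  #       }
  #     }
  #   }
  #   mutate {
  #     merge => {
  #       "@output" => "event"
  #     }
  #   }
  # }

  # Emit exactly one UDM event per log line.
  mutate { merge => { "@output" => "event1" } }

}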

 

6 replies

JSpoorSonic
  • Author
  • Bronze 3
  • November 12, 2025
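# SonicWall SMA 1000 Parser Extension
# Author: J Spoor
# Version: 2.1
# SonicWall
#
# Google SecOps (Chronicle) parser extension that adds SMA 1000 fields on top
# of the stock SonicWall SMA parser. Every grok carries an on_error token so a
# message that lacks the field never aborts the parser; each mapping is applied
# only when its token is clear. Intermediate tokens are built under plain names
# and merged into event1 (the UDM event), which is emitted once at the end.
#
# Review notes against the original 2.1:
#   - The fallback user id was spelled "UKNOWN".
#   - Section comments added; no mapping changed.

filter {

  # --- Principal user -------------------------------------------------------
  # Matches User='( user@example.com )@...' and keeps only the address.
  grok {
    match => {
      "message" => "User='\\(\\s*%{EMAILADDRESS:user}\\s*\\)@"
    }
    on_error => "no_user_found"
  }
  if ![no_user_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.principal.user.userid" => "%{user}"
      }
    }
  } else {
    mutate {
      replace => { "event1.idm.read_only_udm.principal.user.userid" => "UNKNOWN" }
    }
  }

  # --- Event type -----------------------------------------------------------
  # The text between "EventMessage: " and " - User=" is kept verbatim as the
  # description and mapped to a UDM event type below.
  grok {
    match => {
      "message" => "EventMessage: %{DATA:event_type} - User="
    }
    on_error => "no_event_type_found"
  }
  if ![no_event_type_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.metadata.description" => "%{event_type}"
      }
    }
    if [event_type] == "Resource Access" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_RESOURCE_ACCESS" }
      }
    } else if [event_type] =~ "Session Start Success" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN" }
      }
    } else if [event_type] =~ "Session End" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGOUT" }
      }
    } else {
      # NOTE(review): every other EventMessage (including a failed session
      # start, if the appliance emits one) lands here as GENERIC_EVENT.
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" }
      }
    }
  }

  # --- Security result: action and rule name --------------------------------
  grok {
    match => {
      "message" => "Allowed='%{INT:allowed}"
    }
    on_error => "no_action_found"
  }
  grok {
    match => { "message" => "Rule Info='%{DATA:rule_info}'" }
    on_error => "no_rule_info"
  }

  if ![no_action_found] {
    # grok captures are strings: compare against "1"/"0".
    if [allowed] == "1" {
      mutate { replace => { "result_action" => "ALLOW" } }
    } else if [allowed] == "0" {
      mutate { replace => { "result_action" => "BLOCK" } }
    } else {
      mutate { replace => { "result_action" => "UNKNOWN_ACTION" } }
    }
    # security_result is a repeated field: build one entry, then append it.
    mutate { merge => { "security_result.action" => "result_action" } }
    # rule_name is only attached when an Allowed= field was present too.
    if ![no_rule_info] {
      mutate { replace => { "security_result.rule_name" => "%{rule_info}" } }
    }
    mutate {
      merge => {
        "event1.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }

  # --- Target from Full Destination='ip:port' -------------------------------
  grok {
    match => {
      "message" => "Full Destination='%{IP:dest_ip}:%{INT:dest_port}'"
    }
    on_error => "no_full_destination"
  }
  if ![no_full_destination] {
    if [dest_ip] != "" {
      mutate { merge => { "event1.idm.read_only_udm.target.ip" => "dest_ip" } }
    }
    if [dest_port] != "" {
      mutate { replace => { "event1.idm.read_only_udm.target.port" => "%{dest_port}" } }
      # target.port is an integer in UDM.
      mutate { convert => { "event1.idm.read_only_udm.target.port" => "integer" } }
    }
  }

  # Debug
  # mutate {
  #   replace => {
  #     "event1.idm.read_only_udm.metadata.description" => "%{allowed}"
  #   }
  # }
  # End Debug

  # --- Syslog priority -> severity/facility (TODO, not yet enabled) ---------
  # Use grok to parse syslog messages. The on_error clause handles messages that don't match the pattern.
  # NOTE(review): the =~ /0|8|16|.../ alternations below are unanchored, so a
  # priority of "16" also satisfies the /1|.../ and /6|.../ branches and the
  # last matching branch wins; anchor each pattern (e.g. /^(0|8|16|...)$/)
  # before enabling this section. The "drop it" comment is not implemented
  # (nothing drops the event when not_supported_format is set), and the
  # trailing "@output" merge must be removed when enabling, because the filter
  # already emits event1 once at the end.
  # grok {
  #   match => {
  #     "message" => [
  #       # Extract message with syslog headers.
  #       "(<%{POSINT:_syslog_priority}>)%{SYSLOGTIMESTAMP:datetime} %{DATA:logginghost}: %{GREEDYDATA:log_data}"
  #     ]
  #   }
  #   on_error => "not_supported_format"
  # }
  # # If the grok parsing failed, tag the event as unsupported and drop it.
  # if ![not_supported_format] {
  #   if [_syslog_priority] != "" {
  #     if [_syslog_priority] =~ /0|8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184/ {
  #       mutate { replace => { "_security_result.severity_details" => "EMERGENCY" } }
  #     }
  #     if [_syslog_priority] =~ /1|9|17|25|33|41|49|57|65|73|81|89|97|105|113|121|129|137|145|153|161|169|177|185/ {
  #       mutate { replace => { "_security_result.severity_details" => "ALERT" } }
  #     }
  #     if [_syslog_priority] =~ /2|10|18|26|34|42|50|58|66|74|82|90|98|106|114|122|130|138|146|154|162|170|178|186/ {
  #       mutate { replace => { "_security_result.severity_details" => "CRITICAL" } }
  #     }
  #     if [_syslog_priority] =~ /3|11|19|27|35|43|51|59|67|75|83|91|99|107|115|123|131|139|147|155|163|171|179|187/ {
  #       mutate { replace => { "_security_result.severity_details" => "ERROR" } }
  #     }
  #     if [_syslog_priority] =~ /4|12|20|28|36|44|52|60|68|76|84|92|100|108|116|124|132|140|148|156|164|172|180|188/ {
  #       mutate { replace => { "_security_result.severity_details" => "WARNING" } }
  #     }
  #     if [_syslog_priority] =~ /5|13|21|29|37|45|53|61|69|77|85|93|101|109|117|125|133|141|149|157|165|173|181|189/ {
  #       mutate { replace => { "_security_result.severity_details" => "NOTICE" } }
  #     }
  #     if [_syslog_priority] =~ /6|14|22|30|38|46|54|62|70|78|86|94|102|110|118|126|134|142|150|158|166|174|182|190/ {
  #       mutate { replace => { "_security_result.severity_details" => "INFORMATIONAL" } }
  #     }
  #     if [_syslog_priority] =~ /7|15|23|31|39|47|55|63|71|79|87|95|103|111|119|127|135|143|151|159|167|175|183|191/ {
  #       mutate { replace => { "_security_result.severity_details" => "DEBUG" } }
  #     }
  #     # Facilities (mapped to priority)
  #     if [_syslog_priority] =~ /0|1|2|3|4|5|6|7/ {
  #       mutate { replace => { "_security_result.priority_details" => "KERNEL" } }
  #     }
  #     if [_syslog_priority] =~ /8|9|10|11|12|13|14|15/ {
  #       mutate { replace => { "_security_result.priority_details" => "USER" } }
  #     }
  #     if [_syslog_priority] =~ /16|17|18|19|20|21|22|23/ {
  #       mutate { replace => { "_security_result.priority_details" => "MAIL" } }
  #     }
  #     if [_syslog_priority] =~ /24|25|26|27|28|29|30|31/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSTEM" } }
  #     }
  #     if [_syslog_priority] =~ /32|33|34|35|36|37|38|39/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /40|41|42|43|44|45|46|47/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSLOG" } }
  #     }
  #     if [_syslog_priority] =~ /48|49|50|51|52|53|54|55/ {
  #       mutate { replace => { "_security_result.priority_details" => "LPD" } }
  #     }
  #     if [_syslog_priority] =~ /56|57|58|59|60|61|62|63/ {
  #       mutate { replace => { "_security_result.priority_details" => "NNTP" } }
  #     }
  #     if [_syslog_priority] =~ /64|65|66|67|68|69|70|71/ {
  #       mutate { replace => { "_security_result.priority_details" => "UUCP" } }
  #     }
  #     if [_syslog_priority] =~ /72|73|74|75|76|77|78|79/ {
  #       mutate { replace => { "_security_result.priority_details" => "TIME" } }
  #     }
  #     if [_syslog_priority] =~ /80|81|82|83|84|85|86|87/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /88|89|90|91|92|93|94|95/ {
  #       mutate { replace => { "_security_result.priority_details" => "FTPD" } }
  #     }
  #     if [_syslog_priority] =~ /96|97|98|99|100|101|102|103/ {
  #       mutate { replace => { "_security_result.priority_details" => "NTPD" } }
  #     }
  #     if [_syslog_priority] =~ /104|105|106|107|108|109|110|111/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGAUDIT" } }
  #     }
  #     if [_syslog_priority] =~ /112|113|114|115|116|117|118|119/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGALERT" } }
  #     }
  #     if [_syslog_priority] =~ /120|121|122|123|124|125|126|127/ {
  #       mutate { replace => { "_security_result.priority_details" => "CLOCK" } }
  #     }
  #     if [_syslog_priority] =~ /128|129|130|131|132|133|134|135/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL0" } }
  #     }
  #     if [_syslog_priority] =~ /136|137|138|139|140|141|142|143/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL1" } }
  #     }
  #     if [_syslog_priority] =~ /144|145|146|147|148|149|150|151/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL2" } }
  #     }
  #     if [_syslog_priority] =~ /152|153|154|155|156|157|158|159/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL3" } }
  #     }
  #     if [_syslog_priority] =~ /160|161|162|163|164|165|166|167/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL4" } }
  #     }
  #     if [_syslog_priority] =~ /168|169|170|171|172|173|174|175/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL5" } }
  #     }
  #     if [_syslog_priority] =~ /176|177|178|179|180|181|182|183/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL6" } }
  #     }
  #     if [_syslog_priority] =~ /184|185|186|187|188|189|190|191/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL7" } }
  #     }
  #     mutate {
  #       merge => {
  #         "event.idm.read_only_udm.security_result" => "_security_result"
  #       }
  #     }
  #   }
  #   mutate {
  #     merge => {
  #       "@output" => "event"
  #     }
  #   }
  # }

  # Emit exactly one UDM event per log line.
  mutate { merge => { "@output" => "event1" } }

}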

 

New Version

 


JSpoorSonic
  • Author
  • Bronze 3
  • November 14, 2025

New version: 2.2

 

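# SonicWall SMA 1000 Parser Extension
# Author: J Spoor
# Version: 2.2
#
# Google SecOps (Chronicle) parser extension for SMA 1000 series appliances
# (e.g. SMA 8200v) on top of the stock SonicWall SMA parser. Every grok carries
# an on_error token so a message that lacks the field never aborts the parser;
# each mapping is applied only when its token is clear. Intermediate tokens are
# built under plain names and merged into event1 (the UDM event), which is
# emitted exactly once at the end of the filter.
#
# Review notes against the original 2.2:
#   - "@output" was merged twice (once before the syslog TODO block and once
#     after it), so every log line produced two UDM events; it is now merged
#     once.
#   - A helper grok splitting bracket_timestamp into date/time parts had no
#     on_error and its captures were never used; as far as I can tell a grok
#     without on_error stops the parser on a non-matching line, so it has been
#     removed.
#   - The connection-log security_result is now built as its own object and
#     appended to the repeated field, the same shape the Allowed= block uses,
#     instead of merging into the dotted security_result.action path.
#   - src_port was extracted but never mapped; it now populates principal.port.
#   - The unused internal token event_type="NETWORK_CONNECTION" is dropped.
#   - The fallback user id was spelled "UKNOWN".

filter {
  # hostname is read at the end of the connection-log branch whether or not
  # the log-server header matched, so it is initialised up front.
  mutate { replace => { "hostname" => "" } }

  # --- Log-server header: logserver: [datetime] hostname --------------------
  # Brackets are escaped as [[] and []] inside the grok pattern.
  grok {
    match => { "message" => "logserver: [[]%{DATA:bracket_timestamp}[]] %{HOSTNAME:hostname}" }
    on_error => "no_logserver_datetime"
  }

  if ![no_logserver_datetime] {
    # Normalise "/" to "-" so the date pattern below matches.
    mutate {
      gsub => ["bracket_timestamp", "/", "-"]
    }
    # assumes the header looks like dd-MMM-yyyy:HH:mm:ss +ZZZZ after the gsub — TODO confirm
    # failed_datematch is set but not acted on; the stock parser's timestamp
    # is kept in that case.
    date {
      match => [ "bracket_timestamp", "dd-MMM-yyyy:HH:mm:ss Z" ]
      target => "event1.idm.read_only_udm.metadata.event_timestamp"
      time_precision => "microsecond"
      on_error => "failed_datematch"
    }
  }

  # --- Principal user -------------------------------------------------------
  # Matches User='( user@example.com )@...' and keeps only the address, i.e.
  # drops the @(SonicWall Connect) suffix.
  grok {
    match => { "message" => "User='\\(\\s*%{EMAILADDRESS:user}\\s*\\)@" }
    on_error => "no_user_found"
  }
  if ![no_user_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.principal.user.userid" => "%{user}"
      }
    }
  } else {
    mutate {
      replace => { "event1.idm.read_only_udm.principal.user.userid" => "UNKNOWN" }
    }
  }

  # --- Event type -----------------------------------------------------------
  # The text between "EventMessage: " and " - User=" is kept verbatim as the
  # description and mapped to a UDM event type below.
  grok {
    match => {
      "message" => "EventMessage: %{DATA:event_type} - User="
    }
    on_error => "no_event_type_found"
  }
  if ![no_event_type_found] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.metadata.description" => "%{event_type}"
      }
    }
    if [event_type] == "Resource Access" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_RESOURCE_ACCESS" }
      }
    } else if [event_type] =~ "Session Start Success" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN" }
      }
    } else if [event_type] =~ "Session End" {
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "USER_LOGOUT" }
      }
    } else {
      # NOTE(review): every other EventMessage (including a failed session
      # start, if the appliance emits one) lands here as GENERIC_EVENT.
      mutate {
        replace => { "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" }
      }
    }
  }

  # --- Security result: action and rule name --------------------------------
  grok {
    match => {
      "message" => "Allowed='%{INT:allowed}"
    }
    on_error => "no_action_found"
  }
  grok {
    match => { "message" => "Rule Info='%{DATA:rule_info}'" }
    on_error => "no_rule_info"
  }

  if ![no_action_found] {
    # grok captures are strings: compare against "1"/"0".
    if [allowed] == "1" {
      mutate { replace => { "result_action" => "ALLOW" } }
    } else if [allowed] == "0" {
      mutate { replace => { "result_action" => "BLOCK" } }
    } else {
      mutate { replace => { "result_action" => "UNKNOWN_ACTION" } }
    }
    # security_result is a repeated field: build one entry, then append it.
    mutate { merge => { "security_result.action" => "result_action" } }
    # rule_name is only attached when an Allowed= field was present too.
    if ![no_rule_info] {
      mutate { replace => { "security_result.rule_name" => "%{rule_info}" } }
    }
    mutate {
      merge => {
        "event1.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }

  # --- Target from Full Destination='ip:port' -------------------------------
  grok {
    match => {
      "message" => "Full Destination='%{IP:dest_ip}:%{INT:dest_port}'"
    }
    on_error => "no_full_destination"
  }
  if ![no_full_destination] {
    if [dest_ip] != "" {
      mutate { merge => { "event1.idm.read_only_udm.target.ip" => "dest_ip" } }
    }
    if [dest_port] != "" {
      mutate { replace => { "event1.idm.read_only_udm.target.port" => "%{dest_port}" } }
      # target.port is an integer in UDM.
      mutate { convert => { "event1.idm.read_only_udm.target.port" => "integer" } }
    }
  }

  # --- Connection logs: Src='[::ffff:a.b.c.d]:port' --------------------------
  # The stock parser leaves these lines unparsed because of the IPv4-mapped
  # IPv6 prefix ::ffff: in front of the address. %{IP} captures the dotted
  # IPv4 part only.
  grok {
    # Escape bracket [ with [[] and bracket ] with []]
    match => { "message" => "Src='[[]::ffff:%{IP:src_ip}[]]:%{INT:src_port}'" }
    on_error => "no_unparsed_source"
  }

  if ![no_unparsed_source] {
    mutate {
      replace => { "event1.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION" }
    }
    # The source address is recorded as both principal and src so either
    # noun works in rules and searches.
    mutate { merge => { "event1.idm.read_only_udm.principal.ip" => "src_ip" } }
    mutate { merge => { "event1.idm.read_only_udm.src.ip" => "src_ip" } }
    mutate { replace => { "event1.idm.read_only_udm.principal.port" => "%{src_port}" } }
    mutate { convert => { "event1.idm.read_only_udm.principal.port" => "integer" } }

    # Error='0' is read as an allowed connection and Error='1' as a blocked
    # one, as in the original. NOTE(review): confirm this reading of the
    # Error field against the SMA 1000 log reference before building
    # detections on the action.
    grok {
      match => { "message" => "Error='%{INT:log_error}" }
      on_error => "no_logerror"
    }
    if ![no_logerror] {
      if [log_error] == "0" {
        mutate { replace => { "logaction" => "ALLOW" } }
      } else if [log_error] == "1" {
        mutate { replace => { "logaction" => "BLOCK" } }
      } else {
        mutate { replace => { "logaction" => "UNKNOWN_ACTION" } }
      }
    } else {
      mutate { replace => { "logaction" => "UNKNOWN_ACTION" } }
    }
    # Same shape as the Allowed= block: build one security_result entry and
    # append it to the repeated field. If a line carries both Allowed= and
    # Error=, the event ends up with two security_result entries.
    mutate { merge => { "net_security_result.action" => "logaction" } }
    mutate { merge => { "event1.idm.read_only_udm.security_result" => "net_security_result" } }

    # Dest='a.b.c.d:port' — separate token names so an earlier Full
    # Destination= match is not overwritten.
    grok {
      match => { "message" => "Dest='%{IP:net_dest_ip}:%{INT:net_dest_port}" }
      on_error => "no_dest_ip"
    }
    if ![no_dest_ip] {
      mutate { merge => { "event1.idm.read_only_udm.target.ip" => "net_dest_ip" } }
      mutate { replace => { "event1.idm.read_only_udm.target.port" => "%{net_dest_port}" } }
      mutate { convert => { "event1.idm.read_only_udm.target.port" => "integer" } }
    }

    # NOTE(review): hostname comes from the logserver header, i.e. the host
    # that wrote the line, not necessarily the connecting client; confirm that
    # principal (rather than observer) is the intended noun.
    if [hostname] != "" {
      mutate {
        replace => { "event1.idm.read_only_udm.principal.hostname" => "%{hostname}" }
      }
    }
  }

  # Debug
  # mutate {
  #   replace => {
  #     "event1.idm.read_only_udm.metadata.description" => "%{extracted_timestamp}"
  #   }
  # }
  # End Debug

  # statedump {
  #   label => "Post Merge"
  # }

  # --- Syslog priority -> severity/facility (TODO, not yet enabled) ---------
  # Use grok to parse syslog messages. The on_error clause handles messages that don't match the pattern.
  # NOTE(review): the =~ /0|8|16|.../ alternations below are unanchored, so a
  # priority of "16" also satisfies the /1|.../ and /6|.../ branches and the
  # last matching branch wins; anchor each pattern (e.g. /^(0|8|16|...)$/)
  # before enabling this section. The "drop it" comment is not implemented
  # (nothing drops the event when not_supported_format is set), and the
  # trailing "@output" merge must be removed when enabling, because the filter
  # already emits event1 once at the end.
  # grok {
  #   match => {
  #     "message" => [
  #       # Extract message with syslog headers.
  #       "(<%{POSINT:_syslog_priority}>)%{SYSLOGTIMESTAMP:datetime} %{DATA:logginghost}: %{GREEDYDATA:log_data}"
  #     ]
  #   }
  #   on_error => "not_supported_format"
  # }
  # # If the grok parsing failed, tag the event as unsupported and drop it.
  # if ![not_supported_format] {
  #   if [_syslog_priority] != "" {
  #     if [_syslog_priority] =~ /0|8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184/ {
  #       mutate { replace => { "_security_result.severity_details" => "EMERGENCY" } }
  #     }
  #     if [_syslog_priority] =~ /1|9|17|25|33|41|49|57|65|73|81|89|97|105|113|121|129|137|145|153|161|169|177|185/ {
  #       mutate { replace => { "_security_result.severity_details" => "ALERT" } }
  #     }
  #     if [_syslog_priority] =~ /2|10|18|26|34|42|50|58|66|74|82|90|98|106|114|122|130|138|146|154|162|170|178|186/ {
  #       mutate { replace => { "_security_result.severity_details" => "CRITICAL" } }
  #     }
  #     if [_syslog_priority] =~ /3|11|19|27|35|43|51|59|67|75|83|91|99|107|115|123|131|139|147|155|163|171|179|187/ {
  #       mutate { replace => { "_security_result.severity_details" => "ERROR" } }
  #     }
  #     if [_syslog_priority] =~ /4|12|20|28|36|44|52|60|68|76|84|92|100|108|116|124|132|140|148|156|164|172|180|188/ {
  #       mutate { replace => { "_security_result.severity_details" => "WARNING" } }
  #     }
  #     if [_syslog_priority] =~ /5|13|21|29|37|45|53|61|69|77|85|93|101|109|117|125|133|141|149|157|165|173|181|189/ {
  #       mutate { replace => { "_security_result.severity_details" => "NOTICE" } }
  #     }
  #     if [_syslog_priority] =~ /6|14|22|30|38|46|54|62|70|78|86|94|102|110|118|126|134|142|150|158|166|174|182|190/ {
  #       mutate { replace => { "_security_result.severity_details" => "INFORMATIONAL" } }
  #     }
  #     if [_syslog_priority] =~ /7|15|23|31|39|47|55|63|71|79|87|95|103|111|119|127|135|143|151|159|167|175|183|191/ {
  #       mutate { replace => { "_security_result.severity_details" => "DEBUG" } }
  #     }
  #     # Facilities (mapped to priority)
  #     if [_syslog_priority] =~ /0|1|2|3|4|5|6|7/ {
  #       mutate { replace => { "_security_result.priority_details" => "KERNEL" } }
  #     }
  #     if [_syslog_priority] =~ /8|9|10|11|12|13|14|15/ {
  #       mutate { replace => { "_security_result.priority_details" => "USER" } }
  #     }
  #     if [_syslog_priority] =~ /16|17|18|19|20|21|22|23/ {
  #       mutate { replace => { "_security_result.priority_details" => "MAIL" } }
  #     }
  #     if [_syslog_priority] =~ /24|25|26|27|28|29|30|31/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSTEM" } }
  #     }
  #     if [_syslog_priority] =~ /32|33|34|35|36|37|38|39/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /40|41|42|43|44|45|46|47/ {
  #       mutate { replace => { "_security_result.priority_details" => "SYSLOG" } }
  #     }
  #     if [_syslog_priority] =~ /48|49|50|51|52|53|54|55/ {
  #       mutate { replace => { "_security_result.priority_details" => "LPD" } }
  #     }
  #     if [_syslog_priority] =~ /56|57|58|59|60|61|62|63/ {
  #       mutate { replace => { "_security_result.priority_details" => "NNTP" } }
  #     }
  #     if [_syslog_priority] =~ /64|65|66|67|68|69|70|71/ {
  #       mutate { replace => { "_security_result.priority_details" => "UUCP" } }
  #     }
  #     if [_syslog_priority] =~ /72|73|74|75|76|77|78|79/ {
  #       mutate { replace => { "_security_result.priority_details" => "TIME" } }
  #     }
  #     if [_syslog_priority] =~ /80|81|82|83|84|85|86|87/ {
  #       mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
  #     }
  #     if [_syslog_priority] =~ /88|89|90|91|92|93|94|95/ {
  #       mutate { replace => { "_security_result.priority_details" => "FTPD" } }
  #     }
  #     if [_syslog_priority] =~ /96|97|98|99|100|101|102|103/ {
  #       mutate { replace => { "_security_result.priority_details" => "NTPD" } }
  #     }
  #     if [_syslog_priority] =~ /104|105|106|107|108|109|110|111/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGAUDIT" } }
  #     }
  #     if [_syslog_priority] =~ /112|113|114|115|116|117|118|119/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOGALERT" } }
  #     }
  #     if [_syslog_priority] =~ /120|121|122|123|124|125|126|127/ {
  #       mutate { replace => { "_security_result.priority_details" => "CLOCK" } }
  #     }
  #     if [_syslog_priority] =~ /128|129|130|131|132|133|134|135/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL0" } }
  #     }
  #     if [_syslog_priority] =~ /136|137|138|139|140|141|142|143/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL1" } }
  #     }
  #     if [_syslog_priority] =~ /144|145|146|147|148|149|150|151/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL2" } }
  #     }
  #     if [_syslog_priority] =~ /152|153|154|155|156|157|158|159/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL3" } }
  #     }
  #     if [_syslog_priority] =~ /160|161|162|163|164|165|166|167/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL4" } }
  #     }
  #     if [_syslog_priority] =~ /168|169|170|171|172|173|174|175/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL5" } }
  #     }
  #     if [_syslog_priority] =~ /176|177|178|179|180|181|182|183/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL6" } }
  #     }
  #     if [_syslog_priority] =~ /184|185|186|187|188|189|190|191/ {
  #       mutate { replace => { "_security_result.priority_details" => "LOCAL7" } }
  #     }
  #     mutate {
  #       merge => {
  #         "event.idm.read_only_udm.security_result" => "_security_result"
  #       }
  #     }
  #   }
  #   mutate {
  #     merge => {
  #       "@output" => "event"
  #     }
  #   }
  # }

  # Emit exactly one UDM event per log line.
  mutate { merge => { "@output" => "event1" } }

}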

 


matthewnichols
Community Manager
  • Community Manager
  • November 14, 2025

Hi ​@JSpoorSonic Thanks for sharing your updated version with the Community. 


JSpoorSonic
  • Author
  • Bronze 3
  • November 14, 2025

Hi ​@JSpoorSonic Thanks for sharing your updated version with the Community. 

You are most welcome.

It is still a work in progress :) So I’ll probably provide a few more updates.


JSpoorSonic
  • Author
  • Bronze 3
  • November 25, 2025

NOTE: SonicWall will introduce a modern logging format.

With that, the SonicWall SMA parser and this extension will stop working.

I am working on a custom parser and will post soon.


JSpoorSonic
  • Author
  • Bronze 3
  • December 1, 2025