Custom parser for SonicWall SMA 1000 series
e.g. SonicWall SMA 8200v
The parser supports both the Legacy Logging Format and the Modern Logging Format.
In 12.4.2 the Modern Logging Format is enabled with the CEM key LOGGING_MODERN_FORMAT = true.
In 12.5 it is the default.
# SonicWall SMA 1000 Custom Parser
# Author: J Spoor
# Version: 2.2
# Product: SonicWall Cloud Secure Edge
# Supported Format: JSON
# Last Updated: 2025-12-01
# Copyright 2025 SonicWall
filter {
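# Initialization: scratch flags used further down in this filter.
# loginlogout_event is flipped to "true" by the Session Start/End branches;
# is_logging_modern_protocol is set to "true" when the modern header below matches.
mutate {
  replace => {
    "loginlogout_event" => "false"
    "is_logging_modern_protocol" => "false"
  }
}
# Modern Logging Format (LOGGING_MODERN_PROTOCOL = true): the line starts with a
# "<PRI>VERSION TIMESTAMP HOSTNAME" header. On a miss no_header_match is set and the
# legacy "logserver:" header is tried further down.
grok {
  match => {"message" => "^<%{NUMBER:syslog_pri}>%{NUMBER:syslog_version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname}"}
  on_error => "no_header_match"
}
if ![no_header_match] {
  # Split the ISO8601 timestamp into its components so the zone offset can be normalised.
  # The offset group is mandatory, so a header timestamp without a zone misses here;
  # on_error keeps that from failing the whole event (the date filters below handle it).
  grok {
    match => {"timestamp" => "%{YEAR:timestamp_year}-%{MONTHNUM:timestamp_month}-%{MONTHDAY:timestamp_day}T%{HOUR:timestamp_hour}:%{MINUTE:timestamp_minute}:%{SECOND:timestamp_second}(?:%{ISO8601_TIMEZONE:timestamp_offset})"}
    on_error => "no_timestamp_parts"
  }
  if ![no_timestamp_parts] {
    # "+01:00" -> "+0100": drop the colon and rebuild the timestamp from its parts.
    if [timestamp_offset] =~ ":" {
      mutate {
        gsub => ["timestamp_offset",":",""]
      }
      mutate {
        replace => {"timestamp" => "%{timestamp_year}-%{timestamp_month}-%{timestamp_day}T%{timestamp_hour}:%{timestamp_minute}:%{timestamp_second}%{timestamp_offset}"}
      }
    }
  }
  # Strip the ".sma" label from the hostname. gsub takes a regex, so the dot is escaped;
  # an unescaped "." would also match e.g. "asma" inside "plasma01".
  mutate {gsub => ["hostname","\\.sma",""]}
  mutate {
    replace => {"event1.idm.read_only_udm.principal.hostname" => "%{hostname}"}
  }
  # Field name matches the flag initialised above (previously misspelt, so it never
  # became true). Nothing later in this file reads it.
  mutate {replace =>{"is_logging_modern_protocol" => "true"}}
}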
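# Legacy Logging Format header: "logserver: [dd/MMM/yyyy:HH:mm:ss Z] hostname".
# This grok runs for every message, so when a line carries both headers the hostname
# captured here replaces the one taken from the modern header.
grok {
  match => {"message" => "logserver: [[]%{DATA:bracket_timestamp}[]] %{HOSTNAME:hostname}"}
  on_error => "no_logserver_datetime"
}
if ![no_header_match] {
  # Modern header: the normalised ISO8601 timestamp feeds both @timestamp and the
  # UDM event timestamp.
  date {
    match => ["timestamp", "ISO8601"]
    target => "@timestamp"
    on_error => "no_datematch"
  }
  date {
    match => ["timestamp", "ISO8601"]
    target => "event1.idm.read_only_udm.metadata.event_timestamp"
    on_error => "no_datematch"
  }
} else if ![no_logserver_datetime] {
  # Legacy header: "dd/MMM/yyyy:HH:mm:ss Z" -> "dd-MMM-yyyy:HH:mm:ss Z" for the date filter.
  mutate {
    gsub => ["bracket_timestamp","/","-"]
  }
  # Splits the bracket timestamp at its first colon. Neither part is read later in this
  # file; on_error keeps an unexpected layout from failing the event.
  grok {
    match => {"bracket_timestamp" => "(?<bracket_date_part>[^:]+):(?<bracket_time_part>.*)"}
    on_error => "no_bracket_parts"
  }
  date {
    match => [ "bracket_timestamp", "dd-MMM-yyyy:HH:mm:ss Z" ]
    target => "event1.idm.read_only_udm.metadata.event_timestamp"
    time_precision => "microsecond"
    on_error => "failed_datematch"
  }
  # NOTE(review): failed_datematch is never checked, so an unparsable legacy timestamp
  # leaves event_timestamp unset; unlike the modern branch, @timestamp is not set here.
  mutate {
    replace => {"event1.idm.read_only_udm.principal.hostname" => "%{hostname}"}
  }
}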
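# Principal user. The display name is whatever sits between the User='...' quotes.
grok {
  match => {"message" => "User='%{DATA:user_display_name}'"}
  on_error => "no_user_display_name"
}
if ![no_user_display_name] {
  mutate {replace => {"event1.idm.read_only_udm.principal.user.user_display_name" => "%{user_display_name}"}}
}
# Users are logged as '(user)@(community)'. An e-mail style userid is tried first, then a
# plain username; in both cases the display name is rebuilt as "(user)@(community)".
grok {
  # match => {"message" => "User='\\(\\s*%{EMAILADDRESS:user}\\s*\\)@"}
  match => {"message" => "'\\(%{EMAILADDRESS:user}\\)@\\(%{DATA:community}\\)"}
  on_error => "no_full_user_found"
}
if ![no_full_user_found] {
  mutate {
    replace => {
      "event1.idm.read_only_udm.principal.user.userid" => "%{user}"
      "event1.idm.read_only_udm.target.user.userid" => "%{user}"
      "event1.idm.read_only_udm.principal.user.user_display_name" => "(%{user})@(%{community})"
    }
  }
} else {
  grok {
    match => {"message" => "'\\(%{USERNAME:username}\\)@\\(%{DATA:community}\\)"}
    on_error => "no_simple_user"
  }
  if ![no_simple_user] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.principal.user.userid" => "%{username}"
        "event1.idm.read_only_udm.target.user.userid" => "%{username}"
        "event1.idm.read_only_udm.principal.user.user_display_name" => "(%{username})@(%{community})"
      }
    }
  } else {
    # Placeholder userid when neither form matched. This also applies to messages that
    # carry no user token at all. Spelling corrected from "UKNOWN".
    mutate { replace => { "event1.idm.read_only_udm.principal.user.userid" => "UNKNOWN" } }
  }
}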
# Source address: Src='ip:port', then Src='ip', then Source='ip'. The first layout that
# matches fills src.ip, principal.ip and principal.asset.ip; src_port is captured but not mapped.
grok {
match => {
"message" => "Src='%{IP:src_ip}:%{INT:src_port}'"
}
on_error => "no_src"
}
if ![no_src] {
if [src_ip] != "" {
mutate {
merge => {
"event1.idm.read_only_udm.src.ip" => "src_ip"
"event1.idm.read_only_udm.principal.ip" => "src_ip"
"event1.idm.read_only_udm.principal.asset.ip" => "src_ip"
}
}
}
} else {
# Second layout: Src= without a port.
grok {
match => {"message" => "Src='%{IP:src_ip}'"}
on_error => "no_source_ip"
}
if ![no_source_ip] {
if [src_ip] != "" {
mutate {
merge => {
"event1.idm.read_only_udm.src.ip" => "src_ip"
"event1.idm.read_only_udm.principal.ip" => "src_ip"
"event1.idm.read_only_udm.principal.asset.ip" => "src_ip"
}
}
}
} else {
# Third layout: Source= key.
grok {
match => {"message" => "Source='%{IP:src_ip}'"}
on_error => "no_source"
}
if ![no_source] {
if [src_ip] != "" {
mutate {
merge => {
"event1.idm.read_only_udm.src.ip" => "src_ip"
"event1.idm.read_only_udm.principal.ip" => "src_ip"
"event1.idm.read_only_udm.principal.asset.ip" => "src_ip"
}
}
}
}
}
}
# Check for SessionKey
# A SessionKey marks a connection-level record; its presence selects NETWORK_CONNECTION below.
grok {
match => {"message" => "SessionKey='%{DATA:session_key}'"}
on_error => "no_sessionkey"
}
# Extract Event Type
# Two layouts carry the type: "EventMessage: <type> - User=" and, failing that,
# "EventMessage: <type> Context".
grok {
match => {
"message" => "EventMessage: %{DATA:event_type} - User="
}
on_error => "no_event_type_found1"
}
if [no_event_type_found1] {
grok {
match => {
"message" => "EventMessage: %{DATA:event_type} Context"
}
on_error => "no_event_type_found2"
}
}
# True when either layout matched; no_event_type_found2 is only set after the first grok missed.
if ![no_event_type_found1] or ![no_event_type_found2] {
# Some types carry an " infos" suffix; strip it before it becomes the description.
mutate {gsub => ["event_type", " infos", ""]}
mutate {
replace => {"event1.idm.read_only_udm.metadata.description" => "%{event_type}"}
}
if [event_type] == "Resource Access" {
mutate {
replace => {"event1.idm.read_only_udm.metadata.event_type" => "USER_RESOURCE_ACCESS"}
}
# NOTE(review): src_ip only exists when one of the Src=/Source= groks above matched —
# confirm what %{src_ip} yields on a Resource Access line without one.
mutate {
replace => {
"event1.idm.read_only_udm.target.resource.name" => "%{src_ip}"
"event1.idm.read_only_udm.target.resource.resource_type" => "IP_ADDRESS"
}
}
} else if [event_type] =~ "Session Start" {
# Session lifecycle. network_errorcode is a scratch value read by the security_result
# mapping below when the event has a SessionKey but no Allowed= field: "0" maps to ALLOW,
# "999" and "99" fall through to UNKNOWN_ACTION.
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN"
"event1.idm.read_only_udm.extensions.auth.auth_details" => "Session Start"
"loginlogout_event" => "true"
"network_errorcode" => "0"
}
}
} else if [event_type] =~ "Session End" {
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "USER_LOGOUT"
"event1.idm.read_only_udm.extensions.auth.auth_details" => "Session End"
"loginlogout_event" => "true"
"network_errorcode" => "999"
}
}
} else if [event_type] =~ "Session Update" {
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
"network_errorcode" => "99"
}
}
} else if ![no_sessionkey]{
# NOTE(review): unlike the no-event-type branch below, network.session_id is not set here.
mutate {
replace => {"event1.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"}
}
} else {
mutate {
replace => {"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}
}
}
} else {
# No EventMessage type: SessionKey records become connection events with flow details.
if ![no_sessionkey]{
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
"event1.idm.read_only_udm.network.session_id" => "%{session_key}"
}
}
# Command='Flow:<proto>' records carry destination, result code and byte counters.
# dest_ip/dest_port captured here are not mapped in this section.
grok {
match => {
"message" => "Command='%{DATA:command}' Dest='%{IP:dest_ip}:%{NUMBER:dest_port}' Error='%{DATA:network_errorcode}' SrcBytes='%{NUMBER:src_bytes}' DstBytes='%{NUMBER:dst_bytes}'"
}
on_error => "no_command_data"
}
if ![no_command_data] {
# "Flow:<proto>" -> network.ip_protocol; "Tunnel" -> proxy_info.vpn_service_name.
if [command] =~ "Flow:" {
mutate {replace => {"sessionflow" => "%{command}"}}
mutate {gsub => ["sessionflow","Flow:",""]}
if [sessionflow] == "TCP" {
mutate {replace => {"event1.idm.read_only_udm.network.ip_protocol" => "TCP"}}
} else if [sessionflow] == "UDP" {
mutate {replace => {"event1.idm.read_only_udm.network.ip_protocol" => "UDP"}}
} else if [sessionflow] == "ICMP" {
mutate {replace => {"event1.idm.read_only_udm.network.ip_protocol" => "ICMP"}}
} else {
mutate {replace => {"event1.idm.read_only_udm.network.ip_protocol" => "UNKNOWN_IP_PROTOCOL"}}
}
} else if [command] =~ "Tunnel" {
mutate {
replace => {"event1.idm.read_only_udm.network.proxy_info.vpn_service_name" => "Tunnel"}
}
}
# SrcBytes -> sent_bytes, DstBytes -> received_bytes, stored as unsigned integers.
mutate {
replace => {
"event1.idm.read_only_udm.network.sent_bytes" => "%{src_bytes}"
"event1.idm.read_only_udm.network.received_bytes" => "%{dst_bytes}"
}
}
mutate {convert => {"event1.idm.read_only_udm.network.sent_bytes" => "uinteger"}}
mutate {convert => {"event1.idm.read_only_udm.network.received_bytes" => "uinteger"}}
}
} else {
# "System <command>: '(user)" lines: only Session Start/End are mapped.
# NOTE(review): a System line with any other command leaves metadata.event_type unset.
grok {
match => {"message" => "System\\s{1,2}%{DATA:system_command}: '\\(%{USERNAME:system_command_username}\\)"}
on_error => "no_system_command"
}
if ![no_system_command] {
if [system_command] =~ "Session End" {
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "USER_LOGOUT"
"event1.idm.read_only_udm.extensions.auth.auth_details" => "Session End"
"loginlogout_event" => "true"
}
}
} else if [system_command] =~ "Session Start" {
mutate {
replace => {
"event1.idm.read_only_udm.metadata.event_type" => "USER_LOGIN"
"event1.idm.read_only_udm.extensions.auth.auth_details" => "Session Start"
"loginlogout_event" => "true"
}
}
}
} else {
mutate {
replace => {"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}
}
}
}
}
# Verdict. Allowed='1'/'0' (plus optional Rule Info) is the preferred source; events that
# only carry a SessionKey fall back to the network_errorcode scratch value set above.
grok {
match => {"message" => "Allowed='%{INT:allowed}"}
on_error => "no_action_found"
}
grok {
match => { "message" => "Rule Info='%{DATA:rule_info}'" }
on_error => "no_rule_info"
}
if ![no_action_found] {
if [allowed] == "1" {
mutate {replace => { "result_action" => "ALLOW" }}
} else if [allowed] == "0" {
mutate {replace => { "result_action" => "BLOCK" }}
} else {
mutate {replace => { "result_action" => "UNKNOWN_ACTION" }}
}
mutate {merge => {"security_result.action" => "result_action"}}
# The rule name is only attached on the Allowed= path.
if ![no_rule_info] {
mutate {
replace => {"security_result.rule_name" => "%{rule_info}"}
}
}
mutate {merge => {"event1.idm.read_only_udm.security_result" => "security_result"}}
} else if ![no_sessionkey]{
# Decimal and hex spellings of the result code are both accepted.
# NOTE(review): network_errorcode is set only by the Session Start/End/Update branches and
# the Command= grok; for other SessionKey events this compares a value that was never assigned.
if [network_errorcode] == "1" {
mutate {replace => { "result_action" => "BLOCK" }}
} else if [network_errorcode] == "0" {
mutate {replace => { "result_action" => "ALLOW" }}
} else if [network_errorcode] == "0xffffffff" {
mutate {replace => { "result_action" => "BLOCK" }}
} else if [network_errorcode] == "0x00000000" {
mutate {replace => { "result_action" => "ALLOW" }}
} else {
mutate {replace => { "result_action" => "UNKNOWN_ACTION" }}
}
mutate {merge => {"security_result.action" => "result_action"}}
mutate {merge => {"event1.idm.read_only_udm.security_result" => "security_result"}}
}
# Target address: Dest_IP='ip:port' first, otherwise Dest='ip:port'. The port is stored as an integer.
grok {
match => {"message" => "Dest_IP='%{IP:dest_ip}:%{INT:dest_port}'"}
on_error => "no_dest_ip"
}
if ![no_dest_ip] {
if [dest_ip] != "" {
mutate {merge => {"event1.idm.read_only_udm.target.ip" => "dest_ip"}}
}
if [dest_port] !="" {
mutate {replace => {"event1.idm.read_only_udm.target.port" => "%{dest_port}"}}
mutate {convert => {"event1.idm.read_only_udm.target.port" => "integer"}}
}
} else {
# Second layout: Dest= key; captured under separate names so the first layout's fields are untouched.
grok {
match => {"message" => "Dest='%{IP:destination_ip}:%{INT:destination_port}'"}
on_error => "no_dest"
}
if ![no_dest] {
if [destination_ip] != "" {
mutate {merge => {"event1.idm.read_only_udm.target.ip" => "destination_ip"}}
}
if [destination_port] !="" {
mutate {replace => {"event1.idm.read_only_udm.target.port" => "%{destination_port}"}}
mutate {convert => {"event1.idm.read_only_udm.target.port" => "integer"}}
}
}
}
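# LEGACY LOGGING - Unparsed Logs
# Legacy lines write IPv4-mapped addresses as "[::ffff:a.b.c.d]:port", which none of the
# Src= groks above match; this section re-parses such lines as connection events.
grok {
  # Escape bracket [ with [[] and bracket ] with []]
  match => { "message" => "Src='[[]::ffff:%{IP:src_ip}[]]:%{INT:src_port}'" }
  on_error => "no_unparsed_source"
}
if ![no_unparsed_source]{
  # Overwrites the scratch event_type; metadata.description was already filled from it above.
  mutate {replace => {"event_type" => "NETWORK_CONNECTION"}}
  mutate {
    replace => {"event1.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"}
  }
  mutate {
    replace => {"event1.idm.read_only_udm.network.ip_protocol" => "UNKNOWN_IP_PROTOCOL"}
  }
  mutate {
    merge => {"event1.idm.read_only_udm.principal.ip" => "src_ip"}
  }
  mutate {
    merge => {"event1.idm.read_only_udm.src.ip" => "src_ip"}
  }
  # Error='0' -> ALLOW, Error='1' -> BLOCK; anything else, or no Error= at all, -> UNKNOWN_ACTION.
  grok {
    match => {"message" => "Error='%{INT:log_error}"}
    on_error => "no_logerror"
  }
  if ![no_logerror]{
    if [log_error] == "0" {
      mutate {replace => {"logaction" => "ALLOW"}}
    } else if [log_error] == "1" {
      mutate {replace => {"logaction" => "BLOCK"}}
    } else {
      mutate {replace => {"logaction" => "UNKNOWN_ACTION"}}
    }
  } else {
    mutate {replace => {"logaction" => "UNKNOWN_ACTION"}}
  }
  mutate {
    merge => {"security_result.action" => "logaction"}
  }
  mutate {
    merge => {"event1.idm.read_only_udm.security_result" => "security_result"}
  }
  # Uses its own error flag: the Dest_IP= grok earlier in this filter already reports into
  # no_dest_ip, and a stale value there must not decide whether this match is used.
  grok {
    match => {"message" => "Dest='%{IP:dest_ip}:%{INT:dest_port}"}
    on_error => "no_legacy_dest"
  }
  if ![no_legacy_dest] {
    # NOTE(review): the Dest= grok earlier in this filter uses the same pattern; when both
    # match, target.ip receives the address twice — confirm against sample legacy lines.
    mutate {merge => {"event1.idm.read_only_udm.target.ip" => "dest_ip"}}
    mutate {replace => {"event1.idm.read_only_udm.target.port" => "%{dest_port}"}}
    mutate {convert => {"event1.idm.read_only_udm.target.port" => "integer"}}
  }
  # hostname comes from whichever header grok matched above.
  # NOTE(review): if neither header matched, this compares a field that was never set — confirm
  # how the parser treats that before relying on it.
  if [hostname] != "" {
    mutate {
      replace => {"event1.idm.read_only_udm.principal.hostname" => "%{hostname}" }
    }
  }
  # SessionKey was already captured as session_key above; it is re-captured here so legacy
  # events also get network.session_id.
  grok {
    match => {"message" => "SessionKey='%{DATA:log_sessionkey}'"}
    on_error => "no_session_key"
  }
  if ![no_session_key] {
    mutate {replace => {"event1.idm.read_only_udm.network.session_id" => "%{log_sessionkey}"}}
  }
  grok {
    match => {"message" => "SrcBytes='%{INT:srcbytes}' DstBytes='%{INT:dstbytes}'"}
    on_error => "no_bytes"
  }
  if ![no_bytes] {
    # NOTE(review): this maps SrcBytes -> received_bytes and DstBytes -> sent_bytes, the reverse
    # of the Command= branch above (SrcBytes -> sent_bytes); confirm which direction is intended.
    mutate {
      replace => {
        "event1.idm.read_only_udm.network.received_bytes" => "%{srcbytes}"
        "event1.idm.read_only_udm.network.sent_bytes" => "%{dstbytes}"}
    }
    mutate {
      convert => {
        "event1.idm.read_only_udm.network.received_bytes" => "uinteger"
        "event1.idm.read_only_udm.network.sent_bytes" => "uinteger"}
    }
  }
}
# END LEGACY LOGGING - Unparsed Logs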
# Publish the assembled UDM event; everything above writes into the event1 tree.
mutate { merge => { "@output" => "event1"} }
# statedump {
# label => "Post Merge"
# }
# TODO
#Grok Code to extract and parse syslog priority
# Use grok to parse syslog messages. The on_error clause handles messages that don't match the pattern.
# grok {
# match => {
# "message" => [
# # Extract message with syslog headers.
# "(<%{POSINT:_syslog_priority}>)%{SYSLOGTIMESTAMP:datetime} %{DATA:logginghost}: %{GREEDYDATA:log_data}"
# ]
# }
# on_error => "not_supported_format"
# }
# # If the grok parsing failed, tag the event as unsupported and drop it.
# if ![not_supported_format] {
# if [_syslog_priority] != "" {
# if [_syslog_priority] =~ /0|8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184/ {
# mutate { replace => { "_security_result.severity_details" => "EMERGENCY" } }
# }
# if [_syslog_priority] =~ /1|9|17|25|33|41|49|57|65|73|81|89|97|105|113|121|129|137|145|153|161|169|177|185/ {
# mutate { replace => { "_security_result.severity_details" => "ALERT" } }
# }
# if [_syslog_priority] =~ /2|10|18|26|34|42|50|58|66|74|82|90|98|106|114|122|130|138|146|154|162|170|178|186/ {
# mutate { replace => { "_security_result.severity_details" => "CRITICAL" } }
# }
# if [_syslog_priority] =~ /3|11|19|27|35|43|51|59|67|75|83|91|99|107|115|123|131|139|147|155|163|171|179|187/ {
# mutate { replace => { "_security_result.severity_details" => "ERROR" } }
# }
# if [_syslog_priority] =~ /4|12|20|28|36|44|52|60|68|76|84|92|100|108|116|124|132|140|148|156|164|172|180|188/ {
# mutate { replace => { "_security_result.severity_details" => "WARNING" } }
# }
# if [_syslog_priority] =~ /5|13|21|29|37|45|53|61|69|77|85|93|101|109|117|125|133|141|149|157|165|173|181|189/ {
# mutate { replace => { "_security_result.severity_details" => "NOTICE" } }
# }
# if [_syslog_priority] =~ /6|14|22|30|38|46|54|62|70|78|86|94|102|110|118|126|134|142|150|158|166|174|182|190/ {
# mutate { replace => { "_security_result.severity_details" => "INFORMATIONAL" } }
# }
# if [_syslog_priority] =~ /7|15|23|31|39|47|55|63|71|79|87|95|103|111|119|127|135|143|151|159|167|175|183|191/ {
# mutate { replace => { "_security_result.severity_details" => "DEBUG" } }
# }
# # Facilities (mapped to priority)
# if [_syslog_priority] =~ /0|1|2|3|4|5|6|7/ {
# mutate { replace => { "_security_result.priority_details" => "KERNEL" } }
# }
# if [_syslog_priority] =~ /8|9|10|11|12|13|14|15/ {
# mutate { replace => { "_security_result.priority_details" => "USER" } }
# }
# if [_syslog_priority] =~ /16|17|18|19|20|21|22|23/ {
# mutate { replace => { "_security_result.priority_details" => "MAIL" } }
# }
# if [_syslog_priority] =~ /24|25|26|27|28|29|30|31/ {
# mutate { replace => { "_security_result.priority_details" => "SYSTEM" } }
# }
# if [_syslog_priority] =~ /32|33|34|35|36|37|38|39/ {
# mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
# }
# if [_syslog_priority] =~ /40|41|42|43|44|45|46|47/ {
# mutate { replace => { "_security_result.priority_details" => "SYSLOG" } }
# }
# if [_syslog_priority] =~ /48|49|50|51|52|53|54|55/ {
# mutate { replace => { "_security_result.priority_details" => "LPD" } }
# }
# if [_syslog_priority] =~ /56|57|58|59|60|61|62|63/ {
# mutate { replace => { "_security_result.priority_details" => "NNTP" } }
# }
# if [_syslog_priority] =~ /64|65|66|67|68|69|70|71/ {
# mutate { replace => { "_security_result.priority_details" => "UUCP" } }
# }
# if [_syslog_priority] =~ /72|73|74|75|76|77|78|79/ {
# mutate { replace => { "_security_result.priority_details" => "TIME" } }
# }
# if [_syslog_priority] =~ /80|81|82|83|84|85|86|87/ {
# mutate { replace => { "_security_result.priority_details" => "SECURITY" } }
# }
# if [_syslog_priority] =~ /88|89|90|91|92|93|94|95/ {
# mutate { replace => { "_security_result.priority_details" => "FTPD" } }
# }
# if [_syslog_priority] =~ /96|97|98|99|100|101|102|103/ {
# mutate { replace => { "_security_result.priority_details" => "NTPD" } }
# }
# if [_syslog_priority] =~ /104|105|106|107|108|109|110|111/ {
# mutate { replace => { "_security_result.priority_details" => "LOGAUDIT" } }
# }
# if [_syslog_priority] =~ /112|113|114|115|116|117|118|119/ {
# mutate { replace => { "_security_result.priority_details" => "LOGALERT" } }
# }
# if [_syslog_priority] =~ /120|121|122|123|124|125|126|127/ {
# mutate { replace => { "_security_result.priority_details" => "CLOCK" } }
# }
# if [_syslog_priority] =~ /128|129|130|131|132|133|134|135/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL0" } }
# }
# if [_syslog_priority] =~ /136|137|138|139|140|141|142|143/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL1" } }
# }
# if [_syslog_priority] =~ /144|145|146|147|148|149|150|151/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL2" } }
# }
# if [_syslog_priority] =~ /152|153|154|155|156|157|158|159/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL3" } }
# }
# if [_syslog_priority] =~ /160|161|162|163|164|165|166|167/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL4" } }
# }
# if [_syslog_priority] =~ /168|169|170|171|172|173|174|175/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL5" } }
# }
# if [_syslog_priority] =~ /176|177|178|179|180|181|182|183/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL6" } }
# }
# if [_syslog_priority] =~ /184|185|186|187|188|189|190|191/ {
# mutate { replace => { "_security_result.priority_details" => "LOCAL7" } }
# }
# mutate {
# merge => {
# "event.idm.read_only_udm.security_result" => "_security_result"
# }
# }
# }
# }
}
