@ppalmieri ppalmieri commented Nov 3, 2025

Please label this PR with one of the following labels, depending on the scope of your change:

  • Bug
  • Enhancement

Proposed commit message

Bug Fixes

This PR corrects the gcat (Global Category) mapping for Sonicwall messages, as they changed from version 6.x of SonicOS to 7.x. This is documented on page 105. This also corrects an incorrect event action for log event #36, which should be listed as packet-dropped, as documented on page 12.

Enhancement

Added is a new ECS field called rule.uuid that adds the rule UUID when it appears in the log. This makes it a little easier to identify rule hits, as the rule name (mapped to rule.id) can sometimes cover many rules if they have the same name.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Verified that new mappings are working correctly

How to test this PR locally

Install the SonicWall integration and configure it to receive logs. Afterwards, make the following changes to the logs-sonicwall-log ingest pipeline.

  • In the script described as "Maps SonicWall fields to ECS", update the following mappings in the parameters section:
    • Update the gcat mapping to reflect the updated categories.
    • After the rule.id mapping, add the mapping for rule.uuid.
  • In the script described as "Fills ECS categorization fields depending on message Event ID", update the following:
    • In message-codes, update 36 from connection-close to packet-dropped.

Related issues

N/A

Screenshots

N/A

@ppalmieri ppalmieri requested a review from a team as a code owner November 3, 2025 20:34
cla-checker-service bot commented Nov 3, 2025

💚 CLA has been signed

ppalmieri (Author) commented:

I have completed the Contributor Agreement.

@andrewkroh andrewkroh added Integration:sonicwall_firewall SonicWall Firewall Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Nov 3, 2025
elasticmachine commented:

Pinging @elastic/integration-experience (Team:Integration-Experience)

qcorporation (Contributor) left a comment:

You will also need to update the manifest.yml file with the new version 1.19.3

@qcorporation qcorporation requested a review from a team November 3, 2025 21:55