Conversation

@ppalmieri
Contributor

@ppalmieri ppalmieri commented Nov 3, 2025

Please label this PR with one of the following labels, depending on the scope of your change:

  • Bug
  • Enhancement

Proposed commit message

Bug Fixes

This PR corrects the gcat (Global Category) mapping for SonicWall messages, as they changed from version 6.x of SonicOS to 7.x. This is documented on page 105. This also corrects an incorrect event action for log event #36, which should be listed as packet-dropped, as documented on page 12.

Enhancement

Added is a new ECS field called rule.uuid that carries the rule UUID when it appears in the log. This makes it a little easier to identify rule hits, as the rule name (mapped to rule.id) can sometimes cover many rules if they share the same name.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Verified that new mappings are working correctly

How to test this PR locally

Install the SonicWall integration and configure it to receive logs. Afterwards, make the following changes to the logs-sonicwall-log ingest pipeline.

  • In the Script described as Maps SonicWall fields to ECS, update the following mappings in the parameters section:
    • Update the gcat mapping to reflect the updated categories.
    • After the rule.id mapping, add in the mapping for rule.uuid
  • In the Script described as Fills ECS categorization fields depending on message Event ID update the following:
    • In message-codes update 36 from connection-close to packet-dropped.

Related issues

N/A

Screenshots

N/A
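The three pipeline changes described in the PR body (the gcat table, the event.action for message id 36, and the new rule.uuid field), as an added Python example that is not part of the sonicwall_firewall integration's own Painless ingest pipeline. The gcat labels in the table are placeholders, the `ruleuuid=` key name and the ECS category/type values are assumptions, and the sample log line is constructed; the real values come from the SonicOS Log Events Reference Guide and the integration itself.

```python
"""Minimal key=value -> ECS mapping for SonicWall syslog lines.

Added example, not the sonicwall_firewall integration's own Painless
pipeline. It mirrors the three mappings the PR changes: the gcat table,
event.action for message id 36, and a new rule.uuid field.
"""
import re
from typing import Dict, Optional, Tuple

# Placeholder gcat labels (constructed for this example). Take the real
# SonicOS table from the Log Events Reference Guide, not from here.
GCAT_LABELS: Dict[str, str] = {
    "1": "placeholder-category-1",
    "2": "placeholder-category-2",
    "3": "placeholder-category-3",
}

# event.action by SonicWall message id (the m= key): the "before" table
# and the corrected "after" table for code 36, as the PR describes them.
LEGACY_ACTION_BY_CODE = {"36": "connection-close"}
ACTION_BY_CODE = {"36": "packet-dropped"}

# ECS categorization for the two actions used here (assumed values).
ECS_BY_ACTION = {
    "packet-dropped": {"category": ["network"], "type": ["connection", "denied"], "outcome": "failure"},
    "connection-close": {"category": ["network"], "type": ["connection", "end"], "outcome": "success"},
}

# key=value tokens; a quoted value may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def parse_kv(message: str) -> Dict[str, str]:
    """Split a SonicWall key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(message)}


def find_rule_uuid(fields: Dict[str, str]) -> Optional[str]:
    """Return the rule UUID if present. Looks at an assumed 'ruleuuid' key
    first, then at a UUID embedded in the rule value (both assumptions)."""
    for key in ("ruleuuid", "rule"):
        value = fields.get(key)
        if value:
            match = UUID_RE.search(value)
            if match:
                return match.group(0).lower()
    return None


def map_to_ecs(message: str, action_by_code: Dict[str, str] = ACTION_BY_CODE) -> dict:
    """Build the ECS subset the PR touches from one raw log line."""
    raw = parse_kv(message)
    ecs: dict = {"event": {}, "rule": {}, "sonicwall": {}}
    code = raw.get("m")
    if code:
        ecs["event"]["code"] = code
        action = action_by_code.get(code)
        if action:
            ecs["event"]["action"] = action
            ecs["event"].update(ECS_BY_ACTION.get(action, {}))
    gcat = raw.get("gcat")
    if gcat:
        ecs["sonicwall"]["gcat"] = gcat
        ecs["sonicwall"]["gcat_label"] = GCAT_LABELS.get(gcat, "unknown")
    if raw.get("rule"):
        ecs["rule"]["id"] = raw["rule"]          # rule name, as the pipeline already does
    uuid = find_rule_uuid(raw)
    if uuid:
        ecs["rule"]["uuid"] = uuid               # the new field this PR adds
    return ecs


def changed_actions(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple]:
    """Codes whose event.action differs between two tables: the check a
    reviewer runs to see whether a mapping fix changes existing documents."""
    return {c: (old.get(c), new.get(c)) for c in set(old) | set(new) if old.get(c) != new.get(c)}


# Constructed sample line (not real device output; addresses are documentation ranges).
SAMPLE = ('id=firewall sn=PLACEHOLDER-SN time="2025-11-03 20:34:00" fw=203.0.113.1 '
          'pri=6 c=1024 gcat=2 m=36 msg="Packet dropped" n=42 '
          'src=192.0.2.10:51515:X1 dst=198.51.100.7:443:X2 proto=tcp/https '
          'rule="Deny Outbound (15 (LAN->WAN))" '
          'ruleuuid=123e4567-e89b-12d3-a456-426614174000')

if __name__ == "__main__":
    import json
    print(json.dumps(map_to_ecs(SAMPLE), indent=2))
    print(changed_actions(LEGACY_ACTION_BY_CODE, ACTION_BY_CODE))
```

Running `map_to_ecs(SAMPLE)` with the corrected table yields event.action packet-dropped and rule.uuid populated; passing LEGACY_ACTION_BY_CODE reproduces the old connection-close result, and `changed_actions` lists exactly the codes whose meaning a pipeline upgrade would alter in already indexed data.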

@ppalmieri ppalmieri requested a review from a team as a code owner November 3, 2025 20:34
@cla-checker-service

cla-checker-service bot commented Nov 3, 2025

💚 CLA has been signed

@ppalmieri
Contributor Author

I have completed the Contributor Agreement.

@andrewkroh andrewkroh added Integration:sonicwall_firewall SonicWall Firewall Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Nov 3, 2025
@elasticmachine

Pinging @elastic/integration-experience (Team:Integration-Experience)

Contributor

@qcorporation qcorporation left a comment

You will also need to update the manifest.yml file with the new version 1.19.3

@qcorporation qcorporation requested a review from a team November 3, 2025 21:55
@ppalmieri
Contributor Author

Is there anything else I need to do for this to be reviewed and merged in?

@taylor-swanson
Contributor

This PR corrects the gcat (Global Category) mapping for Sonicwall messages, as they changed from version 6.x of SonicOS to 7.x.

Were these values ever correct? I looked back at Sonic OS 6.x and I can't find any mentions of the old gcat mappings. 6.5.4 is the first version I see mentioning gcat categories and they are the same that you've listed in the PR.

I'm fine with correcting invalid mappings, but if they actually changed between 6.x and 7.x, then that would constitute a breaking change in the integration.

@ppalmieri
Contributor Author

Were these values ever correct? I looked back at Sonic OS 6.x and I can't find any mentions of the old gcat mappings. 6.5.4 is the first version I see mentioning gcat categories and they are the same that you've listed in the PR.

I'm fine with correcting invalid mappings, but if they actually changed between 6.x and 7.x, then that would constitute a breaking change in the integration.

I just looked back at them myself, and you are correct: the first time that gcat mappings are mentioned is in the 6.5.4 Log Events Reference Guide, which was published in June of 2021. I do not think these were ever mapped correctly in the integration.

Contributor

@taylor-swanson taylor-swanson left a comment

Overall, changes seem fine to me (aside from the changelog).

The pipeline test expected files will need to be updated, which can be done by running:

cd packages/sonicwall_firewall
elastic-package test pipeline --generate

If you don't have an environment set up, I can certainly run that command and update the test files, just let me know.

@ppalmieri
Contributor Author

If you don't have an environment set up, I can certainly run that command and update the test files, just let me know.

@taylor-swanson I do not have an environment set up; would you mind doing that for me, please?

Thank you

@taylor-swanson
Contributor

/test

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

@taylor-swanson taylor-swanson merged commit 865e1db into elastic:main Dec 2, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package sonicwall_firewall - 1.21.0 containing this change is available at https://epr.elastic.co/package/sonicwall_firewall/1.21.0/

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Dec 2, 2025