Log Types: SonicWallSSLVPN

Overview

SonicWall produces network firewalls that include features such as unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

This collection module specifically collects and processes the SSL and VPN event data.

SonicWall SSL/VPN logs are identified by the “SSLVPN: id=” string content in the event.

Collection

On your SonicWall management interface, go to the Log > Syslog page.

  • The Syslog Facility may be left as the factory default.

  • From the Syslog Format menu list, choose the ‘default’ SonicWall Syslog format.

  • In the Syslog ID field, enter the Syslog ID that you want.

    • A Syslog ID field is included in all generated Syslog messages, prefixed by “id=”. Thus, for the default value, firewall, all Syslog messages include “id=firewall”. The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters, and is generally set to the hostname of the associated firewall.

  • When you’ve finished setting the Syslog options, click Accept at the top of the page.

 

Sample Events

Jan 13 13:42:07 192.168.0.9 connect SSLVPN: id=sslvpn sn=0017C552F0A4 time="2013-02-02 11:36:44" vp_time="2013-02-02 16:36:43 UTC" fw=10.10.254.5 pri=4 m=1 c=1 src=24.176.55.122 dst=10.10.254.4 user="Sgreen" usr="Sgreen" msg="User login failed" agent="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Fields

| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | SonicWallSSLVPN |
| ACTION | connect |
| PRIORITY | Priority (p=) value |
| FWADDR | IP address of the firewall |
| SRCADDR | Source address |
| DSTADDR | Destination address |
| PORTAL | Portal, if supplied |
| DOMAIN | Domain, if supplied |
| USER | User name |
| MESSAGE | msg field |
| AGENT | User agent (generally a browser / version value) |
| STRINGS | Any other content within the event, that is not assigned to the fields above - generally in key=value format, with space separators |
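
The following Python parser is an added example, not the collection module's own code: it recognises an event by the “SSLVPN: id=” marker and splits the sample event above into the documented fields, tolerating the unterminated agent value. The key-to-field mapping, taking SYSTEM and ACTION from the two tokens before the marker, and taking DATE and TIME from time= are assumptions made for illustration.

```python
import re

MARKER = "SSLVPN: id="  # string the page says identifies these events

# Assumed mapping of SonicWall keys to the documented field names.
KEY_TO_FIELD = {
    "pri": "PRIORITY", "fw": "FWADDR", "src": "SRCADDR", "dst": "DSTADDR",
    "portal": "PORTAL", "domain": "DOMAIN", "user": "USER",
    "msg": "MESSAGE", "agent": "AGENT",
}

# key=value: the value is either quoted (closing quote optional, so a
# truncated last field is still captured) or a bare token without spaces.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)(?:"|$)|(\S*))')

# Sample event from the page; its agent value has no closing quote.
SAMPLE = ('Jan 13 13:42:07 192.168.0.9 connect SSLVPN: id=sslvpn '
          'sn=0017C552F0A4 time="2013-02-02 11:36:44" '
          'vp_time="2013-02-02 16:36:43 UTC" fw=10.10.254.5 pri=4 m=1 c=1 '
          'src=24.176.55.122 dst=10.10.254.4 user="Sgreen" usr="Sgreen" '
          'msg="User login failed" agent="Mozilla/5.0 (compatible; '
          'MSIE 9.0; Windows NT 6.1; Trident/5.0)')

def parse_sslvpn(line):
    """Return the documented fields as a dict, or None for other events."""
    line = line.strip()
    pos = line.find(MARKER)
    if pos < 0:
        return None
    header = line[:pos].split()  # assumed: "<timestamp> <host> <action>"
    record = {
        "TABLE": "SonicWallSSLVPN",
        "SYSTEM": header[-2] if len(header) >= 2 else "",
        "ACTION": header[-1] if header else "",
    }
    extras = []
    for key, quoted, bare in PAIR.findall(line[pos + len("SSLVPN: "):]):
        value = quoted or bare
        field = KEY_TO_FIELD.get(key)
        if key == "time" and "DATE" not in record:
            record["DATE"], _, record["TIME"] = value.partition(" ")
        elif field and field not in record:
            record[field] = value  # first occurrence wins
        else:  # unmapped or repeated keys are kept, not dropped
            extras.append(f'{key}="{value}"' if " " in value else f"{key}={value}")
    record["STRINGS"] = " ".join(extras)
    return record

if __name__ == "__main__":
    for name, value in parse_sslvpn(SAMPLE).items():
        print(f"{name:9} {value}")
```

Keys that repeat or have no documented field end up in STRINGS rather than being discarded, so nothing in the original event is lost to the parser.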

Notes

https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-syslog-server-on-a-sonicwall-firewall/170505984096810/

http://help.sonicwall.com/help/sw/eng/9320/25/9/0/content/Ch134_Log_Syslog.156.4.html