Explore and Analyze Sonicwall Firewall Events
After Logpoint ingests SonicWall Firewall logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Generate Reports for compliance and trend analysis.
Configure Alerts to get notified of critical or suspicious activity.
Search
Use the following queries to explore common SonicWall Firewall events:
All SonicWall logs
col_type = "sonicwall" OR norm_id = "Sonic*"
Top source addresses
norm_id = "Sonic*"
Top destination addresses
norm_id = "Sonic*"
User activities
norm_id = "Sonic*" user=*
Connection details
norm_id = "Sonic*" source_address=* destination_address=*
Data transfer events
norm_id = "Sonic*" bytes_sent=* bytes_received=*
High severity events
norm_id = "Sonic*" severity IN [0, 1, 2, 3]
Administrative tasks
norm_id = "Sonic*" event_type="admin"
Bandwidth usage by category
norm_id = "Sonic*"
Port scan detection
norm_id = "Sonic*" message="*port scan*"
Upload and download events
norm_id = "Sonic*" (action="upload" OR action="download")
Dashboards
LP_SonicWall Firewall Dashboard
The LP_SonicWall Firewall dashboard provides a comprehensive overview of SonicWall Firewall activity across your environment, showing patterns in network traffic, security events, user activities, bandwidth consumption, and administrative operations. It helps you monitor overall security posture, track severity trends, identify top communicating hosts, investigate high bandwidth usage, and review administrative changes.
Dashboard Widgets:
Top 10 Source Addresses
An overview of the top 10 source addresses detected by the firewall on your network.
Top 10 Destination Addresses
An overview of the top 10 destination addresses detected by the firewall on your network.
Top 10 Users Activities Per Day
An overview of the top 10 user activities, such as successful user logins or logouts, detected by the firewall on your network.
Top 10 Messages
An overview of the top 10 messages received, such as user logout successful or possible port scan detected.
Top 10 Source Port
An overview of the top 10 source ports.
Connection - Details
A detailed list of connections established with your network by source address, source port, destination address, destination port, and protocol.
Data Transfer - Details
A detailed overview of data transfer events by source address, source port, destination address, and destination port.
Top Description by Source Address and Destination Address
A detailed overview of the most common event descriptions, broken down by source and destination address.
Upload and Download
An overview of file upload and download events based on data size.
Severities
An overview of SonicWall Firewall events with their severity levels ranging from 0 (High) to 7 (Low).
IPS Categories
An overview of IPS categories, such as Wireless intrusion prevention system, Host-based intrusion prevention system, Network-based intrusion prevention system, or Network behavior analysis.
Bandwidth Usage by Category
An overview of network bandwidth by category.
Top 10 Heaviest Usage of Bandwidth
An overview of the source addresses consuming the most bandwidth.
Bandwidth Usage by Protocols
An overview of the network bandwidth used based on protocols like FTP.
Top 10 Destination Countries
An overview of the top 10 destination countries.
Least Frequent Messages (Bottom 20%)
An overview of infrequently seen messages: those whose frequency falls below the 0.2 quantile of message counts.
Most Frequent Messages (Top 20%)
An overview of frequently seen messages: those whose frequency lies above the 0.8 quantile of message counts.
Administrative Tasks
An overview of administrative tasks by user, message, and description.
Multiple Triggers from the Same Source
A count of messages with severity Alert, Emergency, Critical, or Error, grouped by source address.
High Severity Triggers
An overview of events with high severity (Alert, Emergency, Critical, or Error) by source address, destination address, message, and severity.
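The two frequency widgets above rank messages by how often they occur and keep only those below the 0.2 quantile or above the 0.8 quantile. The following Python, added here as an example and not Logpoint's widget code, shows that bucketing over a constructed stream of normalized SonicWall messages. The message names and counts are constructed, and the nearest-rank quantile method is an assumption, since the page states only the thresholds and not how the quantile is computed.

```python
"""Split SonicWall messages into the dashboard's "Most Frequent (Top 20%)" and
"Least Frequent (Bottom 20%)" buckets by message-count quantiles.

Added example, not Logpoint's widget code. The event stream is constructed;
the nearest-rank quantile method is an assumption (the page states only the
0.2 and 0.8 quantile thresholds, not how the quantile is computed).
"""
import math
from collections import Counter

# Constructed (message, occurrences) pairs, expanded into a flat stream the way
# normalized SonicWall messages would accumulate over a dashboard time window.
_CONSTRUCTED = [
    ("Connection Opened", 50),
    ("Connection Closed", 35),
    ("Web site access allowed", 20),
    ("User login successful", 15),
    ("User logout successful", 12),
    ("Web site access denied", 8),
    ("DNS packet allowed", 5),
    ("IP spoof detected", 3),
    ("Possible port scan detected", 2),
    ("Configuration changed", 1),
]
MESSAGES = [msg for msg, n in _CONSTRUCTED for _ in range(n)]


def nearest_rank(values, q):
    """q-th quantile (0 < q <= 1) of a list of numbers by the nearest-rank method."""
    ordered = sorted(values)
    rank = math.ceil(q * len(ordered))  # 1-based rank of the quantile element
    return ordered[max(rank, 1) - 1]


def frequency_buckets(messages, low_q=0.2, high_q=0.8):
    """Return the least-frequent (count below the low_q quantile) and
    most-frequent (count above the high_q quantile) messages with their counts,
    mirroring the two dashboard widgets."""
    counts = Counter(messages)
    low = nearest_rank(counts.values(), low_q)
    high = nearest_rank(counts.values(), high_q)
    least = sorted((m, n) for m, n in counts.items() if n < low)
    most = sorted(((m, n) for m, n in counts.items() if n > high),
                  key=lambda pair: -pair[1])
    return {"least_frequent": least, "most_frequent": most,
            "low_cut": low, "high_cut": high}


if __name__ == "__main__":
    buckets = frequency_buckets(MESSAGES)
    print("Least frequent (count <", buckets["low_cut"], "):", buckets["least_frequent"])
    print("Most frequent (count >", buckets["high_cut"], "):", buckets["most_frequent"])
```

The rare bucket is the one worth watching during an investigation: a configuration change or port-scan message that appears once among thousands of connection events is easy to miss in a top-N chart but surfaces immediately in the bottom-20% list.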
Adding SonicWall Firewall Dashboard
Navigate to Settings >> Knowledge Base >> Dashboards.
Select Vendor Dashboard from the dropdown.
Click the Add icon under Actions of the LP_SonicWall Firewall dashboard.
Click Choose Repos.
Select the repository configured for SonicWall Firewall logs and click Done.
Click Ok.
The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.
Reports
Logpoint provides SonicWall Firewall report templates that produce time-bound summaries and trend analyses of security events, traffic patterns, and firewall activity.
Generating SonicWall Firewall Reports
Access Report Templates
Go to Reports >> Reports Templates.
Select VENDOR REPORT TEMPLATES from the dropdown.
Locate SonicWall Firewall report templates.
Run Report
Click the Run This Report icon.
Configure report parameters:
Repos: Select SonicWall Firewall log repos.
Time Zone: Set appropriate timezone.
Time Range: Define the analysis period.
Export Type: Choose PDF or HTML format.
Email: Specify recipients.
Access Generated Reports
View report generation status under Report Jobs.
Download completed reports from Inbox in PDF or HTML format.
Alerts
SonicWall Firewall integrates with Logpoint's alerting system to notify you about critical security and operational events based on firewall detections.
Configuring Custom Alerts
You can create custom alert rules for SonicWall Firewall events:
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Click Add to create a new alert rule.
Configure the alert with appropriate queries for SonicWall events.
Example Alert Queries:
High severity events
norm_id = "Sonic*" severity IN [0, 1, 2]
Multiple failed login attempts
norm_id = "Sonic*" message="loginfail*"
Port scan detection
norm_id = "Sonic*" message="*port scan*"
High bandwidth usage
norm_id = "Sonic*"
Administrative changes
norm_id = "Sonic*" event_type="admin" action="*change*"
Critical system events
norm_id = "Sonic*" severity=0
Unusual destination countries
norm_id = "Sonic*" destination_country NOT IN ["known", "countries"]
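The search queries in the Search section and the alert queries above are Logpoint query-language patterns. The following Python, added here as an example and not part of the page or of Logpoint, re-creates those filters over a constructed batch of normalized events so you can see which records each query would select and how an alert rule turns a message match into a per-source count. Field names come from the page's queries; the norm_id value, the sample messages and addresses, the case-insensitive glob matching of "*" patterns, and the threshold of three failures per source for "multiple failed login attempts" are assumptions.

```python
"""Re-create the page's SonicWall search and alert queries as plain Python filters.

Added example, not Logpoint code. The events below are constructed normalized
records using the field names the page's queries reference (norm_id, severity,
message, source_address, destination_address, event_type, action,
destination_country). Assumptions: '*' in a query value is a glob wildcard and
matching is case-insensitive; the norm_id value "SonicWallFirewall" is a
constructed placeholder that satisfies the page's norm_id = "Sonic*" pattern.
"""
from collections import Counter
from fnmatch import fnmatchcase


def glob_match(value, pattern):
    """Case-insensitive glob match, the assumed semantics of field="*x*" in a query."""
    if value is None:
        return False
    return fnmatchcase(str(value).lower(), pattern.lower())


def ev(severity, message, src, dst, country="US", **extra):
    """Build one constructed normalized SonicWall event."""
    record = {"norm_id": "SonicWallFirewall", "severity": severity, "message": message,
              "source_address": src, "destination_address": dst,
              "destination_country": country}
    record.update(extra)
    return record


# Constructed sample batch; addresses are documentation/private ranges.
EVENTS = [
    ev(6, "Connection Opened", "10.0.0.5", "93.184.216.34"),
    ev(6, "Connection Closed", "10.0.0.5", "93.184.216.34"),
    ev(4, "loginfail: user admin", "10.0.0.9", "10.0.0.1"),
    ev(4, "loginfail: user admin", "10.0.0.9", "10.0.0.1"),
    ev(4, "loginfail: user root", "10.0.0.9", "10.0.0.1"),
    ev(4, "loginfail: user bob", "10.0.0.12", "10.0.0.1"),
    ev(1, "Possible port scan detected", "198.51.100.7", "10.0.0.1"),
    ev(0, "System reboot", "10.0.0.1", "10.0.0.1"),
    ev(5, "Configuration changed", "10.0.0.3", "10.0.0.1",
       event_type="admin", action="config change"),
    ev(6, "Connection Opened", "10.0.0.5", "203.0.113.9", country="ZZ"),
    # A non-SonicWall record; every query's norm_id filter must exclude it.
    {"norm_id": "OtherVendor", "severity": 0, "message": "Possible port scan detected",
     "source_address": "198.51.100.8", "destination_address": "10.0.0.1",
     "destination_country": "US"},
]


def sonicwall_events(events):
    """norm_id = "Sonic*": the base filter every query on the page starts with."""
    return [e for e in events if glob_match(e.get("norm_id"), "Sonic*")]


def high_severity(events, levels=(0, 1, 2, 3)):
    """norm_id = "Sonic*" severity IN [0, 1, 2, 3] (0 is the highest severity)."""
    return [e for e in sonicwall_events(events) if e.get("severity") in levels]


def message_matches(events, pattern):
    """norm_id = "Sonic*" message="<pattern>", e.g. "*port scan*" or "loginfail*"."""
    return [e for e in sonicwall_events(events) if glob_match(e.get("message"), pattern)]


def repeated_failed_logins(events, threshold=3):
    """Alert refinement (assumed threshold): sources with >= threshold loginfail* messages."""
    counts = Counter(e["source_address"] for e in message_matches(events, "loginfail*"))
    return {src: n for src, n in counts.items() if n >= threshold}


def admin_changes(events):
    """norm_id = "Sonic*" event_type="admin" action="*change*"."""
    return [e for e in sonicwall_events(events)
            if e.get("event_type") == "admin" and glob_match(e.get("action"), "*change*")]


def unusual_destination_countries(events, known):
    """norm_id = "Sonic*" destination_country NOT IN [<known countries>]."""
    return [e for e in sonicwall_events(events) if e.get("destination_country") not in known]


def run_alerts(events, known_countries=("US",)):
    """Evaluate the page's alert queries and return hit counts per alert name."""
    return {
        "High severity events": len(high_severity(events, (0, 1, 2))),
        "Multiple failed login attempts": len(repeated_failed_logins(events)),
        "Port scan detection": len(message_matches(events, "*port scan*")),
        "Administrative changes": len(admin_changes(events)),
        "Critical system events": len(high_severity(events, (0,))),
        "Unusual destination countries": len(unusual_destination_countries(events, set(known_countries))),
    }


if __name__ == "__main__":
    for name, hits in run_alerts(EVENTS).items():
        print(f"{name}: {hits}")
```

Note that the page's "multiple failed login attempts" query only matches the message pattern; grouping by source address and applying a threshold, as repeated_failed_logins does, is what keeps a single mistyped password from paging anyone while still catching a host that fails repeatedly. The OtherVendor record shows why every query keeps the norm_id filter: without it, another device's severity-0 event would count as a SonicWall critical alert.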