Tag Archives: data

Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your Logstash.conf File
First, you must update your logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf

Add a logstash input
In logstash.conf, you must first add an input which will allow logstash to receive the syslog from your Sonicwall appliance along with a designated “listening” port. For my configuration, I set this to port 5515. In my logstash instance, I am using Suricata SELKs, so you can also see a file input for that prior to my Sonicwall input. See below (the text highlighted in RED was the text I added to the config file).

input {
file {
path => [“/var/log/suricata/eve.json”]
#sincedb_path => [“/var/lib/logstash/”]
sincedb_path => [“/var/cache/logstash/sincedbs/since.db”]
codec => json
type => “SELKS”
syslog {
type => Sonicwall
port => 5515

Insert a logstash Filter
The next step is to insert a new filter for parsing your sonicwall logs, this is so that Logstash knows how to automatically create fields so that you can filter on specific fields in Syslog. Below is the text that I added to the configuration file.  Important: You must make sure that if you have pre-existing filters, your start and end curly braces appropriately open and close and in the filter section the text below incorporated into the filter bracketed text.

if [type] == “Sonicwall” {
kv {
exclude_keys => [ “c”, “id”, “m”, “n”, “pri” ]
grok {
match => [ “src”, “%{IP:srcip}:%{DATA:srcinfo}” ]
grok {
match => [ “dst”, “%{IP:dstip}:%{DATA:dstinfo}” ]
grok {
remove_field => [ “srcinfo”, “dstinfo” ]
geoip {
add_tag => [ “geoip” ]
source => “srcip”
database => “/opt/logstash/vendor/geoip/GeoLiteCity.dat”

Configure the Parsed Output Location
Finally, you need to configure the output for the config file. The output is to send into the logstash instance. Below is the configuration for this. In this case, my logstash instance is sending to localhost because it is running on the same box.


output {
elasticsearch {
host => “”
protocol => transport

Configure the Sonicwall
Next you will need to configure your Sonicwall to send syslog messages to the logstash server. Login to your sonicwall, go to “Log->Syslog and then add a server x.x.x.x with port 5515.

Next you’ll need to turn on Sonicwall Name Resolution for Logs
Go to Log->Name Resolution and make sure to setup a DNS server to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and show double IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To Import go into Kibana and select “Load” then go to “Advanced and click on “Load File”)

  • Sonic-Alerts (Filters the Top Alert Messages from the Sonicwall Syslog
  • Sonic Top (Filters the Top Source and Destination hosts and events associated with your sonicwall.


[ISN] Newly Fired CEO Of Norse Fires Back At Critics

www.darkreading.com/threat-intelligence/newly-fired-ceo-of-norse-fires-back-at-critics-/d/d-id/1324195 By Jai Vijayan DarkReading.com 2/4/2016 Critics maintain that Norse Corp. is peddling threat data as threat intelligence. A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing. KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier. The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO. The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported. Shortly thereafter, Norse’s website went dark and remained unavailable through the week


[ISN] IoT risks raise concerns among IT specialists in central and eastern Europe

www.computerweekly.com/news/4500272253/IoT-risks-raise-concerns-among-IT-specialists-in-CEE By Krzysztof Polak ComputerWeekly.com 04 Feb 2016 The internet of things (IoT) has gone from an industry buzzword to a highly promising phenomenon in central and eastern Europe – but IT specialists are concerned about how to protect networks from the extra strain of new connected devices. The driving force behind IoT is the desire to gain knowledge and insights about, for example, buildings, cars, industrial installations, healthcare, aviation and civil infrastructure, using smart and connected devices. But according to Sylwester Chojnacki, director, enterprise business group at Huawei CEE, the designers of IoT equipment have not learned the lessons from the early years of internet development. “They do not pay sufficient attention to the safety of devices and applications,” he said. IoT devices are often the first target in cyber attacks, leading to intrusions into computer systems and large databases. […]


[ISN] Hackers post private files of America’s biggest police union

www.theguardian.com/uk-news/2016/jan/28/fraternal-order-of-police-hacked-fbi-investigation-data-servers By Jon Swaine and George Joseph in New York The Guardian 28 January 2016 Private files belonging to America’s biggest police union, including the names and addresses of officers, forum posts critical of Barack Obama, and controversial contracts made with city authorities, were posted online Thursday after a hacker breached its website. The Fraternal Order of Police (FOP), which says it represents about 330,000 law enforcement officers across the US, said the FBI was investigating after 2.5GB of data taken from its servers was dumped online and swiftly shared on social media. The union’s national site, fop.net, remained offline on Thursday evening. “We have contacted the office of the assistant attorney general in charge of cyber crime, and officials from FBI field offices have already made contact with our staff,” Chuck Canterbury, the FOP’s national president, said in an interview. The FBI did not respond to a request to confirm that it was investigating. Canterbury said he was confident that no sensitive personal information or financial details of their members had been obtained. “Some names and addresses were taken,” he said. “It concerns us. We’re taking steps to try to notify our members but that is going to take some time.” […]


[ISN] Feds primary network security weapon needs more bang

www.networkworld.com/article/3027635/security/dhs-gao-feds-primary-network-security-weapon-needs-more-bang.html By Michael Cooney Layer 8 Network World Jan 28, 2016 In the face of relenting network attacks and it seems that the government’s chief weapon for combatting the assault lacks some teeth. That weapon – the Department of Homeland Security’s (DHS) National Cybersecurity Protection System (NCPS)—also known as Einstein has is intended to provide DHS with capabilities to detect malicious traffic traversing federal agencies’ computer networks, prevent intrusions, and support data analytics and information sharing. A tall tale no doubt but one that is imperative to protecting the gargantuan amount of government intelligence and personally identifiable information the feds watch over. The threat is obvious


[ISN] Cloud security roadmap essential for healthcare as off-site threats persist, experts say

www.healthcareitnews.com/news/cloud-security-roadmap-essential-healthcare-site-threats-persist-experts-say By Jack McCarthy Health IT News January 28, 2016 The onset of cloud computing brought with it an information technology revolution, allowing organizations to have their IT resources hosted off site, reducing their costs and simplifying operations. Unfortunately, the move to the cloud did not mean organizations could forget about requirements for a successful security profile. Healthcare organizations making the move to a cloud-centric strategy can’t lower their guard on security defenses, said Chris Bowen, founder and chief privacy and security officer of ClearDATA, a healthcare cloud computing company. “People may think that by offloading security responsibility to the cloud, they won’t have to worry, but that’s not the case,” Bowen said. “We know that threats exist in the cloud.” Bowen will discuss this issue at HIMSS16 along with J. Gary Seay, senior vice president and CIO of Community Health Systems, Bowen will give a presentation entitled, “Developing a Cloud Security Roadmap.” […]


[ISN] Here’s what ‘Shmoocon 2016,’ the D.C. hackerfest, tells us about the cybersecurity industry

www.washingtonpost.com/news/capital-business/wp/2016/01/28/heres-whats-changing-in-d-c-s-hacker-community/ By Aaron Gregg The Washington Post January 28, 2016 Walking around Shmoocon, a D.C. cybersecurity conference in its 12th year, one gets the impression that the hacker community is growing out of a bit of its outrageousness. “There’s a chaotic element to it that has really fallen off,” said Shmoocon founder Bruce Potter. “All the shenanigans you used to see; dumping Jello in the fountain in Vegas…you don’t even see it anywhere anymore.” To be sure, the cultural quirks are still there. Grown men still call each other by over-the-top hacker aliases. A man walks around wearing a chicken mask with a fluorescent-green box strapped to this back blaring electronic music. With the exception of a group of West Point cadets, everyone is wearing T-shirts. But the crowd’s absurdities make it easy to forget that these are some of the most sought-after professionals in business, government and war. Over the past few years costly and highly-public instances of data theft have driven huge corporations to give cybersecurity professionals C-suite representation for the first time. And there’s a massive dearth of trained cybersecurity professionals, even in the Washington area: a 2015 report from market research firm Burning Glass found almost 50,000 open positions for cybersecurity professionals across the country with an advertised average salary of $83,934. As a result, conferences like Shmoocon have become central nodes where corporate and government recruiters find cyber talent. Local economic development boosters are targeting cybersecurity as a growth sector for the region, hoping they can capitalize on the steady stream of specialized talent that spills out the region’s military and intelligence agencies. […]


[ISN] Broad use of cloud services leaves enterprise data vulnerable to theft, report says

www.networkworld.com/article/3025944/security/broad-use-of-cloud-services-leave-enterprise-data-vulnerable-to-theft-report-says.html By Patrick Nelson Network World Jan 25, 2016 Data theft is a very real and growing threat for companies that increasingly use cloud services, says a security firm. Workers who widely share documents stored in the cloud with clients, independent contractors, or even others within the company are creating a Swiss-cheese of security holes, a study by Blue Coat Systems has found. In some cases, cloud documents were publicly discoverable through Google searches, the researchers say of their analysis. ‘Broadly shared’ The study found that 26% of documents stored in cloud apps are shared so widely that they pose a security risk. Compounding the issue is that many organizations aren’t even aware of it. […]