Tag Archives: vendor

Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your Logstash.conf File
First, you must update your logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf

Add a logstash input
In logstash.conf, you must first add an input that allows Logstash to receive syslog from your Sonicwall appliance on a designated listening port; for my configuration, I set this to port 5515. My Logstash instance also runs Suricata SELKS, so you will see a file input for that ahead of the Sonicwall input. In the block below, the syslog { } section is the text I added to the config file.

input {
  # Existing SELKS input: tails Suricata's EVE JSON log
  file {
    path => ["/var/log/suricata/eve.json"]
    #sincedb_path => ["/var/lib/logstash/"]
    sincedb_path => ["/var/cache/logstash/sincedbs/since.db"]
    codec => json
    type => "SELKS"
  }
  # Added for the Sonicwall: listen for syslog on port 5515
  # (type must be quoted so the filter's [type] == "Sonicwall" test matches)
  syslog {
    type => "Sonicwall"
    port => 5515
  }
}

Insert a logstash Filter
The next step is to insert a new filter for parsing your Sonicwall logs, so that Logstash knows how to create fields automatically and you can filter on specific syslog fields in Kibana. Below is the text that I added to the configuration file. Important: if you have pre-existing filters, make sure your opening and closing curly braces match up, and place the text below inside your existing filter { } block rather than adding a second one.

filter {
  # Merge this into your existing filter { } block if you already have one
  if [type] == "Sonicwall" {
    # Sonicwall syslog is key=value; split it into fields, dropping the noisy keys
    kv {
      exclude_keys => [ "c", "id", "m", "n", "pri" ]
    }
    # src/dst look like ip:port:interface; pull the IP out of each
    grok {
      match => [ "src", "%{IP:srcip}:%{DATA:srcinfo}" ]
    }
    grok {
      match => [ "dst", "%{IP:dstip}:%{DATA:dstinfo}" ]
    }
    # Drop the leftover port:interface captures (the original post used a
    # grok {} with no match here; grok only removes fields on a successful
    # match, so mutate is the filter that actually does this)
    mutate {
      remove_field => [ "srcinfo", "dstinfo" ]
    }
    # Geolocate the source IP for the Kibana map panels
    geoip {
      add_tag => [ "geoip" ]
      source => "srcip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }
  }
}
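To check what fields the kv and grok stages above will produce before you restart Logstash, here is an added Python stand-in for that part of the pipeline (my own example, not code from the original post). It replicates the kv split with the same exclude_keys, the two src/dst grok patterns, and the removal of srcinfo/dstinfo; the geoip stage is not replicated because it needs the GeoLiteCity database. The sample log line is constructed to look like Sonicwall key=value syslog and is not a captured message.

```python
import re

# Keys dropped by the page's kv filter (exclude_keys in logstash.conf)
EXCLUDED_KEYS = {"c", "id", "m", "n", "pri"}

# key=value where value is either a "quoted string" or a run of non-blank chars
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Equivalent of %{IP:xip}:%{DATA:xinfo} for the src and dst fields
ENDPOINT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(.*)$')

# Constructed sample line in Sonicwall key=value syslog style (not real data)
SAMPLE = (
    'id=firewall sn=CONSTRUCTED01 time="2015-07-08 10:15:02" fw=203.0.113.1 '
    'pri=6 c=1024 m=537 msg="Connection Closed" n=48213 '
    'src=192.168.1.10:51234:X0 dst=198.51.100.25:443:X1 proto=tcp/https'
)


def parse_sonicwall(line):
    """Apply the kv -> grok -> mutate stages from the config to one line."""
    event = {}
    # kv stage: every key=value pair becomes a field, except the excluded keys
    for key, quoted, bare in KV_RE.findall(line):
        if key in EXCLUDED_KEYS:
            continue
        event[key] = quoted if quoted else bare
    # grok stages: src/dst -> srcip/dstip, with the port:interface tail captured
    for field in ("src", "dst"):
        value = event.get(field)
        if value is None:
            continue
        match = ENDPOINT_RE.match(value)
        if not match:
            # grok tags the event instead of raising when the pattern fails
            event.setdefault("tags", []).append("_grokparsefailure")
            continue
        event[field + "ip"] = match.group(1)
        # mutate stage: srcinfo/dstinfo are captured, then removed, so they
        # never reach Elasticsearch; we simply do not keep match.group(2)
    return event


if __name__ == "__main__":
    for k, v in sorted(parse_sonicwall(SAMPLE).items()):
        print(f"{k}={v}")
```

The printed fields are the ones you should expect to see on each Sonicwall event in Kibana (plus the geoip fields once that stage runs).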

Configure the Parsed Output Location
Finally, you need to configure the output section of the config file, which tells Logstash where to send the parsed events; here they go to Elasticsearch. Below is the configuration for this. In my case, the host is localhost because Elasticsearch is running on the same box as Logstash.

output {
  elasticsearch {
    # Elasticsearch runs on the same box as Logstash in this setup
    host => "localhost"
    protocol => transport
  }
}

Configure the Sonicwall
Next you will need to configure your Sonicwall to send syslog messages to the Logstash server. Log in to your Sonicwall, go to “Log -> Syslog”, and add a server x.x.x.x (the address of your Logstash host) with port 5515.

Next you’ll need to turn on Sonicwall Name Resolution for Logs
Go to “Log -> Name Resolution” and make sure a DNS server is set up to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and will show duplicate IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To import, go into Kibana and select “Load”, then go to “Advanced” and click on “Load File”.)

  • Sonic-Alerts (filters the top alert messages from the Sonicwall syslog)
  • Sonic Top (filters the top source and destination hosts and the events associated with your Sonicwall)


My latest Gartner research: Vendor Rating: Huawei

Huawei has established itself as a solid provider of ICT infrastructure technologies across consumer, carrier and enterprise markets worldwide. CIOs and IT leaders should utilize this research to familiarize themselves with Huawei’s “all-cloud” strategy and ecosystem development…

Gartner subscribers can access this research by clicking here.


My latest Gartner Research: SWOT: Check Point Software Technologies, Network Security, Worldwide

Check Point remains a leading security vendor, with a strong and broad portfolio that has improved with the pace of innovation. However, its product leaders need better marketing and refined renewal pricing strategies to sustain its growth and leadership in the firewall market…

Gartner subscribers can access this research by clicking here.


My latest Gartner Research: Cool Vendors in Security for Technology and Service Providers, 2016

The boundaries of information security are fast expanding. These Cool Vendors are pioneering new directions and potential opportunities in the security market. TSP product managers and CMOs looking to partner with these vendors should examine their innovative security technologies.

Gartner customers can read this research by clicking here.


[ISN] Healthcare Vendor Risk Management Programs Lagging, Says Study

http://healthitsecurity.com/news/healthcare-vendor-risk-management-programs-lagging-says-study

By Elizabeth Snell
healthitsecurity.com
July 8, 2015

Healthcare vendor risk management programs can have a huge impact on a healthcare organization’s ability to keep sensitive data – such as patient PHI – secure. However, if a recent study is any indication, healthcare vendor risk management programs have room for improvement.

The 2015 Vendor Risk Management Benchmark Study, conducted by The Shared Assessments Program and Protiviti, found that vendor risk management programs within financial services organizations are more mature than companies in other industries, such as insurance and healthcare.

“Even the more optimistic assessments of the current state of vendor risk management indicate that significant improvements may be needed,” the report’s authors explained. “The time for progress and improvements in vendor risk management capabilities is now, particularly when considering that cyberattacks and other security incidents are very likely to continue increasing.”

The survey interviewed more than 460 executives and managers in various industries. Respondents were asked to rate their organization’s maturity level in different areas of vendor risk management on a 0 to 5 scale, with 0 equal to “Do not perform” and 5 equal to “Continuous improvement – benchmarking, moving to best practices.”

[…]


[ISN] Wearables Maker Jawbone Sues Fitbit Over Alleged Data Theft

http://www.eweek.com/mobile/wearables-maker-jawbone-sues-fitbit-over-alleged-data-theft.html

By Todd R. Weiss
eWEEK.com
2015-05-28

Wearables vendor Jawbone is suing rival Fitbit based on allegations that Fitbit hired away some Jawbone employees who then took confidential corporate information with them to their new jobs.

The lawsuit, which was filed in California State Court in San Francisco, charges that Fitbit employees were “systematically plundering” confidential information by hiring the former Jawbone workers, who “improperly downloaded sensitive materials shortly before leaving,” according to a May 27 report by The New York Times.

“This case arises out of the clandestine efforts of Fitbit to steal talent, trade secrets and intellectual property from its chief competitor,” Jawbone lawyers wrote in the complaint, according to the story.

The lawsuit comes at an interesting time for Fitbit, which earlier in May filed for an initial public offering. The company has been in the business of creating and selling a full line of health tracking and fitness bands since 2007.

[…]


[ISN] Skytalks 2015 CFP – NOW OPEN

Forwarded from: bluknight <bluknight@skytalks.info>

== https://skytalks.info ==

Skytalks is a ‘sub-conference’ that gives a unique platform for researchers to share their research, for angry hackers to rant about the issues of their industry, and for curious souls to probe interesting issues, all without the watchful eye of the rest of the world. With a strict, well-enforced “no recording” policy, research that is underway or critical of a vendor can be aired to your peers. You are talking to other security people, sharing your working knowledge of a topic. That said, this isn’t a soapbox to say and trash whoever or whatever you want.

Skytalks is old-school DEF CON. We encourage handles – we want your material to stand on its own, not what company’s logo is on your slide deck. We encourage the audience to ask questions and challenge what does not seem to be right. Speakers will be held accountable for their material by their peers… loudly.

We’re looking for talks that are about cutting edge material, either in-progress, or ready to be disclosed… at the risk of offending a company. Talks that challenge the industry norms are great. Calling out those who plague our beloved industry, welcome! Talks that are outside the realm of a PG rating, can find (and have found) a home here (was re: Teledildonics).

First time speakers are welcome. We have had the privilege and honor of hosting for the first time some great names in the community. You, too, can be among that group.

What you must bring: A compelling topic, slides, and willingness to educate and/or face your peers. You should be: outgoing, willing to educate, wanting to learn (yes, as a presenter), and wanting to engage your peers. If you lack any of these skills, we can fix this. Please bring a spare liver. A good talk is about mutual learning; it is a conversation. We just provide a room of professionals that want to converse, over booze. Sometimes… a lot of booze.

Your submission must include a brief abstract that explains your talk. It must include a detailed outline of the major talking points. Optionally, you can give us additional information or arguments about why we should accept your talk.

What we provide: A place to present, with projectors (VGA video). While we may have adapters on-hand, please be prepared and bring your own. We’ll have a PA system with appropriate microphones, as well as audio input from a device if you need it. Please let us know if you have any special requirements, such as a fire extinguisher for when you plan to set the table on fire.

Please note: all speakers must already be badged Defcon attendees. Skytalks cannot provide DEF CON badges for speakers, and Skytalks badges, while great keepsakes, do not provide access to DEF CON itself.

Also, dongs.

== https://skytalks.info ==