Monitoring Splunk

More than 70% of the syslog messages generated from TZ600 have the firewall action as "N/A"

kdevmu
New Member

Observed that more than 70% of syslog messages generated from TZ600 is having firewall action as N/A. So can anyone help me to understand how SIEM classifies such logs and why we get "NA" in fw_action field for SonicWALL syslogs?

Sample log:
id=firewall sn=XXXXX time="2017-08-17 13:33:40 UTC" fw=104.X X.X pri=6 c=262144 m=98 dmsg="Connection Opened" n=11353263 src=172.27.17.2:53175:X0 dst=52.52.X.X:80:X1 proto=tcp/http sent=52 fw_action="NA"

0 Karma

mattymo
Splunk Employee
Splunk Employee

Hey kdevmu!

The log literally has the value of fw_action="NA". I would suggest you consult the admin guide of your device, but taking a wild stab, I would assume there was no action taken by the firewall, thus...action=na. I'd assume the other 30% of your logs say things like "allow, deny or drop"? If so, must just mean it is hitting a default policy or no policy.

Either way hit up Sonicwall documentation or your vendor.

- MattyMo
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>