sonicwall_* — SonicWall firewall logs

The read-only SonicWall log-analysis tool namespace — freeform syslog search, triage summaries, and VPN activity — served from Loki, with the source_ip label and dedup behavior.

The sonicwall_* family is read-only log analysis over the SonicWall edge firewalls. Logs land in Loki (on obs-01) and these tools query it — they don’t configure the firewall. Every tool is keyed by a source_ip Loki label identifying which firewall’s log you’re reading; it defaults to the HQ TZ80 (10.10.0.1). All three take their args inside a nested params object.

sonicwall_log_search

Freeform search of the syslog, newest first. Each match comes back as both the raw line and a parsed key=value dict.

sonicwall_log_search(params={
    "contains": None, "regex": None, "hours_back": 6,
    "limit": 200, "source_ip": "10.10.0.1"})
Param       Default     Notes
contains    None        Plain substring the line must include (Loki |=)
regex       None        RE2 regex the line must match (Loki |~); ANDs with contains
hours_back  6           Lookback window in hours (max 720)
limit       200         Max events returned (max 5000)
source_ip   10.10.0.1   Loki label selecting which firewall's log is read

Examples: contains="src=203." for a subnet, regex="m=(177|178)" for a set of message IDs, contains="Dropped" for drops. The response includes a truncated flag, set when the window held more matches than limit returned; narrow hours_back or tighten the filter rather than raising limit blindly.

sonicwall_log_summary

Triage view — “what is this firewall talking about?” Tallies top message IDs (with sample text), categories, source IPs, usernames, and a drop/deny count over the window.

sonicwall_log_summary(params={
    "hours_back": 24, "top_n": 10, "scan_limit": 5000,
    "source_ip": "10.10.0.1"})

Good for spotting noise (a runaway message ID) and a quick health read. scan_limit is capped at 5000 lines (Loki hard cap), and the tallies are computed over the lines actually scanned, so on a chatty firewall 5000 lines may cover less than hours_back; shorten the window if the counts look too small for the period.

sonicwall_vpn_activity

Two structured VPN views over a window:

  • control_plane — VPN/IKE (c=16) events: IKE negotiation, IPsec SA add/delete, DPD, IKEv2. The tunnel lifecycle / rekey / failure signal. Sparse, newest-first.
  • sessions — distinct VPN users on L2TP / SSL-VPN, deduplicated to one row per (user, source IP, session type) with a hit count and first/last seen.

sonicwall_vpn_activity(params={
    "hours_back": 24, "limit": 500, "source_ip": "10.10.0.1"})
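The three tools above share one pipeline: a key=value parse of each SonicWall line, a LogQL filter built from contains/regex, and a reduction (search, tally, or per-session dedup). The block below is an added illustration of that pipeline and is not the tool namespace's own code. It runs against a handful of constructed log lines embedded inline; the m= and c= values in those samples are placeholders except for c=16 as the VPN/IKE category named above, the job="sonicwall" stream label and the SSL/L2TP session-type heuristic are assumptions, and Python's re module accepts a superset of the RE2 syntax Loki enforces, so a pattern that works here may still be rejected by Loki.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in SonicWall key=value layout (not real firewall output).
# Message IDs other than the VPN category c=16 are placeholders.
SAMPLE_LOG = [
    'id=firewall sn=0000000000 time="2024-05-01 08:00:01 UTC" fw=10.10.0.1 pri=6 c=16 m=177 msg="IKEv2 negotiation started" src=203.0.113.5 dst=198.51.100.1',
    'id=firewall sn=0000000000 time="2024-05-01 08:00:03 UTC" fw=10.10.0.1 pri=6 c=16 m=178 msg="IPsec SA added" src=203.0.113.5 dst=198.51.100.1',
    'id=firewall sn=0000000000 time="2024-05-01 08:02:10 UTC" fw=10.10.0.1 pri=6 c=1024 m=901 msg="SSL VPN login successful" usr="alice" src=203.0.113.5',
    'id=firewall sn=0000000000 time="2024-05-01 08:05:00 UTC" fw=10.10.0.1 pri=6 c=1024 m=901 msg="SSL VPN login successful" usr="alice" src=203.0.113.5',
    'id=firewall sn=0000000000 time="2024-05-01 08:06:30 UTC" fw=10.10.0.1 pri=6 c=1024 m=902 msg="L2TP PPP session established" usr="bob" src=198.51.100.7',
    'id=firewall sn=0000000000 time="2024-05-01 08:07:00 UTC" fw=10.10.0.1 pri=4 c=32 m=801 msg="Packet dropped" src=192.0.2.9:4444:X1 dst=10.10.0.50:22:X0 proto=tcp/22',
    'id=firewall sn=0000000000 time="2024-05-01 08:07:05 UTC" fw=10.10.0.1 pri=4 c=32 m=802 msg="TCP connection denied" src=192.0.2.9:4445:X1 dst=10.10.0.50:22:X0 proto=tcp/22',
]

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one SonicWall syslog line into a dict; quoted values are unquoted."""
    out = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out

def event_time(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S UTC")

def src_ip(rec):
    # src may carry ip:port:interface; keep only the address for tallies and dedup keys
    return rec["src"].split(":")[0]

def logql_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_logql(source_ip="10.10.0.1", contains=None, regex=None):
    """Stream selector plus line filters. Chained filters AND together, which is how
    contains and regex combine. The job label is an assumption."""
    q = f'{{job="sonicwall", source_ip="{source_ip}"}}'
    if contains:
        q += f' |= "{logql_escape(contains)}"'
    if regex:
        q += f' |~ "{logql_escape(regex)}"'
    return q

def log_search(lines, contains=None, regex=None, limit=200):
    """Local stand-in for the Loki filters: substring AND regex, newest first, truncated flag."""
    rx = re.compile(regex) if regex else None
    hits = [l for l in lines
            if (contains is None or contains in l) and (rx is None or rx.search(l))]
    hits.sort(key=lambda l: event_time(parse_line(l)), reverse=True)
    return {"events": [{"raw": l, "parsed": parse_line(l)} for l in hits[:limit]],
            "truncated": len(hits) > limit}

def log_summary(lines, top_n=10):
    """Triage tallies over the scanned lines: message IDs with a sample, categories,
    source IPs, usernames, and a drop/deny count."""
    recs = [parse_line(l) for l in lines]
    samples = {}
    for r in recs:
        samples.setdefault(r.get("m"), r.get("msg", ""))
    ids = Counter(r.get("m") for r in recs)
    drops = sum(1 for r in recs if re.search(r"dropped|denied", r.get("msg", ""), re.I))
    return {
        "top_message_ids": [(m, n, samples[m]) for m, n in ids.most_common(top_n)],
        "categories": Counter(r.get("c") for r in recs).most_common(top_n),
        "source_ips": Counter(src_ip(r) for r in recs if "src" in r).most_common(top_n),
        "usernames": Counter(r["usr"] for r in recs if "usr" in r).most_common(top_n),
        "drop_deny_count": drops,
        "lines_scanned": len(recs),
    }

def session_type(rec):
    # Heuristic on the message text (assumption): which VPN service the login used
    msg = rec.get("msg", "").upper()
    if "SSL" in msg:
        return "SSL-VPN"
    if "L2TP" in msg:
        return "L2TP"
    return None

def vpn_activity(lines):
    """control_plane: c=16 events newest first. sessions: one row per
    (user, source IP, session type) with hit count and first/last seen."""
    recs = sorted((parse_line(l) for l in lines), key=event_time)
    control = [r for r in recs if r.get("c") == "16"][::-1]
    sessions = {}
    for r in recs:
        st = session_type(r)
        if st is None or "usr" not in r or "src" not in r:
            continue
        key = (r["usr"], src_ip(r), st)
        row = sessions.get(key)
        if row is None:
            sessions[key] = {"user": key[0], "src": key[1], "type": st, "hits": 1,
                             "first_seen": r["time"], "last_seen": r["time"]}
        else:
            row["hits"] += 1
            row["last_seen"] = r["time"]
    return {"control_plane": control, "sessions": list(sessions.values())}

if __name__ == "__main__":
    print(build_logql(contains="Dropped", regex="m=(177|178)"))
    print(log_search(SAMPLE_LOG, contains="src=203.", limit=2)["truncated"])
    print(log_summary(SAMPLE_LOG)["drop_deny_count"])
    print(vpn_activity(SAMPLE_LOG)["sessions"])
```

The dedup key deliberately strips the port and interface from src so repeated logins from one client collapse into one row; if you need to see re-connections individually, read control_plane instead, which is left un-deduplicated.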