DataDog · akanshi-crest · Sep 26, 2024 · Sep 26, 2024 · Sep 26, 2024 · Sep 26, 2024
@@ -298,6 +298,11 @@ datadog_checks_base/datadog_checks/base/checks/windows/              @DataDog/wi
 /snowflake/*.md                                                      @DataDog/saas-integrations @DataDog/documentation
 /snowflake/manifest.json                                             @DataDog/saas-integrations @DataDog/documentation
 
+/sonicwall_firewall/                                                  @DataDog/saas-integrations
+/sonicwall_firewall/*.md                                              @DataDog/saas-integrations @DataDog/documentation
+/sonicwall_firewall/manifest.json                                     @DataDog/saas-integrations @DataDog/documentation
+/sonicwall_firewall/assets/logs/                                      @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 /sophos_central_cloud/                                               @DataDog/saas-integrations
 /sophos_central_cloud/*.md                                           @DataDog/saas-integrations @DataDog/documentation
 /sophos_central_cloud/manifest.json                                  @DataDog/saas-integrations @DataDog/documentation

@@ -469,6 +469,8 @@ integration/solr:
 - solr/**/*
 integration/sonarqube:
 - sonarqube/**/*
+integration/sonicwall_firewall:
+- sonicwall_firewall/**/*
 integration/sophos_central_cloud:
 - sophos_central_cloud/**/*
 integration/spark:

@@ -0,0 +1,4 @@
+# CHANGELOG - sonicwall_firewall
+
+<!-- towncrier release notes start -->
+
@@ -0,0 +1,144 @@
+## Overview
+
+[SonicWall Firewall][1] is a network security solution designed to protect organizations from a wide range of cyber threats. It offers advanced security features, high performance, and scalability, making it suitable for businesses of all sizes. SonicWall Firewall is known for its ability to provide real-time protection against emerging threats, while ensuring secure and efficient network traffic management.
+
+This integration provides enrichment and visualization for all log types shared by SonicWall Firewall over syslog. Detailed insights into the logs received by syslog are visualized in out-of-the-box dashboards and detection rules.
+
+
+## Setup
+
+### Installation
+
+To install the SonicWall Firewall integration, run the following Linux command to install the Agent. 
+
+**Note**: This step is not necessary for Agent version >= 7.58.0.
+
+  ```shell
+  sudo -u dd-agent -- datadog-agent integration install datadog-sonicwall-firewall==1.0.0
+  ```
+
+For more information, see the [Integration Management][2] documentation.
+
+### Configuration
+
+#### Log Collection
+
+1.  Logs collection is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file:
+    ```yaml
+    logs_enabled: true
+    ```
+
+2. Add this configuration block to your `sonicwall_firewall.d/conf.yaml` file to start collecting your SonicWall Firewall logs:
+
+    ```yaml
+    logs:
+      - type: udp
+        port: <udp_port>
+        source: sonicwall-firewall
+    ```
+
+    See the [sample sonicwall_firewall.d/conf.yaml][3] for available configuration options.
+
+    **NOTE**: Configure a [syslog server][8] on a SonicWall Firewall with `<udp_port>`.
+
+    Configure a Syslog Server in your firewall using the following options:
+
+    - **Name or IP Address**: The address of the Datadog Agent running this integration.
+    - **Port**: The Syslog port (UDP) configured in this integration.
+    - **Server Type**: Syslog Server.
+    - **Syslog Format**: Enhanced Syslog.
+    - **Syslog ID**: Change this default (firewall) if you need to differentiate between multiple firewalls.
+
+    Set the default time as UTC:
+
+    - In **Device** > **Log** > **Syslog**, select the **Syslog Settings** tab, and then enable **Display Syslog Timestamp in UTC**. Click **Accept** to set the time to UTC.
+
+    Additional Configuration:
+
+    - In **Device** > **Log** > **Settings**, you can select the **Logging Level** and **Alert Level** to get different kind of logs.
+
+3. [Restart the Agent][4].
+
+#### Specify a time zone other than UTC in the SonicWall Firewall and Datadog log pipeline
+Datadog expects all logs to be in UTC time zone by default. If the time zone of your SonicWall Firewall logs is not in UTC, specify the correct time zone in the SonicWall Firewall Datadog pipeline.
+
+To change the time zone for the SonicWall Firewall pipeline:
+
+1. Navigate to the [**Pipelines** page][10] in the Datadog app.
+
+2. Enter `SonicWall Firewall` in the **Filter Pipelines** search box.
+
+3. Hover over the SonicWall Firewall pipeline and click **clone**. This creates an editable clone of the SonicWall Firewall pipeline.
+
+4. Edit the Grok Parser using the below steps:
+
+   - In the cloned pipeline, find the processor with the name **Grok Parser: Parsing Sonicwall FireWall time**. Hover over the pipelines and click **Edit**.
+   - Under **Define parsing rules**:
+      - Modify the rule and provide the [TZ identifier][9] of the time zone of your SonicWall Firewall server. For example, if your time zone is IST, replace `' z'` with `Asia/Calcutta`.
+      - For example, if this is the existing rule:
+
+          ```shell
+          rule %{date("yyyy-MM-dd HH:mm:ss z"):timestamp}
+          ```
+
+        The modified rule for IST timezone is:
+
+          ```shell
+          rule %{date("yyyy-MM-dd HH:mm:ss", "Asia/Calcutta"):timestamp}
+          ```
+
+      - To update the existing log sample, under **log samples**:
+        - Remove UTC from the existing value.
+        - For example, if the existing value is:
+
+              ```shell
+              2024-09-11 06:30:00 UTC
+              ```
+
+              The updated value is:
+              ```shell
+              2024-09-11 06:30:00
+              ```
+
+    - Click **Update**.
+
+### Validation
+
+[Run the Agent's status subcommand][5] and look for `sonicwall_firewall` under the Checks section.
+
+## Data Collected
+
+### Logs
+
+|         Format          | Log Types    |
+| --------------------    | -------------- |
+| CEF (Enhanced Syslog)   | All          |
+
+### Metrics
+
+The SonicWall Firewall integration does not include any metrics.
+
+### Events
+
+The SonicWall Firewall integration does not include any events.
+
+### Service Checks
+
+The SonicWall Firewall integration does not include any service checks.
+
+See [service_checks.json][6] for a list of service checks provided by this integration.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][7].
+
+[1]: https://www.sonicwall.com/
+[2]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
+[3]: https://github.com/DataDog/integrations-core/blob/master/sonicwall_firewall/datadog_checks/sonicwall_firewall/data/conf.yaml.example
+[4]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
+[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[6]: https://github.com/DataDog/integrations-core/blob/master/sonicwall_firewall/assets/service_checks.json
+[7]: https://docs.datadoghq.com/help/
+[8]: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-syslog-server-on-a-sonicwall-firewall/170505984096810
+[9]: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+[10]: https://app.datadoghq.com/logs/pipelines
@@ -0,0 +1,9 @@
+name: Sonicwall Firewall
+files:
+- name: sonicwall_firewall.yaml
+  options:
+  - template: logs
+    example:
+    - type: udp
+      port: <port>
+      source: sonicwall-firewall