We have a customer who had CISCO firewall but got it replaced by Sonicwall, now the VPN user session reports are not generating correctly.
What needs to be checked? Please share details.
You probably need to change TAs. The Cisco TA probably won't work with Sonicwall data. Try the one at https://splunkbase.splunk.com/app/4507/.
Then, like @woodcock said, you likely need to change the query that produces the report. There looks to be an app for that, too. See https://splunkbase.splunk.com/app/4544/.
sourcetype="cisco:asa" created OR deleted direction=inbound | rex "(?i)(SPI= (?P[^)]+)" | rex "(?i)(user= (?P[^)]+)" | rex "(?i) and (?P[^ ]+)" | eval Date_Time = date_mday." ".date_month." ".date_year." ".date_hour.":".date_minute.":".date_second | transaction SPI | table UserName, SourceIP, Date_Time, duration | eval duration = round(duration/(60*60), 2) | rename duration as "SessionTime(Hour)"
i have already tried all this sonicwall apps and add ons this are useless not loading any data
can some one help me how can i fliter vpn authentication logs from syslog or /var/log
or if someone has used sonicwall firewall and generated VPN reports please share the query or spl
this is the old query with cisco firewall tried chnagng soure cetypes but no data
it is really disappointing no one knows the answer for the above query
Find the SPL that generates the report and run it. From the bottom, one by one, remove each pipe and the SPL after it until you get results. Then look at what is in the line that you removed and fix whatever is in it that doesn't exist.
Please share the SPL