fix(sonicwall): optimize field parsing and clean double quotes

Author: JocLRojas

filters/sonicwall/sonic_wall.conf

@@ -57,6 +57,12 @@ filter {
             }
           }
           }
+          #Remove unnecessary spaces from the msg_all field
+          if ([msg_all]){
+            mutate {
+              strip => ["msg_all"]
+            }
+          } 
           #Checking if the log is in CEF format
           if ("CEF:" in [message] and [message] =~/\|(\w+)?(\s)?SonicWall(\s)?(\w+)?\|/){
             #......................................................................#
@@ -222,6 +228,58 @@ filter {
             grok { match => { "msg_all" => [" cs3=%{DATA:vpnpolicyDst} %{WORD:}="," cs3=%{GREEDYDATA:vpnpolicyDst}"] } }
 
           }
+          
+          # Clean double quotes from extracted fields
+          mutate {
+            gsub => [
+              "fw_action", "^\"", "",
+              "fw_action", "\"$", "",
+              "msg", "^\"", "",
+              "msg", "\"$", "",
+              "note", "^\"", "",
+              "note", "\"$", "",
+              "rule", "^\"", "",
+              "rule", "\"$", "",
+              "user", "^\"", "",
+              "user", "\"$", "",
+              "vpnpolicy", "^\"", "",
+              "vpnpolicy", "\"$", "",
+              "vpnpolicyDst", "^\"", "",
+              "vpnpolicyDst", "\"$", "",
+              "fileid", "^\"", "",
+              "fileid", "\"$", "",
+              "referer", "^\"", "",
+              "referer", "\"$", "",
+              "time", "^\"", "",
+              "time", "\"$", "",
+              "cfs_category", "^\"", "",
+              "cfs_category", "\"$", "",
+              "ipscat", "^\"", "",
+              "ipscat", "\"$", "",
+              "app_cat", "^\"", "",
+              "app_cat", "\"$", "",
+              "appid", "^\"", "",
+              "appid", "\"$", "",
+              "arg", "^\"", "",
+              "arg", "\"$", "",
+              "app_name", "^\"", "",
+              "app_name", "\"$", "",
+              "contentObject", "^\"", "",
+              "contentObject", "\"$", "",
+              "request", "^\"", "",
+              "request", "\"$", "",
+              "anti_spyware_cat", "^\"", "",
+              "anti_spyware_cat", "\"$", "",
+              "anti_spyware_pri", "^\"", "",
+              "anti_spyware_pri", "\"$", "",
+              "mgmt_source_ip", "^\"", "",
+              "mgmt_source_ip", "\"$", "",
+              "radio", "^\"", "",
+              "radio", "\"$", "",
+              "station", "^\"", "",
+              "station", "\"$", ""
+            ]
+          }
           #Checking if the src field exists and using grok to parse it
           if ([src]){
             grok {
@@ -292,7 +350,7 @@ filter {
             rename => { "[af_policy_id]" => "[logx][sonicwall][af_policy_id]" }
             rename => { "[af_policy]" => "[logx][sonicwall][af_policy]" }
             rename => { "[af_policy_type]" => "[logx][sonicwall][af_policy_type]" }
-            rename => { "[=%{WORD:af_policy_service]" => "[logx][sonicwall][af_policy_service]" }
+            rename => { "[af_policy_service]" => "[logx][sonicwall][af_policy_service]" }
             rename => { "[af_policy_action]" => "[logx][sonicwall][af_policy_action]" }
             rename => { "[af_policy_object]" => "[logx][sonicwall][af_policy_object]" }
             rename => { "[active_interface]" => "[logx][sonicwall][active_interface]" }