TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Device Configuration Guide for SonicWall firewalls
Device Configuration Checklist
Vendor Information

| Vendor | SonicWall |
|---|---|
| Supported Model Name/Number | SonicWall Firewall |
| Supported Software Version(s) | SonicOS 6.5.x, SonicOS 7.x |
| Collection Method | Syslog |
| Provider Name | Syslog-SonicWall |
| Additional Information | https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-logs-and-reporting.pdf https://www.sonicwall.com/techdocs/pdf/SonicOS-X_7.0.1_LogEvents_ReferenceGuide.pdf |
Device Configuration Checklist

Creating an address object

- Go to Network > Address Objects
- Click Add
- Enter a friendly name for the object. Example: Huntress-SIEM (this will be used later)
- Set Zone Assignment to LAN
- Set Type to Host
- Enter the IP address of the Huntress agent configured to listen for syslog
- Click Add

Add a Syslog Server

- Go to the Device > Log > Syslog page.
- Click the Syslog Servers tab.
- Click Add. The Add Syslog Server dialog appears.
- Set the Event Profile to 0.
- For the Name or IP Address, select the name of the Address Object created above
- Set Port to 514
- Set Syslog Format to “Enhanced”
- Set Syslog Facility to “Local Use 0”
- Click OK

Enable the Syslog Server

- From the Syslog Server list, find the one created above
- Check the box in the Enable column corresponding to the Syslog Server
Example Log Messages
Traffic Log Message
<134> id=firewall sn=123456789ABC time="2024-09-13 07:51:33" fw=10.0.0.1 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2:58927:X0-V30 srcZone=LAN natSrc=10.0.0.3:39386 dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.4:80:X1 dstZone=WAN natDst=10.0.0.5:80 usr="Unknown (SSO failed)" proto=tcp/http sent=693 rcvd=838 sess="Auto" rule="Default Access Rule" app=9 op=1 dstname=ocsp.digicert.com arg=/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3 code=76 Category="Computer and Internet Security" note="Policy: CFS Default Policy, Info: 6148 " n=308796 fw_action="forward" dpi=0
IPS Log Message
<129> id=firewall sn=123456789ABC time="2024-09-13 07:51:12" fw=10.0.0.1 pri=1 c=32 gcat=3 m=608 srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2::X0-V30 srcZone=LAN dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.3::X0 dstZone=LAN usr="Unknown (SSO failed)" proto=icmp type=8 icmpCode=0 rcvd=42 sess="Auto" rule="Default Access Rule_8" msg="IPS Detection Alert: ICMP PING, SID: 293, Priority: Low" msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3 n=113781
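As an added example (not part of the Huntress guide or of SonicWall's documentation), the following Python parser handles the Enhanced key=value format shown above: it decodes the <PRI> header into facility and severity (so you can confirm the "Local Use 0" facility and the inline pri= value agree), keeps quoted values intact, records keys that appear twice such as the two msg= fields in the IPS alert, and splits the ip:port:interface endpoints. The two sample lines are constructed, shortened copies of the messages above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, shortened from the two example messages above.
TRAFFIC_LINE = ('<134> id=firewall sn=123456789ABC time="2024-09-13 07:51:33" fw=10.0.0.1 '
                'pri=6 c=1024 gcat=2 m=97 msg="Web site hit" src=10.0.0.2:58927:X0-V30 '
                'srcZone=LAN dst=10.0.0.4:80:X1 dstZone=WAN usr="Unknown (SSO failed)" '
                'proto=tcp/http rule="Default Access Rule" fw_action="forward" dpi=0')
IPS_LINE = ('<129> id=firewall sn=123456789ABC time="2024-09-13 07:51:12" fw=10.0.0.1 '
            'pri=1 c=32 gcat=3 m=608 src=10.0.0.2::X0-V30 dst=10.0.0.3::X0 proto=icmp '
            'msg="IPS Detection Alert: ICMP PING, SID: 293, Priority: Low" '
            'msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3')

PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$", re.S)
# Enhanced format is key=value; a value is either a bare token or a double-quoted
# string (quoted values may contain spaces, colons and commas, as msg= and usr= show).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

Endpoint = Tuple[str, Optional[int], str]

def split_endpoint(value: str) -> Endpoint:
    """src/dst look like ip:port:interface; the port is empty for ICMP (ip::iface)."""
    ip, _, rest = value.partition(":")
    port, _, iface = rest.partition(":")
    return ip, (int(port) if port else None), iface

def parse_enhanced_syslog(line: str) -> Dict[str, object]:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    pairs: List[Tuple[str, str]] = [(k, q if q else b) for k, q, b in KV_RE.findall(m.group(2))]
    fields: Dict[str, str] = {}          # first value seen for each key
    duplicates: Dict[str, List[str]] = {}  # every value, for keys that repeat
    for key, val in pairs:
        if key in fields:                # e.g. IPS alerts carry msg= twice
            duplicates.setdefault(key, [fields[key]]).append(val)
        else:
            fields[key] = val
    return {
        "facility": pri // 8,            # 16 is local0, the "Local Use 0" setting above
        "severity": pri % 8,             # 6 = informational, 1 = alert
        "fields": fields,
        "duplicates": duplicates,
        "src": split_endpoint(fields["src"]) if "src" in fields else None,
        "dst": split_endpoint(fields["dst"]) if "dst" in fields else None,
    }

def pri_field_matches_header(parsed: Dict[str, object]) -> bool:
    """The inline pri= field should equal the severity encoded in the <PRI> header."""
    return int(parsed["fields"].get("pri", -1)) == parsed["severity"]
```

If `pri_field_matches_header` returns False for a feed, the collector is most likely not receiving the Enhanced format selected in the checklist, which is worth checking before tuning detections on these fields.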